Attack on EllisLab thwarted by their webhost Nexcess

Mon, 4th May 2015, 17:00

EllisLab, the software development company behind the ExpressionEngine CMS, is urging users to change their passwords after hackers gained unauthorized access to EllisLab's servers. EllisLab says that on March 24, 2015, an attacker logged in with a Super Admin's stolen password. The perpetrator then uploaded a common PHP backdoor script that gave a group of attackers access to the server without requiring authentication.

One of the functions of the backdoor software is to gain root access to the server. A number of failed attempts alerted EllisLab's webhost, Nexcess, to the malicious activity. Nexcess immediately shut down access at the firewall level and informed EllisLab of the activity.
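The article does not say what the failed privilege-escalation attempts looked like in the logs or how Nexcess spotted them. As an added illustration (not code from EllisLab, Nexcess or the article), the script below shows the kind of host-side detection that would catch the pattern described: it parses constructed syslog-style `sudo` and `su` failure lines and raises an alert when one account accumulates several failures to become another user within a short window. The log lines, hostnames, account names and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article): the web-server account
# repeatedly failing to become root, mixed with benign administrative activity.
SAMPLE_LOG = """\
Mar 24 14:02:11 web1 sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/sh
Mar 24 14:02:13 web1 su[2241]: FAILED SU (to root) www-data on none
Mar 24 14:02:20 web1 sshd[1990]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 24 14:02:31 web1 sudo: www-data : user NOT in sudoers ; TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/usr/bin/id
Mar 24 14:03:05 web1 su[2250]: FAILED SU (to root) www-data on none
Mar 24 14:45:00 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 24 15:10:42 web1 su[3001]: FAILED SU (to root) alice on pts/1
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s(?P<prog>[^\[:]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
# sudo denial: "<user> : user NOT in sudoers ; ..."
SUDO_FAIL_RE = re.compile(r"^(?P<user>\S+) : user NOT in sudoers")
# su failure: "FAILED SU (to <target>) <user> on <tty>"
SU_FAIL_RE = re.compile(r"^FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+)")


def parse_failures(log_text, year=2015):
    """Yield (timestamp, user) for every failed attempt to become another user.

    Syslog lines carry no year, so one is supplied (assumed 2015 here).
    """
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        f = SUDO_FAIL_RE.match(m["msg"]) or SU_FAIL_RE.match(m["msg"])
        if f:
            yield ts, f["user"]


def detect_bursts(failures, threshold=3, window=timedelta(minutes=5)):
    """Return {user: time of first failure in the burst} for each user with
    at least `threshold` failures inside any sliding `window`."""
    by_user = defaultdict(list)
    for ts, user in failures:
        by_user[user].append(ts)

    alerts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = times[start]
                break
    return alerts


def scan(log_text=SAMPLE_LOG):
    """Run the full pipeline over a log and return the alerts dictionary."""
    return detect_bursts(parse_failures(log_text))


if __name__ == "__main__":
    for user, first_seen in scan().items():
        print(f"ALERT: {user} repeatedly failed to escalate, starting {first_seen}")
```

On the sample log only `www-data` trips the threshold (four failures inside about a minute); the single `alice` failure and the successful `deploy` sudo call do not. In practice any escalation attempt by the web-server account is worth alerting on regardless of count, since that account should never need root; the threshold here is only to keep a single mistyped password from paging anyone.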

EllisLab says: “they began dissecting the server logs to retrace their steps and learn how they gained access. We went through all our files to remove what they added. We also audited ExpressionEngine, since we would need to release a patch before disclosing the attack if the breach was due to an exploit.”

EllisLab has determined that the perpetrator used a Super Admin's stolen password to log in to the site. ExpressionEngine itself was not exploited; the attack began from a session created using a valid username and password. Referer data reveals the attackers were multi-national, but their source and number are unknown, as the use of Tor disguised the route of the attacks.

In a statement released by the company, EllisLab says:

“We can’t begin to express our gratitude to Nexcess for their alertness and speed. It inspires confidence in their team and platform.”

While the attackers did have approximately three hours of access to the server, the evidence shows it is unlikely that they stole the database. Preferring to err on the side of caution, EllisLab is urging all users to change their passwords.
