My Dolibarr server got hacked

Hi,
one day I opened up my Dolibarr instance (v18) and I was suddenly redirected to a strange website. I started to look into the source HTML that the server sends to the browser. I noticed there was an additional obfuscated script prepended before tag.

After that I logged in to my server and started to look into the files.
I noticed a pattern that a lot of index.php and index.html.bak.bak files were added inside most of the subfolders of the Dolibarr folder. The PHP files are referencing a css file with PHP content. They are all over the place.

The most annoying thing is that these files are also in other folders of the hosting (some other websites).

How to clean this mess? I plan to reinstall the dolibarr completely, but the question is how to make sure that this hack did not change anything inside the database?

I tried to change my admin password, but I couldn’t, which is really bad.

First thing, I updated the Dolibarr via Softaculous to v19, which replaced the corrupted files but left the additional hacked ones there.

The content of the css file looks like so:

There are also some additional PHP files that have the content looking like this:
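The pasted file contents did not survive in this copy of the thread. As an added example (not from the post, and not the attacker's files), the script below walks a web root and flags the three things the post describes: dropped `index.html.bak.bak` files, `.css` files that contain a PHP open tag, and `index.php` files that include or require a `.css` file. The sample tree it builds in a temporary directory is constructed for the demonstration; the path names inside it are placeholders.

```python
"""Flag the file-injection pattern described in the post (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Filenames the post says were dropped into many subfolders.
DROPPED_NAMES = {"index.html.bak.bak"}
# A PHP open tag has no business inside a stylesheet.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# include/require of a file whose name ends in .css, from a PHP file.
CSS_INCLUDE = re.compile(
    rb"(include|require)(_once)?\s*\(?\s*['\"][^'\"]*\.css['\"]", re.IGNORECASE
)


def scan_webroot(root):
    """Return sorted (relative_path, reason) tuples for suspicious files."""
    root = Path(root)
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in DROPPED_NAMES:
                findings.append((rel, "dropped filename"))
                continue
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if name.endswith(".css") and PHP_TAG.search(data):
                findings.append((rel, "PHP code inside .css"))
            elif name.endswith(".php") and CSS_INCLUDE.search(data):
                findings.append((rel, "PHP file includes a .css file"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (placeholder content, not real attacker files):
    one clean PHP file, one loader that includes a .css, one .css carrying a
    harmless PHP tag, one clean .css and one dropped .bak.bak file."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "htdocs" / "comm").mkdir(parents=True)
    (root / "htdocs" / "theme").mkdir(parents=True)
    (root / "htdocs" / "main.inc.php").write_text(
        "<?php\n// legitimate application file (constructed)\necho 'ok';\n"
    )
    (root / "htdocs" / "comm" / "index.php").write_text(
        "<?php include('../theme/style.css'); ?>\n"
    )
    (root / "htdocs" / "comm" / "index.html.bak.bak").write_text("<html></html>\n")
    (root / "htdocs" / "theme" / "style.css").write_text(
        "body{margin:0}\n<?php /* constructed placeholder, does nothing */ ?>\n"
    )
    (root / "htdocs" / "theme" / "clean.css").write_text("body{margin:0}\n")
    return root


if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_tree()):
        print(f"{reason:32s} {rel}")
```

Run it against a real web root with `scan_webroot("/path/to/htdocs")`; the content checks are deliberately narrow (PHP tags in stylesheets, PHP files pulling in `.css`), so treat an empty result as "this particular pattern is absent", not as a clean bill of health.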

Shut down your Dolibarr server, but do not delete it.

Unfortunately you upgraded the server, because otherwise I would have done a similar installation somewhere else and then done a file-by-file comparison to see exactly what was changed.

Then I would do an additional fresh Dolibarr installation somewhere else on a completely different server. I would install the newest version.

I would also check the data, and then transfer only the data.

Do not reuse passwords, and if possible change the usernames as well.

I run my Dolibarr as a podman container, and I run it inside a small Linux VPS dedicated to only running Dolibarr. My database is also running inside another container, everything is contained inside a pod, and it all runs as its own user.

Keep your logs around so you can try to look at them later.

Thank you for sharing your unfortunate story. Please continue sharing so we can all learn from it.

Everyone running a Dolibarr server should be watching this thread so we can all learn
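The file-by-file comparison against a fresh installation suggested above, as an added example that is not part of any post in this thread: it hashes every file under a clean reference tree and under the suspect tree, then reports files that were added, modified or removed. The two sample trees it builds are constructed in temporary directories; in a real comparison the reference is a pristine download of the same Dolibarr version and the suspect is the hacked copy (kept, not deleted, as the reply says).

```python
"""Compare a suspect install against a clean reference install (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(reference, suspect, ignore_prefixes=()):
    """Return {'added': [...], 'modified': [...], 'missing': [...]}.

    ignore_prefixes can hide paths that legitimately differ between installs,
    but the default is to hide nothing: a site-specific file such as the
    configuration showing up as 'modified' is something to read, not skip."""
    ref = hash_tree(reference)
    sus = hash_tree(suspect)

    def keep(rel):
        return not rel.startswith(tuple(ignore_prefixes))

    added = sorted(r for r in sus if r not in ref and keep(r))
    missing = sorted(r for r in ref if r not in sus and keep(r))
    modified = sorted(r for r in ref if r in sus and ref[r] != sus[r] and keep(r))
    return {"added": added, "modified": modified, "missing": missing}


def build_sample_trees():
    """Constructed reference and suspect trees (placeholder content).
    The suspect copy has one altered file, one extra dropped file and one
    file removed."""
    base = Path(tempfile.mkdtemp(prefix="cmp_"))
    reference = base / "reference"
    (reference / "htdocs" / "comm").mkdir(parents=True)
    (reference / "htdocs" / "main.inc.php").write_text("<?php\necho 'clean';\n")
    (reference / "htdocs" / "comm" / "index.php").write_text("<?php\n// module index\n")
    (reference / "README.md").write_text("reference install\n")

    suspect = base / "suspect"
    shutil.copytree(reference, suspect)
    # Altered application file: an extra line appended.
    with open(suspect / "htdocs" / "main.inc.php", "a") as fh:
        fh.write("// constructed placeholder line, harmless\n")
    # Extra file with the name pattern from the original post.
    (suspect / "htdocs" / "comm" / "index.html.bak.bak").write_text("<html></html>\n")
    # A file that went missing from the suspect copy.
    (suspect / "README.md").unlink()
    return reference, suspect


if __name__ == "__main__":
    ref, sus = build_sample_trees()
    for kind, paths in compare_trees(ref, sus).items():
        for rel in paths:
            print(f"{kind:9s} {rel}")
```

Every path in `added` and `modified` is a file to open and read before deciding what to carry over; only data (the database and the documents directory, after review) should move to the fresh installation, never the code tree.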

Hi @gregor.tusar
Can you give some more info about your exact Dolibarr version, your PHP version and the name of the provider of the server that hosts your instance?
From your description, either you used a weak admin password or they hacked your server by leveraging some known vulnerability; there are so many lately…
Contact your host support immediately; usually they provide daily backups anyway…

Also a reminder that there is a known vulnerability in v. 18.0.4

and everyone needs to upgrade to 18.0.5 or 19+

This is the wild west out there, and those of you that have to use older versions of Dolibarr that depend on older, deprecated and unsupported PHP versions like 5 or 7: stop exposing your instances to the web and use localhost instead!


Here’s how to find which version of Dolibarr you have

  1. Press the Home button in the top menu
  2. Press Admin in the left side menu
  3. Press About Dolibarr