
Recognizing Shared Attack Vectors on Hacked Evolution CMS Sites

How to reason about two hacked Evolution CMS sites by comparing their shared extras, legacy version history, and file-upload surface.

When two different sites are hacked, the fastest way to find the real entry point is to compare what they have in common. In the original report, one site was extremely old, another had once been current, yet both were compromised. Their shared stack included familiar Evolution extras such as AjaxSearch, eForm, Wayfinder, Ditto, and the default supporting code around them.

That comparison is useful because attackers rarely care about the site theme or the business domain. They care about outdated upload handlers, stale file-browser modules, forgotten install directories, weak manager passwords, and old core files that were never fully patched.

How to investigate systematically

  • List the exact extras and versions present on both sites.
  • Check upload and file-browser components first.
  • Audit manager accounts, passwords, and login logs.
  • Search writable directories for recently created PHP files.
  • Compare modified timestamps of core and manager files against a clean distribution.
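The last two steps can be scripted so the same check runs identically on both sites. The following is an added example, not code from the original post or from the Evolution CMS project: it compares a live document root against a clean extract of the same release by file content (timestamps alone are easy to forge) and lists PHP files recently written into a directory. The directory paths passed to the functions are placeholders; substitute your own clean extract and live docroot.

```shell
#!/bin/sh
# Added example (not part of the original post). Assumes a clean extract of
# the same Evolution CMS release is available locally for comparison.

# Print each file under the live tree ($2) that is absent from the clean tree
# ($1) or whose content differs from it. Paths are reported relative to the
# tree root, e.g. "./index.php". Content comparison uses cmp, not timestamps.
compare_trees() {
  clean="$1"; live="$2"
  ( cd "$live" && find . -type f | sort ) | while IFS= read -r rel; do
    if [ ! -f "$clean/$rel" ]; then
      printf 'ADDED    %s\n' "$rel"
    elif ! cmp -s "$clean/$rel" "$live/$rel"; then
      printf 'MODIFIED %s\n' "$rel"
    fi
  done
}

# Print PHP files under $1 modified within the last $2 days. Typically run
# over writable locations such as assets/files and the old media browser path.
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Example invocation with placeholder paths (constructed, adjust to your host):
# compare_trees /srv/clean/evolution-1.0.x /var/www/site1
# recent_php /var/www/site1/assets 7
```

Run compare_trees once per site and diff the two outputs: a file flagged ADDED on both hosts in the same writable path, or the same core file flagged MODIFIED on both, points at the shared entry point more reliably than any single frontend symptom.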

If both sites share the same vulnerable component or the same outdated manager file set, that is usually more important than any one symptom seen on the frontend.

The lesson from cases like this is simple: once a site is hacked, do not only clean the visible payload. Rebuild trust in the whole stack by comparing against clean source files, removing dead extras, and patching every shared weak point.
