I've been hacked-Need help getting UN-hacked.

[fishfreak911]

Hello there, I am a CMSMS user, but only do minor website upkeep and don't know how to undo what these a-holes did. I was sent this email by Google:
Security Issues
Hacked with spam
A hacker may have modified your site to contain spammy content. To protect visitors to your site, Google’s search results may label your site’s pages as hacked. We may also show an older, clean version of your site. Learn more
Download all samples
URL injection
These pages appear to be created by a hacker with the intent of spamming search results.
Show details
Sample URLs Last detected
http://sierra-nets.com/info-xzsxbd/Us-only-online-casino.html 3/29/16
http://sierra-nets.com/info-xzsxbd/Free-slot-games-for-pc-nook-casino-slots-games-99.html 3/30/16
http://sierra-nets.com/info-xzsxbd/Slot-machine-winning-9-line-free-slots-casino-machines-queen-nile.html 3/30/16

I am hoping to find somebody here that has experience with this type of issue and can speedily get me back on the road again. Please reply with some of your qualifications and your pay rate. A ballpark estimate would be appreciated but I understand that can vary widely. Thank you in advance,
Greg


----------------------------------------------

Cms Version: 1.10.3

Installed Modules:

CMSMailer: 2.0.2
FileManager: 1.2.0
MenuManager: 1.7.7
ModuleManager: 1.5.3
News: 2.12.3
Printing: 1.1.2
Search: 1.7
ThemeManager: 1.1.4
TinyMCE: 2.9.12
Gallery: 1.4.4
Showtime: 1.0.1
Gallery: 1.4.4
CGExtensions: 1.29.1
CGSimpleSmarty: 1.5.1
CGBlog: 1.7.2
CGFeedback: 1.3.2
FrontEndUsers: 1.12.12
CMSPrinting: 1.0
MicroTiny: 1.1.1

Config Information:

php_memory_limit:
process_whole_template: false
output_compression: false
max_upload_size: 12000000
default_upload_permission: 644
url_rewriting: none
page_extension:
query_var: page
image_manipulation_prog: GD
auto_alias_content: true
locale:
default_encoding: utf-8
admin_encoding: utf-8
set_names: true

Php Information:

phpversion: 5.2.17
md5_function: On (True)
gd_version: 2
tempnam_function: On (True)
magic_quotes_runtime: Off (False)
E_STRICT: 0
memory_limit: 64M
max_execution_time: 60
output_buffering: 1
safe_mode: Off (False)
file_uploads: On (True)
post_max_size: 12M
upload_max_filesize: 12M
session_save_path: /var/chroot/home/content/g/r/e/gregmadrigal/tmp (0755)
session_use_cookies: On (True)
xml_function: On (True)

Server Information:

Server Api: cgi-fcgi
Server Db Type: MySQL (mysql)
Server Db Version: 5.0.96

----------------------------------------------

[Jeff]

What backups do you have?

When did this hack happen?

How did they get in and has the hole been fixed?

[Jeff]

After a quick look at the CMSms install at http://www.sierra-nets.com/CMS-Sierra/ it doesn't look to be compromised (a checksum test in the admin need to be done to be sure). It looks like most of the files (atleast the ones link in the original post) are outside the CMSms root directory.