Site hacked ?

The place to talk about things that are related to CMS Made simple, but don't fit anywhere else.
Neow
Forum Members
Posts: 33
Joined: Wed Nov 19, 2008 1:39 pm

Site hacked ?

Post by Neow »

Hello,

I sent a topic a few days ago, but I can't find it... So I am re-posting. I think one of my websites has been hacked. Some people and I had antivirus and firewall alerts when accessing some pages, and I found some strange code at the end of the source code, after the html tag. I can't find it anywhere in the template or in the content.
It looks like the virus, if it is a virus, appears when accessing the site or the admin.

What can I do?

Thanks,
Last edited by M@rtijn on Tue Dec 27, 2011 6:16 pm, edited 1 time in total.
Reason: Link removed by moderator
Dr.CSS
Moderator
Posts: 12711
Joined: Thu Mar 09, 2006 5:32 am
Location: Arizona

Re: Site hacked ?

Post by Dr.CSS »

If it is a hack and it shows at the end of the template/page, look in the index.php in the root of the site for any hack/code...
Wishbone
Power Poster
Posts: 1368
Joined: Tue Dec 23, 2008 8:39 pm

Re: Site hacked ?

Post by Wishbone »

Which version of CMSMS? 1.9.4.2 and earlier had a security issue with the News module.
staartmees
Power Poster
Posts: 1049
Joined: Wed Mar 19, 2008 4:54 pm

Re: Site hacked ?

Post by staartmees »

Those are the risks of shared hosting. With FTP you can see when your index.php was changed. Just replace your index.php with the original one. Then look for some unusual files in your cms-directory with the same date as your hacked index.php and remove them.
Neow
Forum Members
Posts: 33
Joined: Wed Nov 19, 2008 1:39 pm

Re: Site hacked ?

Post by Neow »

It is CMSMS 1.6.6.

I'll try to look in the index.php file and I'll go back when it's done, thanks.
staartmees
Power Poster
Posts: 1049
Joined: Wed Mar 19, 2008 4:54 pm

Re: Site hacked ?

Post by staartmees »

No wonder your site got hacked, 1.6.6 is way too old.
Neow
Forum Members
Posts: 33
Joined: Wed Nov 19, 2008 1:39 pm

Re: Site hacked ?

Post by Neow »

In fact, all my websites using CMSMS have been "hacked"... Even those using the most recent version of CMSMS.
Each time, it was the same trojan, and each time, the same files were infected: index.php in the cms root folder, and index.php, home.php and footer.php in the admin folder. Deleting these files and replacing them with the original files solves the problem.
Jo Morg
Dev Team Member
Posts: 1967
Joined: Mon Jan 29, 2007 4:47 pm

Re: Site hacked ?

Post by Jo Morg »

I had that problem once, with one site, and it turned out to be a virus on the server (all it takes is someone using FileZilla on an infected PC since it doesn't encrypt the site data). So, apparently my client had a virus, can't remember the name now. With that data all the virus had to do was to add a line to all index.* files after the </html> tag that triggered a js on a remote server. The server was no longer on-line by the time Google flagged the site. It seems that it took only a few weeks before someone unplugged the hacker's site, so basically there was no harm done, except for all the trouble of cleaning ALL index files (don't forget all those empty index.html files all over cmsms folders).
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
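The checks suggested in the replies above (compare files with the originals, look for unknown files dated like the changed index.php, and look for anything appended after the closing html tag), written out as an added example that is not part of the original thread. It assumes a pristine copy of the same CMSMS release unpacked next to a downloaded copy of the live site; the function names, the one-hour window and the sample files are constructed for illustration.

```python
import hashlib, os, re, tempfile

CLOSE_HTML = re.compile(rb"</\s*html\s*>", re.I)

def read(path):
    with open(path, "rb") as fh:
        return fh.read()

def tree(root):
    """Map relative path -> absolute path for every file under root."""
    return {os.path.relpath(os.path.join(d, f), root): os.path.join(d, f)
            for d, _, files in os.walk(root) for f in files}

def after_html(data):
    """Bytes following the last </html> tag; empty if no tag or nothing follows."""
    hits = list(CLOSE_HTML.finditer(data))
    return data[hits[-1].end():].strip() if hits else b""

def audit(live_root, clean_root, window=3600):
    """Compare a live webroot against a pristine copy of the same release."""
    live, clean = tree(live_root), tree(clean_root)
    digest = lambda p: hashlib.sha256(read(p)).digest()
    changed = sorted(p for p in live if p in clean and digest(live[p]) != digest(clean[p]))
    extra = sorted(p for p in live if p not in clean)  # also lists config, uploads, cache
    stamps = [os.path.getmtime(live[p]) for p in changed]
    # Unknown files written within `window` seconds of a changed file are reviewed first.
    same_time = [p for p in extra
                 if any(abs(os.path.getmtime(live[p]) - t) <= window for t in stamps)]
    trailing = sorted(p for p in live if p.lower().endswith((".html", ".htm", ".php"))
                      and after_html(read(live[p])))
    return {"changed": changed, "extra": extra, "same_time": same_time, "trailing": trailing}

def demo():
    """Constructed sample: a clean tree and a live copy with one altered file."""
    base = tempfile.mkdtemp()
    clean, live = os.path.join(base, "clean"), os.path.join(base, "live")
    for root in (clean, live):
        os.makedirs(os.path.join(root, "admin"))
        for rel in ("index.php", os.path.join("admin", "index.html")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(b"<html><body></body></html>\n")
    with open(os.path.join(live, "admin", "index.html"), "ab") as fh:
        fh.write(b"<!-- constructed placeholder for an appended line -->\n")
    with open(os.path.join(live, "x.php"), "wb") as fh:
        fh.write(b"<?php // constructed unknown file\n")
    return audit(live, clean)

if __name__ == "__main__":
    print(demo())
```

Run it on a downloaded copy of the site rather than on the server, and treat the "extra" list as a review queue, since it also contains legitimate files such as config.php and uploads.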
Rolf
Power Poster
Posts: 7825
Joined: Wed Apr 23, 2008 7:53 am
Location: The Netherlands

Re: Site hacked ?

Post by Rolf »

Neow wrote: In fact, all my websites using CMSMS have been "hacked"... Even those using the most recent version of CMSMS.
Each time, it was the same trojan, and each time, the same files were infected: index.php in the cms root folder, and index.php, home.php and footer.php in the admin folder. Deleting these files and replacing them with the original files solves the problem.
Can you be sure there isn't still a 'bad' script/file on your server that could hack your website again, and again, and...
I have seen it before. Just replacing the changed core files isn't enough... The real problem is still there.

grtz. Rolf
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Marre
New Member
Posts: 6
Joined: Mon Feb 20, 2012 2:47 pm

Re: Site hacked ?

Post by Marre »

Hello,

I have exactly the same problem as above. My site is getting hacked again and again, same files involved :(

I'm a teacher and this is the class' site we've made for a contest. This is the first time I'm using cmsmadesimple. I don't understand what I'm doing wrong.

I use the latest version: 1.10.3, I'm on the contest's server.

Last night I cleaned everything on my server, installed 1.10.3 again (I just didn't create the DB because it was already created and has my data), changed the config.php to 444, changed the admin folder's name.

At 8 AM I was hacked again, same way :(, again around 3PM. Worse, I suspect that I've been infected with internet security virus 2012 by visiting my hacked site this morning -_- (I've fixed it on my computer).

Please, could you help me to stop that definitely? The end of the contest is less than 1 month away and we can't work on it with the children :(
M@rtijn
Power Poster
Posts: 706
Joined: Sat Nov 14, 2009 4:54 pm
Location: the Netherlands

Re: Site hacked ?

Post by M@rtijn »

Marre wrote: Last night I cleaned everything on my server, installed 1.10.3 again (I just didn't create the DB because it was already created and has my data), changed the config.php to 444, changed the admin folder's name.
Did you also change all your passwords?
Make your community a better place!
Marre
New Member
Posts: 6
Joined: Mon Feb 20, 2012 2:47 pm

Re: Site hacked ?

Post by Marre »

Thank you for your answer.

I did change my phpmyadmin password, my CMSMS Admin login and password, but I didn't change the students' access (should I have?). I also could not change my FTP password.
Jo Morg
Dev Team Member
Posts: 1967
Joined: Mon Jan 29, 2007 4:47 pm

Re: Site hacked ?

Post by Jo Morg »

Marre wrote: I did change my phpmyadmin password, my CMSMS Admin login and password, but I didn't change the students' access (should I have?). I also could not change my FTP password.
Students can be asked to change their own passwords, but maybe not worse case. FTP passwords MUST be changed ASAP.
Marre
New Member
Posts: 6
Joined: Mon Feb 20, 2012 2:47 pm

Re: Site hacked ?

Post by Marre »

OK, well, I'll have to ask the support. I have no information about how I can change my FTP password...

One hour ago I just deleted everything on my server to put up a single new index.html with a maintenance message. Guess what? A few minutes ago it was infected also. Isn't that the proof that the problem comes from my hosting platform? Or could it be some hidden files or whatever (I have very poor knowledge about hosting)?

I've contacted the support the first time I had the problem but they said it was cmsms's fault.

I'll keep you informed of their answer. Thank you all for your time.
Neow
Forum Members
Posts: 33
Joined: Wed Nov 19, 2008 1:39 pm

Re: Site hacked ?

Post by Neow »

My websites were also hacked again and again. Same files: index.php and index, footer and home in the admin folder. It seems that changing the FTP password resolved the problem... for now.