Site hacked ?

[calguy1000]

One hour ago I've juste delated every thing on my server to put a new single index.html with a maintening message. Guess what ? some minutes ago it was infected also. Isn't that the proof that the problem comes from my hosting platform ? or could it be some hidden files or whatever (I have very poor knowledge about hosting) ?

This is not proof that the problem comes from the hosting platform... it is however proof that the problem does not come from CMSMS. It could still be a compromised ftp password.

[Marre]

Yes, I had the same thought after my writting I've asked them to have a look and give me a new FTP password. Hope it will fix my problem but I'd like also to understand what happend exactly to prevent, if possible, in the futur.

[mcDavid]

My websites were also hacked again and again. Same files : index.php and index, footer and home in the admin folder. It seems that changing ftp password resolved the problem... for now.

You should also run virus scanners on ALL computers accessing your FTP folders, or it'll be back sooner or later.

These "hacks" are 99% of the time just keyloggers that record the passwords people use in their FTP-client.

[Neow]

Another question : one the infected website has now another problem. I replaced infected files by originals one, and now the site doesn't load when accessing by Firefox or Internet Explorer, but works on Chrome. I tried to reupload many files, clear cache, etc. but nothing works. Any idea ?
I use the same process on the other sites and they have no problem...

The site is : http://www.ce-clemessy-strasbourg.com/

[Jo Morg]

It also opens fine with Opera. It seems that a script is taking too long to execute. Can't pinpoint which or why. But try to look into server logs for errors. That may very well give you a clue.

[Neow]

It seems my problem comes from the root index.php file.
And after many tries with die() instruction, the problem seems to be here :

Code: Select all

		if( isset($config['process_whole_template']) && $config['process_whole_template'] === false )
		  {
			
		    $top  = $smarty->fetch('tpl_top:'.$contentobj->TemplateId());
		    $body = $smarty->fetch('tpl_body:'.$contentobj->TemplateId());
		    $head = $smarty->fetch('tpl_head:'.$contentobj->TemplateId());
		    $html = $top.$head.$body;

		  }

Somebody knows something about a problem with this code ?

[M@rtijn]

As long as 'they' can access FTP, and they can cause they know the password, they will.

Change ftp password, check pc for viruses (keyloggers!), revert to last safe backup and live happily

[Marre]

Some news. I've received a new FTP password and my hosting support said they've found suspicius FTP login in the server's logs.

Everything seems OK now, hope it will be fine in the futur. Thank you all for your help and advices.

[Wishbone]

Did they give you any details? I had a site on a host that was continuously being hacked (flat HTML site). They told me the same thing. I changed the FTP password from a clean computer (no virus/spyware), never used it, and it was still getting hacked. The hosting company was being hacked, and they didn't want to admit it. Changed hosting company, and the issue went away.

[Marre]

Well no, they didn't give me any details except that I have to keep my FTP password secure. What I did.

But, in my case I know that my computer had once a problem. I can't etablish wich one between my website or my computer was first infected as it arrived quite together. It's the very first time in my internet's life I had to face that kind of problem. First I thought my son may have done something wrong on my computer.

Now my computer is clean. I really hope that I was the problem at the begining as I have no opportunity to change the hosting for the contest

[sjukke]

Some of my sites also got infected. After the last </div> tag it places a javascript. I can't figure out where the code is, I replaced all files with clean CMSMS files and it's not in the template. Can somebody point me in the right direction?

[sjukke]

I can also not find anything in the database of this code.. I can't figure out where the hell it is, very frustrating. Does someone got an idea where to find the code?

[Neow]

If it is the same problem I got, you will have to replace all index files (in each folder, you have a index file). Try also to search for files that are not from CMSMS ans files that have been modified since you were infected.

[Dr.CSS]

If you can't find it anywhere else look in the index.php in the [root]...

[Wishbone]

If you have any PHP experience, you can do what I've done once before. The site wasn't hacked, but all language file strings were missing in the admin panel, and I had to do some extreme debugging to find the issue.

I start editing index.php and put in debug print statements. As the code descends into subroutines, I find that file and continue on until I find the culprit piece of code that is outputting (or in my case not outputting) the culprit string.

In this case, one PHP command was not acting as expected, and after looking it up I found that it was a PHP4 vs PHP5 issue. The user's host had upgraded her to a newer version of PHP, and her version of CMSMS didn't support it.