Multiple sites hacked! Line 225 index.php - Anyone else?

[ncd]

Hi there,

I've updated my sites to the latest version, 1.10.3 yet I'm getting repetitive security breaches - once hacked, this error message is displayed:

Code: Select all

Parse error: syntax error, unexpected T_STRING in /home/yeser5/public_html/index.php on line 225

It's adding a bunch of malicious code on line 219, in the php tag, right after $smarty->_eval('?...

Screen shot attached.

I have no idea what all that is, but it don't look good!

About 5 of my sites, on 3 different servers, have all had this hack a couple of times in the last few weeks... config and index have been set to chmod 644 - I try to set them to 444, but filezilla wont accept it - is there another way? Or is that not the issue?

Obviously putting the original index file back up fixes it, but I'd love to know how to prevent it. I update ftp and admin passwords regularly...

Anyone come across this or have any suggestions?

Thanks!

[Rolf]

Please read this: http://forum.cmsmadesimple.org/viewtopi ... 72#p276472

Rolf

[ncd]

Thanks Rolf!

[Wishbone]

It was nice of the hackers to comment their code.

[ncd]

Ha! I know...

It's organised crime that we're dealing with!

[ncd]

Hi,

Just wondering if anyone has come across this yet?

It's happened a few more times since.

Apart from upgrading is there anything else I should be doing?

Can the sever be hacked via the CMS admin? If users don't logout is it exposed? Is there a setting to enable sessions for the admin so if they don't logout the session will end?

Thanks.

[calguy1000]

If you have completely cleaned your sites... and some are still getting hacked, then the hack is probably coming from a file on your server either a file that exists on your site(s) placed there by a hacker.... or a site that exists on somebody elses site on the same host.

a: Clean your sites
b: Do system verification
- understand ALL of the errors, double check all of the files (even the images)
c: Tighten up all permissions
- Don't ask what permissions should be, they should be tight but the exact permission level depends on how the system is configured and the functionality you need.
d: Make a backup of everything (once it is clean)

if it happens again after you've cleaned up again, report it to your host or system administrator.

[ncd]

Ok great - thanks for that will give it a go!

[Rolf]

Ha! I know...

It's organised crime that we're dealing with!

LOL

Just wondering if anyone has come across this yet?

Yes, I seen it before. Like Calguy said, there is somewhere a file at your server that is changing your files.
So you aren't hacked *again*, but you are *still* hacked...

Rolf