CMSMS Pharma Hacked--How do I fix? {solved}
I had been pharma hacked about a year ago, and after upgrading to the most recent version of CMSMS it seemed fixed. However, just recently I have been pharma hacked again.
I am running 1.11.7 "Genovesa", and all modules are up to date.
The unique thing about pharma hacks and hacks like them is they fly under the radar, and are truly to destroy page ranking by convincing Google your site sells Viagra and so on.
The troublesome site is: tourpikecounty.com/index.php?page=hatfield-mccoy-shop
The page may load correctly, but if you click around on the website, and back to that page (through shop hatfield-mccoy link at top), after a while, you'll see a whole page of Viagra links.
We are a small non-profit, and I am more of a publication-prepress kind of guy. We need all the help we can get.
Last edited by skarni on Fri Jul 26, 2013 8:29 pm, edited 2 times in total.
Re: CMSMS Pharma Hacked--How do I fix?
Are you on a shared host? Is there a WP install on the same server or some other system that could have let them in? Did you change all passwords: CMSMS, FTP, etc.?
Re: CMSMS Pharma Hacked--How do I fix?
Our host says it is on a shared host, but I do not see a WordPress site installed on my domain when I check FTP.
I can change the passwords. We have done that before but clearly there is a security issue somewhere.
Re: CMSMS Pharma Hacked--How do I fix?
I tested with Opera and Firefox, and only saw that behavior with Firefox.
I suspect that all index.* (php/htm/html) files may be infected with some code (probably JavaScript), either on the top or bottom of the file. That being the case, it is a virus (quite an old one btw) that may have infected the server, and either never got completely eradicated or found its way back (by some unsecured connection like FTP, etc). Sometimes, all it takes is another CMS or script with some weakness coexisting on the same server/site for this to happen.
I would compare the root index.php file with one from the same version, freshly downloaded. If it's different, then all you would need would be to overwrite the files. But, still, you would have to see if the database wasn't affected. Also, you would need to track the origin of the problem (I bet it's not CMSMS).
HTH
"There are 10 types of people in this world, those who understand binary... and those who don't."
* by the way: English is NOT my native language (sorry for any mistakes...).
Code of Conduct | CMSMS Docs | Help Support CMSMS
My developer Page on the Forge
GeekMoot 2015 in Ghent, Belgium: I was there!
GeekMoot 2016 in Leicester, UK: I was there!
DevMoot 2023 in Cynwyd, Wales: I was there!
Re: CMSMS Pharma Hacked--How do I fix?
I will compare them, Jo. BTW I notice this on Safari as well, but you have to vigorously refresh the page and click the link to get it to expose itself.
Re: CMSMS Pharma Hacked--How do I fix?
skarni wrote: I had been pharma hacked about a year ago, and after upgrading to the most recent version of CMSMS it seemed fixed. However, just recently I have been pharma hacked again
The website isn't hacked again, but is still hacked!!
Seen it before: a non-CMSMS PHP file somewhere between the regular files, hacking the files over and over... This file can be months or years old.
Upgrading might look like you fixed the problem earlier, but I am sure it didn't!
How to fix (in short)
- Make a screendump of the module versions list.
- After creating a full back-up (files and database) remove *all* files from the server.
- Change FTP passwords.
- Copy a new set of files CMSMS Core and third party add-ons (modules and tags). Don't install anything!! Just unzip the files from the Forge and FTP them to the server!
- Create the theme and image folders and copy the files one by one back to the server.
This way you can be 99.99999% sure there are no bad files on your server!
- + - + - + - + - + - + -
LATEST TUTORIAL AT CMS CAN BE SIMPLE:
Migrating Company Directory module to LISE
- + - + - + - + - + - + -
Re: CMSMS Pharma Hacked--How do I fix?
Rolf wrote: The website isn't hacked again, but is still hacked!!
I agree 100%! And to reduce the noise I would start by doing what Rolf suggested step by step.

Just make sure you match versions for CMSMS core and modules.
Re: CMSMS Pharma Hacked--How do I fix?
I noticed one piece of code that was different in my index.php file as compared to the clean install's index.php file in the root. There's an include for arrow.gif. I find it strange, think there's something to that? (highlighted below, at the top of the document)
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Last edited by Rolf on Fri Jul 26, 2013 7:33 pm, edited 3 times in total.
Reason: Removed hacked code
Re: CMSMS Pharma Hacked--How do I fix?
arrow.gif can be a php file... the compiler will see it as such regardless of the extension. So, yes I would assume that is the entry for the hack.
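Added example, not part of the original thread: a Python sketch of the two checks discussed above, comparing the live tree against a freshly downloaded copy of the same version and flagging image files that contain PHP (the arrow.gif case). The directory layout, the `uploads/` location and all file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

IMAGE_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".ico"}
PHP_MARKER = b"<?php"  # short open tags are not covered; this is a triage hint

def audit(live_root, clean_root):
    """Compare a live web root with a clean reference tree of the same version.

    modified     -> file exists in both trees but the hashes differ
    unknown      -> file exists only in the live tree (uploads, themes, or planted)
    php_in_image -> image extension, but the bytes contain a PHP open tag
    """
    live, clean = Path(live_root), Path(clean_root)
    report = {"modified": [], "unknown": [], "php_in_image": []}
    for f in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = f.relative_to(live).as_posix()
        data = f.read_bytes()
        ref = clean / rel
        if not ref.is_file():
            report["unknown"].append(rel)
        elif hashlib.sha256(data).digest() != hashlib.sha256(ref.read_bytes()).digest():
            report["modified"].append(rel)
        if f.suffix.lower() in IMAGE_EXTS and PHP_MARKER in data.lower():
            report["php_in_image"].append(rel)
    return report

def demo():
    """Build two small constructed trees and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "lib").mkdir(parents=True)
            (root / "index.php").write_bytes(b"<?php require 'lib/include.php';\n")
            (root / "lib" / "include.php").write_bytes(b"<?php // core\n")
        # Constructed tampering: an extra include in index.php plus a fake image.
        (live / "index.php").write_bytes(
            b"<?php include 'uploads/arrow.gif';\nrequire 'lib/include.php';\n")
        (live / "uploads").mkdir()
        (live / "uploads" / "arrow.gif").write_bytes(b"GIF89a<?php /* placeholder */ ?>")
        (live / "uploads" / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00")
        return audit(live, clean)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files reported as `unknown` are not necessarily malicious (uploads and themes are never in the distribution), which is why they have to be reviewed one by one before being copied back.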
Re: CMSMS Pharma Hacked--How do I fix?
*NEVER* post hacked code!!!
Google recognizes it as live code and will blacklist our forum!
We have been there!!
Take a screendump and post that...
Re: CMSMS Pharma Hacked--How do I fix?
I wonder what I need to do to keep them from getting in again?
Re: CMSMS Pharma Hacked--How do I fix?
skarni wrote: I wonder what I need to do to keep them from getting in again?
http://forum.cmsmadesimple.org/viewtopi ... 74#p301974