HELP- Search module or site hacked or phished, or not?

[burlington]

Website was upgraded last month to latest CMSMS version 1.11.13.

'Search' module files show changes/creation dates at the time of the upgrade, 23/3/15. HOWEVER, there is a file ini.php which is dated 10/4/15.

I raise this question because the site owner has had an email from '<noreply@google.com>' which states:
<quote>
Below are one or more example URLs on your site which may be part of a phishing attack:
http://www.xyz.co.uk/modules/Search/templates
http://www.xyz.co.uk/modules/Search/templates/
http://www.xyz.co.uk/modules/Search/templates/index.html
</quote>

Any ideas folks?

Many thanks

Martin

[staartmees]

I don't think the email is really from the email address "noreply@ google.com", it was probably spoofed. Bet if you clicked on 'reply' you would be sending an email to an email address that is not "noreply@ google.com".

[Jo Morg]

Any ideas folks?

Did you actually try any of those links in your own site to see what happens?
In all CMSMS distributions all directories created or used by the core have an index.html file with the following content:

Code: Select all

<!-- dummy index.html -->

which would display a blank page in any case.
That is what you should find there, and nothing else. If there is some other page, you should be looking for security problems with your host. Typically this is not a CMSMS problem.