UDPride,
I suspect that you're right about Host Excellence and IX Web being connected.
Meanwhile, I found the malicious code that's been attacking my CMSMS site in the modules area of the database. PhpMyadmin for Host Excellence is not secure, so maybe that's where the hole is. I have CMSMS installs (many different versions) with other hosting companies that are fine.Their PhpMyadmin interfaces are secure.
I removed the malicious line from the database, restored it, and restored the site files from a clean copy that I had on my local computer. I changed ALL the passwords (hosting login,database, CMSMS backend) and made nice clean backup copies of everything. We will change hosting if there's any more trouble (and maybe even if there isn't). I only use PhpMyadmin to do backups and will change the database password each time I do (in the hosting control panel and CMSMS config.php file).
The malicious code points to a remote file. It is the last line in the database excerpt below. Happy hunting.
Roger M, NYC
http://www.aboriginaltheatre.com
Code: Select all
--
-- Table structure for table `cms_modules`
--
CREATE TABLE IF NOT EXISTS `cms_modules` (
`module_name` varchar(255) default NULL,
`status` varchar(255) default NULL,
`version` varchar(255) default NULL,
`admin_only` tinyint(4) default '0',
`active` tinyint(4) default NULL,
KEY `module_name` (`module_name`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
--
-- Dumping data for table `cms_modules`
--
INSERT INTO `cms_modules` VALUES
('CMSMailer', 'installed', '1.73.10', 0, 1),
('FCKeditorX', 'installed', '1.0.1', 1, 1),
('MenuManager', 'installed', '1.2', 0, 1),
('News', 'installed', '2.1', 0, 1),
('nuSOAP', 'installed', '1.0.1', 0, 1),
('Search', 'installed', '1.0.4', 0, 1),
('ThemeManager', 'installed', '1.0.7', 1, 1),
('../../../../../../../../../../../../../../../../../../../../../hsphere/local/home/andrewha/v8-powered.com/forum/Packages/pic8.jpg\0', 'installed', NULL, 0, 1);