[SOLVED] [Security] Site hacked?
Posted: Tue Feb 16, 2010 3:16 pm
by sgtstevil
Can somebody take a look at the source code for http://www.belastinggidsopmaat.nl, at the bottom? I've no idea what happened but there seems to've been some code injected... I'm running 1.6.6...
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 3:24 pm
by RonnyK
Could you check with SystemVerification what files are modified?
Ronny
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 3:28 pm
by sgtstevil
Done, it's a whole bunch, mostly related to modules... these seem to be the most important:
/admin/pagedefaults.php
/admin/dashboard.php
/admin/themes/default/css/style-rtl.css
/admin/themes/NCleanGrey/docs/license.txt
/admin/themes/NCleanGrey/docs/readme.txt
/admin/themes/NCleanGrey/docs/CHANGELOG.txt
/admin/themes/NCleanGrey/docs/AUTHORS.txt
/admin/themes/NCleanGrey/images/icons/readme.txt
/admin/themes/NCleanGrey/NCleanGreyTheme.php
/admin/editevent.php
/admin/checksum.php
/admin/eventhandlers.php
/admin/systeminfo.php
/tmp/cache/index.html
/tmp/templates_c/index.html
/lib/sllists/SLLists.class.php
/lib/adodb_lite/adodb-error.inc.php
/lib/html_entity_decode_php4.php
/lib/xajax/xajax_core/plugin_layer/xajaxEventPlugin.inc.php
/lib/xajax/copyright.inc.php
/uploads/.htaccess
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 3:36 pm
by sgtstevil
OK, I found it. It was injected into index.php... I've removed it, but how did it happen? I'm a total security-noob, so what should I look into? chmod?
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 4:03 pm
by pukka
Possible ways they could have hacked into your site:
1) The PC you use to work on the site has been infected with malware. This then collects passwords etc. and sends them back to the hacker.
2) Your server has been compromised. Get your web host to check.
3) The PC of someone else who has access to the site has been infected.
In all cases, run a virus/malware scan on ALL the PCs that have access to the site (yours, colleagues, clients etc.). AVG/Malwarebytes or other good antivirus/malware software should do the trick.
When you have finished running all scans and hopefully gotten rid of all infections, make sure you change the password for the site.
Note that the code may also have been injected into all other default files on the site.
It's a pain in the backside but I recommend you check every folder on your site and see if the default files have been infected (index.html, index.php, default.html etc.).
Make sure you have run the scan before changing the password on your site.
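Added example, not part of the thread: the file check RonnyK asks for and the folder-by-folder check pukka recommends can be approximated by hashing the live webroot against a clean copy of the same release. The function names, the `site_specific` default and the sample trees are assumptions constructed for illustration; this is not the CMS's own System Verification code.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, live_root, site_specific=("config.php",)):
    """Diff a live webroot against a clean copy of the same release."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    skip = set(site_specific)  # files expected to differ per install (assumed)
    return {
        # Shipped files whose content changed: candidates for injected code.
        "modified": sorted(p for p in clean if p in live
                           and clean[p] != live[p] and p not in skip),
        # Shipped files that are gone from the live site.
        "missing": sorted(p for p in clean if p not in live),
        # Files the release never shipped: uploads, caches or planted files.
        "added": sorted(p for p in live if p not in clean and p not in skip),
    }


def demo():
    """Compare two small constructed trees (sample data, not from the thread)."""
    def write(root, rel, data):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(data)

    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            write(root, "index.php", "<?php // constructed page\n")
            write(root, "admin/dashboard.php", "<?php // constructed\n")
        # Constructed tampering: appended markup plus an unexpected extra file.
        write(live, "index.php", "<?php // constructed page\n<!-- appended -->\n")
        write(live, "uploads/extra.php", "<?php // constructed\n")
        return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a freshly unpacked archive of the exact version installed; entries under "added" in writable directories deserve the closest look, since the clean release has nothing to compare them with.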
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 4:30 pm
by sgtstevil
Thanks for the quick responses. Since there's only 3 people who work on this website (me, a developer and my mother), of which only 2 have FTP-access (me and the developer), and we both run strict security regimes (I actually bought an ESET NOD32 license, don't install any cracked / hacked software, firewall is shut tight), I believe this to be a security flaw on the hosting-side. Sucks that this means we'll be removed from Google's index for 30 days.
Re: [OPEN] [Security] Site hacked?
Posted: Tue Feb 16, 2010 4:42 pm
by pukka
I don't think it's certain that you'll be removed from Google index. If you get rid of all the crap ASAP then you should be fine (not certain but likely).
Run a scan on all 3 PCs and if it comes back clean then fair enough. Change the password once the scans are completed.
Get in touch with your webhost and see if they can fix it.
If they can't then you should move hosts.
Re: [SOLVED] [Security] Site hacked?
Posted: Thu Feb 18, 2010 4:19 pm
by sgtstevil
Thanks for the swift responses guys! Turns out my hosting-provider was at fault. They've uprated some security things (of which they'll tell me the details soon) and everything seems back on track!