
Reinstalling after attack from hackers

Posted: Sat Mar 06, 2010 8:39 pm
by ybot
Hello

I've got to try and 'repair' a site after it has had malicious code uploaded to it by some hackers. They have downloaded the site, added some malicious code to it and then reuploaded. The site is a CMSmadesimple site and some of the files that have been identified as containing the malicious code are some of the CMSmadesimple ones. I don't quite understand it as none of the templates seem to have the malicious code in them so I don't see where the malicious code can make its way into the pages that people view.

Anyway, Google have flagged it as a dangerous site so I need to get it sorted ASAP.

I was wondering, as the content of the site is in the MySQL database, can I just delete everything in the site directory with my FTP client so all the files with the malicious code have gone, then reinstall CMSmadesimple connecting it to the existing database? The database is fine and was not accessed during the attack.

I have a feeling it won't be that easy and that I would lose uploaded files, images, PDFs etc? I presume reinstalling, and selecting the existing database won't write over the existing database?

It is an old version of CMSmadesimple so needs updating anyway.

Thanks very much  :)

T

Re: Reinstalling after attack from hackers

Posted: Sat Mar 06, 2010 8:46 pm
by uniqu3
Why don't you try contacting the host? Usually hosts back up data for 2-3 weeks, depending on the host, or has the site been hacked for a longer time?

I would back up all the data of the current site and take notes of what modules etc. were installed.
Basically you could delete all CMSMS files and re-upload fresh files of the corresponding version.
To keep your templates, images and uploaded files you will need to keep the uploads folder.
With the config file set with the same data, the site should work as usual.
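
A check for the uploads folder that uniqu3 suggests keeping, as an added example that is not part of the thread or of CMS Made Simple: it walks a local copy of the folder and reports files a web server could execute or that carry a PHP open tag, so they are not carried over to the fresh install. The extension list, function names and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed list for illustration; match it to what your web server executes.
EXEC_PARTS = {".php", ".php3", ".php5", ".phtml", ".phar", ".cgi", ".pl", ".htaccess"}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# Constructed sample tree (not from the thread): relative path -> file bytes.
SAMPLE = {
    "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "images/banner.gif": b"GIF89a<?php ?>",
    "images/x.php.jpg": b"\xff\xd8\xff\xe0",
    "docs/.htaccess": b"# constructed\n",
}

def classify(name, data):
    """Return why a file should not be restored, or None if nothing was found."""
    parts = ["." + p for p in name.lower().split(".")[1:]]
    # Any executable part counts, so 'x.php.jpg' and '.htaccess' are caught.
    if any(p in EXEC_PARTS for p in parts):
        return "executable or server-config file name"
    return "PHP open tag in content" if PHP_TAG.search(data) else None

def audit_uploads(root):
    """Walk a local copy of the uploads folder; return sorted (path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reason = classify(name, fh.read())
            if reason:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Write SAMPLE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return audit_uploads(root)

if __name__ == "__main__":
    print("\n".join(f"{why}: {rel}" for rel, why in demo()))
```

An empty result only means none of these patterns matched; it does not prove the folder is clean.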

Re: Reinstalling after attack from hackers

Posted: Sun Mar 07, 2010 2:29 am
by replytomk3
I have answered this question a hundred times.

Re: Reinstalling after attack from hackers

Posted: Sun Mar 07, 2010 2:31 am
by ybot
Cool, thanks very much.

When you say back up the data, what exactly do you mean? The MySQL database? I'll back up/download the 'uploads' folder but I'm nervous to download the whole site because of the malicious code in there.

Thanks again

T :)

Re: Reinstalling after attack from hackers

Posted: Sun Mar 07, 2010 2:33 am
by ybot
Sorry replytomk3

I'll search again but if you've got a link to an earlier post I'll follow it up

Thanks

T

Re: Reinstalling after attack from hackers

Posted: Sun Mar 07, 2010 2:38 am
by replytomk3

Re: Reinstalling after attack from hackers

Posted: Mon Mar 08, 2010 10:50 am
by Izal
I am going to assume that they have a copy of CMSMS and have found an exploitable code segment and that is split between the database (as in it is stored in the database) and they have likely got some check to see if the code is present on the server as some processes can be automated in the SQL side of things.

If you know what to look for, you could try finding out what processes have been automated, this is as simple as a trigger on a database query that sets off a secondary query or process that can result in the infection being rewritten to the site.

If you cannot find what the problem is, then your only option is to ditch the database completely and start afresh.

I would examine your modules and plugins and especially any that use the database.