[Solved]Site hacked cannot find source

[KJHunt]

CMS Version 1.4.1 "Spring Garden"
Server Operating System (server_os): Linux 2.6.9-89.0.11.ELsmp On i686
Server Software (server_software): Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.7a FrontPage/5.0.2.2635 mod_bwlimited/1.4 mod_auth_passthrough/2.1 
Server Database (server_db_type):  MySQL (mysql)
Server Database Version (server_db_version): 5.0.90


One of my sites http://www.riding-centre.com is showing malicious code in Google Cache and I cannot find out where it is coming from.

All the site files have been fully scanned for malwear and are showing clean.  When the source code is viewed in the site there is no evidence of any infection.

Can anyone help me on this as it is wreaking my head for 2 weeks now and no resolution in sight. Thanks

[calguy1000]

we no longer support 1.4.1

Restore your site from a known good backup
then Upgrade.

[KJHunt]

Hi calguy1000
The problem is that as I cannot find any malwear in any of the file I dont know what is good and what is not.  Is there any way to find out where the malicious code in the Google Cache is coming from?
Thanks.

[edented]

Try google? They have a whole 'how to' section about this.
Also, upgrading to the current cmsms version would likely be a wise thing to do for security reasons.

[scooper]

We had something similar on one of our sites a while back. The code being injected into your page is only being served if the server recognises the User Agent as Googlebot.

Using the 'User Agent Switcher' extension for Firefox when I visit your site with the user agent set to 'Googlebot' I get lots of links to some dubious sites at the top of the page. If I visit the page with the user agent set to Firefox or IE then I just get the normal page. You'll probably see the same if you use Google Webmaster tools to view what the google bot uses.

Sneaky aren't they.

In our case the code had been added to one of the default files that get called from all pages (so index.php or stylesheet.php or something similar) I don't remember which one exactly I'm afraid. You should be able to find out by doing a diff on your install.

You should (obviously) update to the latest version and keep your installation up to date. There's also some useful reading on security on these forums that's well worth taking a look at.

Let me know how you get on and if you need a hand. Good luck.

s.

[KJHunt]

Hi Scooper
Sounds like you might be onto it there - I will check the files (although Malwarebytes could not find anything).

When I upgrade the cms version will it cause any problems for imported (customised templates and stylesheets)?
Kieran

[scooper]

I will check the files (although Malwarebytes could not find anything).

In the instance we had the code was just checking the user agent and pulling in html data from a remote server - so there won't be any malware signature to check in the file itself - just a couple of extra lines of php.  I would recommend doing a diff of your files against a fresh version of 1.4.1 to make sure that there's nothing else going on and to try and understand what's happened.

When I upgrade the cms version will it cause any problems for imported (customised templates and stylesheets)?

You should be fine - but of course you should always backup backup backup.

[KJHunt]

[Solved] Site hacked cannot find source