CMS Made Simple Forums

Posted: **Wed Jul 27, 2011 1:16 am**

I am seeing the below code in all 12 CMSMS sites that I manage. I have restored one site from a backup taken last year and the code is there. I have looked at several other of my CMSMS installations and this code is there in all of them. Is this a part of CMSMS or do I have a corrupted copy?My sttes were installed at different times anusing different versions but I have updated them as new versions became available. The code has been trunkated as it was too long to post.

Code: Select all

<span id="leoHighlights_iframe_modal_span_container">
<div id="leoHighlights_iframe_modal_div_container" style="position: absolute; visibility: hidden; display: none; width: 520px; height: 391px; z-index: 2147483647;" onmouseover="leoHighlightsHandleIFrameMouseOver();" onmouseout="leoHighlightsHandleIFrameMouseOut();"><!-- Top iFrame --><!-- Bottom iFrame --></div>
<__script__ type="text/javascript">// <![CDATA[
   var LEO_HIGHLIGHTS_INFINITE_LOOP_COUNT =              300;
   var LEO_HIGHLIGHTS_MAX_HIGHLIGHTS =                   50;
   var LEO_HIGHLIGHTS_IFRAME_TOP_ID =                    "leoHighlights_top_iframe";
   var LEO_HIGHLIGHTS_IFRAME_BOTTOM_ID =                 "leoHighlights_bottom_iframe";
   var LEO_HIGHLIGHTS_IFRAME_DIV_ID =                    "leoHighlights_iframe_modal_div_container";
      
   var LEO_HIGHLIGHTS_IFRAME_TOTAL_COLLAPSED_WIDTH =     520;
   var LEO_HIGHLIGHTS_IFRAME_TOTAL_COLLAPSED_HEIGHT =    391;
   
   var LEO_HIGHLIGHTS_IFRAME_TOTAL_EXPANDED_WIDTH =      520;
   var LEO_HIGHLIGHTS_IFRAME_TOTAL_EXPANDED_HEIGHT =     665;
  ;
// ]]></__script>

</span>

Posted: **Wed Jul 27, 2011 1:55 am**

Hmm.. I don't see it in any of my installs. Which file are you seeing it in?

Are they all on the same host? Which host?

Posted: **Wed Jul 27, 2011 2:15 am**

The host is Hostmonster. The code shows up on a View Source on the home page. I have 12 websites that I manage that are running CMSMS. Mostly they are 1.9.4.2 but a couple are a version back. I downloaded the files from the first site that I found this on and searched all the files for the string LEO_HIGHLIGHTS without success so it may be a SQL injection thing.

Posted: **Wed Jul 27, 2011 2:58 am**

I found the code in the database in the content_props table. I deleted the code from the table and deleted 2 files in the /tmp directory that also contained the code. I deleted the temp files from Firefos and tried the home page again. The code is still there.

I checked the database and it is gone. I am running out of ideas.

Posted: **Wed Jul 27, 2011 3:57 am**

My guess it is because you use common base templates and/or js plugins.

Without seeing the site and the template we can't tell where it is coming from.

Posted: **Wed Jul 27, 2011 4:10 am**

According to a Google search, it's some Firefox plugin doing this... Try a different browser.

Posted: **Wed Jul 27, 2011 4:19 am**

I guess that doesn't make sense, since you found it in the database and cache.. Anyways. That's what Google said.

Posted: **Wed Jul 27, 2011 6:28 am**

If you were on shared hosting, it's possible you're site got hacked. Probably your index.php got changed. Replace your index.php with the original index.php

Posted: **Thu Jul 28, 2011 5:00 pm**

I got it fixed. I downloaded a database dump and went through the SQL looking for LEO_. I found the section which was quite large and deleted it. Then I dumped the database and reloaded it. Next I uploaded a frest copy of 1.9.4 and ran the upgrade and it now works. I also have tightened the security settings more and added SiteLock support to the site.

CMS Made Simple Forums

[SOLVED] Problem or not?

[SOLVED] Problem or not?

Re: Problem or not?

Re: Problem or not?

Re: Problem or not?

Re: Problem or not?

Re: Problem or not?

Re: Problem or not?

Re: Problem or not?

[SOLVED] Re: Problem or not?