ExpressionEngine CMS
Open, Free, Amazing


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Path.php defaced

June 09, 2010 8:13am

  • #1 / Jun 09, 2010 8:13am

    Jabbler

    59 posts

    Hello, one of my EE installations had its path.php modified and replaced with malicious code. I need help re-making a path.php manually. I’d be grateful if someone could paste their existing path.php for me to see (with your details masked of course).

  • #2 / Jun 09, 2010 8:49am

    Sue Crocker

    26054 posts

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php
      * config.php
      * index.php

      to ensure that there is no unusual code such as iFrames or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / Jun 09, 2010 10:08am

    Jabbler

    59 posts

    I was running version 1.6.7 at that time. I am in the process of refreshing the files with the latest build. Yes, config and index.php look fine.

    I am aware another user on the same server running WP was hacked too.

  • #4 / Jun 09, 2010 3:32pm

    Ingmar

    29245 posts

    This is probably not an EE issue, but we certainly would like to get to the bottom of this. Please let us know if and when your host gets back to you. In the meantime my recommendation is to replace all files with a freshly downloaded set, upgrading to 1.6.9 in the process. Be sure to change your passwords, too, just in case.

  • #5 / Jun 11, 2010 2:46pm

    Jabbler

    59 posts

    I think it’s the WP installation on the other customer that messed up my site. Could someone paste an example of path.php so I can restore mine?

    Thanks!

  • #6 / Jun 11, 2010 2:50pm

    Lisa Wess

    20502 posts

    Here you go, Jabbler - EEWiki:// Path

  • #7 / Jun 14, 2010 2:41am

    Jabbler

    59 posts

    Here you go, Jabbler - EEWiki:// Path

    Thanks LOADS Lisa.

  • #8 / Jun 14, 2010 3:48am

    John Henry Donovan

    12339 posts

    Jabbler,

    Glad Lisa was able to help. Did your host confirm it was a WP installation on the same server that the breach was on?

  • #9 / Jul 06, 2010 3:52am

    Jabbler

    59 posts

    Hello John,
    Yes, it was hacked through WP; it’s confirmed by my host. Some WP installations were not up to date on the server. It’s weird that even if my files were properly CHMODed, i.e. 666 for config/path files - the hacker was still able to modify my path.php.

  • #10 / Jul 06, 2010 5:43am

    John Henry Donovan

    12339 posts

    Jabbler,

    Thanks for following up with the origin of the hack. Feel free to start a new thread if you have any more questions.
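
The file check requested in post #2 and the permission setting mentioned in post #9 can be combined in one audit script. This is an added example, not code from the thread or from ExpressionEngine; the function names, the sample file contents and the `example.invalid` URL are constructed for illustration. It flags iframes and script includes in path.php, config.php and index.php, and reports files whose mode has the world-write bit set, which mode 666 does.

```python
import os
import re
import stat
import tempfile

# Markup that post #2 says to look for: iframes and JavaScript includes.
SUSPICIOUS = {
    "iframe": re.compile(rb"<\s*iframe\b", re.I),
    "script include": re.compile(rb"<\s*script\b[^>]*\bsrc\s*=", re.I),
}

def audit_file(path):
    """Return findings for one file: world-writable mode and suspicious markup."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IWOTH:  # write permission is granted to every user on the host
        findings.append(f"world-writable (mode {mode:o})")
    with open(path, "rb") as fh:
        for lineno, line in enumerate(fh, 1):
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(line):
                    findings.append(f"line {lineno}: {label}")
    return findings

def audit_site(root, names=("path.php", "config.php", "index.php")):
    """Audit the three files named in post #2; report missing ones as well."""
    report = {}
    for name in names:
        path = os.path.join(root, name)
        report[name] = audit_file(path) if os.path.isfile(path) else ["missing"]
    return report

def build_sample_site():
    """Constructed sample data: clean index.php, path.php with an appended iframe."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": (b"<?php\n// constructed placeholder\n", 0o644),
        "path.php": (b"<?php\n// constructed placeholder\n?>\n"
                     b'<iframe src="http://example.invalid/" width="0"></iframe>\n', 0o666),
    }
    for name, (body, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)  # explicit chmod so the umask cannot clear the bits
    return root

if __name__ == "__main__":
    for name, findings in audit_site(build_sample_site()).items():
        print(name, "->", findings or "clean")
```

A hit from the patterns is a prompt for manual review of that line, since legitimate templates can also contain iframes or script tags.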
