This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
The active forums are here.
September 28, 2010 2:47pm
Subscribe [2]#1 / Sep 28, 2010 2:47pm
We created a website for a client about a year ago using Expression Engine 1.x. It was recently flagged by Google as being an attack site. In the code, it appears someone got in and inserted some javascript code pointing to “http://addonrock.ru/...”. I plan to replace all of the site files from backup; however, I’m curious as to how the intrusion could have occurred. Any thoughts?
The client has their site hosted on GoDaddy.
Thanks!
#2 / Sep 28, 2010 5:47pm
Thank you for bringing this to our attention. We take security very seriously and will do our best to work with you to figure out what’s going on. To that, we need some additional information from you:
What version and build are you running? Are there any other scripts on your account, whether in use or not (php, etc…)? While we work through this, please check through these files:
- path.php
- config.php
- index.php
to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find such code, please back-up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask. You may also wish to refresh your files by following the build update instructions, upgrading to the most recent version / build in the process.
Is that a managed server? Your host should be able to pinpoint the vector of attack so that steps can be taken to prevent this in the future. My suggestion would be to replace all of EE’s files, and change all passwords (EE, MySQL, FTP).
Thank you.