Thread

My site was hacked over the weekend. Per Hostingmatters tech support:

You have two directories under your account space that are full of script kiddie files:

[...]

They fact that they’re owned by user “nobody” means they were placed there via an exploit in a php application or plugin you’re using. You need to upgrade your blog software/other php applications, remove any plugins you’re not using and upgrade the rest. Also recommend changing passwords for all users on your blogs, or anything else that is a php application.

This is a good time to upgrade to the latest EE. I need to find out what version of EE I was running so as to upgrade, and since my site is down, I can’t log in to check.  All my EE files are still accessible by FTP though. What EE file can I examine to determine what EE version I was running?

In EE1, it’s /system/config.php:

$conf['app_version'] = "169";

In EE2, it’s /system/expressionengine/config/config.php

$config['app_version'] = '211';

Hi Vik,

  Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you.

  1. EE version and build (since you can’t access the control panel, open config/config.php and let us know the value of app_version)
  2. Other scripts on your account, whether in use or not (phpBB, etc…)*

  Please also check these files:

  * path.php
  * config.php
  * index.php

  to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

After a full backup, go ahead and perform a version update. Thank you and please keep us posted.

Hi Brandon,

Thanks very much for your help!

1. EE version and build
$conf[‘app_version’] = “160”;

2. Other scripts
No other scripts on this account.  There are of course various EE extensions.

I have checked path.php, config.php, and index.php, per your request, and have not seen any iFrames or Javascript includes.

I will perform an update later today and will report here on the status.

Question: Should I upgrade immediately to the latest version of EE? I believe I saw a forum post saying I first had to upgrade to EE 1.6.9.

I just installed EE 1.7, without copying in, yet, any of the mods and extensions I am using. I’m still getting an error message on trying to access the site:

The requested URL /main was not found on this server.

Does this error message indicate something I need to do?

Also, are any database changes required to move from EE 1.6 to EE 1.7?

Thanks in advance for any info.

Hi, Vik. There are a number of database changes from EE1.6 to EE1.7.0. Your best course of action is to do a Version Update. Does that help?

My site is back online! It looks like no data was lost.  Somehow the last time I upgraded I had left the upgrade.php and the uploads folder on the site, and that is something that EllisLabs specifically says not to do as it can be a security risk.

Thanks to all here for your help!

Glad things are working again. Don’t hesitate to post again as needed.