This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Website pages displaying Spam - have I been hacked?

February 05, 2011 2:44pm

  • #1 / Feb 05, 2011 2:44pm

    mountain monkey

    23 posts

    When I click on the option to view a page from within the Template module of my website, rather than displaying my page content I am brought to a page that is filled with spam.

    Here’s what happens;

    I click on the “view” link next to the template page I want to view
    I get a message that says, “To proceed to the URL you have requested, click the link below:
    http://www.mysite.com/index.php?/weblog/index/
    The URL that is then displayed in my address bar is;
    http://www.mysite.com/index.php?URL=http://www.mysite.com/index.php?/weblog/index/

    This page is filled with spam links. At the time this happened (this morning), I was using Version 1.6.7, Build 20090320. This afternoon I have updated to Version 1.7.0, but I can’t get my site back online.

    Also, when I googled my website address the description that’s displayed is Spam related;
    “Buy cialis professioanl online | Top Canadian Online Pharmacy| Best Quality Drugs Without Prescription! Only Friendly Customer Support! Fast Worldwide Shipping! Special Internet ...”

    Can anyone shed some light on why and how this has happened? Can I fix it somehow so that it doesn’t happen again? Any help would be greatly appreciated! I’ve had my EE site for approx. 6 years and hate to see it be destroyed like this.

    Linda

  • #2 / Feb 05, 2011 2:49pm

    Ingmar

    29245 posts

    Have you got a link to the site?

  • #3 / Feb 05, 2011 2:57pm

    mountain monkey

    23 posts

    Yes, can I MSG it to you rather than post it here?

    Thanks,
    Linda

  • #4 / Feb 06, 2011 10:48am

    mountain monkey

    23 posts

    Ingmar, I’ve sent you a link to my site as you requested. In the meantime I’m trying to get my site back online after upgrading to 1.7.0 from 1.6.7. The installation was successful but for some reason my pages are not displaying. I’m wondering if it’s a path issue since I renamed my system folder when uploading the new version???

    Any help would be greatly appreciated!

    Thanks,
    Linda

  • #5 / Feb 07, 2011 7:40am

    Sue Crocker

    26054 posts

    Hi, Linda. The link you sent Ingmar is coming back as not being a valid site.

  • #6 / Feb 07, 2011 10:57am

    mountain monkey

    23 posts

    Thanks for your reply Sue. As mentioned, I’ve been trying to get my site back online after updating to 1.7.0. The update said it was successful, but I’m getting a blank page when I try to go to the login page. When I enter my site’s URL in the address bar I get the following message;

    Content Encoding Error
    The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

    When updating to 1.7.0 I changed the system folder name (as suggested in the instructions) and also because I had changed it right from the very first installation 7 years ago. I tried updating the path.php folder but it still isn’t displaying my page.

    The link I sent is definitely a valid website. It was up and running fine as of Friday when I discovered the spam problem and tried to update EE.

    Is there something else I can try?

    Linda

  • #7 / Feb 07, 2011 9:34pm

    mountain monkey

    23 posts

    Hi, Linda. The link you sent Ingmar is coming back as not being a valid site.

    Hello Sue and Ingmar,

    I’ve restored my website so that you can see the spam problem I referred to in my original post on Feb 5. As I mentioned, when I click on the option to view a page from within the Template module of my website, rather than displaying my page content I am brought to a page that is filled with spam.

    Here’s what happens;

    I click on the “view” link next to the template page I want to view
    I get a message that says, “To proceed to the URL you have requested, click the link below:
    http://www.mysite.com/index.php?/weblog/index/
    The URL that is then displayed in my address bar is;
    http://www.mysite.com/index.php?URL=http://www.mysite.com/index.php?/weblog/index/

    This page is filled with spam links.

    Do you need any additional information from me?

    Linda

  • #8 / Feb 08, 2011 3:16pm

    Barry Cogan

    291 posts

    Hi Linda,

    I can see that white page.
    Do those spam entries show up in your weblog entries page in the Control Panel?
    Who else outside of you has access to the control panel?  Have you all changed your passwords?
    Are you running any Stand Alone Entry Forms?

    Best regards,
    Barry

  • #9 / Feb 08, 2011 5:20pm

    mountain monkey

    23 posts

    Thanks for your reply Barry. No one else has access to my control panel, I’m the only one. Also, I don’t have a stand alone form and the spam entries do not show up as weblog entries anywhere on my site.

    I can’t understand not only how these entries are associated with my site, but how when I Bing.com my website address the description for my website is Spam related as follows;
    “Buy cialis professioanl online | Top Canadian Online Pharmacy| Best Quality Drugs Without Prescription! Only Friendly Customer Support! Fast Worldwide Shipping! Special Internet ...”


    Thanks,
    Linda

  • #10 / Feb 09, 2011 2:18am

    John Henry Donovan

    12339 posts

    Linda,

    Can you take a screenshot of where you see these spam links? I can’t quite work out where you see them.

  • #11 / Feb 09, 2011 12:37pm

    mountain monkey

    23 posts

    Thanks for your reply John.

    I’ve attached a screenshot of the Spam page as you requested. Here’s how I got to this page;

    - from my Templates module in my Control Panel I click on “View” next to any template. This action takes me to a page that says,

    To proceed to the URL you have requested, click the link below:
    http://www.mysite.com/index.php?/weblog/index/

    The URL for this page is; http://www.mysite.com/index.php?URL=http://www.mysite.com/index.php?/weblog/index/

    - When I click on the link I’m taken to the page in the screenshot. The URL in the browser for this page is; http://www.mysite.com/index.php?/weblog/index/

    However, if I take that URL and paste it into a new browser page, it brings me to my REAL website home page.

    If you need my login information so you can see it in action first hand, please let me know and I’ll PM it to you.

    Any help would be greatly appreciated!

    Thanks,
    Linda

  • #12 / Feb 10, 2011 3:26am

    John Henry Donovan

    12339 posts

    mountain monkey,


    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

    Can you please check your email?

    If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    You have refreshed your files through a build update, but the hack may still exist in certain files.

    Also, please ensure that you report this to your host immediately, as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #13 / Feb 10, 2011 11:00am

    mountain monkey

    23 posts

    Thanks John, I’ve submitted my login information as requested.

    Linda

  • #14 / Feb 10, 2011 4:23pm

    Brandon Jones

    5500 posts

    Hi Linda,

    It looks like you’re still on 1.6.7. There was definitely spam code added to a few EE files which I have removed, however please perform a version upgrade to 1.7.0 to ensure we have all new files up there.

    I also see a number of non-EE scripts in there; were you able to work with your host to determine where the attack originated from?
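
Added example, not part of the original thread and not ExpressionEngine's own code: one way to check whether altered files or non-EE scripts remain after a file refresh is to hash the live tree against a freshly unpacked copy of the same release. The helper names and every file name in the demo are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_to_clean(deployed, clean, ignore=()):
    """Compare a live tree with a pristine, unpacked copy of the same release.
    `ignore` lists relative paths expected to differ (locally edited files)."""
    live, ref = tree_hashes(deployed), tree_hashes(clean)
    return {
        # Shipped files whose content changed: candidates for injected code.
        "modified": sorted(f for f in live
                           if f in ref and live[f] != ref[f] and f not in ignore),
        # Files the release never shipped: uploads, add-ons or dropped scripts.
        "extra": sorted(f for f in live if f not in ref and f not in ignore),
        # Shipped files missing from the live tree.
        "missing": sorted(f for f in ref if f not in live),
    }


def demo():
    """Build two small constructed trees (all file names made up) and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        shipped = {"index.php": "<?php // front controller",
                   "path.php": "<?php // default system path",
                   "system/core/core.example.php": "<?php // core file"}
        for root in (clean, live):
            for rel, body in shipped.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering: a core file altered, an unknown script added,
        # and path.php edited locally (expected, so it is ignored).
        (live / "system/core/core.example.php").write_text("<?php // core + injected")
        (live / "images/x.php").parent.mkdir(parents=True)
        (live / "images/x.php").write_text("<?php // not part of the release")
        (live / "path.php").write_text("<?php // renamed system path")
        return compare_to_clean(live, clean, ignore=("path.php",))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(kind, names)
```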

  • #15 / Feb 11, 2011 10:48am

    mountain monkey

    23 posts

    Thanks for your help Brandon. As I mentioned above, the first thing I tried was to upgrade to 1.7.0. The upgrade said it was successful but I couldn’t get my site to display, so I reverted back to version 1.6.7 so that EE Support could see the issue asap. I will try upgrading again.

    I have some questions;

    Since my control panel wasn’t hacked, can you tell me how the spam code was added to my EE files?
    Which files were targeted? Were the files in question, forms, or a particular type of file that made it vulnerable to adding code?
    What non-EE scripts are you referring to? I’d like to remove them.

    Most importantly, how can I prevent this from happening again?

    Lastly, I have not contacted my host yet as their blanket statement in regards to any third party software question is they don’t provide any type of support related to it (i.e. they blame the software). From your observations, can you give me some details that will help “convince” them that it’s not an EE problem but a hosting problem?

    Thanks again for your help,
    Linda
