ExpressionEngine CMS


This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Site "compromised", or so the host would have me believe

November 08, 2011 10:23am

  • #1 / Nov 08, 2011 10:23am

    ctrlaltdel

    119 posts

    Hello tech support folks:

    To start, here’s what I’m running:
    EE 2.2.1, build 20110705
    I realize that this is not the current version, and that I need to update.

    The story:
    This morning, I received an email from the hosting company where I have one of my clients’ sites hosted saying that the site had been compromised. I presume that they have some kind of security script running to check for this stuff, and it saw something it didn’t like. The email included a list of pages that it suspected were compromised and all of them were in the /cache/page_cache/ directory.

    So, obviously I need to update to the latest version of EE, but are there other things that I need to do to be sure that I’ve not left a backdoor open somewhere?

    Thanks in advance for your help!

  • #2 / Nov 08, 2011 10:26am

    Sue Crocker

    26054 posts

      Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php (if using EE 1.x)
      * config.php
      * database.php (if using EE 2.x)
      * index.php

      to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #3 / Nov 08, 2011 10:53am

    ctrlaltdel

    119 posts

    Hi Sue:

    EE Version: 2.2.1, build 20110705
    Other scripts on same hosting account (different domain, but still same account): latest version of Wordpress

    This *is* a shared hosting environment.

    config.php, database.php, and index.php are free of iframes and js includes.

    I’m going to update the site right now, but is there anything else I should check for or remove?

  • #4 / Nov 08, 2011 11:19am

    Sue Crocker

    26054 posts

    About the only other thing I’d do is delete the /cache files. Let us know what happens. We’ll be here.

  • #5 / Nov 08, 2011 12:04pm

    ctrlaltdel

    119 posts

    Updated everything, including the few addons that I had installed on the site.

    I’m sifting through the backup that I did before I did the update, and I did find one static html file dropped into the page_cache directory which has a meta refresh pointing to a .ru site.

    Of course, this could have been server/hosting related, but are there any “front-facing” things that I should address to prevent this from happening in the future? Do these types of compromises usually take place in the cache directories?
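A triage scanner covering the file checks Sue lists in #2 and the dropped meta-refresh file described in #5, as an added example that is not from the original thread or from ExpressionEngine itself. It assumes the page cache sits at cache/page_cache under the web root, as the first post describes (adjust PAGE_CACHE for your install), takes the site's own hostnames so a refresh to the site's own domain is not flagged, and builds a constructed sample web root in a temp directory rather than using anyone's real files. Flagged files are moved to a quarantine directory rather than deleted, so the host still has evidence to work from.

```python
"""Triage scanner for a suspected ExpressionEngine site compromise (added example).

Checks the files the thread says to inspect (path.php, config.php,
database.php, index.php) plus everything under the page cache for injected
iframes, external script includes, meta-refresh redirects and obfuscated PHP,
then quarantines hits instead of deleting them. Sample web root is constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Markers that do not belong in EE config/bootstrap files or cached pages.
RULES = {
    "iframe": re.compile(r"<iframe\b", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh", re.I),
    "external_script": re.compile(r"<script[^>]+src\s*=\s*['\"]?(?:https?:)?//", re.I),
    "eval_decode": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
META_URL = re.compile(r"content\s*=\s*['\"]?\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s>]+)", re.I)
CHECKLIST = ("path.php", "config.php", "database.php", "index.php")
PAGE_CACHE = "cache/page_cache"  # assumed, per the first post; adjust for your install


def redirect_host(line):
    """Hostname a meta-refresh line redirects to, or None if it is not one."""
    m = META_URL.search(line)
    if not m:
        return None
    return (urlparse(m.group(1)).hostname or "").lower() or None


def scan_file(path, own_hosts):
    """Yield (rule, lineno, snippet) for each suspicious line in one file."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if not rx.search(line):
                continue
            # A refresh to the site's own host can be legitimate; a foreign one is not.
            if rule == "meta_refresh":
                if redirect_host(line) in own_hosts:
                    continue
                rule = "meta_refresh_external"
            yield rule, lineno, line.strip()[:120]


def scan_site(root, own_hosts):
    """Scan the checklist files and the page cache under root; return findings."""
    root = Path(root)
    targets = {p for name in CHECKLIST for p in root.rglob(name)}
    cache = root / PAGE_CACHE
    if cache.is_dir():
        targets |= {p for p in cache.rglob("*") if p.is_file()}
    findings = []
    for p in sorted(targets):
        for rule, lineno, snippet in scan_file(p, {h.lower() for h in own_hosts}):
            findings.append({"file": p.relative_to(root).as_posix(),
                             "rule": rule, "line": lineno, "snippet": snippet})
    return findings


def quarantine(root, findings, dest):
    """Move every flagged file out of the web root, preserving its relative path."""
    moved = []
    for rel in sorted({f["file"] for f in findings}):
        target = Path(dest) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(Path(root) / rel), str(target))
        moved.append(rel)
    return moved


def build_sample_site():
    """Constructed web root: clean config/index files, one clean cache entry, two planted."""
    root = Path(tempfile.mkdtemp(prefix="ee_triage_"))
    (root / "index.php").write_text("<?php\nrequire 'system/expressionengine/config/database.php';\n")
    cfg = root / "system" / "expressionengine" / "config"
    cfg.mkdir(parents=True)
    (cfg / "database.php").write_text("<?php\n$db['expressionengine']['hostname'] = 'localhost';\n")
    cache = root / PAGE_CACHE / "ab"
    cache.mkdir(parents=True)
    (cache / "legit").write_text("<html><body><p>cached page</p></body></html>\n")
    (cache / "dropped.html").write_text(
        '<html><head><meta http-equiv="refresh" content="0;url=http://example.ru/go">'
        "</head></html>\n")
    (cache / "injected").write_text(
        '<html><body><p>page</p><iframe src="http://example.net/x" width=0 height=0>'
        "</iframe></body></html>\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    hits = scan_site(site, own_hosts={"www.example.com", "example.com"})
    for h in hits:
        print(f"{h['file']}:{h['line']} {h['rule']}: {h['snippet']}")
    print("quarantined:", quarantine(site, hits, site.parent / (site.name + "_quarantine")))
```

Run it against a copy of the pre-update backup rather than the live tree, since the backup is the only record of what was actually dropped. A clean scan of your own web root still says nothing about how the files got there: on shared hosting the entry point may be another account or another script on the same account (the WordPress install mentioned above included), which is why the host's logs are needed alongside this.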

  • #6 / Nov 08, 2011 12:53pm

    ctrlaltdel

    119 posts

    One more question: I’ve updated the database password. Which files need to be updated with the new password? Right now, I’m getting just a blank white page when I try to get to the homepage and the CP.

  • #7 / Nov 08, 2011 4:19pm

    ctrlaltdel

    119 posts

    Any thoughts?

  • #8 / Nov 09, 2011 7:39am

    Sue Crocker

    26054 posts

    Hi, ctrlaltdel.

    You’d update the /system/expressionengine/config/database.php file.

