
Index.php file hacked??

February 29, 2012 5:19pm

  • #1 / Feb 29, 2012 5:19pm

    Danny Valle

    21 posts

    Hello, I logged into my control panel and noticed that I was getting redirected to a strange site.  After a few tries, I saw that the index.php file was changed.  There was a function “<?php eval(base64_decode()); ?>” with many lines of encrypted text.  Is this the cause of a hack??

  • #2 / Mar 01, 2012 12:55pm


    Shane Eckert

    7174 posts

    Hello Danny Valle,

    I am sorry to hear you are running into this hack. I feel your pain. I want you to know that we take security very seriously and will do our best to work with you on figuring out what’s going on.

    You are right that “<?php eval(base64_decode()); ?>” does not belong there. It’s probable that the redirection to the strange site is actually an infected site. Make sure if you are browsing with Windows that nothing made it on to your system.

    Please call your hosting provider and let them know you are being hacked. They need to know this in order to help stop it. Typically the only way to get rid of this is to find out how the exploit is being made and to repair that. This could be an operating system level fix or it could be another application installed in your web root. Do you have anything else installed, like phpBB, WordPress, or the like?

    It’s probable that these files are corrupted as well.

    * index.php
    * admin.php
    * system/index.php
    * system/expressionengine/config/config.php

    Search the above files to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the update instructions.

    Sorry to repeat myself, but I want to make sure this point comes across. You will be fighting a losing battle until you get rid of the exploit. Make sure no other apps are installed and if they are, list them here. If you are not using them, delete them. And please be sure to let your hosting service know. You might not be the only one with this frustration.

    Again, I am sorry you are dealing with this.

    Please keep me posted!

    Cheers,

  • #3 / Mar 01, 2012 2:08pm

    Danny Valle

    21 posts

    Hey, thanks for getting back to me on this.  So far it looks like the one site with EE is the infected one.  I have a few WordPress apps for separate websites.  All are up to date.  I did notice that I am not running the latest EE 2.4.  I have 2.3.1 I believe.  This could be the problem?

    I have contacted the hosting company. Waiting to hear back from them. 

    I do see a strange folder: “.svn”.

    I have looked into the files and have removed the code that does not belong.

  • #4 / Mar 01, 2012 2:13pm


    Shane Eckert

    7174 posts

    Hey Danny Valle,

    That .svn folder is there if you have used Subversion to grab a repo.

    There are no reported security flaws with 2.3.1, but it never hurts to keep up to date.

    Please keep me posted.

    Cheers,

  • #5 / Mar 01, 2012 2:19pm

    Danny Valle

    21 posts

  • #6 / Mar 02, 2012 2:34pm


    Shane Eckert

    7174 posts

    Hi Danny Valle,

    Yeah, you want to get rid of that.

    Have you been in contact with your provider?

    Have you checked the WP files to see if any of them are corrupt?

    I hope this process is going well for you. Please keep me posted.

    Cheers,

  • #7 / Mar 05, 2012 10:59pm

    grahambot

    3 posts

    My site, hosted on Dreamhost, was brutally hacked to pieces with this same hack overnight last night at some point.

    I have downloaded my entire site to my computer, and run a massive find/replace using Dreamweaver to find the <?php eval > malicious code. It had been inserted at the beginning of nearly EVERY .php file in my whole install.

    My find/replace function found over 900 instances of this code on separate documents. I deleted that line of .php from all the files and reuploaded them. I also changed the name of my system folder as a precaution, and reset my FTP passwords.

    Aside from accidentally pushing up a very old stylesheet, I believe the malicious code is gone, but I’ll need to delete these “logs” files as well.

    Here’s a helpful blog post from someone who experienced this hack on WP: http://www.stumbleupon.com/su/7PymQm/danhilltech.tumblr.com/post/

    So, my question to support is: how can we know that we’ve really gotten rid of any extra files these stooges uploaded? Is there an easy way to check our 1800+ files against a clean expressionengine install?

  • #8 / Mar 06, 2012 5:48am


    Etheya

    213 posts

    Second this personally too… I've had this happen to a number of clients all running EE, including only yesterday night… which has caused some hassle this morning as well as time… would be nice if there were any other pointers from EllisLab on security measures etc.

    thanks
    B.

  • #9 / Mar 06, 2012 1:56pm

    grahambot

    3 posts

    Unfortunately, all my efforts yesterday did nothing to protect my site.

    It has been hacked, again, for the second night in a row. There must be a security vulnerability somewhere in ExpressionEngine. Any tips on cleanup within EE?

  • #10 / Mar 06, 2012 2:37pm


    Etheya

    213 posts

    You must have a file in there that is keeping the hidden code… have you checked EVERY php file, as it will have infected them all. Also make sure there is nothing in any of the JS files too.

  • #11 / Mar 06, 2012 3:16pm

    grahambot

    3 posts

    Checking EVERY php file would entail over 900 files, and I’m not familiar with most of them since they were just part of the package for a basic EE install plus a few modules/plugins.

  • #12 / Mar 06, 2012 3:22pm


    Etheya

    213 posts

    You will probably find that EVERY php file has some code in the top of it on the very first line along the lines of

    <?php /**/ //eval(base64_decode("aWYo….......

    You need to remove all this! And also check that other files have not been added to your root or similar. Anything out of the ordinary. Without removing the source of the problem it will just come back.
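A defender-side check for the two questions raised in this thread (how to spot the injected first line described just above, and grahambot's question in #7 about comparing a live tree against a clean install). This is an added Python example, not code from the thread or from EllisLab; the file contents, paths and the "aWYo" base64 fragment are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Pattern quoted in this thread: an injected first line like "<?php eval(base64_decode(...)); ?>"
# or "<?php /**/ //eval(base64_decode("aWYo..." (the payload itself is not reproduced here).
INJECT_RE = re.compile(rb'<\?php\s*(?:/\*\*/\s*)?(?://\s*)?eval\s*\(\s*base64_decode\s*\(')

def is_infected(path):
    """True if the first 1 KiB of the file carries the eval(base64_decode( injection."""
    with open(path, 'rb') as f:
        return INJECT_RE.search(f.read(1024)) is not None

def tree_hashes(root):
    """Map relative path -> SHA-256 of every file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            with open(full, 'rb') as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def compare(clean_root, site_root):
    """Return (modified, extra, infected) relative paths of the live site vs. a clean install."""
    clean, live = tree_hashes(clean_root), tree_hashes(site_root)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    extra = sorted(p for p in live if p not in clean)          # files a clean install lacks
    infected = sorted(p for p in live if p.endswith('.php')
                      and is_infected(os.path.join(site_root, p)))
    return modified, extra, infected

def write(root, rel, body):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), 'wb') as f:
        f.write(body)

def demo():
    """Constructed fixture: a two-file 'clean install' and a tampered copy of it."""
    base = tempfile.mkdtemp()
    clean, site = os.path.join(base, 'clean'), os.path.join(base, 'site')
    files = {'index.php': b"<?php\nrequire 'system/index.php';\n",
             'system/index.php': b"<?php\necho 'ok';\n"}
    for root in (clean, site):
        for rel, body in files.items():
            write(root, rel, body)
    # Injected line prepended to index.php, plus a dropped file the clean tree does not have.
    write(site, 'index.php', b'<?php /**/ //eval(base64_decode("aWYo")); ?>\n' + files['index.php'])
    write(site, 'uploads/x.php', b'<?php echo 1;\n')
    return compare(clean, site)
```

Run `compare()` with a freshly downloaded ExpressionEngine of the same version as `clean_root` and the live site as `site_root`; anything in `extra` deserves a look even when it is not PHP, since the thread mentions "logs" files and JS files as well.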


  • #13 / Mar 07, 2012 5:49pm


    Shane Eckert

    7174 posts

    Hello grahambot and Etheya,

    Sorry to hear about the hack guys. No fun.

    ExpressionEngine does not have any reported vulnerabilities.

    As I mentioned above, the hack can come from anywhere, and lately users who have been hacked have had phpBB or WP in their directory as well. Until the hack is found and dealt with, it’s a never-ending loop to repair the infected files.

    This morning a user posted about a rash of hacks on Dreamhost. He also has some tips on cleaning up after it. Worth checking out.

    Cheers,
