This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Site hacked (virus suspected)

August 09, 2012 1:37pm

  • #1 / Aug 09, 2012 1:37pm

    Heather Musil

    51 posts

    Hello - I have a site that’s been taken over. I am hoping someone might be able to help me.

    Basically, sometimes it will redirect you to a porn site and the index in Google shows my pages but all of the text is spam text (see screenshot). I am on v2.5.2 and I have the membrr and cartthrob add-ons.

    Also, some of my text is showing up but some channels (like news) are not working.

    http://publishersroundtable.org/

    Has anyone heard of this before? Do you know where I should start in fixing it?

    Thanks!
    Heather

  • #2 / Aug 09, 2012 3:00pm

    Heather Musil

    51 posts

    Just an update. I had someone who was able to help me take out the offending files but I am wondering what I can do to stop this from happening. Could it have anything to do with my add-ons?

    Some of my channels are still not working but that I am not so worried about as long as the virus is gone.

    Thanks-

  • #3 / Aug 09, 2012 10:37pm

    Heather Musil

    51 posts

    We discovered that someone had uploaded an image.php into the images folder and then somehow modified the htaccess file to take down the site. Has anyone ever heard of that? I would really appreciate if anyone has any ideas for me as to how I can protect this site.

  • #4 / Aug 10, 2012 6:19am

    Ralph

    78 posts

    Those pesky hackers. I would check the log files, they’re usually in statistics/logs and look for anything suspicious around the time you think the site might have been hacked. Look in the access log, ftp log and error log. Change all your passwords to something really secure and make sure ftp is locked when you’re not using it. Also what version of PHP/MySQL are you running? Older versions can have some vulnerabilities.

  • #5 / Aug 10, 2012 8:20am

    Jason Turcotte

    102 posts

    You also want to check the permissions of your files and folders to make sure they are set properly.

  • #6 / Aug 10, 2012 11:15am

    Heather Musil

    51 posts

    Thanks Jason and Patrick for your help!

    I have changed the passwords and changed permissions on that image/uploads directory. ExpressionEngine does request that the permissions are set to 777 on that directory and I am wondering if that’s how they got in… do you keep those permissions at 777?

    I am also confused at how they were able to modify that htaccess file.

    I am running PHP 5.2.17 and MySQL 5.1.39 on dreamhost.

    Heather

  • #7 / Aug 10, 2012 11:48am

    Kurt Deutscher

    827 posts

  • #8 / Aug 10, 2012 12:05pm

    Heather Musil

    51 posts

    No, Dreamhost doesn’t use Plesk but that’s kind of scary that they would have them in plain text.

  • #9 / Aug 10, 2012 12:06pm

    Ralph

    78 posts

    That version of PHP is a bit old. I would ask your host to upgrade it.

    Here’s an interesting list of the vulnerabilities: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-106044/PHP-PHP-5.2.17.html

    Edit: link

  • #10 / Aug 10, 2012 1:02pm

    Kevin Smith

    4784 posts

    Hi Heather,

    I hate to hear that this has happened to you! Regarding permissions, the important thing is just that PHP is allowed to write to those directories. 777 ensures that in all cases, but your server doesn’t necessarily have to be that permissive. Ask your host what permissions would be required for that on their servers.

    I would certainly see if you could get your host to update your version of PHP. The other recommendations given here are solid as well. Change your passwords, and work with your host over the next few weeks to monitor your site. If someone has targeted your site already, they might not be done. And they might have left themselves a back door for an easy return visit!
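
The checks raised in this thread (a PHP file sitting in the images folder, directories left at 777, a changed .htaccess) as an added Python example that is not from any poster or from ExpressionEngine. The function name, the `images` upload path, the extension list and the 30-day window are assumptions to adjust for the site being audited.

```python
import os
import stat
import time

# Extensions commonly mapped to the PHP interpreter (assumed list; adjust per server).
SCRIPT_EXTS = {"php", "phtml", "php5", "phar"}


def audit_docroot(root, upload_dirs=("images",), htaccess_days=30, now=None):
    """Return sorted (finding, relative_path) tuples for a web document root."""
    now = time.time() if now is None else now
    uploads = [os.path.normpath(u) for u in upload_dirs]
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = any(rel_dir == u or rel_dir.startswith(u + os.sep) for u in uploads)
        # Mode 777 sets the "other write" bit, so any local account can write here.
        if os.lstat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world-writable-dir", rel_dir))
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            # Test every extension, not just the last: some Apache setups
            # also execute names like "image.php.jpg".
            exts = name.lower().split(".")[1:]
            if in_uploads and any(e in SCRIPT_EXTS for e in exts):
                findings.append(("script-in-upload-dir", rel))
            if name == ".htaccess":
                age_days = (now - os.lstat(path).st_mtime) / 86400
                # An .htaccess inside an upload folder can re-enable script execution.
                if in_uploads:
                    findings.append(("htaccess-in-upload-dir", rel))
                if age_days <= htaccess_days:
                    findings.append(("htaccess-recently-modified", rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for finding, rel in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{finding:28} {rel}")
```

Run it against the site's document root; each finding is a prompt to compare the file against a known-good copy or backup, not proof of compromise on its own.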
