Thread

yes, I got it from musicnewsweekly.com

No, PC or Mac won’t make a difference.

Can you email me (not PM but email - derek.allard at ellislab.com) me
1) FTP information
2) Your CP location, and an admin username/password

I’d like to get in there and take a look myself.  I promise I won’t change anything.

coming

Hi Shawn.  I got your email, but what I need are FTP information and access to your ExpressionEngine control panel (CP).

FTP information will look something like this
FTP host: ftp.musicnewsweekly.com
user: someusername
pass: somepassword

If you don’t know it, you can ask your host.

ExpressionEngine CP will be something like
http://musicnewsweekly.com/system
user: someusername
pass: somepassword

Where is my Control Panel? from the knowledge base may help here.

Don’t post this information to the forum, but email it.

musicnews, the index.php file you zipped up here, is it the one from your site right now?

Hi, ok, got the ExpressionEngine CP access (thanks) but still no FTP.  That said, just from logging in I can see some problems.  Your install says its using the “default” CP theme, but its purple.  The default in EE 1.6 is black, which isn’t a big deal, but it does imply that your installation wasn’t fully updated when it moved from 1.5 to 1.6

This might just mean updating your “themes” folder, but it might also mean that there is more under there that needs looking at.  If you can get me FTP access, I can verify further for you.

check the 3rd email I just sent

OK.  When I logged in and looked at your index page, it was injected with javascript whose intention is to redirect your users, not NOT the default EE index.php page.  When I replaced it with the proper index.php page, everything worked.

I’m sorry to say this, but it is my opinion that your server has been compromised.  Nothing to panic about.  Firstly, take a read through this thread, where I just found the exact same thing for another user. 

Next up, contact your webhost, and tell them that your index.php page was maliciously injected with code, and ask them to look into it.  Give them as much detail as you can, including when it stopped working. Also, you’ll want to change your passwords now, and then again after your host helps you narrow things down.

Also, do a full backup at this stage, just in case.

Let us know how it turns out Shawn.

Hi Sue:  thats the same one.

Hi Derek:  The ftp info is in the last email (3rd)

Wow, thanks Derek.  You are a true genius.  Another question, Would it be better to change my hosting to avoid future problems like this?

By the way, who is shawn?  I’m Tim, remember.

To change the passwords/access did you go to the FTP Manager?

Sorry Tim.  I’m doing too many things at once.  Apologies!

If you’ve been happy with your host so far, I wouldn’t recommend a change necessarily yet - but if you’ve had trouble it might be something to consider.  Some webhosts allow you to change your password yourself, and others will require a request for this.  The only way to know is to ask them.

I’m glad we could help to this point for you.  Let us know what your host says.

Hello derek,
I just talked with hosting.  They said the code needs to be debugged, as the problem has already escalated again.  Can you help?

If its already come back, then that says that the server still has a security hole.  Your host must get this closed up for you.  As it is right now, no amount of work you or I do will ever fix things, because they hackers will get back in.

Your host should be able to tell you how the file was put on there, who put it there and how it got there.  If they can’t do this, then perhaps you should consider changing hosts.

Imagine you rented your house, and your landlord didn’t have a lock on the door.  One night your TV got stolen. You tell your landlord that the TV is stolen, and their advice is to replace your TV.  What really needs to happen is that a lock gets put on the door.

Go back again and ask them for specific information about how your file was overwritten, by who, and how the compromise happened.  It probably didn’t happen from your account, but rather another account on the same server as you. After they get it cleaned up, and your passwords are changed, I’ll be more then happy to help you get everything straightened out.

Good luck!