I think my site was hacked, but I’m not 100% sure. What can I do?
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
#1 / Jul 28, 2008 5:39am
I think my site was hacked, but I’m not 100% sure. What can I do?
#2 / Jul 28, 2008 5:45am
Thanks for reporting this. We take security very seriously and will do our best to work with you to figure out what’s going on. To do that, we need some additional information from you:
- What version and build are you running?
- Are there any other scripts on your account, whether in use or not (php, etc…)?
- Do you have a link to your site?

While we work through this, please check through these files:
- path.php
- config.php
- index.php
to ensure that there is no unusual code such as iframes or JavaScript includes; if you do find such code, please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask. You may also wish to refresh your files by following the build update instructions.
Please report this to your host immediately, as only they can help you identify where the attack originated from so that steps can be taken to prevent this in the future.
Thanks!
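The file check described in the post above, as an added example that is not part of the original thread or of the product's own code: a Python sketch that flags iframes and script includes in the three named files. The two patterns, the function names and the sample file contents are constructed assumptions, and a match only marks a line for manual review.

```python
import re
from pathlib import Path

# Files named in the post above.
FILES_TO_CHECK = ("path.php", "config.php", "index.php")

# Illustrative patterns (assumptions, not an exhaustive signature set).
PATTERNS = {
    "iframe tag": re.compile(r"<\s*iframe\b", re.I),
    "script include": re.compile(r"<\s*script\b[^>]*\bsrc\s*=", re.I),
}


def scan_text(text):
    """Return (line_number, label, stripped_line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, label, line.strip()[:120]))
    return findings


def scan_site(root):
    """Scan the named files under root; a missing file is reported as None."""
    report = {}
    for name in FILES_TO_CHECK:
        path = Path(root) / name
        if not path.is_file():
            report[name] = None  # absent, or replaced by a non-file
            continue
        # errors="replace" keeps the scan going on files with odd encodings
        report[name] = scan_text(path.read_text(errors="replace"))
    return report


# Constructed sample: an index.php with a hidden iframe appended after the PHP.
SAMPLE_INDEX = """<?php
$system_path = "./system/";
require 'path.php';
?>
<iframe src="http://example.invalid/x" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for lineno, label, line in scan_text(SAMPLE_INDEX):
        print(f"index.php:{lineno}: {label}: {line}")
```

Run it against a backup copy of the site files rather than the live tree, so the originals stay available to the host for investigation.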
#3 / Jul 28, 2008 6:01am
Thank you for your answer. I realize that I was unclear, so here are more details.
Today one of the site members told me that the site is hacked. I checked the site and the home page has been changed to something named “c99shell”. After googling, I found that this is a backdoor used in site hacking. I’m not a programmer and I don’t have any responsibility for that site anymore, but I would like to know if the hack is real and if it is based on EE vulnerabilities.
Should I post the site address here, in the forum?
#4 / Jul 28, 2008 6:17am
I am prepared to bet that it’s not an EE vulnerability, but we like to make sure all the same. Go ahead and send me the URL via email, referencing this thread. I’ll then have a look, thanks.
#5 / Jul 28, 2008 9:15am
I have received your mail and the URL of the site. Unfortunately, as you have indicated, the site has been suspended by the host, so there is no way for us to even take a look at it. You, or whoever is in charge of the site now, really should contact the host—they would be in the best position to tell you about the hack, and how it was pulled off.
Just to be clear, there is nothing at this stage to suggest that EE was involved in any way, but we would still like to determine what caused this. If and when you get a reply from the host, please let us know. Thanks.
#6 / Jul 28, 2008 9:29am
I contacted the host and he told me that the site was suspended at the site owner’s request. However, he didn’t know about the c99shell page. Right now I expect an answer from him.
When I decided to use EE as the CMS of the site, the good security of EE was one of the reasons. Nobody will be happier than me if I find that there is no problem.
Thank you.
#7 / Jul 28, 2008 11:01am
Keep us updated, imagi-nation. We’ll dig in as soon as there is more data to go on.
#8 / Jul 30, 2008 3:09pm
After 2 days, the host told me that nothing happened on his part. I can’t do anything else, because the site owner is in the process of a (long) reorganization and this subject is not on the priority list. Please consider this thread closed.
If I can provide any other information useful for this subject, please tell me. Thanks to everyone.
#9 / Jul 30, 2008 4:23pm
I am tentatively closing this thread, as per your request. If you hear anything from either the site owner or the host, please let us know by starting a related thread. Thanks.