ExpressionEngine CMS
Open, Free, Amazing

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Site hacked; pharma ads in Google results

December 01, 2011 7:44am

  • #1 / Dec 01, 2011 7:44am

    martin.mckenna

    1 posts

    Hi there,

    Google displays a message reading “This site may be compromised.” when I search for my site, http://www.soooali.com, and text about drugs appears below the search result. There is a whois.dat file in my site’s root that seems to contain at least some of the problem text. The site appears fine when I visit it.

    Build:  20091201
    ExpressionEngine Core 1.6.8

    Obviously I should upgrade EE, but is the latest version of EE 1 only available with a purchase of EE 2? I’d be very grateful for any help on this matter. I’m contacting my host, Dreamhost, now too.

    Thanks!
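The symptom described in the post above (the site looks normal in a browser while Google sees drug text) is classic search-engine cloaking: the injected PHP inspects the User-Agent, and sometimes the Referer, and serves the spam only to crawlers. The Python below is an added example, not code from this thread or from ExpressionEngine, that fetches a page twice, once as a browser and once claiming to be Googlebot, and reports spam terms that appear only in the crawler's view. The User-Agent strings, the keyword list and the injectable `fetch` hook are assumptions made for the example.

```python
"""Added example: detect User-Agent based cloaking by comparing what a browser
and a crawler receive for the same URL. Not code from the thread."""
import re
import urllib.request
from typing import Callable, Dict, Set

# Assumed User-Agent strings; the cloaked branch in these kits usually keys
# on the substring "Googlebot" (or similar crawler names).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/8.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Constructed keyword list covering the usual pharma-spam vocabulary.
SPAM_TERMS = ("viagra", "cialis", "levitra", "pharmacy", "tramadol", "xanax")


def http_fetch(url: str, user_agent: str) -> str:
    """Live fetch used when running against a real site."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def visible_text(html: str) -> str:
    """Drop script/style blocks and tags, collapse whitespace, lowercase."""
    html = re.sub(r"(?is)<(script|style).*?</\1>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).lower()


def spam_hits(text: str) -> Set[str]:
    """Whole-word matches of the spam vocabulary in normalised page text."""
    return {t for t in SPAM_TERMS if re.search(r"\b" + t + r"\b", text)}


def cloaking_report(url: str,
                    fetch: Callable[[str, str], str] = http_fetch) -> Dict[str, object]:
    """Fetch as a browser and as a crawler; report spam seen only by the crawler."""
    browser = visible_text(fetch(url, BROWSER_UA))
    crawler = visible_text(fetch(url, CRAWLER_UA))
    crawler_only = spam_hits(crawler) - spam_hits(browser)
    return {
        "same_content": browser == crawler,
        "crawler_only_spam": sorted(crawler_only),
        "cloaked": bool(crawler_only),
    }


if __name__ == "__main__":
    import sys
    print(cloaking_report(sys.argv[1] if len(sys.argv) > 1 else "http://www.soooali.com/"))
```

Run `cloaking_report("http://www.soooali.com/")` against the live site; `cloaked: True` confirms the pharma text is being served conditionally even though a normal visit shows nothing. Some kits key on the Referer instead of the User-Agent, so repeat the fetch with a `Referer: http://www.google.com/` header if the two views match; Google Webmaster Tools' Fetch as Googlebot performs the same comparison from Google's side.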

  • #2 / Dec 01, 2011 1:24pm

    Marcus Neto

    1005 posts

    The official stance is that Core is no longer supported. As part of that the updates are not available either. If you want to update the site then your only proposition is to purchase EE2 now while the 1.x version is still available for download. Even better would be to upgrade to 2.3.1.

  • #3 / Dec 02, 2011 12:02pm

    Kevin Smith

    4784 posts

    Hey Martin,

    Just wanted to chime in to say that I’m sorry to hear about your site. I’m sure that’s a really frustrating experience. We’d love to help you work through this; holders of current EE2 licenses (which still include a download of EE1 for a very, very limited time) receive support from our dedicated support staff. If you’d like to purchase an EE2 license that would enable us to help you resolve this. After you purchase the license, I would highly recommend you download a copy of EE1 and use it to update your site to the latest version of EE1.

    I also wanted to point you to a resource on hacking. Noah Stokes wrote a great piece a few years ago on an EE1 site being hacked; as it turned out for him (and as is true in most cases), there wasn’t a vulnerability in EE1 itself that allowed the hacker in but rather a vulnerability in another application that gave the hacker free rein to the site. His blog post goes into some good depth on how to sanitize your site from all hacked content and keep it running smoothly.

    Again, I hate to hear of your site being hacked, but I hope this provides you with some good resources for fixing it!

  • #4 / Nov 29, 2012 9:55am

    InsightNetworks

    1 posts

    A little info: I’ve been outsourced as a consultant to fix a client’s web site.

    I have the same issue that has just recently occurred in this thread. I was called in to take a look at a client’s site that hadn’t been managed at all with upgrades/security patches and a negligent MLSP that doesn’t bother to take backups... not sure how much they pay for insurance in the event of a fire or natural disaster. There should have really been someone in the organisation making sure it was continually patched, but we’re past that now. Not worth thinking about.

    I guess the only option right now is to try and clean up the site. Although the host is giving me a hard time getting into the MySQL DB to look through the tables.

    Has anyone got a list of files that extentiate the exploit? It was running 1.6.4 from memory, which is a LONG way off the current platform 2.5.x. It would be good to stay with EE but I need to swap hosting services first of all because the current guys are hopeless, 24/7 support that starts at 8am. Trying to work back of the clock to resolve this issue. It’s a real pain. I assume the v2 CMS has a lot of these PHP holes closed?

    /root/PHP5.php contained a list of drug names (has been renamed *.bak)
    htdocs/companyfolder/templates/options.php (renamed to a *.bak)
    htdocs/themes/site_themes/scache.php (has been removed by another colleague)
    htdocs/Copy_of_help/doc/classes.php (renamed as it pulled malware)

    All of these files timestamped with 2008-2009.

    I guess the exploit gave access to the MySQL DB that allowed them to add tables and content. Any pointers at this stage would be ideal. No backups of the DB or the front end, or I’d have restored by now.

    I’ve removed what I can and used Google Webmaster Tools to re-index the site. I’m not confident I’ve removed the malware as it looks encrypted.

    At the end of the day, we need to step up our online presence. So EE might not be the platform of choice, but if someone can liaise with me re: why I should stay with EE we could consider it.

    Kind Regards,
    Chris
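
Post #4 lists the dropped files by name and notes that they are timestamped 2008 to 2009 and that the code looks encrypted. Both are normal for this class of hack: the payload is usually an `eval(base64_decode(...))` or `gzinflate(...)` loader, and the dropper backdates the modification time so the file blends in with the original install. The Python below is an added example, not code from this thread or from ExpressionEngine, that walks a web root and flags PHP files carrying the common obfuscation idioms, PHP files sitting in asset directories (as `themes/site_themes/scache.php` did), and files whose mtime has been backdated. The indicator patterns, the asset-directory list and the one-day gap are assumptions made for the example; a hit is a lead to read by hand, not proof of infection.

```python
"""Added example: triage a web root for injected/obfuscated PHP.
Not code from the thread or from ExpressionEngine."""
import os
import re
from typing import Dict, List

# Assumed indicator patterns; each is a loader/obfuscation idiom seen in
# spam-injection kits. Heuristic: review every hit by hand.
INDICATORS = {
    "eval_decode": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "preg_e_modifier": re.compile(
        r"preg_replace\s*\(\s*['\"].*?/[a-z]*e[a-z]*['\"]", re.I | re.S),
    "remote_loader": re.compile(
        r"(curl_exec|file_get_contents|fsockopen)\s*\(\s*['\"]https?://", re.I),
    "long_base64": re.compile(r"[A-Za-z0-9+/=]{200,}"),
    "dynamic_request_call": re.compile(
        r"\$[a-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
}

# Assumption: asset directories that should never contain executable PHP.
NO_PHP_DIRS = ("images", "img", "uploads", "cache")
PHP_EXTENSIONS = (".php", ".phtml", ".php5")
MIN_BACKDATE_GAP = 86400  # one day; assumed threshold


def inspect_file(path: str, root: str) -> Dict[str, object]:
    """Score one PHP file on content, location and timestamp consistency."""
    with open(path, "rb") as fh:
        data = fh.read(512 * 1024)          # loaders sit near the top of the file
    text = data.decode("latin-1")           # never fails, keeps bytes 1:1
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]

    # touch -d / PHP touch() can set mtime to 2008, but the kernel stamps
    # ctime with the real time of that change. A ctime far newer than mtime
    # means the "old" modification time was faked.
    st = os.stat(path)
    backdated = (st.st_ctime - st.st_mtime) > MIN_BACKDATE_GAP

    rel = os.path.relpath(path, root)
    parts = {p.lower() for p in rel.split(os.sep)[:-1]}
    odd_location = any(d in parts for d in NO_PHP_DIRS)

    return {
        "path": path,
        "indicators": hits,
        "mtime_backdated": backdated,
        "odd_location": odd_location,
        "suspicious": bool(hits) or backdated or odd_location,
    }


def scan_webroot(root: str) -> List[Dict[str, object]]:
    """Return every PHP file under root that trips at least one check."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                info = inspect_file(os.path.join(dirpath, name), root)
                if info["suspicious"]:
                    findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    import sys
    for f in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        flags = list(f["indicators"])
        if f["mtime_backdated"]:
            flags.append("mtime_backdated")
        if f["odd_location"]:
            flags.append("odd_location")
        print(f["path"], ", ".join(flags))
```

Run it as `python scan.py htdocs` on a copy of the site. Because the indicators are heuristic and only the first 512 KiB of each file is read, also diff the tree against a pristine download of the same EE 1.6.x build, and inspect the database (templates and any tables that were not created by the install) since post #4 suspects the attacker wrote to MySQL. Treat every credential the dropped files could read, including the database password in the EE config, as compromised and rotate it after cleanup.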
