This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Weird injection

February 06, 2012 9:37am

  • #1 / Feb 06, 2012 9:37am

    mattgreen110

    46 posts

    This keeps appearing in the ‘index.php’ page in the root. Then it throws a php error. Any ideas? Kind of a big deal.

    [removed][removed] ('<d' + 'iv st' + 'yle' + '="po' + 'si' + 'tio' + 'n:a' + 'bso' + 'lu' + 'te;l' + 'ef' + 't:' + '-' + '65' + '00' + '0' + 'p' + 'x;' + '"' + '>');[removed]<div>友情链接:
    
    
     <h1><a href="http://www.ucrmt.com/games/MapleStory.html" title="メイプルストーリー RMT">メイプルストーリー RMT</a></h1> 
     <h1><a href="http://www.ucrmt.com/" title="dragonnest rmt">dragonnest rmt</a></h1> 
     <h1><a href="http://www.ucrmt.com/games/argo.html" title="ARGO RMT">ARGO RMT</a></h1> 
     <h1><a href="http://www.ucrmt.com/games/aika.html" title="エイカ AIKA RMT">エイカ AIKA RMT</a></h1> 
     <h1><a href="http://www.ucrmt.com/games/DragonNest.html" title="ドラゴンネスト-DragonNest-RMT">ドラゴンネスト-DragonNest-RMT</a></h1> 
     <h1><a href="http://www.ucrmt.com/games/aila.html" title="AILA rmt アイラ rmt">AILA rmt アイラ rmt</a></h1> 
     <h1><a href="http://www.ucrmt.com/games/nexonpointrmt.html" title="ネクソンポイント RMT">ネクソンポイント RMT</a></h1> 
      
    </div>[removed][removed] ('<' + '/d' + 'i' + 'v>');[removed]
  • #2 / Feb 06, 2012 9:46am

    mattgreen110

    46 posts

    If someone at EllisLab could reply soon that would be awesome. When I remove it, after a while it ends up there again.

  • #3 / Feb 07, 2012 11:31am

    mattgreen110

    46 posts

    What’s the point of advertising support? Forgive my attitude, and maybe I am just being way too impatient. But whatever, you can just close this out; I’ll figure it out.

  • #4 / Feb 07, 2012 12:08pm

    mark186282

    290 posts

    Looks to me as though you’ve been hacked…

    I recommend locking everything down, changing your passwords, getting your server admins on the line to prevent any further exposure.

    Then you can do some forensics to figure out exactly what and where this is happening (probably, literally, in your index.php file… I would start there).

    It may help to get a snapshot of your server logs, ftp logs, and any other access logs available.

    Also, check the timestamps of your files, and file permissions.

    ...

    If you treat the symptoms and just try to fix the inserted exploit, you will still have the perps out there able to do it again… or do worse.
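
The file checks suggested in post #4 (contents, timestamps, permissions), as an added example that is not part of the original thread and not EllisLab code: it rejoins the split string literals seen in post #1 before looking for markup positioned far off-screen, and records each flagged file's modification time and whether it is world-writable. The function names, the 1000px threshold, the extension list and the 7-day window are assumptions chosen for illustration.

```python
import os, re, stat, time

# Constructed sample: the split-string fragment quoted in post #1.
SAMPLE = ("('<d' + 'iv st' + 'yle' + '=\"po' + 'si' + 'tio' + 'n:a' + 'bso' + 'lu' "
          "+ 'te;l' + 'ef' + 't:' + '-' + '65' + '00' + '0' + 'p' + 'x;' + '\"' + '>');")

# A quote, a plus sign, a quote: the seam between two concatenated literals.
_SEAM = re.compile(r"""['"]\s*\+\s*['"]""")
# Absolutely positioned element pushed 1000px or more off-screen (assumed threshold).
_HIDDEN = re.compile(
    r"position\s*:\s*absolute[^>]*?(?:left|top)\s*:\s*-\d{4,}\s*px", re.I)

def find_hidden_markup(text):
    """Rejoin split string literals, then return any off-screen style matches."""
    return _HIDDEN.findall(_SEAM.sub("", text))

def scan_webroot(root, recent_days=7, exts=(".php", ".html", ".htm", ".js")):
    """Return {path: flags} for files with hidden markup or world-writable mode."""
    cutoff = time.time() - recent_days * 86400
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hidden = bool(find_hidden_markup(fh.read()))
            world_writable = bool(st.st_mode & stat.S_IWOTH)
            if hidden or world_writable:
                findings[path] = {
                    "hidden_markup": hidden,
                    "world_writable": world_writable,
                    "recently_modified": st.st_mtime >= cutoff,
                    # Timestamp to line up against FTP and access logs.
                    "mtime": time.strftime("%Y-%m-%d %H:%M:%S",
                                           time.localtime(st.st_mtime)),
                }
    return findings

if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, flags in sorted(scan_webroot(webroot).items()):
        print(path, flags)
```

A hit shows where the markup landed, not how it got there, so line up each reported modification time with the FTP and access logs covering the same period.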

  • #5 / Feb 07, 2012 2:37pm

    Shane Eckert

    7174 posts

    Hello mattgreen110,

    I am sorry to hear you are running into this problem. We try to get back to each post in the forum in one business day.

    It looks like you may have been hacked. We take security very seriously. mark186282’s suggestions are good.

    You can lock down your site, change passwords and such, these are all good steps. These could be useless though if the server has been compromised.

    The first thing to do is work with your hosting service and let them know your site has been hacked. (It could be cross-site scripting.) Whatever the case is, your server techs need to be involved. Also see if you can find out if there are other sites hosted with your hosting company that have had the same issue. It’s too early to tell and I do not have all the details, but you might need to change providers or ask to be moved to a different server.

    Please keep us updated and I hope you get this resolved soon.

    Cheers,
