This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Stuff I didn't write being injected into CSS, possibly compromised

November 20, 2008 11:42am

  • #1 / Nov 20, 2008 11:42am

    fifteen

    108 posts

    See the first line here:

    http://4sightcommunications.com/site.php?css=includes/landingpage.v.1226038376

    I’m not sure where this is coming from. I’m running 1.6.4 and I will be updating today, but can someone help me get started on how this is happening if it’s not related to the update?

  • #2 / Nov 20, 2008 12:24pm

    silenz

    1651 posts

    Yes, your site has somehow been compromised.
    Refer to the guidelines given here.
    First check index.php (in your case site.php), path.php and config.php for code that doesn’t belong there.

  • #3 / Nov 20, 2008 12:39pm

    Robin Sowell

    13255 posts

    Yes, it looks like you’ve been compromised.  If you edit the css template, do you see the added code there?  I suspect not- and as silenz recommends, check your index.php, path.php and config.php for added code.  If you aren’t sure what you’re looking for, let me know and I’ll walk you through it.

    Security is top priority for Ellislab, so let’s get the site fixed and pursue how this happened.

    To help us with that, can you let me know if you’re running any other scripts?  And are you on shared hosting?  Also, please report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.

  • #4 / Nov 20, 2008 1:00pm

    fifteen

    108 posts

    I’m going to upgrade now. Attached is an image of what I see at the top of path, site and config.

  • #5 / Nov 20, 2008 1:20pm

    Robin Sowell

    13255 posts

    Yes- that’s the hacked bit.  You’ll want to keep your config.php but remove the added code.  The same for your path.php file.  You may want to replace the index.php file entirely with a new copy.

    Then- upgrade everything.

    However, if they gained access once, it’s possible they will do so again.  So definitely contact your host, explain what has happened, and see if they can help track down how access was gained.  We’ll want to plug the hole so it doesn’t happen again.

  • #6 / Nov 20, 2008 1:32pm

    fifteen

    108 posts

    Ok, that hacked bit is now gone from the css after updating. However, it’s still showing up on this page: http://4sightcommunications.com/site.php/whitepapers/ten_tips which has a freeform form in it. When I remove the freeform tag, it removes that big chunk of injected code. Is this a freeform issue?

  • #7 / Nov 20, 2008 1:35pm

    Sue Crocker

    26054 posts

    Andy, are you running the most recent build of Freeform? It wouldn’t hurt to report this in Solspace’s forums.

  • #8 / Nov 20, 2008 2:08pm

    fifteen

    108 posts

    I am but I re-uploaded it anyways. Still persists. I have a thread started here:

    http://www.solspace.com/forums/viewthread/1754/

  • #9 / Nov 20, 2008 2:10pm

    silenz

    1651 posts

    Also check the file dates of ANY file below your webroot to identify any files that have been altered around and/or after the attack.
    Often those hackers create directories and/or install shell-scripts for further exploitations. If you discover any foreign files or dirs you don’t have permission to delete, ask your host to do it.
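
The file-date check suggested in post #9, as an added example that is not part of the original thread or of ExpressionEngine. It assumes a POSIX host (where `st_ctime` is the inode change time), a known earliest-compromise time, and optionally a list of paths from a clean copy of the site; the function names and the sample tree are constructed for illustration.

```python
import os
import time
from pathlib import Path

def audit_webroot(webroot, cutoff, baseline=None):
    """Return {relative_path: [reasons]} for files that need a manual look.

    cutoff   -- epoch seconds of the earliest suspected compromise (assumed known)
    baseline -- optional set of relative paths taken from a clean copy of the site
    """
    findings = {}
    root = Path(webroot)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            st = path.lstat()  # lstat: never follow symlinks out of the webroot
            reasons = []
            if st.st_mtime >= cutoff:
                reasons.append("modified")
            elif st.st_ctime >= cutoff:
                # mtime can be reset with touch; on POSIX ctime cannot,
                # so an old mtime with a recent ctime is itself suspicious
                reasons.append("ctime-only")
            if baseline is not None and rel not in baseline:
                reasons.append("foreign")
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_site(root):
    """Constructed sample tree: one edited file, one backdated, one foreign."""
    root = Path(root)
    (root / "images").mkdir(parents=True, exist_ok=True)
    old = time.time() - 30 * 86400
    for rel, backdate in [("config.php", False), ("path.php", True),
                          ("images/unknown.php", True)]:
        p = root / rel
        p.write_text("<?php // constructed sample\n")
        if backdate:
            os.utime(p, (old, old))  # sets mtime only; ctime becomes "now"
    return {"config.php", "path.php"}  # baseline: paths present in the clean copy

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = build_sample_site(d)
        for rel, why in sorted(audit_webroot(d, time.time() - 3600, base).items()):
            print(rel, why)
```

A file reported as `ctime-only` has a modification date older than the cutoff but was changed on disk after it, which is what a date listing alone would miss.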

  • #10 / Nov 20, 2008 2:57pm

    Sue Crocker

    26054 posts

    Andy, have you heard anything back from your web host yet?

  • #11 / Nov 20, 2008 3:32pm

    fifteen

    108 posts

    I’m currently on hold with MediaTemple about this - just to see if I can get more info.

    Solspace has yet to get back with me.

  • #12 / Nov 20, 2008 4:53pm

    fifteen

    108 posts

    MT told me that it’s a php exploit that injects html into my php pages. Wow. Glad I called!

    We’ve done some more looking and think it might involve a WordPress exploit.

    In a backup of my site from a week ago, I had about 165 pages with that odd snippet of code at the top of the page. I’ve searched and replaced all of that out of the files and I’m now in the process of re-uploading them and updating WordPress. Not sure I’ll have a specific answer here, but I’ll let you know what I find out - if anything.

  • #13 / Nov 20, 2008 5:01pm

    Ingmar

    29245 posts

    Thank you. I am glad to hear it wasn’t an EE issue per se.

  • #14 / Nov 20, 2008 5:03pm

    fifteen

    108 posts

    It’s hard to tell, but if updating WordPress results in no more compromised files, then we have our answer!

  • #15 / Nov 20, 2008 5:34pm

    Ingmar

    29245 posts

    Well, I see nothing pointing in that direction, but do let us know if and when they get back to you. Thanks, it is appreciated.
