Site was hacked

kac · Post by **kac** » Sun 27. Nov 2005, 18:04

Hey, as the title says I had a site hacked... actually I had about 7 hacked the last 2 weeks, all phpwcms sites. I've pretty much have them all restored except for one and it only seems to be having problems with the phpwcms.php right after the login.

Once I log in phpwcms.php loads but it looks like the image below

then I get a pop up that takes me to a **** site.

I've spent most of the morning trying to figure out what's causing it with no luck. I've gone to one of the sites that is running okay and used the good files to replace the ones in the site that I can't fix. I think I've done everything except a new install, but I'm not ready to do that yet.

Does anyone know what file could be the culprit? The site was hacked by going into folders that were 777 and leaving small scripts, so it must be phpwcms_templates, content/???, and all the other ones. I also don't know if the database could have been compromised, I looked and didn't see anything that would create a pop-up to the site, but who knows if I missed it.

I have done the update too... just incase someone cares.

Thanks,

-k

Post by **flip-flop** » Sun 27. Nov 2005, 19:04

Hi kac,

look at this http://www.phpwcms.de/forum/viewtopic.php?t=9154
It is advantageous to upgrade your site to 1.26 DEV.
http://www.phpwcms-docu.de/index.php?cvs_info_en

Gruß Knut

kac · Post by **kac** » Sun 27. Nov 2005, 19:11

Thanks, I did the upgrade/patch a few days ago but the hacks all came before the patch was released. The problem is trying to figure out what's causing the problem.

Any ideas?

-k

Post by **Oliver Georgi** » Sun 27. Nov 2005, 20:23

If you make a screen shot - show something we can see.

Check the security warning I have made.

Oliver

kac · Post by **kac** » Sun 27. Nov 2005, 20:50

Hi,

The text of the admin section is fine, you don't need to see it, I mean you can if you want, but what it says has no bearing on what I'm asking, I only inserted an image so I wouldn't have to describe what it looks like. If I would have said the text is all jammed to the left someone would have asked for a screen shot.

I know about the security warning. All the sites have been patched, and all but this one site has been restored... that's what I'm trying to figure out, why this one site's admin section is still having problems. Like I pointed out in my first post, I think I've replaced every file and removed all the hackers inserted files... but I can't figure out what would be causing it. Could the db have been modified to do what I've described? What particular scripts could be modified that would change the layout of phpwcms.php?

thanks

k

pico · Post by **pico** » Sun 27. Nov 2005, 21:18

Hi

as your Screenshot looks like, you're working with Vers. 1.1RC?

I can't remember, but wasn't the Backendtext stored in the Database - and if so maybe there is what you are looking for.

Just a Idee

Post by **Oliver Georgi** » Sun 27. Nov 2005, 22:56

no, text wasn't stored in db.

Oliver