Thread

Hello, I logged into my control panel and noticed that I was getting redirected to a strange site.  After a few tries, I saw that the index.php file was changed.  There was a function “<?php eval(base64_decode()); ?>” with many lines of encrypted text.  Is this the cause of a hack??

Hello Danny Valle,

I am sorry to hear you are running into this hack. I feel your pain. I want you to know that we take security very seriously and will do our best to work with you on figuring out what’s going on.

You are right that “<?php eval(base64_decode()); ?>” does not belong there. It’s probable that the redirection to the strange site is actually an infected site. Make sure if you are browsing with Windows that nothing made it on to your system.

Please call your hosting provider and let them know you are being hacked. They need to know this in order to help stop it. Typically the only way to get rid of this is to find out how the exploit is being made and to repair that. This could be an operating system level fix or it could be another application installed in your web root. Do you have anything else installed, like phpBB, WordPress, or the like?

It’s probable that these files are corrupted as well.

* index.php
* admin.php
* system/index.php
* system/expressionengine/config/config.php

Search the above files to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

You may also wish to refresh your files by following the update instructions.

Sorry to repeat myself, but I want to make sure this point comes across. You will be fighting a losing battle until you get rid of the exploit. Make sure no other apps are installed and if they are, list them here. If you are not using them, delete them. And please be sure to let you hosting service know. You might not be the only one with this frustration.

Again, I am sorry you are dealing with this.

Please keep me posted!

Cheers,

Hay, thanks for getting back to me on this.  So far it looks like the one site with EE is the infected one.  I have a few wordpress apps for separate websites.  All are up to date.  I did notice that I am not running the latest EE 2.4.  I have 2.3.1 I believe.  This could be the problem?

I have contacted the hosting company. Waiting to hear back from them. 

I do see a strange folder: “.svn”.

I have looked into the files and have removed the code that does not belong.

Hey Danny Valle,

That .svn folder is there if you have used Subversion to grab a repo.

There are no reported security flaws with 2.3.1, but it never hurts to keep up to date.

Please keep me posted.

Cheers,

Ok, I also noticed a folder within main directory where the index and admin files are called “.logs”.  In there it’s a text file named “log1.txt” with the following:

http://gical45exact.rr.nu/
http://ionis90landsi.rr.nu/
http://ionbr82eastna.rr.nu/
http://ati14onst.rr.nu/
http://rmore79riveru.rr.nu/
http://ionsh64iitet.rr.nu/
http://enlosu65spicio.rr.nu/
http://iedla63wyers.rr.nu/
http://com04men.rr.nu/
http://ouvech35oicetim.rr.nu/
http://stec31onomi.rr.nu/
http://ligen92tcusto.rr.nu/
http://ily23visi.rr.nu/
http://xingsa51ltpreve.rr.nu/
http://astre09atyqr.rr.nu/
http://sbulle06tsconti.rr.nu/
http://nia91nskg.rr.nu/
http://line20arpr.rr.nu/
http://tabsin60dustryr.rr.nu/
http://asin54grepl.rr.nu/

Hi Danny Valle,

Yeah, you want to get rid of that.

Have you been in contact with your provider?

Have you checked the WP files to see if any of them are corrupt?

I hope this process is going well for you. Please keep me posted.

Cheers,

My site, hosted on Dreamhost, was brutally hacked to pieces with this same hack overnight last night at some point.

I have downloaded my entire site to my computer, and run a massive find/replace using Dreamweaver to find the <?php eval > malicious code. It had been inserted at the beginning of nearly EVERY .php file in my whole install.

My find/replace function found over 900 instances of this code on separate documents. I deleted that line of .php from all the files and reuploaded them. I also changed the name of my system folder as a precaution, and reset my FTP passwords.

Aside from accidentally pushing up a very old stylesheet, I believe the malicious code is gone, but I’ll need to delete these “logs” files as well.

Here’s a helpful blog post from someone who experienced this hack on WP: http://www.stumbleupon.com/su/7PymQm/danhilltech.tumblr.com/post/

So, my question to support is: how can we know that we’ve really gotten rid of any extra files these stooges uploaded? Is there an easy way to check our 1800+ files against a clean expressionengine install?

Second this personally too… ive had this happen to a number of clients all running EE including only yesterday night… which has caused some hassle this morning as well as time… would be nice if there were any other pointers from Ellislab on security measures etc.

thanks
B.

Unfortunately, all my efforts yesterday did nothing to protect my site.

It has been hacked, again, for the second night in a row. There must be a security vulnerability somewhere in ExpressionEngine. Any tips on cleanup within EE?

You must have a file in there that is keeping the hidden code… have you checked EVERY php file, as it will have infected them all. Also make sure there is nothing in any of the JS files too.

Checking EVERY php file would entail over 900 files, and I’m not familiar with most of them since they were just part of the package for a basic ee install plus a few modules/plugins.

You will probably find that EVERY php file has some code in the top of it on the very first line along the lines of

<?php /**/ //eval(base64_decode("aWYo….......

You need to remove all this! and also check other files have not been added to your root or similar. Anything out of the ordinary.. without removing the source of the problem it will just come back.

Hello grahambot and Etheya,

Sorry to hear about the hack guys. No fun.

ExpressionEngine does not have any reported vulnerabilities.

As I mentioned above the hack can come from anywhere and lately users who have been hacked have had phpBB or WP in their directory as well. Until the hack is found and dealt with, it’s a never ending loop to repair the infected files.

This morning a user posted about a rash of hacks on Dreamhost. He also has some tips on cleaning up after it. Worth checking out.

Cheers,