1
stoddard
Help website hacked!!!!!
  • 2005/9/12 0:43

  • stoddard

  • Just popping in

  • Posts: 14

  • Since: 2005/8/23


My site has been hacked and tons of malicious code and trojan downloaders have been added to each of the pages.
Worse still when I try to go to the admin menu the page is blank.
Every single page has malicious code and downloaders on it.
what can I do?


any help welcomed

here is the site: http://www.roughhausen.tinderboxrecords.com

take a look and see but I suggest you have a good antivirus system if you do go to take a look.

I just noticed that the affected pages only show if I am logged in as an admin.
regular users and anonymous users are unaffected.

pages hit :
http://roughhausen.tinderboxrecords.com/user.php
http://roughhausen.tinderboxrecords.com/admin.php
actually any php page is infected

?
help

2
phppp
Re: Help website hacked!!!!!
  • 2005/9/12 1:09

  • phppp

  • XOOPS Contributor

  • Posts: 2857

  • Since: 2004/1/25


First of all, empty /template_c/
And contact your hosting company.

Last time the same problem happened to my sites and it was finally found out that the server was hacked through another Forum program.

3
JMorris
Re: Help website hacked!!!!!
  • 2005/9/12 1:19

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


The very first thing you need to do is close your site! Don't be a virus spreader.

Upload a traditional index.html page that says something like "We are upgrading our site. We'll be right back."

Change your Administrator password on your website, your database and on your hosting account. Most likely the hacker got in through the server.

Back up your database using phpMyAdmin, or something like it. Make sure you select "Drop Table if Exists" in the options. Other than that, just accept the phpMyAdmin defaults.

Unless you have custom HTML/PHP/etc. pages that you've wrapped in XOOPS, all your content is in your database. That's great news!

If you have a custom theme, download it and manually remove any malicious code in it.

Download your mainfile.php and remove any malicious code from it.

If you've made any special hacks that are not documented, you'd better record them somewhere.

Make a note of every theme and every module installed on your site.

If you have any files (like images) you've uploaded, download them to a safe place and scan them for viruses.

Now delete your current install of XOOPS. And I mean every last file! Going through every file for a mass infestation is too time-consuming.

After you've deleted the XOOPS files, reupload the exact same version of XOOPS you were using as well as the exact same version of the modules you had installed.

Reupload your mainfile.php and set its permissions to 444 (chmod) or Read Only (Windows).

Reupload your cleaned files and custom theme, if applicable.

If you have SSH access to the server, chmod all directories to 755 and all files to 644. Then set mainfile.php to 444.

/**Side Note**/
Some may tell you to set the uploads/ cache/ and templates_c/ directories to 777. I currently have 10 sites running with the folder permission set to 755 on ALL directories and have yet to have a problem. This may or may not work for you, but it's worth a shot.
/**End Note**/

If you don't have SSH access, you'll need to change the permissions on your files and folders manually over FTP or through the cPanel File manager, whichever is applicable or preferred in your situation.

The above are the steps I performed when MyWebResource was hacked a while back. Turns out my new host didn't use as strict file system permissions as my old host and the site got compromised because I neglected to check the file system permissions. It just goes to show, you cannot get lazy.

Hope this helps.

James
Insanity can be defined as "doing the same thing over and over and expecting different results."

Stupidity is not a crime. Therefore, you are free to go.
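
The permission scheme from the steps above (directories 755, files 644, mainfile.php 444), applied over SSH and then verified, with a count of world-writable entries for the 777 case raised in the side note. This is an added example, not part of the original post; the function names, the script name and the assumption that mainfile.php sits directly in the web root passed as the argument belong to the example.

```shell
#!/bin/sh
# Added example (not from the original post): apply and audit the scheme
# "directories 755, files 644, mainfile.php 444" under a XOOPS web root.
# Assumption: mainfile.php sits directly in the directory passed as $1.

apply_perms() {
    root=${1%/}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -type d / -type f never match symlinks, so link targets outside
    # the web root are left alone.
    find "$root" -type d -exec chmod 755 {} + || return 1
    find "$root" -type f -exec chmod 644 {} + || return 1
    if [ -f "$root/mainfile.php" ]; then
        chmod 444 "$root/mainfile.php" || return 1
    fi
}

# Print every path whose mode deviates from the scheme.
list_deviations() {
    root=${1%/}
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -path "$root/mainfile.php" ! -perm 644 -print
    if [ -f "$root/mainfile.php" ]; then
        find "$root/mainfile.php" ! -perm 444 -print
    fi
}

count_deviations() { list_deviations "$1" | wc -l | tr -d ' '; }

# World-writable entries (the 777/666 case from the side note).
count_world_writable() {
    find "${1%/}" \( -type d -o -type f \) -perm -0002 -print | wc -l | tr -d ' '
}

# Usage: sh fixperms.sh /path/to/xoops   (script name is hypothetical)
if [ -n "${1:-}" ]; then
    echo "world-writable before: $(count_world_writable "$1")"
    apply_perms "$1" || exit 1
    list_deviations "$1"
    echo "deviations after: $(count_deviations "$1")"
fi
```
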

4
stoddard
Re: Help website hacked!!!!!
  • 2005/9/12 2:36

  • stoddard

  • Just popping in

  • Posts: 14

  • Since: 2005/8/23


thanks brother great info

now the real work begins

5
menochi
Re: Help website hacked!!!!!
  • 2005/9/12 5:53

  • menochi

  • Friend of XOOPS

  • Posts: 259

  • Since: 2003/12/28


Thank you JMorris, your answer is really a good "how to do".
I will pin it on my blackboard and send it to my friends.
in valid code we trust

6
carnuke
Re: Help website hacked!!!!!
  • 2005/9/12 7:05

  • carnuke

  • Home away from home

  • Posts: 1955

  • Since: 2003/11/5


Thanks James! This will be FAQd!
http://houseofstrauss.co.uk Resource for alternative health and holistic lifestyle
search xoops

7
JMorris
Re: Help website hacked!!!!!
  • 2005/9/12 9:54

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


No problem.

I did forget to mention something. Before you re-upload your cleaned mainfile.php, you'll need to change the MySQL password to whatever the new password is.

Something else you may want to consider is moving your database details out of mainfile.php...

Tutorial: http://xoops-tips.com/news-article.storyid-1.htm

... and you may also want to consider installing the Protector module by GIJOE.

Link: http://www.peak.ne.jp/xoops/md/mydownloads/viewcat.php?cid=1

Best Regards,

James

8
stoddard
Re: Help website hacked!!!!!
  • 2005/9/12 22:29

  • stoddard

  • Just popping in

  • Posts: 14

  • Since: 2005/8/23


Hey james anybody tell you...you rock! today?

9
otr222
Re: Help website hacked!!!!!
  • 2005/9/12 23:48

  • otr222

  • Not too shy to talk

  • Posts: 124

  • Since: 2005/5/13


It's probably all that coffee.
Nice write up James.

10
JMorris
Re: Help website hacked!!!!!
  • 2005/9/13 3:21

  • JMorris

  • XOOPS is my life!

  • Posts: 2722

  • Since: 2004/4/11


Quote:

stoddard wrote:
Hey james anybody tell you...you rock! today?


Nope, not lately, but thank you! It's nice to know I can be of some use from time to time.

And yes... It's the coffee.

Best Regards,

James
