The very first thing you need to do is close your site! Don't be a virus spreader.
Upload a traditional index.html page that says something like "We are upgrading our site. We'll be right back."
Change your Administrator password on your website, your database and on your hosting account. Most likely the hacker got in through the server.
Back up your database using phpMyAdmin, or something like it. Make sure you select "Drop Table if Exists" in the options. Other than that, just accept the phpMyAdmin defaults.
Unless you have custom HTML/PHP/etc. pages that you've wrapped in XOOPS, all your content is in your database. That's great news!
If you have a custom theme, download it and manually remove any malicious code in it.
Download your mainfile.php and remove any malicious code from it.
If you've made any special hacks that are not documented, you'd better record them somewhere.
Make a note of every theme and every module installed on your site.
If you have any files (like images) you've uploaded, download them to a safe place and scan them for viruses.
Now delete your current install of XOOPS. And I mean every last file! Going through every file for a mass infestation is too time consuming.
After you've deleted the XOOPS files, reupload the exact same version of XOOPS you were using as well as the exact same version of the modules you had installed.
Reupload your mainfile.php and set its permissions to 444 (chmod) or Read Only (Windows).
Reupload your cleaned files and custom theme, if applicable.
If you have SSH access to the server, chmod all directories to 755 and all files to 644. Then set mainfile.php to 444.
/**Side Note**/
Some may tell you to set the uploads/ cache/ and templates_c/ directories to 777. I currently have 10 sites running with the folder permission set to 755 on ALL directories and have yet to have a problem. This may or may not work for you, but it's worth a shot.
/**End Note**/
If you don't have SSH access, you'll need to change the permissions on your files and folders manually over FTP or through the cPanel File manager, whichever is applicable or preferred in your situation.
The above are the steps I performed when MyWebResource was hacked a while back. Turns out my new host didn't use as strict file system permissions as my old host and the site got compromised because I neglected to check the file system permissions. It just goes to show, you cannot get lazy.
Hope this helps.
James
Insanity can be defined as "doing the same thing over and over and expecting different results."
Stupidity is not a crime. Therefore, you are free to go.
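Added example, not part of James's post: a shell sketch of the SSH permission step above (directories 755, files 644, mainfile.php 444), with a check that lists anything still group- or world-writable afterwards. The function names and the sample tree are constructed for illustration; the XOOPS root is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print every directory or file that is still group- or world-writable.
audit_writable() {
    find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) -print
}

# True if the path has exactly the given mode (portable stand-in for stat).
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Directories 755, files 644, then mainfile.php 444, as in the post.
# Refuses to run on a directory that does not look like a XOOPS root.
reset_perms() {
    root=$1
    if [ ! -f "$root/mainfile.php" ]; then
        echo "refusing: no mainfile.php under '$root'" >&2
        return 1
    fi
    find "$root" -type d -exec chmod 755 {} + &&
    find "$root" -type f -exec chmod 644 {} + &&
    chmod 444 "$root/mainfile.php"
}

# Constructed sample tree with the loose permissions the post warns about.
# Runs in a subshell so the umask change does not leak into the caller.
make_sample_tree() (
    umask 022
    t=$(mktemp -d)
    mkdir -p "$t/uploads" "$t/cache" "$t/templates_c" "$t/modules/news"
    : > "$t/mainfile.php"
    : > "$t/uploads/logo.png"
    : > "$t/modules/news/index.php"
    chmod 777 "$t/uploads" "$t/cache" "$t/templates_c"
    chmod 666 "$t/mainfile.php" "$t/uploads/logo.png"
    echo "$t"
)

# Usage: sh fixperms.sh /path/to/xoops
if [ -n "${1:-}" ]; then
    reset_perms "$1" && audit_writable "$1"
fi
```

Empty output from `audit_writable` after the reset means nothing under the tree is writable by group or others.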