I had an email from one of my users this morning telling me that my site had been hacked. Sure enough, when I went there I saw a single political page rather than my XOOPS home page. The page kept coming up even when I tried to access through files like user.php or register.php.

Basically, it turned out that theme.html.php in templates_c was displaying the foreign page. Once I deleted that file, everything went back to normal. I've checked the theme settings in preferences and the database, but haven't found anything so far. I'm using XOOPS 2.2.3 btw.

I've been in touch with my host, just to make sure they know what's going on. But none of my files were altered, and I'm not seeing anything that shouldn't be there, so I'm guessing this was some sort of injection attack.

Does anyone have any ideas what might have caused this? Aside from using the outdated. 2.2 branch, I have a couple of different things I'm looking at:

1. XoopsGallery recently had a security hole revealed. Currently I'm running 1.3, but I'm working on upgrading to the new version.

2. I recently activated WF-Downloads in order to host some files. Not sure if this could be the culprit, or if it's just a coincidence.

After deleting the theme file, it looks like everything is working, though I still have a placeholder index.html on the site atm. My plan now is to make backups and then upgrade to the most recent XOOPS release (is there a script that will roll back from 2.2?)

If anyone else has any help or advice on what to check, it would be much appreciated. Thanks!