Received an email regarding this

Your 1&1 webspace has been attacked via a security leak in the software you
> installed. As a result of this attack, a phishing site has been uploaded to your
> 1&1 webspace. These sites are used to steal login information for eBay,
> PayPal, bank accounts etc. The site was to be found at:
>
> http:\\********\xoops_lib\modules\wachovia\index.htm
After having analyzed the attack and disabled the files related to the phishing
> site, we will unlock your webspace.
>
> The intrusion was processed via your script:
> ./xoops_lib/modules/protector/notification.php
>
>
> These files were used to upload the malicious content or send spam:
> ./themes/zetagenesis/img/questions.php
> ./themes/zetagenesis/img/verification2.php
> ./themes/zetagenesis/img/verification3.php
> ./themes/zetagenesis/img/verification.php
> ./themes/zetagenesis/img/verify.php
> ./themes/zetagenesis/img/wellsfargo.php
> ./themes/zetagenesis/img/wellsfargo-online.php
> ./uploads/tmx.php
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.htm
> ./xoops_lib/modules/protector/library/HTMLPurifier/update.php
> ./xoops_lib/modules/protector/library/get.php
> ./xoops_lib/modules/protector/library/index.html
> ./xoops_lib/modules/protector/library/thankyou.htm
> ./xoops_lib/modules/protector/library/notes.txt
> ./xoops_lib/modules/protector/library/webpay/get.php
> ./xoops_lib/modules/protector/library/webpay/thankyou.htm
> ./xoops_lib/modules/protector/library/webpay/index.html
> ./xoops_lib/modules/protector/library/webpay/notes.txt
> ./xoops_lib/modules/protector/language/german/wuse.php
> ./xoops_lib/modules/protector/language/russian/gate.php
> ./xoops_lib/modules/protector/main/index.php
> ./xoops_lib/modules/protector/main/wellsfargo-online.php
> ./xoops_lib/modules/protector/main/questions.php
> ./xoops_lib/modules/protector/main/verification.php
> ./xoops_lib/modules/protector/main/verify.php
> ./xoops_lib/modules/protector/main/mail11[1]..php
> ./xoops_lib/modules/protector/wuse.php
> ./xoops_lib/modules/protector/code.php
> ./xoops_lib/modules/protector/admin_page.php
> ./xoops_lib/modules/protector/notification.php
> ./xoops_lib/modules/wachovia/index.htm
> ./xoops_lib/modules/wachovia/index2.htm
> ./xoops_lib/modules/wachovia/login2.php
> ./xoops_lib/modules/wachovia/wachovia.php
> ./xoops_lib/plain.php
>

sorry to hear this..

i think this is related

https://xoops.org/modules/news/article.php?storyid=4601

1. make sure there's an index.html file in every folder with the following code inside:



2. put xoops_lib outside document root or put htaccess in xoops_lib

Quote:

Quote:

Good idea to rename the folder too (you'll need to change the reference to it in mainfile.php too).

Thanks for all the help, all infected files are now deleted.

Thanks Guys

Quote:

Hi, just a question.

I can only put this code in a empty html file? that's it? Or I need to put another code like etc?

And I must put this index.html file in every folder, no exceptions?

Thanks

Yes, only the text as showed. If you look around on your site, there should be plenty examples, which you can copy.
In principle, every directory should have this file.

You can also add this to your .htaccess:


Read also some threads and articles for advice about hacked sites.

If files have been altered, change all your administration passwords on all levels (XOOPS admin, MySQL, site, FTP, ...).