
Site Got Hacked, line of bogus "code" on first line of every PHP file in my entire root directory

Inferno0032

Golden Member
Title basically describes it all, apparently a security weakness was found out in my site's script, and I got hacked, already an update this afternoon to fix the vulnerability, but I'm left with a huge headache.

Can you write something that will search for the "code" inserted and delete it?

Any other ways to delete it as quickly as possible? Or at least to mass-search the contents of my files to find all the files that contain the line of code?

Thanks so much in advance!

EDIT- Also found the code in PHTML files as well.
 
Originally posted by: KLin
Restore from backup and fix the vulnerability?

Huhaaah, the epic win twist!

Fairly new site ~month old. I back up all other sites very, very often.... did I back up this one? The one I've been working on the most? Why would I do something like that and save my skin?

Yeah, feel like a real winner right now, and actually could have sworn I had a backup on at least one of my machines, but do not. I am paying for it now, and now need a "dirty" solution. I haven't changed much from default script install, so I'm going to try to replace the directories with that and see if I can fix it and not lose any information.

Any other ideas?
 
Are you that sure you know what all the modifications are? Sounds like you have nothing you can diff against, so for my part I wouldn't be convinced the problem was resolved until I had inspected every line.
 
Any basic text editor with simple multi-file search/replace functionality should suffice. It's a fairly common feature.
 
Originally posted by: Markbnj
Are you that sure you know what all the modifications are? Sounds like you have nothing you can diff against, so for my part I wouldn't be convinced the problem was resolved until I had inspected every line.

It's from an open source script, so the few changes I made can be compared to a default install. And as for inspecting every line, there are just under 10,000 files, inspecting every line isn't much of an option.

If all else fails, I really won't lose a great amount if I have to start from scratch. Notepad++ has done the trick, now uploading to see if all is well.

Thanks for the help!
 
Don't forget to change passwords. And make sure you don't have one of those viruses that steal FTP info from your FTP clients. They suck, and are very viral on developers' machines because of how much FTP info is typically on them.
 
Originally posted by: NiKeFiDO
Don't forget to change passwords. And make sure you don't have one of those viruses that steal FTP info from your FTP clients. They suck, and are very viral on developers' machines because of how much FTP info is typically on them.

Yup, first thing I did, deleted any and all unused directories/ftp/access clients, and changed the passwords on anything that I was using.
 
Yes, you can use sed. You should be able to do it in one line from the shell.

Can you print the line of code here?
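As an added example (not code posted in this thread), here is a POSIX shell sweep along the lines of the sed suggestion above: it lists every .php/.phtml file whose first line exactly equals one known injected line, keeps an untouched copy of each hit for later review, and only then strips the line. The injected line is a constructed placeholder, and the match is an exact string comparison rather than a sed regex, because real injected lines are full of characters (`<`, `?`, `*`, `/`, `(`) that make a hand-escaped regex easy to get wrong.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the injected line is byte-identical in every
# file and sits on line 1 only. INJECTED is a constructed placeholder, not real malware.
INJECTED='<?php /* CONSTRUCTED-PLACEHOLDER-INJECTED-LINE */ ?>'

# List every .php/.phtml file under $1 whose first line equals INJECTED exactly.
# Plain string comparison, not a regex: injected lines are full of sed metacharacters.
find_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | while IFS= read -r f; do
        if [ "$(head -n 1 "$f")" = "$INJECTED" ]; then printf '%s\n' "$f"; fi
    done
}

# Strip line 1 of $1 only if it matches, after saving an untouched copy under $2
# (the .quarantined suffix keeps that copy out of later find_infected runs).
clean_file() {
    f=$1; quarantine=$2
    if [ "$(head -n 1 "$f")" != "$INJECTED" ]; then return 1; fi
    mkdir -p "$quarantine"
    cp -p "$f" "$quarantine/$(printf '%s' "$f" | tr '/' '_').quarantined"
    tail -n +2 "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Number of files under $1 still carrying the line; 0 means the sweep is complete.
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# Clean every hit under $1 and report how many remain.
sweep() {
    root=$1
    find_infected "$root" | while IFS= read -r f; do
        clean_file "$f" "$root/.quarantine"
    done
    count_infected "$root"
}

# Constructed demo tree: two infected PHP files, one clean file, one infected .txt ignored.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/inc"
    printf '%s\n<?php echo "index"; ?>\n' "$INJECTED" > "$root/index.php"
    printf '%s\n<div>tpl</div>\n' "$INJECTED" > "$root/inc/view.phtml"
    printf '<?php echo "clean"; ?>\n' > "$root/inc/clean.php"
    printf '%s\n' "$INJECTED" > "$root/notes.txt"
    printf '%s' "$root"
}

# Stand-alone run: build the demo tree, list hits, sweep, print the remaining count.
ROOT=$(demo_tree); find_infected "$ROOT"; sweep "$ROOT"; rm -rf "$ROOT"
```

Run it with the real line pasted into INJECTED and the site root in place of the demo tree; the quarantined copies are what you diff against a clean install afterwards.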
 
I wouldn't trust any existing files that were exposed when the hack happened. That's just me. I would restore from last check in from my code repo.
 
Anytime a server gets hacked you should backup your data if you don't have a recent valid backup, format and start over.
 
Revert to the last backup.

Then do a line by line comparison of all source files.

Rebuild all binaries.
 