Textpattern CMS support forum

#1 2008-10-09 11:07:27

spudz
Member
Registered: 2005-12-09
Posts: 28

My site was hacked badly

Hi, my website eoghanobrien.com was spammed heavily (take a look at the source). I think it may have been through the contact form (zem contact plugin). I haven’t updated the core for about a year and a half; I’m using version 4.0.3.

I’ve looked through my server for any files I didn’t recognize but I haven’t found anything. Has anyone seen something like this before? I tried searching but whenever I followed a link I got a Bad Request error.

#2 2008-10-09 13:28:53

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: My site was hacked badly

I don’t really see what’s spammy in the HTML source.

Both TXP and the zem_contact(_reborn) plugin have been updated several times since 4.0.3 and some of those updates were security related. Please upgrade to recent versions.

#3 2008-10-09 13:36:27

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: My site was hacked badly

Please, because of security issues, update your

  • Textpattern install
  • Plugins, including ZCR
  • And possibly even server specs (PHP)

to the newest stable versions, to make sure that the security is bulletproof. Outdated installs can eventually cause these kinds of failures.

Updating is easy to do by replacing the old files with new ones (and removing unknown old files). Also, to make sure that everything is okay, remember to clean your database; the simplest way is to restore an old db backup and then update.

ruud wrote:

I don’t really see what’s spammy in the HTML source.

And btw, that is quite common SEO hacking. There are CSS hidden links in the source, on the contact page.

Last edited by Gocom (2008-10-09 13:37:52)

#4 2008-10-09 13:38:14

spudz
Member
Registered: 2005-12-09
Posts: 28

Re: My site was hacked badly

I’ve since found the files. It was a header injection through zem contact alright, I’d say. I had to go through all files in the root directory and all index files in all subdirectories and delete some iframe HTML; the spam itself was in the index.php file in the root. I’ll update the zem contact plugin asap, thanks.
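
The manual cleanup described in post #4 (every file in the web root plus every index file in the subdirectories, checked for injected iframe HTML) and the CSS-hidden links mentioned in post #3 can be scripted. This is an added example, not part of the original posts or of Textpattern; the patterns, function names and sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Injected iframes, and an element hidden by inline CSS that wraps a link.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"<(div|span|p)\b[^>]*style\s*=\s*[\"'][^\"']*"
    r"(display\s*:\s*none|visibility\s*:\s*hidden|(left|top|text-indent)\s*:\s*-\d{3,})"
    r"[^\"']*[\"'][^>]*>(?:(?!</\1>).)*?<a\b", re.I | re.S)

def scan_file(path):
    """Return sorted (line, kind, snippet) findings for one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    for kind, rx in (("iframe", IFRAME), ("hidden-links", HIDDEN)):
        for m in rx.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, kind, m.group(0)[:80]))
    return sorted(findings)

def scan_webroot(root):
    """Scan all files directly in root plus every index.* file below it."""
    root, results = Path(root), {}
    for path in sorted(root.rglob("*")):
        in_scope = path.parent == root or path.name.lower().startswith("index.")
        if path.is_file() and in_scope:
            found = scan_file(path)
            if found:
                results[path.relative_to(root).as_posix()] = found
    return results

def demo():
    """Scan a constructed sample tree (all file contents are made up)."""
    samples = {
        "index.php": '<?php // constructed sample\n<div style="position:absolute;'
                     ' left:-9999px"><a href="http://spam.example/">x</a></div>\n',
        "images/index.html": '<html>\n<iframe src="http://bad.example/"></iframe>\n',
        "images/notes.txt": "<iframe> in a non-index file, out of scope\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            Path(root, rel).parent.mkdir(exist_ok=True)
            Path(root, rel).write_text(body, encoding="utf-8")
        return scan_webroot(root)

if __name__ == "__main__":
    for rel, found in demo().items():
        print(rel, found)
```

A hit is a lead for manual review against a known-good copy of the file, since legitimate templates can also contain iframes or hidden elements.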

#5 2008-10-12 23:55:04

quinceginger
Member
From: Romania
Registered: 2006-08-21
Posts: 29

Re: My site was hacked badly

Hi,

My site MisesRomania.org also experienced bad security problems.

I had a 400 File not found and needed a backup, then a 500 Internal server error after 10 days, then malicious code, then malicious code again today.
The server admins are clueless as to the cause(s), but they succeed in putting it back together in minutes. They experience similar problems with other sites.

I will update all plugins asap. Does anybody also advise a reinstallation of Textpattern 4.0.6? Could some malicious code be in the database also?

Is it normal that the server admins cannot help too much with this? For the record, I am hosted by maiahost.com and was quite happy until the recent problems.

Thanks for your kind replies!
Tudor
