Hacked

My web host, InMotion, ran some scans today as a result of some issues I was having. They found four areas where I may have been hacked.

./http:/southregionstars.com/dir/translations/French.txt
./http:/southregionstars.com/dir/translations/French-UTF8.txt
./cgi-bin/pages.php
./concrete/pages.php

I'm not quite sure what to do now. I did find ./cgi-bin/pages.php, which is GIF image data, version 89a, 16188 x 26736. Is this file supposed to be there, or is it safe to remove it?

As for the French translation files, there's a lot of code (much of it is about The Coolest DHTML Calendar widget (from SourceForge)). (All the 'translations' include the same copy but in the native language.)

Where do I go from here???

 
Hypocrite replied:
1. Back up everything, files and database, in a safe place which cannot be accessed. You can, for example, download all the files in a ZIP file to your computer.
2. Remove any extra files. At least that pages.php should not be there.
3. Change your FTP password.
4. Check your computer for viruses or malware.

Are you running any other scripts or applications on your site except concrete5? If there is some other application, I would check if it has any known security holes.

If there is only concrete5, I would guess that your FTP password has been hacked. The safest bet is to change the password.
Webcoach replied:
Thanks so much! I have already changed most of my passwords and will do the FTP next. Question, though -- if I download all my files to a safe place, won't the corrupt files also be downloaded? In other words, how can I tell which are the 'extra pages'?

I really appreciate your advice...

Reine
Webcoach replied:
Sorry - I meant back-up, not download.
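
An added example, not part of the original thread: a GIF header stores width and height in bytes 6-9, and the bytes `<?ph` read that way give exactly 16188 x 26736, so the scan result for ./cgi-bin/pages.php is consistent with a file that begins `GIF89a<?php`. The Python sketch below flags that kind of mismatch; the sample tree, its contents, the extension list and the function names are constructed assumptions.

```python
import os
import struct
import tempfile


def gif_dimensions(data):
    """Return (width, height) from a GIF header, or None if not a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 10:
        return None
    # Bytes 6-9: logical screen width and height, little-endian 16-bit.
    return struct.unpack("<HH", data[6:10])


def classify(path):
    """Return a finding for a suspicious file, else None (short tags not covered)."""
    with open(path, "rb") as fh:
        data = fh.read(1 << 20)  # first 1 MiB is enough for triage
    dims = gif_dimensions(data)
    if dims and path.lower().endswith((".php", ".phtml", ".php5")):
        return "script extension with GIF header %dx%d" % dims
    if dims and b"<?php" in data.lower():
        return "GIF file containing a PHP open tag"
    return None


def scan(root):
    """Walk root and return sorted (relative_path, finding) pairs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for full in (os.path.join(folder, n) for n in files):
            result = classify(full)
            if result:
                findings.append((os.path.relpath(full, root), result))
    return sorted(findings)


def demo():
    """Scan a constructed sample tree; names and contents are made up."""
    samples = {
        "cgi-bin/pages.php": b"GIF89a<?php /* constructed placeholder */ ?>",
        "index.php": b"<?php echo 'ok'; ?>",
        "images/logo.gif": b"GIF89a\x10\x00\x10\x00\x00\x00\x00;",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "wb") as fh:
                fh.write(body)
        return scan(tmp)
```

Calling `demo()` returns the single finding for the constructed tree; `scan()` takes any directory, such as a downloaded backup copy of the site.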