-
Do you have phpmyadmin installed on those sites?
Not at the time of the hack; I installed it after.
-
What version of Revo were the sites using, or what were they using on the date the hack happened?
-
I asked about phpmyadmin, because when you install it on a Cloud installation, by default it's in the /phpmyadmin/ folder, which doesn't exist until it's installed, and you mentioned one site at least that had one of the malicious files in there.
2.2.1, I think.
It was not phpmyadmin, it was phpdmyadmin.
This week I also noticed a site was hacked this way by inserting malicious spam code. Despite removing the corrupted files /assets/cache.idx.php, /assets/xPDO.idx.php and /core/cache/xPDO.idx.php, removing the admin users that shouldn't be there, and changing all passwords for the site and database, somehow the code was still there. By doing a search in the database on "Xpdo core services" I found the malicious plugin. Removed it and spam hacks are gone.
I hope that was it.
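
A cleanup check for the file artifacts named in this thread, as an added example that is not part of any post above. The helper names `list_modx_iocs` and `scan_modx_iocs` and the web-root argument are assumptions, and the `*.idx.php` sweep generalizes from the three reported file names, so its hits need manual review.

```shell
#!/bin/sh
# Added example: check a MODX web root for the artifacts named in this thread.
# list_modx_iocs / scan_modx_iocs are hypothetical helper names, not MODX tools.
# Usage: scan_modx_iocs <web-root>

# File paths reported in the thread, relative to the web root.
REPORTED="assets/cache.idx.php assets/xPDO.idx.php core/cache/xPDO.idx.php"

list_modx_iocs() {
    root=$1
    # Exact file paths reported in the thread.
    for p in $REPORTED; do
        if [ -f "$root/$p" ]; then echo "REPORTED_FILE $p"; fi
    done
    # Look-alike folder from the thread (phpdmyadmin, with an extra "d").
    if [ -d "$root/phpdmyadmin" ]; then echo "LOOKALIKE_DIR phpdmyadmin"; fi
    # Assumption: other *.idx.php files in the same folders deserve a manual look.
    find "$root/assets" "$root/core/cache" -type f -name '*.idx.php' 2>/dev/null |
    while IFS= read -r f; do
        rel=${f#"$root"/}
        case " $REPORTED " in
            *" $rel "*) ;;              # already listed above
            *) echo "REVIEW $rel" ;;
        esac
    done
    return 0
}

# Prints findings; returns 0 when the tree is clean, 1 when anything matched.
scan_modx_iocs() {
    findings=$(list_modx_iocs "${1:?usage: scan_modx_iocs <web-root>}")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}
```

A clean result here covers files only: in the last post the spam persisted until the plugin was found by searching the database for "Xpdo core services".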