Website hacked, how do I find the malicious code?
How Do I?
Hi everyone,
I have a quite old website from a former client created in 2012 and not managed anymore that has been cracked. The problem is only in this page http://www.montefiore.ch/index.php/products/ita and shows an injected ad that I don’t know how to remove. I noticed that the ad disappears if I delete the bullet points in the content. I altro tried several times to update my install to Expressionengine 2.11.9 but every time I launch the updated website I have a “your page has too many redirects…” even if there are no more .htaccess, the cookies has been deleted and the Detour and Structure extensions are disabled.
How can I clean the website? I appreciate any help Alberto
In terms of the hack. you can check the core files for alterations by checking the dates and see if anything shows as recently edited. If you have the original ee files for that version you could backup the db and config files, then reinstall. Based on what you are saying, I assume there is no clean backup to restore from?
Its uncommon for an ee install to be compromised, even an older version. Are you on shared hosting? Often (almost always) the intruder gets in to the host via another accounts problem WP install and the host has done a poor job of configuring/securing the shared environment.
Regarding the update:
Try to turn off extensions in your config file. Open system/expressionengine/config/config.php and change “allow_extensions” to n: $config[‘allow_extensions’] = “n”;
in case there is a gotcha beyond Detour and Structure. I assume those were updated to their most current versions for ee 2.x?
Hi Jeremy,
thank you for the suggestion, I will start to check any modified file; yes, Structure was updated and Detour deactivated. I will post soon the results of my scan. Alberto