Site Hacked - Help!

[renegade]

This morning the admin page for one of our sites now displays an alert box with OK button and hack message when logging in.

I've compared the local and remote source code and there's no changes and I've looked outside the root www folder for anything that's changed and I can't see anything.

The site still works but I'm obviously very worried and I can't get hold of my programmer at the moment.

Is there anything else I should be looking at?

Any help gratefully received.

[Elaine]

hope you've got it fixed Joe, if not my first port of call would be Rich. Sorry I can't help - but that won't surprise you

[tbp]

Theres got to be something on the page itself doing it, even if its pulling in code from elsewhere.

The problem with things like this is that although some bits are obvious like your popup message, but other things aren't. There could easily be a backdoor in another section of the site to let them back in, or sending data to a server.

As a result, even if you change the admin page you can' t be sure thats it. Ideally you need to restore the whole site from a backup so you know that there is nothing nasty left somewhere else.

[renegade]

Thanks Guys, and Kandevil for offer of help.
It turns out the problem was localised to my network - across all our macs, PC and across FF, IE and Safari!
I got one of my other programmer mates to take a look and it wasn't displaying the form for him so I shut down all our machines and rebooted the internet connection and now everything is back to normal but I'm going to change all the passwords because it's likely that info has got back to the intruder/hacker.
Has anyone else experienced this sort of network intrusion? It's the first time I've experienced something like this that affects all machines (Mac/PC) on network.

[befuddle]

I spotted that my own code site was hacked this morning.

The site appeared fine but I spotted what appeared to be a 1x1 pixel missing image on my home page only.

Assuming that I'd messed up the template slightly I viewed the source code to see lots of viagra related references and links to another site.

I've removed the header code but I'm concerned that it may re-appear as I don't know how it got there in the first place.

[purple]

This is a bit of a worry how can u check if ur site / sites have been hacked

[renegade]

Sorry to hear your site was hacked Ray.
The problem with my site turned out AIUI to be a javascript snippet posted into the search form which ran itself when I accessed the admin screen which displays the recent searches. I think it's pretty harmless.
Purple, keeping a sequence of backups of your online site means you can use a file compare tool to pick up any changes, there's probably some techy automated solutions out there was well but most sites probably don't justify this level of redundancy.
Thanks again for your posts everyone.

[Fraser]

Quote:

Originally Posted by befuddle I spotted that my own code site was hacked this morning. The site appeared fine but I spotted what appeared to be a 1x1 pixel missing image on my home page only. Assuming that I'd messed up the template slightly I viewed the source code to see lots of viagra related references and links to another site. I've removed the header code but I'm concerned that it may re-appear as I don't know how it got there in the first place.

I've had this problem too search rankings dropped liked a stone until I investigated and removed it. It was a wordpress site that cause the problem for me but I don't know how.

[DannyW]

The same happened to one of my WordPress based sites a month ago, ton's of pharma links.

It's a php injection into the .header.php producing a js file that will show a shed load of links in an off page div?

If so it was probably injected via trackback uri's, and will affect nearly all versions of WordPress below 2.3.**. The only thing you can do is upgrade to a newer version and hope they don't pop back once they've cracked this one..

Anyway I lost ranking (like a brick) for exactly 3 weeks to the day and believe it triggered a red-flag causing a manual review...