Hacked Login Form
-
-
- cchang
- Jr. Rocketeer
- Posts: 44
- Thanks: 0
-
Our website was hacked and the intruders attempted to hijack our login module. We cleaned out everything that we thought was tampered with, ran security scans, checked all permissions, looked for file changes by date, etc. But we still have what appears to be a URL rewrite happening on our logon form. The links go nowhere and users get a 404, but it is really annoying. We have not been able to figure out where the rewrite is occuring. Pretty certain that this is the only remaining security gap for now.
We are using Metropolis theme.
I tried creating a new login module and placing it in the same position on the screen, but it comes back with the same rewrite. I have checked the php in the login module, the helper module, htaccess, etc and cannot find where this is coming from. Can someone point me in the right direction? Any ideas of where to look. CSS, other includes, etc.
The url after rewrite looks like http://website/index.php/aladat+cvs+price
Thanks in advance.
-
-
-
- DanG
- Preeminent Rocketeer
- Posts: 36750
- Thanks: 3229
- Custom work done
-
cchang wrote:
Can someone point me in the right direction? Any ideas of where to look. CSS, other includes, etc.
Hacks are always PHP file based as they need to inject their malicious content into the page output. You can't do that with CSS.
Check out these two links:
https://www.akeebabackup.com/documentation/admin-tools/php-file-scanner.html
https://securitycheck.protegetuordenador.com/
-
Time to create page: 0.047 seconds