Recently I've seen a hack that edits the "ad_navbar_below" template by adding a <script> tag and trying to load a domain.
The first one added a script that loaded a "lovehouse.work/......" URL, as well as another one. Then when I tracked this down and removed the template, it was hacked again 3 days later and the URL now became "adsmedia.work/.......".
Here are two screenshots of the first and second hacks. I remove the script and save the template. It seems that hack source, whatever it is, is still available.
Since templates are stored in the DB, I don't think this is going through FTP or something like that. I checked "last" and "lastb" on the server but there are no logins I don't recognize.
Our admincp is protected by an htaccess block that only two people know.
I realize there is this big long procedure for trying to clear this out and remove templates and reinstall everything and stuff, but I can't jack the forum that much. I need to discover this specifically. There has to be a log or report or trail somewhere for how this template got edited.
I don't run a ton of plugins, just a highly customized template. I have spam-o-matic in there, a tiny email-related script, and Tapatalk. That's it. I'm on version 4.2.3.
I've tried looking at Apache logs, access logs, server messages. A lot of stuff there, not sure what I'm looking for. Googling this issue, it doesn't seem others are experiencing it (yet?).
Any ideas?
The first one added a script that loaded a "lovehouse.work/......" URL, as well as another one. Then when I tracked this down and removed the template, it was hacked again 3 days later and the URL now became "adsmedia.work/.......".
Here are two screenshots of the first and second hacks. I remove the script and save the template. It seems that hack source, whatever it is, is still available.
Since templates are stored in the DB, I don't think this is going through FTP or something like that. I checked "last" and "lastb" on the server but there are no logins I don't recognize.
Our admincp is protected by an htaccess block that only two people know.
I realize there is this big long procedure for trying to clear this out and remove templates and reinstall everything and stuff, but I can't jack the forum that much. I need to discover this specifically. There has to be a log or report or trail somewhere for how this template got edited.
I don't run a ton of plugins, just a highly customized template. I have spam-o-matic in there, a tiny email-related script, and Tapatalk. That's it. I'm on version 4.2.3.
I've tried looking at Apache logs, access logs, server messages. A lot of stuff there, not sure what I'm looking for. Googling this issue, it doesn't seem others are experiencing it (yet?).
Any ideas?
Comment