Curious if anyone else has had this issue. I checked my site today, and only the Top Navigation on my Home page was changed; the internal pages were fine, which is interesting because they all use the top.phtml file.
I checked my logs for strange IPs and compared my local install vs my live install to see if any files were changed (using Beyond Compare).
I didn’t see anything particularly interesting in my logs, and I didn’t see any files changed on my live site, so the only place left to check was my database.
I changed my top.phtml file previously to add 2 links like this:
<?php //if(count($this->getStoreCategories())>1): ?>
<?php foreach ($this->getStoreCategories() as $_category): ?>
<?php echo $this->drawItem($_category) ?>
<?php endforeach ?>
<li><a href="<?php echo $rooturl;?>/blog">BLOG</a></li>
<li><a href="<?php echo $rooturl;?>/forum" class="last">FORUM</a></li>
<?php //endif; ?>
The /blog and /forum links were the only links changed by this “hack”, so maybe the way I implemented this has a security vulnerability.
The links were changed to “wantsfly dot com”.
I searched my database for the domain name and it was only found in the log_url_info table. I also noticed plenty of visits from hxxp://proxyjudge1.proxyfire.net/fastenv
Here is what the wantsfly value looked like:
Does this mean anything to anyone?
So from what little I know, it looks like someone was using proxies to find an exploit.
All I had to do to fix my site was clear the cache.
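Since the files were unchanged and clearing the cache restored the links, one way to spot this kind of tampering is to scan cached HTML fragments for links to hosts you do not own. The sketch below is an added example, not part of the original post; it assumes the cache is stored as files on disk, and the host names, the sample fragment and the function names are all constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HrefCollector(HTMLParser):
    """Collect the href of every <a> tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v.strip() for k, v in attrs if k == "href" and v]


def foreign_links(html, allowed_hosts):
    """Return (href, host) pairs whose host is not in allowed_hosts."""
    parser = HrefCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for href in parser.hrefs:
        host = urlsplit(href).hostname  # None for relative links like "/blog"
        if host and host not in allowed:
            hits.append((href, host))
    return hits


def scan_cache_dir(cache_dir, allowed_hosts):
    """Walk cache_dir (path is an assumption) and map file -> foreign links."""
    report = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = foreign_links(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample: a cached navigation fragment after tampering.
SAMPLE = """<ul id="nav">
<li><a href="http://shop.example/shoes.html">Shoes</a></li>
<li><a href="http://injected.example/blog">BLOG</a></li>
<li><a href="//injected.example/forum" class="last">FORUM</a></li>
<li><a href="/contact">Contact</a></li>
</ul>"""
```

Run `scan_cache_dir` against the cache directory with your own store host(s) in `allowed_hosts`; any entry in the returned report is a cached block worth comparing against its template before you flush it.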