Home page script injection

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

webdroid
Forum Newbie
Posts: 3
Joined: Thu Apr 05, 2007 7:22 am

Home page script injection

Post by webdroid »

I have a site on a shared server that mysteriously gets hacked between the client and the server. My ISP gave up trying to figure it out and thinks it's me (I've done extensive client a/v scanning and this occurs on several clients for just one URL - and due to several other reasons don't have much faith in this ISP for solving issues).

An HTML script tag referencing a randomly generated *.js file name is inserted after the body tag. This results in client side code in the randomly generated file trying to download a virus.

All I can figure is the PHP interpreter or one of its config files has been hacked to filter files and insert this code. Is this possible? I tried replacing the file when I first discovered this, and within minutes the tags started appearing in the new file (but if you look at the original file on the server there is no tag - and the *.js file keeps changing). To me, this looks like a server problem, but they say they are fine.

Any ideas? This is one crafty virus / hack. And it happens very infrequently. I've also managed to grab the *.js file using SpyBye.org's proxy - which tells me it's definitely not a client issue.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Check the auto_prepend_file and auto_append_file settings. You may have to dig through all your scripts to find odd source. If you've replaced all the source with original versions then the leak is likely somewhere else or your scripts allow arbitrary code execution.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Search Google for the text (or a sample unique string from it) being appended. A lot of the time you'll quickly find it's used in a number of scenarios and someone else might have found the cause. Also try uploading a clean copy of your scripts from a backup (if available) and change your shared server passwords. Shared servers are notoriously easy to infiltrate esp. if the source code you're using is insecure in some way.

A good measure is whether input variables into HTML or templates are being properly escaped, e.g. htmlentities(), otherwise that's a very likely suspect if a variable is being tainted. If a file has been tampered with you might be able to check the last modified date to get a clue as to which one was edited/changed.

A clean copy is the most obvious first step - but resist the urge to replace the current copy until you have a bit of work done trying the above first.
veridicus
Forum Commoner
Posts: 86
Joined: Fri Feb 23, 2007 9:16 am

Post by veridicus »

I would first change account passwords like Maugrim suggests. You might also want to search your access logs for strange requests. That might tell you which of your scripts is allowing the change (if any).
webdroid
Forum Newbie
Posts: 3
Joined: Thu Apr 05, 2007 7:22 am

Post by webdroid »

All good suggestions, but here's the thing. Even when I put up a very simple index.htm file with nothing more than this:

<html>
<body>
This is a test.
</body>
</html>

Something was randomly converting it to:

<html>
<body><script type="JavaScript" src="bqxxx.js"></script>
This is a test.
</body>
</html>

But if you viewed the original file on the server it would be fine, and there would be no sign of any *.js. So it's not a PHP coding issue, because I took that out of the equation by converting to a *.htm. But since even *.htm's can go through the interpreter for processing, I figured I'd look there first. But who knows, it could be happening on the Apache end of things. Maybe it's not even a PHP issue at all. I'm just exploring all possibilities.

BTW, a friend who also has an account on that ISP tells me he has the same virus.
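An added example (not from the thread or any poster) that implements the two checks the replies above describe: comparing the copy a visitor receives with the copy on disk to list script tags that exist only in the served version, and scanning a php.ini fragment for the auto_prepend_file / auto_append_file directives feyd mentions. The HTML samples are constructed from this thread's own test page; the php.ini fragment and its inject.php path are made-up placeholders.

```python
import re
from difflib import unified_diff

# Matches <script ... src="..."> in any letter case; the thread's sample uses type="JavaScript".
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# php.ini directives that make PHP run an extra file on every request (feyd's suggestion).
# Only spaces/tabs are allowed around "=" so an empty value never swallows the next line.
PREPEND_APPEND = re.compile(
    r'^[ \t]*(auto_prepend_file|auto_append_file)[ \t]*=[ \t]*"?([^"\s;]*)', re.MULTILINE)


def script_sources(html):
    """Return the external script src values found in an HTML document."""
    return SCRIPT_SRC.findall(html)


def injected_scripts(on_disk, served):
    """Script src values present in the served page but absent from the file on disk."""
    expected = set(script_sources(on_disk))
    return [src for src in script_sources(served) if src not in expected]


def added_lines(on_disk, served):
    """Every line the served copy contains that the on-disk copy does not (catches inline scripts too)."""
    diff = unified_diff(on_disk.splitlines(), served.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


def suspicious_ini_directives(ini_text):
    """auto_prepend_file / auto_append_file directives that are set to a non-empty path."""
    return [(name, path) for name, path in PREPEND_APPEND.findall(ini_text) if path]


# Constructed samples: the test page from this thread as stored, and as it was served.
ON_DISK = "<html>\n<body>\nThis is a test.\n</body>\n</html>\n"
SERVED = ('<html>\n<body><script type="JavaScript" src="bqxxx.js"></script>\n'
          "This is a test.\n</body>\n</html>\n")
# Constructed php.ini fragment; the inject.php path is a placeholder, not a real indicator.
PHP_INI = ('; constructed sample\n'
           'auto_prepend_file =\n'
           'auto_append_file = "/tmp/.cache/inject.php"\n')

if __name__ == "__main__":
    print("scripts only in served copy:", injected_scripts(ON_DISK, SERVED))
    print("lines only in served copy:", added_lines(ON_DISK, SERVED))
    print("php.ini directives to investigate:", suspicious_ini_directives(PHP_INI))
```

In practice ON_DISK would be read from the file and SERVED fetched over HTTP from outside the host, so the comparison covers Apache and PHP alike.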
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sounds like the server is compromised.

It may be best to simply switch hosts.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

If this is happening with a .htm file then it's not PHP. It's something else on the server, which given the level of permissions the average shared host user has, likely means - as feyd said - the server is compromised. I suggest contacting your hosts and telling them to fix it. If they refuse to explain what's wrong, find another host - and try to get back any prepaid fees you paid this host for your account period.
webdroid
Forum Newbie
Posts: 3
Joined: Thu Apr 05, 2007 7:22 am

Thanks everyone

Post by webdroid »

Moving my domain to another ISP is already in the works. I'm going back to an old ISP that was much more reliable. I was unable to convince them that the problem is on their end. I was also rather annoyed to find out that they don't pro-rate - even in a case like this. Unfortunately, I have several domains that I have to move - can't have my home pages infecting people's PCs.

I really would like to know how this is happening though. If anyone could point me to a really good site on security that has seen this issue, I'd appreciate it.
veridicus
Forum Commoner
Posts: 86
Joined: Fri Feb 23, 2007 9:16 am

Post by veridicus »

It's possible that another PHP script on your site is giving someone the ability to alter your HTML file. A request to a.php might be injecting code to alter b.html. It's unlikely, but possible.

I agree that the host is compromised. Someone's probably running scripts within their servers to alter pages across many accounts.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

This wouldn't happen to be iPowerweb would it?