Home page script injection
I have a site on a shared server that mysteriously gets hacked between the client and the server. My ISP gave up trying to figure it out and thinks it's me (I've done extensive client a/v scanning and this occurs on several clients for just one URL - and due to several other reasons don't have much faith in this ISP for solving issues).
An HTML script tag referencing a randomly generated *.js file name is inserted after the body tag. This results in client side code in the randomly generated file trying to download a virus.
All I can figure is the PHP interpreter or one of its config files has been hacked to filter files and insert this code. Is this possible? I tried replacing the file when I first discovered this, and within minutes the tags started appearing in the new file (but if you look at the original file on the server there is no tag - and the *.js file keeps changing). To me, this looks like a server problem, but they say they are fine.
Any ideas? This is one crafty virus / hack. And it happens very infrequently. I've also managed to grab the *.js file using SpyBye.org's proxy - which tells me it's definitely not a client issue.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Search Google for the text (or a sample unique string from it) being appended. A lot of the time you'll quickly find it's used in a number of scenarios and someone else might have found the cause. Also try uploading a clean copy of your scripts from a backup (if available) and change your shared server passwords. Shared servers are notoriously easy to infiltrate esp. if the source code you're using is insecure in some way.
A good measure is whether input variables into HTML or templates are being properly escaped, e.g. htmlentities(), otherwise that's a very likely suspect if a variable is being tainted. If a file has been tampered with you might be able to check the last modified date to get a clue as to which one was edited/changed.
A clean copy is the most obvious first step - but resist the urge to replace the current copy until you have a bit of work done trying the above first.
All good suggestions, but here's the thing. Even when I put up a very simple index.htm file with nothing more than this:
<html>
<body>
This is a test.
</body>
</html>
Something was randomly converting it to:
<html>
<body><script type="JavaScript" src="bqxxx.js"></script>
This is a test.
</body>
</html>
But if you viewed the original file on the server it would be fine, and there would be no sign of any *.js. So it's not a PHP coding issue, because I took that out of the equation by converting to a *.htm. But since even *.htm files can go through the interpreter for processing, I figured I'd look there first. But who knows, it could be happening on the Apache end of things. Maybe it's not even a PHP issue at all. I'm just exploring all possibilities.
BTW, a friend who also has an account on that ISP tells me he has the same virus.
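As an added example that is not part of the thread: a small Python check that compares the HTML a browser actually received with the copy on disk, lists script sources that appear only in the served copy, and tests whether removing them leaves the document identical to the on-disk file (the symptom described above, which points at serve-time or in-transit injection rather than a modified file). The sample documents below are constructed from the post.

```python
import re

# Constructed samples modelled on the post: the file on disk vs what the browser got.
ON_DISK = """<html>
<body>
This is a test.
</body>
</html>
"""

SERVED = """<html>
<body><script type="JavaScript" src="bqxxx.js"></script>
This is a test.
</body>
</html>
"""

SCRIPT_TAG = re.compile(r'<script\b[^>]*>', re.IGNORECASE)
SRC_ATTR = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def script_sources(html):
    """Return every external script source referenced in a document, in order."""
    srcs = []
    for tag in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(tag)
        if m:
            srcs.append(m.group(1))
    return srcs


def injected_scripts(baseline, served):
    """Script sources present in the served copy but absent from the baseline."""
    known = set(script_sources(baseline))
    return [s for s in script_sources(served) if s not in known]


def looks_like_random_js(src):
    """Heuristic for the pattern in the thread: a short, path-less, lowercase
    alphanumeric name ending in .js. Tune the length bounds for your own site."""
    return re.fullmatch(r'[a-z0-9]{4,12}\.js', src) is not None


def file_intact_after_removing_injection(served, baseline):
    """Strip the injected <script ...></script> pairs from the served copy and
    report whether what is left is byte-identical to the on-disk file. True means
    the file itself is untouched and the tag is being added when it is served."""
    cleaned = served
    for src in injected_scripts(baseline, served):
        pattern = (r'<script\b[^>]*src\s*=\s*["\']?' + re.escape(src)
                   + r'["\']?[^>]*>\s*</script>')
        cleaned = re.sub(pattern, '', cleaned, flags=re.IGNORECASE)
    return cleaned == baseline
```

In practice you would fetch the served copy with a plain HTTP client from several networks (the poster used a proxy for this) and read the baseline straight from the web root, then alert on any non-empty injected_scripts() result.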
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
If this is happening with a .htm file then it's not PHP. It's something else on the server, which given the level of permissions the average shared host user has, likely means - as feyd said - the server is compromised. I suggest contacting your hosts and telling them to fix it. If they refuse to explain what's wrong, find another host - and try to get back any prepaid fees you paid this host for your account period.
Thanks everyone
Moving my domain to another ISP is already in the works. I'm going back to an old ISP that was much more reliable. I was unable to convince them that the problem is on their end. I was also rather annoyed to find out that they don't pro-rate - even in a case like this. Unfortunately, I have several domains that I have to move - can't have my home pages infecting people's PCs.
I really would like to know how this is happening though. If anyone could point me to a really good site on security that has seen this issue, I'd appreciate it.
It's possible that another PHP script on your site is giving someone the ability to alter your HTML file. A request to a.php might be injecting code to alter b.html. It's unlikely, but possible.
I agree that the host is compromised. Someone's probably running scripts within their servers to alter pages across many accounts.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA