My website is being hacked. iframes and JS are being added even after I have been manually searching for and removing them for the past couple of days. Why is this happening and what can I do to prevent it?

I have set all index files to permission 444 and most other files to 644. There are a few pages that have Flash content being added to them and these files seem to need a more relaxed permission setting (755).

The files are mostly PHP files. I am reviewing the PHP code right now for any vulnerabilities. Is there anything specific I should be looking for and what should I be doing on the permissions front?

A: 

Did you upgrade the versions on your server? Like if you have Debian ... (MySQL, PHP, Apache)

A lot of security updates need to be done automatically.

Did you use only your own code, or do you use another framework or code that may have bugs?

Haim Evgi
All the code involved is mine. No other framework code has been used.
Gaurav
+2  A: 

Do you allow user-submitted content (such as comments to a blog)? Check to make sure the data submitted is properly cleaned of dangerous content such as script tags and the like. Ideally, you will use a format like Markdown that is converted to HTML for display but contains no dangerous tags itself.

1800 INFORMATION
No. Only one person (trusted.. the admin) can add/delete content. Apart from that, no one else has access or at least should have access.
Gaurav
+1  A: 

We recently came across a problem like this where someone had uploaded some code to a shared server which was resulting in our client's web site being infected. We moved their web site to our servers and this problem was fixed.

Sasha
+1  A: 

There are so many things that could have happened. Someone somehow sneaked in something that was eval()ed via a parameter, an external script that was executed. Maybe while transferring something to your site via FTP someone sniffed your password, and this list goes on forever... I would suggest taking the website offline, checking the logs and comparing them with the timestamps of the files that were changed/last created. If he had access to your PHP files, most certainly he took a MySQL dump with him. I think you need to change all user passwords and maybe inform the users. In a shared environment with bad security checks he could have even used a security hole in another site. In any case you should check with your sysadmin.

By the way, changing permissions will often not alter anything. The attacker can simply change them back if he has already sneaked in something.

Which software are you using, something self made?

merkuro
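The log-versus-timestamp comparison suggested in the answer above, as an added example that is not part of the original thread: it lists files modified since a given time and pulls the access-log requests made within a minute of each modification. It assumes the Apache/Nginx "combined" log format; the function names, paths and log lines are constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format: IP - user [time] "request" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_log(lines):
    """Yield (timestamp, ip, request, status) for each parsable line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m.group(1), m.group(3), int(m.group(4))

def recent_changes(webroot, since):
    """Map path -> mtime (UTC) for files modified at or after `since`."""
    changed = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.lstat(path).st_mtime, timezone.utc)
            if mtime >= since:
                changed[path] = mtime
    return changed

def correlate(changed, entries, window=timedelta(seconds=60)):
    """For each changed file, list requests logged within `window` of its mtime."""
    entries = list(entries)
    return {path: [e for e in entries if abs(e[0] - mtime) <= window]
            for path, mtime in sorted(changed.items())}

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2010:04:15:58 +0000] "POST /upload.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/Mar/2010:09:30:00 +0000] "GET /index.php HTTP/1.1" 200 4096',
    'garbage line that does not parse',
]
# Constructed modification time, standing in for recent_changes() output.
SAMPLE_CHANGED = {"/var/www/index.php": datetime(2010, 3, 12, 4, 16, 10, tzinfo=timezone.utc)}

if __name__ == "__main__":
    for path, hits in correlate(SAMPLE_CHANGED, parse_log(SAMPLE_LOG)).items():
        print(path)
        for ts, ip, request, status in hits:
            print(f"  {ts.isoformat()} {ip} {status} {request}")
```

On a live site, feed `recent_changes()` the web root and the time of the last known-clean state. Modification times can be reset by whoever changed the file, so treat a missing match as inconclusive and also compare `st_ctime`, which cannot be set directly.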