ok... so most of the sites we were serving were down, with parsing errors in the index.php file... looking at the file, our previous versions of the said file were prepended with:

<?php @register_shutdown_function("__sfd1260709780__");function __sfd1260709780__() { global $__sdv1260709780__; if (!empty($__sdv1260709780__)) return; $__sdv1260709780__=1; echo <<<DOC__DOC

<!-- [7a61f37a57877a02feb836559e68fd46 --><!-- 0879070621 --><a href="javascript:document.getElementById('block25').style.display='block';" title="more"> </a><div id="block25" style="display:none"><ul><li><a href="http://florijani.com/verzija15beta/?qsa=5">took 100mg intagra</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=49">where can you buy silagra cheap</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=25">where can i get real generic viagra</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=27">silagra suppliers in india</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=9">silagra online sales</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=45">cheap uk vigora</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=40">discount generic intagra online</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=19">discount viagra 10 pack generic</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=43">how to buy viagra online</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=34">generic vigora overnight</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=24">generic viagra information</a></li><li><a href="http://florijani.com/verzija15beta/?qsa=22">generic viagra perception</a></li></ul></div><!-- 7a61f37a57877a02feb836559e68fd46] -->

DOC__DOC;

} ?>

<?php @register_shutdown_function("__sfd1260623256__");function __sfd1260623256__() { global $__sdv1260623256__; if (!empty($__sdv1260623256__)) return; $__sdv1260623256__=1; echo <<<DOC__DOC



DOC__DOC;

} ?>

<?php @register_shutdown_function("__sfd1260513491__");function __sfd1260513491__() { global $__sdv1260513491__; if (!empty($__sdv1260513491__)) return; $__sdv1260513491__=1; echo <<<DOC__DOC



DOC__DOC;

} ?>

and appended with

<?php error_reporting(0); echo "\n"; @__sfd1260513491__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1260623256__(); ?>

<?php error_reporting(0); echo "\n"; @__sfd1260709780__(); ?>

Has any of you encountered this? Please help, because we are really in a panic right now.

PS: I have been seeing lots of recommendations for viagra doses in the script... damn
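As an added example (not code from the poster or the answerers), here is a small Python scanner that recognises exactly the injected shape described above: the prepended `register_shutdown_function("__sfdNNN__")` block with its `DOC__DOC` heredoc, and the appended `error_reporting(0); ... @__sfdNNN__();` trigger. The sample file is constructed and the spam URL is a placeholder; the regexes are keyed to the naming and heredoc delimiter from the post, so they only catch this particular infection and are a triage aid, not a substitute for restoring the files from clean source.

```python
import re
from pathlib import Path

# Constructed sample: one prepended block and one appended trigger wrapped
# around a legitimate index.php, mirroring the structure quoted in the post.
SAMPLE = (
    '<?php @register_shutdown_function("__sfd1260709780__");'
    'function __sfd1260709780__() { global $__sdv1260709780__; '
    'if (!empty($__sdv1260709780__)) return; $__sdv1260709780__=1; echo <<<DOC__DOC\n'
    '\n<!-- [7a61f37a57877a02feb836559e68fd46 --><div id="block25" style="display:none">'
    '<a href="http://spam.invalid/?qsa=5">placeholder</a></div>'
    '<!-- 7a61f37a57877a02feb836559e68fd46] -->\n\n'
    'DOC__DOC;\n\n} ?>\n'
    '<?php echo "legitimate site content"; ?>\n'
    '<?php error_reporting(0); echo "\\n"; @__sfd1260709780__(); ?>\n'
)

# Prepended block: registers __sfdNNN__ as a shutdown function whose body
# echoes a DOC__DOC heredoc. The backreference ties the registered name to
# the defined function, which cuts down on false positives.
PREPEND_RE = re.compile(
    r'<\?php\s*@register_shutdown_function\("(__sfd\d+__)"\);\s*'
    r'function\s+\1\(\)\s*\{.*?echo\s*<<<DOC__DOC\n.*?\nDOC__DOC;\s*\}\s*\?>\s*',
    re.DOTALL,
)
# Appended trigger: silences errors, then calls the injected function.
APPEND_RE = re.compile(
    r'<\?php\s*error_reporting\(0\);\s*echo\s*"\\n";\s*@(__sfd\d+__)\(\);\s*\?>\s*'
)


def find_injections(src):
    """Return the sorted, distinct __sfdNNN__ names present in a PHP source string."""
    return sorted(set(PREPEND_RE.findall(src)) | set(APPEND_RE.findall(src)))


def clean(src):
    """Strip every prepended block and appended trigger; return (cleaned_src, removed_count)."""
    cleaned, n_pre = PREPEND_RE.subn('', src)
    cleaned, n_app = APPEND_RE.subn('', cleaned)
    return cleaned, n_pre + n_app


def scan_tree(root):
    """Map each infected *.php path under root to the injected names it contains (report only)."""
    hits = {}
    for path in Path(root).rglob('*.php'):
        names = find_injections(path.read_text(encoding='utf-8', errors='replace'))
        if names:
            hits[str(path)] = names
    return hits
```

`scan_tree` only reports; run `clean` on a copy and diff the result against your version-controlled source before touching the live files.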

+6  A: 

Looks like someone has root access to your PHP folder. They traversed it with a bot which replaces the existing content to kill the PHP serving function and replace it with an echoed HTML page for a viagra ad.

Probably want to look for user accounts you haven't seen before and restore your scripts from source. Look for admin accounts that are infrequently used and may still have default passwords.

Otherwise the bot is most likely on the internal network with access to the root folder.

GrayWizardx
Also look at source commits. One of them may have come from a machine that was hit and the user just didn't realize it when they committed source.
GrayWizardx
+1  A: 

If possible, set up some security infrastructure for your servers.

  • Block blacklisted IPs, and check your webserver/mail/ssh logs for malicious actions.
  • Set up version control, to be able to roll back hacks
  • Change your passwords and possibly use stronger ones
  • Disable ssh login as root
  • ...

Some related links:

The MYYN