tags:

views:

355

answers:

4
+2  Q: 

Website Link Injection

I have a website that is fairly static. It has some forms on it to send in contact information, mailing list submissions, etc. Perhaps hours/days after an upload to the site I found that the main index page had new code in it that I had not placed there that contained a hidden bunch of links in a invisible div.

I have the following code the handles the variables sent in from the form.

<?php
// PHP Mail Order to [email protected] w/ some error detection.

    $jamemail = "[email protected]";
    function check_input($data, $problem='')
        {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        if ($problem && strlen($data) == 0)
            {
            die($problem);
            }
        return $data;
        }
    $email    = check_input($_POST['email'], "Please input email address.");
    $name    = check_input($_POST['name'], "Please input name.");

    mail($jamemail, "Mailing List Submission", "Name: " . $name . " Email: " .$email);
    header('Location: index.php');
?>

I have the following code within the index page to present the form with some Javascript to do error detection on the content of the submission prior to submission.

    <form action="sendlist.php" method="post" onSubmit="return checkmaill(this);">
        <label for="name"><strong>Name: </strong></label>
        <input type="text" name="name"/><br />
        <label for="email"><strong>Email: </strong></label>
        <input type="text" name="email"/><br />
                    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="submit" value="Subscribe" style="width: 100px;"/>
    </form>

At the end of the day, the source code where the injected hyperlinks is as follows:

</body>

</html><!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">    
xeex172901
<a href=http://menorca.caeb.com/od9c2/xjdmy/onondaga.php&gt;onondaga&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/tami.php&gt;tami&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/shotguns.php&gt;shotguns&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/weir.php&gt;weir&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/copperhead.php&gt;copperhead&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/mpv.php&gt;mpv&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/brunei.php&gt;brunei&lt;/a&gt;
<a href=http://menorca.caeb.com/od9c2/xjdmy/doreen.php&gt;doreen&lt;/a&gt;
+1  A: 

It seems highly unlikely that your form has anything to do with your problem, more likely your ftp information has been compromised. Assuming that you use ftp to upload changes to your web-site...

jeroen  2010-01-30 01:10:46
The website has had the link injection happen 3 times already. I manually removed it two times. After that I changed the FTP password, and it has happened again and I've removed it once more. Unless someone can detect what kind of changes I'm making from our sites cpanel then that should have covered it.
Ryan B  2010-01-30 07:01:35
If you can, use sftp instead of ftp. By the way, I´ve had clients who had that happen because their pc was infected by a virus. Changing the password obviously didn´t have any effect then.
jeroen  2010-01-30 14:28:06
We have changed our FTP protocol to SFTP, but still experienced the same problem.
Ryan B  2010-01-30 17:36:34
Try changing the password on a different computer to see if it really is a virus.
musicfreak  2010-02-11 01:20:04
+1  A: 

Unless someone has physical access to your server, there is a missing piece here. Are you sure this is the only server side code that runs?

You don't need a post request to be vulnerable. XSS comes in all shapes and sizes.

Kyle Terry  2010-01-30 02:37:29
I handwrote everything on the main site. So, yes, that PHP code and two others just like it are the only PHP running. The pages are segmented into header.php, index.php, and footer.php w/ includes to bring them all together. The only other PHP is in a Wordpress blog running in a subdomain.
Ryan B  2010-01-30 06:54:16
A: 

I suggest you to upgrade your wordpress

I found another site still effected with same inject code here, they using wordpress and have contact form there too.

By the way, the page you show us is after redirected page, vulnerabilty could be in contact.php or in wordpress.

S.Mark  2010-01-30 03:58:59
Upgraded. We'll see what happens from here. Although I am confused how Wordpress, being in a seperate folder and having no problems of it's own, is affecting files in the parent directory.
Ryan B  2010-01-30 07:04:08
After the Wordpress upgrade we have still received the attack. I'm not sure how the code (which is posted in the question) from contact.php could insert any code into the actual index.php file.
Ryan B  2010-01-31 05:01:21
contact.php have 3 input box, name, email, and comment, the one you posted don't have comment box. I think its a different page.
S.Mark  2010-01-31 05:30:25
Sorry, that's correct. However that page uses code that is modeled in the same fashion but extended to send some extra info (ie. comments).
Ryan B  2010-01-31 06:56:25
A: 

The webhosting server is hacked, instead of a mass-deface = Replacing indexes with "IPWND!U" they just choose to spread viruses and use blackhad seo for other domains they have in control, I recomend you change your hosting.

DCC  2010-02-26 12:44:45

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases