I have a website that is fairly static. It has some forms on it to send in contact information, mailing list submissions, etc. Perhaps hours/days after an upload to the site I found that the main index page had new code in it that I had not placed there, containing a hidden bunch of links in an invisible div.

I have the following code that handles the variables sent in from the form.

    <?php
    // PHP Mail Order to [email protected] w/ some error detection.

    $jamemail = "[email protected]";

    // Trim, unescape and HTML-encode one form field; abort with $problem if it is empty.
    function check_input($data, $problem='')
    {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        if ($problem && strlen($data) == 0)
        {
            die($problem);
        }
        return $data;
    }

    // Guard against missing POST keys so a direct GET request does not raise notices.
    $email = check_input(isset($_POST['email']) ? $_POST['email'] : '', "Please input email address.");
    $name  = check_input(isset($_POST['name'])  ? $_POST['name']  : '', "Please input name.");

    mail($jamemail, "Mailing List Submission", "Name: " . $name . " Email: " . $email);
    header('Location: index.php');
    exit; // stop here so nothing runs after the redirect header is sent
    ?>

I have the following code within the index page to present the form with some Javascript to do error detection on the content of the submission prior to submission.

    <form action="sendlist.php" method="post" onSubmit="return checkmaill(this);">
        <label for="name"><strong>Name: </strong></label>
        <input type="text" name="name"/><br />
        <label for="email"><strong>Email: </strong></label>
        <input type="text" name="email"/><br />
                    &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type="submit" value="Subscribe" style="width: 100px;"/>
    </form>

At the end of the day, the source code where the hyperlinks were injected is as follows:

    </body>

    </html><!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">
    xeex172901
    <a href=http://menorca.caeb.com/od9c2/xjdmy/onondaga.php&gt;onondaga&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/tami.php&gt;tami&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/shotguns.php&gt;shotguns&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/weir.php&gt;weir&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/copperhead.php&gt;copperhead&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/mpv.php&gt;mpv&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/brunei.php&gt;brunei&lt;/a&gt;
    <a href=http://menorca.caeb.com/od9c2/xjdmy/doreen.php&gt;doreen&lt;/a&gt;
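As an added example (not code from the question or from any of the answers), the following Python script shows the two checks a site owner in this situation would most want to run from a cron job against the web root: a SHA-256 baseline of every file, so a modified `index.php` is reported whatever the write path was (FTP, a stolen password, or a vulnerable script elsewhere on the same account), and a scan for the specific injection pattern shown above (content appended after `</html>`, links inside a zero-size hidden container). The sample pages, file names and URLs are constructed placeholders, not taken from the real site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: tail of an index page with an injected hidden block,
# modelled on the snippet in the question. URLs are placeholders.
SAMPLE_PAGE = """<html><body><p>Welcome</p></body>
</html><!-- google --><font style="position: absolute;overflow: hidden;height: 0;width: 0">
xeex000000
<a href=http://spam.example/a.php>alpha</a>
<a href=http://spam.example/b.php>beta</a>
</font>
"""

# Constructed sample: the same page before the injection.
CLEAN_PAGE = "<html><body><p>Welcome</p></body>\n</html>\n"

# An inline style that collapses an element to zero height or width is the
# classic way to keep spam links out of sight while search engines still index them.
HIDDEN_STYLE = re.compile(
    r'<(?:div|font|span)[^>]*style="[^"]*(?:height:\s*0|width:\s*0)[^"]*"[^>]*>', re.I)
CLOSING_TAG = re.compile(r'</(?:div|font|span)>', re.I)
HREF = re.compile(r'<a\s+href=["\']?([^\s"\'>]+)', re.I)


def find_injected_links(html: str) -> dict:
    """Report the injection indicators seen in the question for one HTML document."""
    _, closing, trailing = html.partition("</html>")
    trailing_content = bool(closing) and bool(trailing.strip())
    hidden_links = []
    for m in HIDDEN_STYLE.finditer(html):
        # Collect links between the hidden container's opening tag and its
        # closing tag (or end of file if the closing tag is missing).
        rest = html[m.end():]
        end = CLOSING_TAG.search(rest)
        segment = rest[:end.start()] if end else rest
        hidden_links.extend(HREF.findall(segment))
    return {
        "trailing_content": trailing_content,
        "hidden_links": hidden_links,
        "suspicious": trailing_content or bool(hidden_links),
    }


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a saved baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Simulate a web root being injected after a baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(CLEAN_PAGE)
        (root / "sendlist.php").write_text("<?php // untouched handler ?>\n")
        baseline = build_baseline(root)          # taken after a clean upload
        (root / "index.php").write_text(SAMPLE_PAGE)  # the injection happens
        (root / "x.php").write_text("<?php // dropped file ?>\n")
        report = compare_baseline(root, baseline)
        report["scan"] = find_injected_links((root / "index.php").read_text())
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` reports `index.php` as modified, `x.php` as added, and two hidden links in the scanned page. In practice the baseline would be saved outside the web root (or off the server entirely) right after each legitimate upload, and any report with a non-empty `modified` or `added` list is the moment to look at the FTP/SFTP logs and cPanel access logs for that time window rather than at the form handler.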
+1  A: 

It seems highly unlikely that your form has anything to do with your problem; more likely your FTP information has been compromised. Assuming that you use FTP to upload changes to your website...

jeroen
The website has had the link injection happen 3 times already. I manually removed it two times. After that I changed the FTP password, and it has happened again and I've removed it once more. Unless someone can detect what kind of changes I'm making from our site's cPanel, then that should have covered it.
Ryan B
If you can, use SFTP instead of FTP. By the way, I've had clients who had that happen because their PC was infected by a virus. Changing the password obviously didn't have any effect then.
jeroen
We have changed our FTP protocol to SFTP, but still experienced the same problem.
Ryan B
Try changing the password on a different computer to see if it really is a virus.
musicfreak
+1  A: 

Unless someone has physical access to your server, there is a missing piece here. Are you sure this is the only server side code that runs?

You don't need a post request to be vulnerable. XSS comes in all shapes and sizes.

Kyle Terry
I handwrote everything on the main site. So, yes, that PHP code and two others just like it are the only PHP running. The pages are segmented into header.php, index.php, and footer.php w/ includes to bring them all together. The only other PHP is in a WordPress blog running in a subdomain.
Ryan B
A: 

I suggest you upgrade your WordPress.

I found another site still affected with the same injected code here; they are using WordPress and have a contact form there too.

By the way, the page you show us is the page after the redirect; the vulnerability could be in contact.php or in WordPress.

S.Mark
Upgraded. We'll see what happens from here. Although I am confused how WordPress, being in a separate folder and having no problems of its own, is affecting files in the parent directory.
Ryan B
After the WordPress upgrade we have still received the attack. I'm not sure how the code (which is posted in the question) from contact.php could insert any code into the actual index.php file.
Ryan B
contact.php has 3 input boxes: name, email, and comment; the one you posted doesn't have a comment box. I think it's a different page.
S.Mark
Sorry, that's correct. However, that page uses code that is modeled in the same fashion but extended to send some extra info (i.e. comments).
Ryan B
A: 

The web hosting server is hacked; instead of a mass-deface (replacing indexes with "IPWND!U") they just chose to spread viruses and use blackhat SEO for other domains they have under control. I recommend you change your hosting.

DCC