views: 219
answers: 4

When I came home today I found all my php files infected on godaddy linux hosting. The following code was inserted at the beginning of all files:

/**/ eval(base64_decode("aWYoZnVuY3....")

According to the logs the infected code failed to run:

eval()'d code line 1: gzinflate() [function.gzinflate]: data error

Nevertheless, I want to prevent this from happening again, but I have no idea how they came in the first place. I have an FTP access (no SFTP), so theoretically they were able to sniff out the password, but there is probably a simpler explanation.

They could also exploit an insecurity in GoDaddy's setup, but in that case I can't do anything to prevent it.

Could there be a typical error in my PHP code or configuration which makes it possible to hack the php files like this?

+1  A: 

Could there be a typical error in my PHP code or configuration which makes it possible to hack the php files like this?

There could be a shit-ton of it. But most probably, you got your FTP login/password stolen: clean your PC, use sFTP and change your password for something secure.

Arkh
+1  A: 

Could there be a typical error in my PHP code or configuration which makes it possible to hack the php files like this?

Yes it could be - but without checking through every line of code as originally deployed it's rather hard to tell. Note that in order to re-write your code, in addition to finding a backdoor in, the files must have been writeable by the uid of the process being run. If the backdoor was a vulnerability in your code, then, by definition, there is something wrong with GoDaddy's setup to allow the webserver uid to have write permission on your files.

But good luck getting them to fix it.

And, of course, the attacker may have got in via a different route.

C.

symcbean
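The following is an added example and not code from the question or from any answer. It covers two points raised so far: finding the files that carry the injected "/**/ eval(base64_decode("..."))" statement the question describes, and reporting which of those files the web server process itself can write to, which symcbean's answer names as the precondition for this kind of rewrite. It assumes the injection sits near the top of each file and that the script is run under the web server's own uid (for example dropped into the docroot, requested once, then deleted) so that is_writable() answers for that uid. The base64 payload "aGVsbG8=" in the sample is constructed (it decodes to "hello"), not the real payload from the question.

```php
<?php
// Added example; not from the original thread. Assumes the injected statement
// is near the top of each file and that this runs as the web server uid.

// Matches the injected statement; the base64 payload is captured for analysis.
const INJECTION_RE = '~/\*\*/\s*eval\s*\(\s*base64_decode\s*\(\s*"([A-Za-z0-9+/=]*)"\s*\)\s*\)\s*;?~';

// Locate the injected statement; returns offset, length and raw base64 payload.
function find_injection(string $source): ?array
{
    if (!preg_match(INJECTION_RE, $source, $m, PREG_OFFSET_CAPTURE)) {
        return null;
    }
    return ['offset' => $m[0][1], 'length' => strlen($m[0][0]), 'payload' => $m[1][0]];
}

// Remove only the eval statement. Any "<?php ... ?>" tags the attacker wrapped
// around it are left in place: an empty PHP block is harmless, and the
// original file's own open tag stays untouched.
function strip_injection(string $source): string
{
    $hit = find_injection($source);
    if ($hit === null) {
        return $source;
    }
    return substr($source, 0, $hit['offset']) . substr($source, $hit['offset'] + $hit['length']);
}

// Decode the payload for inspection. The question's log shows gzinflate() being
// called from the eval'd code, so try base64 then inflate; a failed inflate
// (as in that log) usually means the payload was truncated, so return the raw bytes.
function decode_payload(string $b64): ?string
{
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    $inflated = @gzinflate($raw);
    return $inflated === false ? $raw : $inflated;
}

// Walk a tree and report, for every .php file, whether it carries the
// signature and whether the current (web server) uid can write to it.
function audit_tree(string $dir): array
{
    $report = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $head = file_get_contents($path, false, null, 0, 8192); // signature is near the top
        $report[$path] = [
            'infected'              => $head !== false && find_injection($head) !== null,
            'writable_by_webserver' => is_writable($path),
        ];
    }
    return $report;
}

// Constructed sample: attacker's prepended block followed by the legitimate file.
$sample = '<?php /**/ eval(base64_decode("aGVsbG8=")); ?>' . "\n"
        . "<?php\necho 'legit';\n";

$hit = find_injection($sample);
echo $hit === null ? "clean\n" : 'payload decodes to: ' . decode_payload($hit['payload']) . "\n";
echo strip_injection($sample);

// On the host, audit the docroot and review before cleaning anything:
// foreach (audit_tree(__DIR__) as $path => $info) { print_r([$path => $info]); }
```

Take a backup of the tree before writing strip_injection() output back to disk, and treat any file that reports writable_by_webserver as true as the real finding: with the web server unable to write to the code, a remote code execution bug in the application cannot rewrite the files even if it is exploited.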
A: 

Your site is being attacked by an automated agent (auto-hacker or worm) that is hacking thousands of servers. This is caused by a vulnerability in your code base that a developer has introduced. Despite popular opinion, it is extremely unlikely that this is SQL Injection because it is difficult to get to full PHP remote code execution using a mysql database like this.

1) Change your FTP password. Use SFTP whenever possible; FTP is extremely insecure and should never be used by anyone for any reason. In fact I would just go with a different hosting company that actually cares about security.

2) When I have cleaned up sites in the past I have seen problems with phpmailer (this project was written by retarded recess monkeys and about a million servers have been hacked because of this garbage.) If you update phpmailer you probably won't get hacked again for at least 6 months.

3) The 2nd place to look is FCKEditor, this is a very insecure project. By default it doesn't introduce a vulnerability, but if you intend on using it then you probably configured it to be very insecure. SDL or simple directory listing can also be problematic, but it's less likely.

Basically make sure all your PHP Libraries and all installed PHP applications are up to date. This includes CMS's like Joomla and forums like PHPBB.

The final solution is to hire a professional. A lot can go wrong with a web application and you need someone who is experienced in cleaning up hacked sites. I know I can fix the problem firealwaysworks(at)gmail.com .

Rook
A: 

Seems like the reason was that I included a PHP file whose name came from a URL parameter and they supplied their own script in the parameter.

I thought it was safe, because it was in the form

require "data/$param";

so I assumed it could only be a local include which they can't modify. Looks like they gave a URL as the value of $param which pointed to an external PHP file which contained the attack code. I'm not sure how the URL was resolved properly with the data/ part before it, but this seems the most likely explanation.

Does anyone know how the URL is handled in this case?

Tom
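The following is an added example, not Tom's code: the include pattern from his answer placed next to a hardened version. It assumes (hypothetically) that the includable pages live in a data/ directory beside the script, are named <page>.php, and that the set of valid page names is known in advance. However a given $param value ends up being resolved by require, the hardened form never lets the raw request string become part of a path, so the question of how "data/" plus a URL is interpreted stops mattering.

```php
<?php
// Added example; not from the original thread. Page names and the data/
// layout are hypothetical.

// The pattern from the answer: $param is used unfiltered, so whatever the
// request supplies, including "../" segments, reaches require() unchanged.
function include_unsafe(string $param): void
{
    require "data/$param";
}

// Hardened version. Layer 1 is an allow-list of logical page names.
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // hypothetical page names

function resolve_include(string $param, string $baseDir): ?string
{
    // Layer 1: only a known page name is accepted; the raw string is never
    // concatenated into a filesystem path.
    if (!in_array($param, ALLOWED_PAGES, true)) {
        return null;
    }
    // Layer 2: resolve both sides with realpath(), which follows symlinks and
    // collapses "..", then prove the target really sits under the base directory.
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $param . '.php');
    if ($base === false || $target === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function include_safe(string $param, string $baseDir): bool
{
    $path = resolve_include($param, $baseDir);
    if ($path === null) {
        http_response_code(404);   // unknown page: refuse, do not guess
        return false;
    }
    require $path;
    return true;
}

// Layer 3 lives in php.ini rather than in code: allow_url_include=Off (the
// default) keeps require() from fetching http:// or ftp:// sources at all, and
// open_basedir=/path/to/site confines every file operation to the site tree.

// Self-contained demonstration with a temporary data/ directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($tmp . '/data', 0700, true);
file_put_contents($tmp . '/data/home.php', "<?php echo 'home page';\n");

var_dump(resolve_include('home', $tmp . '/data') !== null);                 // bool(true)
var_dump(resolve_include('http://example.invalid/x.php', $tmp . '/data'));  // NULL: not allow-listed
var_dump(resolve_include('../home.php', $tmp . '/data'));                   // NULL: not allow-listed

unlink($tmp . '/data/home.php');
rmdir($tmp . '/data');
rmdir($tmp);
```

Where an allow-list is impossible because pages are added at runtime, keep layer 2 and tighten the name check to a strict pattern such as /\A[A-Za-z0-9_-]{1,64}\z/ before touching the filesystem; the realpath() prefix check still rejects any name that escapes the data/ directory through symlinks or ".." segments.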