views:

252

answers:

10

Hey All,

Like always, just want to say thank you for all of the help and input in advance.

I have a particular site that I am the web developer for and am running into a unique problem. It seems that somehow something is getting into every single PHP file on my site and adding some malware code. I have deleted the code from every page multiple times and changed FTP and DB passwords, but to no avail.

The code that is added looks like this - eval(base64_decode(string)) - where the string is 3024 characters.

Not sure if anyone else has run into this problem or if anyone has ideas on how I can secure my PHP code.

Thanks again.

A: 

You should move to another server. It would appear that the attacker has access to the server or is running some code as a background process which is overwriting the files. It may be possible to identify and remove the problem, but smart attackers will hide additional scripts etc. to trip you up later.

BrianLy
That makes sense. Sadly, I do not have control over the hosting company, at this moment. I even talked to them on support and they are saying it's a PHP security hole.
nsearle
+1  A: 

Yes, I have run into this problem myself. I take it you are on a shared host? Are you perchance on rackspacecloud?

This is where I had that problem. The first thing you need to do right away is notify your host; this is a hosting issue, and I suspect the malware has gained access to your server on an FTP level.

Make sure you have nothing chmod 777 (world-writable); if it needs to be writable by your app, make it 775.

Hope this helps, good luck.

David Morrow
I am on shared host, but not on rackspacecloud. I have notified my hosting solution and they are saying it is a PHP security problem.
nsearle
@nsearle, can you get more information than "It is a PHP security problem"? What do they mean by that?
Marcus Adams
@Marcus Adams - That is a great great question. I was just told that it could be some random PHP security problem and that "I" needed to tighten up my problem. GD fails again.
nsearle
+1  A: 

You should change the file permissions so that only you can write to those files. 0777 (the default on some hosts, I believe) is just asking for trouble. See File Permissions.

Also, it's advisable to not put any files that aren't supposed to be accessible by URL outside of the public_html folder, for example, config files.

Lotus Notes
+1  A: 

I had a similar problem. However, my problem was that I was running a Python code evaluator on my site. As far as I remember you need to use the eval() function to execute the Python code. In one of my PHP files I had a weird eval statement. What kind of script are you developing? I mean, does it involve evaluation of some other code?

+2  A: 

The server itself could be compromised. Report the problem to your web host. What is their response?

An insecure PHP script coupled with incorrect file permissions could give the attacker the ability to modify your PHP files. To eliminate this possibility I would take the site down, delete all the files, re-upload, then switch permissions on the entire site to deny any writes to the file system.

Edit: As a short-term fix, try asking your web host to disable eval() for your account. If they're worth their salt they should be running Suhosin, which has an option to disable eval.

pygorex1
A: 

I've come across viruses that read FileZilla conf files. I SWEAR TO GOD. At first I was: WOW, then I was: mother f*** sneaky b*stards.

Check your pc for viruses.

mhughes
I use a Mac...haha
nsearle
Why the downvotes? This is by far the closest answer.
CurtainDog
I don't think a Mac would make you any safer in this case... sure, an attacker is less likely to take over your whole system, but a conf file here or there is a different story.
CurtainDog
Didn't even know that was possible. Had to read up: FileZilla stores passwords as plaintext. Happy I haven't had any viruses in a long time.
Noctrine
Seriously. Check FTP access logs. Remove ALL evals. Leaving one on your site means they have a way of rewriting your files.
mhughes
A: 

One of the possible scenarios is that somebody managed to get write access somehow and changing passwords etc. helped, but he left a PHP file that can still run.

See if there are any unknown files there. Or delete every damn thing and restore some backups.

naugtur
+1  A: 

You should use "disable_functions=eval,exec" in your php.ini or .htaccess as first measure.

mario
A: 

Get the last modified time of your files, then go over to your access logs (FTP, HTTP, whatever's open; if you don't know where they are, ask your host) and find out who was mucking around on your system at that time.

Likely the attacker has installed a script that they can call periodically to re-infect any files you fix.

CurtainDog
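The triage the answers above describe (find the injected eval(base64_decode(...)) lines, note each file's modification time to match against FTP/HTTP logs, and flag anything left world-writable) can be scripted. This is an added example, not code from any answerer; it builds its own constructed sample web root in a temp directory, and the file names, the 48-character payload and the 0777 config file are assumptions for the demonstration.

```python
import os
import re
import stat
import tempfile
import time

# The injected construct from the question: eval(base64_decode("<long base64 string>")).
INJECT_RE = re.compile(
    r'eval\s*\(\s*base64_decode\s*\(\s*[\'"]([A-Za-z0-9+/=]{16,})[\'"]\s*\)\s*\)')


def scan_tree(root):
    """Walk root; report injected eval() lines in .php files and any world-writable file.
    Each finding carries the file's mtime (UTC) so it can be matched against access logs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # do not follow links out of the web root
            mtime = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(st.st_mtime))
            if st.st_mode & stat.S_IWOTH:  # the "chmod 777" case from the answers
                findings.append({"path": path, "kind": "world_writable",
                                 "mode": oct(st.st_mode & 0o777), "mtime": mtime})
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    m = INJECT_RE.search(line)
                    if m:
                        findings.append({"path": path, "kind": "eval_base64", "line": lineno,
                                         "payload_len": len(m.group(1)), "mtime": mtime})
    return findings


def build_sample_tree():
    """Constructed sample web root: one clean file, one infected file, one 0777 config file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\necho 'hello';\n")
    with open(os.path.join(root, "inc", "header.php"), "w") as fh:  # constructed infection
        fh.write("<?php\neval(base64_decode('" + "QUJD" * 12 + "'));\ninclude 'nav.php';\n")
    cfg = os.path.join(root, "inc", "config.php")
    with open(cfg, "w") as fh:
        fh.write("<?php\n$db_pass = 'placeholder';\n")
    os.chmod(cfg, 0o777)  # constructed world-writable file
    return root
```

Run scan_tree() against the real document root instead of build_sample_tree(); the mtime on each eval_base64 finding is the timestamp to look for in the FTP and HTTP logs.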
A: 

You should also note (assuming you are using a hosting solution to host your site) that it's almost never your fault. An example being that the networksolutions hosting company recently had a server hacked and over 1K webpages were affected, not due to security holes on each particular site, but due to some bad configuration/monitoring of what was put on that particular server that hosts those sites. If you can't see anything security-wise wrong with your code, aka you sanitize everything properly and/or you are running a non-vulnerable version of whatever CMS you are using (if you're using a CMS), then it's probably not an issue with your site, just the server in general.