
Hacker Warning: Check Your Site's Index.php Pages

Discussion in 'Security' started by wazimm, Sep 15, 2007.

#1 wazimm
    I found that someone or something modified my index.php page on one of my WordPress blogs.

    Check the permissions on your index.php pages, folks, and make sure that they are not writeable.
     
    wazimm, Sep 15, 2007

#2 pluto459 (Active Member)
    Hey,

    what made you check the index?

    What was going on that made you look?

    Were popups showing?

    Thanks
     
    pluto459, Sep 16, 2007

#3 HostJail (Active Member)
    If you're using PHP 5 with PHP 4 running alongside it, and have been accepting customers or new domains on this server, chances are you may have a very dangerous exploit that could view root directories and cause index.X defacing. You may want to enable mod_user on your server, as well as check the FTP logs to see who, when, and where it was located. You can check the FTP logs with:
    nano /var/log/messages
    Good luck!
    Also, if nano /var/log/messages doesn't work, you can always use pico /var/log/messages
    Then grep for the file name and user.
     
    HostJail, Sep 18, 2007

#4 sweetfunny (Banned)
    I've been having the same thing happening, and I'm about to give up on 60 sites. Anything with "index" in the name is being written to despite its permission setting. The funny thing is that it's happening to sites running on 4 different servers and to my reseller account's 9 different cPanel log-ins.

    That leads me to believe it's something local on my machine, but I have scanned with everything and nothing is found. I've even been converting the unescape code in my pages, and adding the domains to my Windows hosts file and the servers' deny list.

    Any ideas? The code is several different URLs, but unescape encoded:

     
    sweetfunny, Oct 13, 2007

#5 wazimm (Peon)
    A lot of JaguarPC customers were going through the same problem too. Are you with JaguarPC?

    I was told it was a password leak and a bot added the piece of code to any page with "login" and "index" in its name. You need to change your FTP passwords, disable that "anonymous" login option, and remove the code that was added to the index and login pages. The person that crafted this is stealing website traffic, scaring off your site visitors and then sending them to an affiliate link.
     
    wazimm, Oct 13, 2007

#6 sweetfunny (Banned)
    Thanks, I just read that whole thread. No, I'm not with JaguarPC, however it's exactly what's happening with me.

    It's happening on different servers, run by different companies and different cPanel versions.

    Passwords are unique to each login, are random strings and have been changed every time it has occurred (about 10 times now). I've also been blocking IPs and adding them to the Windows hosts file; most belong to Russia, but no joy.

    Some sites are plain vanilla .HTML with no PHP or MySQL; another is a vBulletin 3.6.8 on its own cPanel and is fully blocked in robots.txt, so it is not in any search engine.

    Frustrating. I've checked for rootkits on my machine, changed/reinstalled FTP clients, run netstat -a to check what's listening... arrgh.

    I just can't get to the bottom of it. :(
     
    sweetfunny, Oct 14, 2007

#7 Ladadadada (Peon)
    What about cPanel itself? Is that locked down to only your/your customers' IP addresses?

    Unfortunately, if they managed to get anything more than just index.php modified, then it's very difficult to be certain that no rootkit is installed. You can't use the machine itself to do integrity checks, because the integrity checker might be what has changed. The only way to be certain is to check the hard drive in another box (or to boot from a CD) and run a file integrity check against a remotely stored file database that was created before the intrusion.

    If that's not possible (and it rarely is), then a fresh re-install is likely the only option if you want certainty.

    I suppose it's possible that someone could be sniffing passwords off the wire, or have a keylogger installed on one of your customers' computers. But you said that it has happened across multiple servers... what's common to all those servers? Who has a login to all those servers?

    It sounds puzzling, but keep going. I'm sure you'll find it in the end.
     
    Ladadadada, Oct 14, 2007
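One way to do the off-box integrity comparison described in the post above, as an added example (not code from the thread): build a SHA-256 manifest of the web root from a known-clean copy, keep that manifest somewhere the server cannot write to, and later diff it against a fresh manifest. The scenario in demo() is constructed; the file names index.php and php.php are taken from the thread.

```python
"""Baseline-and-compare integrity check for a web root (added example, not
code from the thread). Assumes the baseline is built from a known-clean tree
and stored off the server, as the post above recommends."""
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return files added, removed or modified relative to the baseline."""
    base, cur = set(baseline), set(current)
    return {
        "added": sorted(cur - base),
        "removed": sorted(base - cur),
        "modified": sorted(p for p in base & cur if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: index.php is altered and a php.php file appears
    in the web root (file names taken from the thread)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel in ("index.php", "blog/index.php"):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("<?php echo 'clean'; ?>\n")
        # Round-trip through JSON, as if reloaded from the off-box copy.
        baseline = json.loads(json.dumps(build_manifest(root)))
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("<!-- constructed stand-in for injected content -->\n")
        with open(os.path.join(root, "php.php"), "w") as fh:
            fh.write("<?php /* constructed stand-in for a dropped file */ ?>\n")
        return compare_manifests(baseline, build_manifest(root))
```

Run build_manifest() from a rescue boot or a second machine against the mounted disk so the checker itself is not the thing that was tampered with.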
#8 xmcp123 (Peon)
    Muahaha. That's gotta be the lovely Russians (yeah, it has happened to me before too). Locking it down is pretty pointless; they mostly use 0-day exploits, or barely released exploits.
    If you're paranoid: most of these insert cloaked links into your page. So if you want to dodge it, write a cronjob curl script that loads the Google cache for your site and looks for non-visible CSS or unescape() commands. External JavaScripts are a good flag too. Those are the worst, as they generally just redirect the visits.
     
    xmcp123, Oct 19, 2007
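A defender-side version of the check suggested in the post above, as an added example (not code from the thread): feed it the HTML you fetched (from a curl cron job, or from the cached copy) and it flags unescape() blobs, invisible iframes, hidden elements and scripts loaded from other hosts. SAMPLE is a constructed page; example.invalid and myblog.example are placeholder hostnames.

```python
"""Heuristic scan for the injection markers the post above lists: unescape()
blobs, hidden CSS, invisible iframes and third-party script includes. Added
example, not code from the thread; SAMPLE is a constructed page."""
import re
from urllib.parse import urlparse

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_SIZE = re.compile(r"\b(width|height)\s*=\s*[\"']?0\b", re.I)
UNESCAPE = re.compile(r"unescape\s*\(\s*[\"']%[0-9a-f]{2}", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)", re.I)
STYLED_TAG = re.compile(r"<(?!iframe)[a-z]+\b[^>]*\bstyle\s*=\s*[\"'][^\"']*[\"'][^>]*>", re.I)


def scan_page(html, own_host):
    """Return (indicator, snippet) pairs for one fetched page.
    own_host is the site's hostname; scripts from any other host are flagged."""
    findings = []
    for m in UNESCAPE.finditer(html):
        findings.append(("unescape-encoded script", html[m.start():m.start() + 40]))
    for m in IFRAME.finditer(html):
        tag = m.group(0)
        if ZERO_SIZE.search(tag) or HIDDEN_CSS.search(tag):
            findings.append(("invisible iframe", tag))
    for m in SCRIPT_SRC.finditer(html):
        host = urlparse(m.group(1)).hostname
        if host and host != own_host:
            findings.append(("external script", m.group(1)))
    for m in STYLED_TAG.finditer(html):
        if HIDDEN_CSS.search(m.group(0)):
            findings.append(("hidden element", m.group(0)))
    return findings


SAMPLE = """<html><body><h1>My blog</h1>
<script src="/js/site.js"></script>
<div style="display:none"><a href="http://example.invalid/">hidden link</a></div>
<script>document.write(unescape('%3C%69%66%72'))</script>
<iframe src="http://example.invalid/a" width=0 height=0></iframe>
<script src="http://example.invalid/b.js"></script>
</body></html>"""
```

Treat any non-empty result as a reason to pull the file from a clean backup and check the FTP logs for that minute, not as proof on its own; legitimate pages do sometimes hide elements with CSS.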
#9 malc (Peon)
    This was inserted in two places on my index.php page.
    This is part of a file inserted in the root directory called php.php.
    I have now banned all of Russia and India. :p Who needs them anyway.
     
    malc, Oct 25, 2007

#10 nwilkens (Member)
    If you're not using mod_security, you need to look into it.

    OSSEC is also highly recommended for thwarting brute force attempts, checking for rootkits, and monitoring your files for changes and more. When you have multiple machines to support, it allows you to have a master server, and agents.

    I put together some additional security recommendations here: http://www.mnxsolutions.com/blog/apache/securing-your-server.html

    Hope this helps in the future.
     
    nwilkens, Oct 25, 2007

#11 inworx (Peon)
    This is not a brute force attack. iframes are generally used by hackers to steal personal information like passwords etc.

    This needs to be removed ASAP, or you'll run into more and more trouble.
     
    inworx, Oct 26, 2007

#12 nwilkens (Member)
    Surprisingly enough, this could have come from brute force FTP attempts, as this can be one of the simplest means of access and gives direct access to the files for change.

    We recently worked with a client who had very similar code injected into his sites, and it turned out that the hacking bot (it was completely automated) was downloading the files via FTP and uploading modified versions.

    So a combination of brute force detection (in particular if you have users and no password policy enforcement in place) and mod_security can go a long way.
     
    nwilkens, Oct 27, 2007

#13 inworx (Peon)
    There are many modules available for Apache and PHP nowadays. I'd say use them and they'll keep you more protected.
     
    inworx, Oct 27, 2007

#14 craigedmonds (Notable Member)
    It won't do much good really, because they will use a private proxy server from the UK or somewhere else.

    The availability of cheap VPS servers has opened the door to multiple proxy surfing and connections, meaning these guys can be in the middle of Russia but you will think they are surfing from the UK.
     
    craigedmonds, Oct 28, 2007

#15 sweetfunny (Banned)
    I managed to prevent any further code injections. One by one, I backed up the databases and deleted every file off the server, then re-uploaded fresh copies of every script, followed by password changes on FTP and script log-ins.

    It's been 4 or 5 days and there haven't been any new code injections, when they were happening daily. I don't know "exactly" how the files were being modified, whether they were being downloaded/modified and re-uploaded, but in CuteFTP they all had the exact same modified time to the minute.

    It was hitting every file with index, home, login and admin in the name, down to 3 or 4 sublevels deep.

    Also, I had a bunch of 50MB .core files uploaded. Anyone know what these are?
     
    sweetfunny, Oct 28, 2007

#16 xmcp123 (Peon)
    Open 'em in TextPad (it can handle large files; download it).
    ASCII or binary data?
     
    xmcp123, Oct 28, 2007

#17 sweetfunny (Banned)
    Well, it's a lot of gibberish, but it looks like one file is hacked PayPal and CC logins... Great :(

    The other is also gibberish but appears to be various code and script referencing all sorts of stuff like SOCKET_ commands, mail commands, different paths such as /usr/bin/php cron.php etc. It's also got some of my index code in it. :confused:
     
    sweetfunny, Oct 28, 2007

#18 xmcp123 (Peon)
    Oh Jesus. PM me some instant messenger information, and I'll help you (without copying the data; I don't want that shiite on my hard drive).
    This looks like a phishing setup, either front end or back end. Either way, this seems kinda nasty.
     
    xmcp123, Oct 28, 2007

#19 jonimontana (Well-Known Member)
    I can guess that was written from your WordPress admin panel.
    Check chmod.
     
    jonimontana, Nov 1, 2007