
PHP file spam injection


mrMarcus


Hello there,

 

anybody heard of/seen this before .. i have no idea how this is happening, but i was looking over my source code today, and noticed that at the top and the bottom of the source, there were hundreds of links that had been injected/inserted into the source code somehow.

 

now, i grabbed the files off the server and some actually had the links physically in the file, and some it was only viewable via the web browser/view source code.

 

i scanned and searched my database, it's clean.

 

how does this happen, and what can i do to prevent this from happening again?


thanks for the reply...

 

thing is, i wouldn't even know where to begin when trying to give you guys some examples .. i can't figure out a point of entry for such an attack .. like i said, there is nothing stored in the database, and i've thoroughly scanned all directories for any suspicious files and such.

 

i'm stumped, and very worried .. apparently these kinds of incidents can get you blacklisted from Google, etc...


^i did just change hosting companies a few days ago to HostGator.com .. seemed like a reputable gig.

 

If you want, you could link us to the live site and we could try to find the hole.

my site is www.transcanadarentals.com .. it's been an ongoing project of mine for years now .. but just recently, i've really tried to buckle down and get going on it.


Most likely someone broke your FTP Password and just uploaded the changes.

 

Some content can be pulled in via javascript (hence "only viewable via the web").

 

Use a stronger password and check for vulnerabilities in your PHP Application (I'm guessing you didn't write it, so check the developer's site for news/info).


Most likely someone broke your FTP Password and just uploaded the changes.

 

Some content can be pulled in via javascript (hence "only viewable via the web").

 

Use a stronger password and check for vulnerabilities in your PHP Application (I'm guessing you didn't write it, so check the developer's site for news/info).

i wrote that entire site from scratch.  like i said, it's been an ongoing project for quite some time now.

 

thanks for the FTP tip .. i'll definitely check into that.

 

i'm just gonna have to go back over my forms .. i have captcha set up on a couple of the forms, but not all .. these web bots feed on unprotected forms.

 

thanks for the feedback(Y)


Hrmmm....  Do any of your pages write files?  Someone could've exploited a page to write a file.  When I suggested posting the link, I didn't realize it was such a large site.  Usually such problems are found on smaller sites x.x.

ya, it's a pretty large site:S

 

and no, no page writes any file(s) .. no pages contain write permissions either.


One common security hole of dynamically generated sites is to use a php include statement to include pages/content based on a GET parameter, but there is no validation of the value and this allows external raw php code to be included from a hackers site and executed on your server. This included code can do anything that your script can do. Doing anything like -

 

include $_GET['some_parameter_on_the_end_of_the_url'];
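The include-by-GET hole described above, shown beside an allow-listed version, as an added example that is not code from the thread or from the poster's site. It assumes a hypothetical `pages/` directory holding `home.php`, `about.php` and `contact.php`.

```php
<?php
// Added example, not from the original thread. Assumes a pages/ directory
// next to this script containing home.php, about.php and contact.php.

// VULNERABLE: the raw query-string value becomes the include path. With
// allow_url_include enabled the value can be a remote URL; even without it,
// any readable local file path is accepted, and whatever PHP it contains
// runs with the web server's privileges.
function include_page_unsafe(): void
{
    include $_GET['page'];
}

// SAFE: the request value is only ever a key into a fixed allow-list, so the
// string from the URL is never used as a filesystem path at all.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(?string $requested): string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        // Unknown page: answer 404 and fall back to the home page.
        http_response_code(404);
        $key = 'home';
    }
    return ALLOWED_PAGES[$key];
}

function include_page_safe(): void
{
    $pagesDir = realpath(__DIR__ . '/pages');
    $file     = $pagesDir . DIRECTORY_SEPARATOR . resolve_page($_GET['page'] ?? null);
    $resolved = realpath($file);
    // Defence in depth: the resolved file must still sit inside pages/.
    if ($pagesDir !== false && $resolved !== false
        && strpos($resolved, $pagesDir . DIRECTORY_SEPARATOR) === 0) {
        include $resolved;
    }
}

include_page_safe();
```

Alongside the code change, setting `allow_url_include = Off` (and, where the application does not need it, `allow_url_fopen = Off`) in php.ini removes the remote-URL form of this attack at the interpreter level, and a web-server access log search for requests whose `page` parameter contains `http://`, `../` or `.php` is a quick way to tell whether the hole was being probed.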

