imaginarynumber Posted January 20, 2010 (edited)

Hi

My site was inaccessible for a while this morning (GMT). When I eventually managed to get to the home page, Avast threw up an iframe KU warning. The file was changed on 19/01/2010 at 18:29. The inserted code is [script removed]. I haven't checked all of my other accounts yet, and the file permissions were changed to 755. I was unable to edit out the code via cPanel and so renamed it via my FTP client. I have restored an old copy with 644 permissions. The last access IP address in cPanel is mine. Is it just my site that has been attacked or the whole palpatine server? Any suggestions? Thanks in advance

edit: Have just been through my reseller account and this seems to have been the only site hacked.

Edited January 20, 2010 by TCH-Dick
TCH-Dick Posted January 20, 2010

This is a typical JS insert done either via an insecure script or a compromised FTP/cPanel password.
imaginarynumber Posted January 20, 2010 (Author, edited)

I contacted support but they couldn't access the main index file logs. It looks like the raw logs available for that date in cPanel have been overwritten, and as I don't have root access to /var/log/messages I have no way of finding and blocking the offending IP address (as suggested by tech support). So someone has managed to insert malicious code into my index.html page after changing the chmod, and I have no idea how or who. Nor if they will do it again....

edit: Thanks Dick. There are Zen Cart, SMF and Drupal installs on the site, in sub folders. Could any of those be used to infect files at the public_html root?

Edited January 20, 2010 by imaginarynumber
TCH-Bruce Posted January 20, 2010

Make sure you are running current versions of all your software packages and scripts.
imaginarynumber Posted January 20, 2010 (Author)

"Make sure you are running current versions of all your software packages and scripts."

Thanks Bruce. Admittedly my Drupal was out of date, but not SMF or Zen Cart. I cannot see anything in the Drupal logs that looks untoward. Surely a Drupal hack would leave the Drupal infected and not the (static) site index page, which is at the top of the file hierarchy?
SteveW Posted January 20, 2010 (edited)

The "hack" allows them to upload and run a script on your site. The script would have access to all your files. In other words, a "Drupal hack" means Drupal was just the doorway into the site. Once they achieve the ability to upload and run a script, they can alter any file, even a static one. That's assuming Drupal was the way they got in, which isn't necessarily the case, but it's important to upgrade Drupal to the latest version, scan your PC for viruses/spyware, and change passwords. This report might be useful: http://secunia.com/advisories/search/?search=drupal

"I was unable to edit out the code via cpanel..."

Why were you unable? It wouldn't save?

Edited January 20, 2010 by SteveW
imaginarynumber Posted January 21, 2010 (Author, edited)

"Why were you unable? It wouldn't save?"

I don't know why it wouldn't edit. I used File Manager in cPanel, selected the file and then Code Edit, but nothing was happening (i.e. no editing of any kind), so I renamed it using an FTP client and replaced it.

I decided to ditch the Drupal install; never really liked it. Will replace it with Joomla. I know that Joomla is the most hacked CMS in the world, but I am familiar with it and will remember to update it accordingly.

I have since discovered that an old unused copy of formmail (renamed to something else) on the root public_html had been hacked a minute after the index.html, so I guess that the Drupal might not have been to blame after all.

Thank you for your explanations. I shall be more vigilant in future.

Edited January 21, 2010 by imaginarynumber
SteveW Posted January 21, 2010

"Why were you unable? It wouldn't save?"

The reason I asked is that if the script changed the file's owner to "nobody" instead of your normal ownership, you'd be able to edit the file from cPanel, but the Save would fail. If the script changed folder ownership or permissions, other similar strange behavior could result.
imaginarynumber Posted January 22, 2010 (Author)

"The reason I asked is that if the script changed the file's owner to "nobody" instead of your normal ownership, you'd be able to edit the file from cPanel, but the Save would fail. If the script changed folder ownership or permissions, other similar strange behavior could result."

To be honest I don't know if cPanel was at fault or IE8. I was in a rush to get it sorted, so I just fired up the FTP client rather than persevering.

I am guessing that it was some kind of drive-by script kiddie. Thus far things seem ok...

I can only conclude that the formmail ( http://www.scriptarchive.com/formmail.html ) script was the entry point rather than Zen Cart or Drupal, as neither of those seemed to be infected. If I am correct, I am at a loss to explain how they found the script in the first place, as it was renamed as somethingelse.pl.

Previously I had only had one site hack (elsewhere, not here at TCH); that just replaced the index page for every customer on the server.
SteveW Posted January 22, 2010

Imagine this situation: Drupal has a bug in it. If you send it a magic phrase, it will allow you to run any PHP script you want on the site where it's running. That's not an imaginary scenario; it's a fanciful description of the actual situation. Rather than the formmail.pl script being the avenue of entry, it's much more likely someone sent Drupal the magic phrase, which tricked Drupal into fetching and running a PHP script from some remote site. The script, which at that point was running within Drupal, on your site, found all your text files and injected the text into one or more of them. Considering that the Drupal page at Secunia is mostly about "script insertion vulnerabilities" (with 3 more new ones added yesterday!), that is by far the prime suspect. A script injected like that can delete your entire website if it wants, so whether sent by a "script kiddie" or not, it's very dangerous.
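Several of the posts above describe what there is to look for once the raw logs are gone: which files changed in the same window (index.html and the renamed formmail a minute apart), hidden iframe or obfuscated-JS inserts in otherwise static pages, a static page that has picked up an execute bit (644 became 755), and files whose owner has become the web server user such as "nobody" (Steve's explanation for a cPanel save that silently fails). The script below is an added example, not code from this thread or from TCH; it builds a constructed sample web root with those symptoms and runs each check over it. Every path, the sample page contents and the grep pattern are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a quick triage of a web root for the
# signs discussed above (recently changed files, hidden iframe/obfuscated JS
# inserts, static pages made executable, files no longer owned by the account).
# The sample tree below is constructed here; every path in it is an assumption.
set -eu

# Build a throwaway web root: one clean page, one page carrying a hidden iframe
# insert of the kind the antivirus flagged, and a renamed Perl script.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/drupal"
    printf '<html><body>about us</body></html>\n' > "$root/public_html/about.html"
    printf '<html><body>home<iframe src="http://example.invalid/x" width=0 height=0 style="display:none"></iframe></body></html>\n' \
        > "$root/public_html/index.html"
    printf '#!/usr/bin/perl\n' > "$root/public_html/somethingelse.pl"
    chmod 755 "$root/public_html/index.html"   # the 644 -> 755 change the poster saw
    printf '%s\n' "$root/public_html"
}

# 1. Everything modified within the last N days. With the raw logs gone, the
#    mtime window is what groups the changed files together.
recently_modified() {
    find "$1" -type f -mtime -"$2" | sort
}

# 2. Pages containing a hidden iframe or the usual eval/unescape obfuscation.
#    grep exits 1 when nothing matches, so swallow that under set -e.
suspicious_markup() {
    grep -rliE '<iframe[^>]*(width=.?0|height=.?0|display: *none)|eval\(unescape\(|document\.write\(unescape\(' "$1" || true
}

# 3. Static HTML that has picked up an execute bit (644 is what is expected).
executable_html() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -perm -u+x | sort
}

# 4. Anything not owned by the account user, e.g. files written by the web
#    server as "nobody", which would also explain why a cPanel save failed.
foreign_owner() {
    find "$1" ! -user "$(id -un)" | sort
}

triage_report() {
    echo "== modified in last $2 day(s) =="; recently_modified "$1" "$2"
    echo "== hidden iframe / obfuscated JS =="; suspicious_markup "$1"
    echo "== executable HTML =="; executable_html "$1"
    echo "== not owned by $(id -un) =="; foreign_owner "$1"
}

# Run against the constructed tree when invoked with --demo; point it at a real
# account otherwise, e.g.:  triage_report /home/user/public_html 2
if [ "${1:-}" = "--demo" ]; then
    triage_report "$(make_sample_root)" 1
fi
```

Run it with `--demo` to see the report on the constructed tree, or call `triage_report` on a real public_html with a day count that covers the change time the antivirus reported. The ownership check (4) is the one to run first after a failed cPanel save; the permission check (3) only covers the user execute bit, so widen `-perm` if the host's expected mode differs from 644.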
imaginarynumber Posted January 23, 2010 (Author)

Blimey, thanks Steve. Had a quick look at their site. I see what you mean about Drupal!!!!