Dismiss Notice
Join Physics Forums Today!
The friendliest, high quality science and math community on the planet! Everyone who loves science is here!

PHP WEBSITE HIJACKED - Php code infected! - HELP?

  1. May 12, 2010 #1
    WEBSITE HIJACKED - Php code infected! - HELP!?

    Hey All,

    I've got a major *$%#@ problem. I'm freaking out here.

    Check this out.

    On my website, I have a way to allow visitors... to become distributors and sell my product as well. When they become a distributor, it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.

    So... not only do I have my set of about 20 php pages and a solid 20+ php includes... I have to multiple those numbers by roughly.... 50 distributors or more!

    Here's my problem.

    EVERY, not just a few... not just the pages (also includes, etc)... not just my root directory (also all subdomains).... EVERY PHP FILE has a new line of code at the very top that is a Script to a php file (oo.php) on another website that redirects every visitor to a new site and it's one of those 'fake antivirus' programs that are, essentially, a virus in their own.

    When I first saw the redirect, I knew I was hijacked... but I assumed it was just 1 thing injected into my SQL Databases... or a simple code change or file somewhere... but it is THOUSANDS of files... and yes, I could go ahead and remove that snippet of code from each php file... but I still wouldn't know where it came from and I can only assume that the process which infected those pages still exists and would reinfect them all again the the very near future.

    I'm begging you for help.

    I know my contact form doesn't "close" the inputs or something... because it sends all contacts to the database table... and there's some major vulnerability there... but I couldn't find any entry in that database with any malicious code... perhaps it auto-deleted itself or something?

    Please, I beg you, please lend a hand if you know anything about this.

    Thank You,
  2. jcsd
  3. May 12, 2010 #2
    Re: WEBSITE HIJACKED - Php code infected! - HELP!?

    What is "it"? Is "it" from a trusted source? I am by no means an expert with these things, but that was the first thing that got my attention.
  4. May 12, 2010 #3
    Re: WEBSITE HIJACKED - Php code infected! - HELP!?

    First up, do a search on google for text snippits of the php line that was added. If someone else has been fighting this battle already, they'll be a good candidate to help solve the problem.

    Otherwise, not enough information. Something on your site that has write access to your PHP files is either currently compromised, or is still vulnerable and was/is being attacked. What OS are you on? Do you have script access? Cron access? Who's your ISP? Has anything else been modified?

    Step 1, look for non-PHP files that have been modified recently. Hopefully, you can use that to detect whether or not there's some binary file or otherwise that's sitting on your system that will re-infect you. That's dangerous. If you have some that look suspicious, quarantine them. Make them non-executable and non-readable-- change the file name, whatever. There's a distinct possibility if you've got other programs that have installed themselves, that they'll try to re-install themselves, so check any config files you have. Heck, compare them to backups with your ISP.

    Step 2, look for PHP files that have changed that reference the evil site in question. That is, it's possibly just a single PHP file that has write access to other PHP files, and if that PHP file is executed again, you're re-infected.

    Step 3, look at your HTTP access log. See what was happening around the time that you were infected, and examine whatever relevant files were accessed during that time. Chances are, the attack started with a web request, and that's one way of trying to narrow down the point of attack. Otherwise, if the infection started in some OTHER way, talk to your ISP.

  5. May 12, 2010 #4
    Re: WEBSITE HIJACKED - Php code infected! - HELP!?

    I searched for that PHP thread... found it!


    Apparently this happened to "hundreds" of GoDaddy shared servers... I assume thousands!

    I've never seen this before... I have a few words for GoDaddy... but they don't care, maybe time for a host switch? They said it was due to outdated versions of WOrdPress... mine was fully up-to-date at the time of the attack. BS

    Thanks for the quick replies though!

    I love this forum - more helpful than any PHP-only forum I've found thus far.
  6. May 13, 2010 #5
    Re: WEBSITE HIJACKED - Php code infected! - HELP!?

    You have really 2 ways to go with this:

    1) Delete everything and start from new
    2) Figure out how and where the vulnerability occurred, fix it, and then go about fixing the database issue.

    Good luck.
  7. May 13, 2010 #6


    User Avatar
    Gold Member

    Re: WEBSITE HIJACKED - Php code infected! - HELP!?

    Please tell me that you have shut down your site until you fix the problem.
Share this great discussion with others via Reddit, Google+, Twitter, or Facebook