WEBSITE HIJACKED - Php code infected - HELP?

  • PHP
  • Thread starter bigdawg723
  • Start date
  • Tags
    Code Php
In summary, a website was hijacked and infected with a php script that redirects every visitor to a new site. The attacker is asking for help.
  • #1
bigdawg723
13
0
WEBSITE HIJACKED - Php code infected! - HELP!?

Hey All,

I've got a major *$%#@ problem. I'm freaking out here.

Check this out.

On my website, I have a way to allow visitors... to become distributors and sell my product as well. When they become a distributor, it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.

So... not only do I have my set of about 20 php pages and a solid 20+ php includes... I have to multiple those numbers by roughly... 50 distributors or more!

Here's my problem.

EVERY, not just a few... not just the pages (also includes, etc)... not just my root directory (also all subdomains)... EVERY PHP FILE has a new line of code at the very top that is a Script to a php file (oo.php) on another website that redirects every visitor to a new site and it's one of those 'fake antivirus' programs that are, essentially, a virus in their own.

When I first saw the redirect, I knew I was hijacked... but I assumed it was just 1 thing injected into my SQL Databases... or a simple code change or file somewhere... but it is THOUSANDS of files... and yes, I could go ahead and remove that snippet of code from each php file... but I still wouldn't know where it came from and I can only assume that the process which infected those pages still exists and would reinfect them all again the the very near future.

I'm begging you for help.

I know my contact form doesn't "close" the inputs or something... because it sends all contacts to the database table... and there's some major vulnerability there... but I couldn't find any entry in that database with any malicious code... perhaps it auto-deleted itself or something?

Please, I beg you, please lend a hand if you know anything about this.

Thank You,
Josh
 
Technology news on Phys.org
  • #2


it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.
What is "it"? Is "it" from a trusted source? I am by no means an expert with these things, but that was the first thing that got my attention.
 
  • #3


First up, do a search on google for text snippits of the php line that was added. If someone else has been fighting this battle already, they'll be a good candidate to help solve the problem.

Otherwise, not enough information. Something on your site that has write access to your PHP files is either currently compromised, or is still vulnerable and was/is being attacked. What OS are you on? Do you have script access? Cron access? Who's your ISP? Has anything else been modified?

Step 1, look for non-PHP files that have been modified recently. Hopefully, you can use that to detect whether or not there's some binary file or otherwise that's sitting on your system that will re-infect you. That's dangerous. If you have some that look suspicious, quarantine them. Make them non-executable and non-readable-- change the file name, whatever. There's a distinct possibility if you've got other programs that have installed themselves, that they'll try to re-install themselves, so check any config files you have. Heck, compare them to backups with your ISP.

Step 2, look for PHP files that have changed that reference the evil site in question. That is, it's possibly just a single PHP file that has write access to other PHP files, and if that PHP file is executed again, you're re-infected.

Step 3, look at your HTTP access log. See what was happening around the time that you were infected, and examine whatever relevant files were accessed during that time. Chances are, the attack started with a web request, and that's one way of trying to narrow down the point of attack. Otherwise, if the infection started in some OTHER way, talk to your ISP.

DaveE
 
  • #4


I searched for that PHP thread... found it!

http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html

Apparently this happened to "hundreds" of GoDaddy shared servers... I assume thousands!

I've never seen this before... I have a few words for GoDaddy... but they don't care, maybe time for a host switch? They said it was due to outdated versions of WOrdPress... mine was fully up-to-date at the time of the attack. BS

Thanks for the quick replies though!

I love this forum - more helpful than any PHP-only forum I've found thus far.
 
  • #5


You have really 2 ways to go with this:

1) Delete everything and start from new
2) Figure out how and where the vulnerability occurred, fix it, and then go about fixing the database issue.Good luck.
 
  • #6


Please tell me that you have shut down your site until you fix the problem.
 

1. What is website hijacking?

Website hijacking is when a hacker gains unauthorized access to a website and takes control over it. This can involve altering the website's content, redirecting visitors to malicious sites, or stealing sensitive information.

2. How does a website get hijacked?

Websites can be hijacked through various methods, such as exploiting vulnerabilities in the website's code, using stolen login credentials, or injecting malicious code through plugins or third-party scripts.

3. What is php code infection?

Php code infection is when malicious code is injected into a website's php files. This can be done through vulnerabilities in the website's code or through unauthorized access.

4. How can I tell if my website has been hijacked?

Some signs that your website may have been hijacked include unexpected changes to the website's content, a sudden decrease in website traffic, or warnings from search engines or browsers about potentially harmful content.

5. What should I do if my website has been hijacked?

If your website has been hijacked, it is important to act quickly to minimize the damage. This may involve removing the malicious code, changing login credentials, and updating the website's security measures. It is also important to inform your website host and any affected users.

Similar threads

  • Programming and Computer Science
Replies
15
Views
1K
  • Programming and Computer Science
Replies
9
Views
3K
  • Programming and Computer Science
Replies
12
Views
1K
  • Programming and Computer Science
Replies
16
Views
2K
  • Programming and Computer Science
Replies
7
Views
2K
  • Programming and Computer Science
Replies
13
Views
1K
  • Programming and Computer Science
Replies
7
Views
5K
  • Programming and Computer Science
Replies
7
Views
6K
  • Programming and Computer Science
Replies
2
Views
2K
  • Programming and Computer Science
Replies
3
Views
1K
Back
Top