[El Forum]

[eluser]mrmeyers99[/eluser]
I've worked with a few websites with CodeIgniter, and in the past month (on different servers) two websites have gotten hacked. It's really weird, because the only thing that happens is the index.php file gets replaced with garbage (mostly links to drug websites and such). Nothing else happened either time. No database corruption. No other files were modified. The permission on the index.php file is 644. The host couldn't figure out what happened. Is there some security leak in CodeIgniter that would cause this to happen? What can I do to prevent this from happening again?

[El Forum]

[eluser]cahva[/eluser]
If the file's permission was 664, it probably was hacked using remote connection through FTP, SFTP or SSH. If you checked when was the file modified, it would be easy to check ftp etc. logs how it was modified.

If you have 2 sites already hacked and you use FTP, you or someone else using FTP to the sites may have infected machines as this sounds a lot like Gumblar. It is still spreading as one of our customer had that just 2 weeks ago.

[El Forum]

[eluser]mrmeyers99[/eluser]
I'll look into that. It was 644. I'll look into that Gumblar. That would make sense, since they were both websites I take care of. Seems kind of weird that they didn't do any other damage besides corrupting the main index.php file, though.

[El Forum]

[eluser]jedd[/eluser]
Change the index.php to 444 on one of the affected hosts, and see if that saves it in the future (if the other one, left at 644, is hit again).

If they're hitting only the index.php it either means they care less about exploits and more about the publicity (this is in your favour) or that was all they could get access to (similarly, but in a different way). If you're not logging to a dedicated syslog host, then now's the time to set one up - bumping up your log level in apache/php to 'stupidly high', at least while you're investigating this.

Check any upload scripts you may have to ensure index.php can't be over-written using those. index.php is a giveaway regarding their level of intrusion, given it's the only file that can easily be guessed at the name / location of - which makes it a very attractive target.

[El Forum]

[eluser]Ben Hirsch[/eluser]
mrmeyers99, wondering if you have any updates? Did you change all index.php files to 444? have you had any further issues? discover where the attack came from? We're having the same issues as you.

[El Forum]

[eluser]Krzemo[/eluser]
That might be irrevelant but... what editor are you using? Is it 100% legal? If it is cracked... index.php file might get corrupted while writing it...