-1

I found some malicious code on my webserver which is exactly similar to this. My questions are:

  • How can I know from where this code was injected?
  • How can someone inject code on my server without my server credentials?
  • How to prevent future injections?

Note: I checked steps given on other similar answers but could not find a solution yet.

Anders
  • 64,406
  • 24
  • 178
  • 215
Imran Qamer
  • 99
  • 2
  • 2
    It's not quite an exact duplicate, but the steps listed on that answer are what you need to do next - potentially along with having a professional security assessment of your system carried out, to find the hole and help you fix it. The general problem is that without performing detailed assessment, there are too many possible ways for us to identify which applies in your case. – Matthew Feb 08 '17 at 09:16
  • http://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now/138617#138617 – CaffeineAddiction Feb 08 '17 at 14:14
  • If you want to know how to remove it, the answer is in the duplicate: Nuke from orbit. If you want to know how the compromise happend and how to fix the hole, then your question is to broad since it is impossible for us to know without examining the server. – Anders Feb 08 '17 at 14:42

1 Answers1

0

How can someone inject code on my server without my server credentials?

Using SSH stolen keys, FTP anonymous connection, or server-executed files (ie: PHP files that write in server's FS)

How can I know from where this code was injected?

See logs (bash/FTP/your server code logging system if there is one). You can seek for when it was written (using file's modification date or comparing backups), and check your server's access logs to find out what IP and how they injected code. Also, since servers are now bound to database, maybe it was a two-step injection: inject code in DB, and let another call (CRON or HTTP visit) write the DB content to a file.

How to prevent future injections?

Renew the server's credentials (including DB) and don't write any file from your executed code. Also, don't call any shell-execution function from your server code (ie: a PHP calling exec may write stuff to files). Favor community work (ie: open-source solutions) rather than custom stuff: they often are more secure.

Xenos
  • 1,331
  • 8
  • 16