2

Possible Duplicate:
My server's been hacked EMERGENCY

I just discovered that my site has, I believe, been hacked. Along with a couple of other sites on my host. If you go to the bottom of the site you'll see an iframe. I don't know what that is, it shouldn't be there.

I deleted all the code from my site and it's still there.

I checked htaccess thinking maybe someone added auto_append. Nothing.

Any clue as to how else something can be added to the bottom of my site?

I'm currently downloading some log files to look through.

Galen
  • Are you using a CMS or anything else where the admin features may not be locked down? Could be a permissions problem but it's hard to say without more information. I may be pointing out the obvious but password protecting admin directories is always a safe way to go. –  Jun 05 '09 at 01:22

6 Answers

3

First thing to do is alert your hosting company. They will be able to look at logs you don't have access to.

Secondly: I see you're using WordPress. You need to:
- Check and see if WordPress is up to date
- Check and make sure that all of your WordPress plugins are also up to date

If any of the above are not up to date, you need to check and see if the version you are running has a known vulnerability (check the software's site, etc.).

Start going through your webroot to find any out of place files. Make sure to look in temp dirs also.

If it is found to be a bad hack, you will want to restore from a known good backup.

This should get you started in the right direction.

**Edit:** Please ignore / thumb down XTZ's answer. It is reactionary and dangerous, not to mention inaccurate.

Josh Brower
  • Hosting company alerted. Hopefully they'll be able to see how they got in. – Galen Jun 05 '09 at 02:27
  • If you want more info about the pdf exploits it looks like you are hosting, check out the internet storm center's posts over the past while on them: http://www.google.com/search?rlz=1C1CHMA_enUS327US327&sourceid=chrome&ie=UTF-8&q=pdf+site:isc.sans.org – Josh Brower Jun 05 '09 at 02:57
  • Haha, yeah, I'll ignore him. Earlier I had a download box pop up that tried to make me download a PDF. I was curious what that was. Thank you. – Galen Jun 05 '09 at 03:14
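Josh's "go through your webroot for out of place files, including temp dirs" step, as an added shell helper (not code from the answer or from WordPress): it lists files modified within the last N days and PHP files sitting in upload, cache or tmp directories, which should never contain executable code. The function names and the sample tree are constructed for this example.

```shell
# triage_webroot WEBROOT DAYS
# Print files modified within DAYS days, then PHP files found under
# upload/cache/tmp directories. Both are the places injected code usually lands.
triage_webroot() {
    root=$1; days=$2
    # Recently modified files (mtime less than DAYS days ago).
    find "$root" -type f -mtime "-$days" | sort | sed 's/^/recent: /'
    # PHP files under directories that should only hold data, anchored at
    # $root so a tmp/ component in the webroot path itself does not match.
    find "$root" -type f -name '*.php' \
        \( -path "$root/*/uploads/*" -o -path "$root/*/cache/*" -o -path "$root/tmp/*" \) \
        | sort | sed 's/^/php-in-data-dir: /'
}

# Build a constructed sample webroot: two legitimate old files and one
# freshly dropped PHP file inside wp-content/uploads. Prints its path.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
    printf '<?php echo "ok";\n' > "$d/index.php"
    printf '<?php echo "lib";\n' > "$d/wp-includes/functions.php"
    printf '<?php /* unexpected file in an upload directory */\n' > "$d/wp-content/uploads/cache.php"
    # Backdate the legitimate files (POSIX touch -t: 2009-01-01 00:00).
    touch -t 200901010000 "$d/index.php" "$d/wp-includes/functions.php"
    printf '%s\n' "$d"
}

# Usage against a real site: triage_webroot /home/you/public_html 7
```

Compare the "recent" list against your own deployment dates; anything you did not change yourself in that window, and any PHP file in a data directory, is worth opening before you restore from backup.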
2

If they were able to edit php.ini, I believe they could add a footer to every PHP page (which obviously, you wouldn't see in your own code). Make a test.php file and see if it still happens.

Peter Mortensen
Mike Conigliaro
  • It's not happening on every PHP file. – Galen Jun 05 '09 at 02:05
  • Try viewing the source of a hacked page and grepping your home directory for some of the footer. – Mike Conigliaro Jun 05 '09 at 02:10
  • Yeah, I've been grepping. I found it in a couple of sites, but I can't figure out why I can't remove it! – Galen Jun 05 '09 at 02:15
  • I don't know what you mean when you say you can't remove it. Does it prevent you from editing the file, or does it just come back after you remove it? Maybe there's a process scanning for files with well-known names? Did you try running chkrootkit? – Mike Conigliaro Jun 05 '09 at 02:44
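Mike's two checks, the php.ini-style footer and grepping the home directory, as an added shell example (not code from the answer): the first function looks for auto_prepend_file / auto_append_file directives, which php.ini, .user.ini and an Apache .htaccess (via php_value) can all set and which append content to every PHP response without any change to the site's own files; the second finds every file across all sites that contains the injected marker. The function names and the sample host tree are constructed.

```shell
# find_append_directives DIR...
# Print FILE:LINE:TEXT for any auto_prepend_file / auto_append_file setting in
# php.ini, .user.ini or .htaccess files under the given directories.
find_append_directives() {
    for dir in "$@"; do
        find "$dir" -type f \( -name 'php.ini' -o -name '.user.ini' -o -name '.htaccess' \) \
            -exec grep -Hn -i -E 'auto_(prepend|append)_file' {} + 2>/dev/null
    done | sort
}

# grep_footer MARKER DIR...
# Print files containing MARKER (e.g. the hostname from the iframe src).
# Fixed-string match so '.' and '/' in the marker are literal.
grep_footer() {
    marker=$1; shift
    grep -rlF -- "$marker" "$@" 2>/dev/null | sort
}

# Build a constructed two-site layout: site1 has the footer injected into a
# file, site2 has it injected via an .htaccess auto_append_file directive.
make_sample_hosts() {
    d=$(mktemp -d)
    mkdir -p "$d/site1/public_html" "$d/site2/public_html" "$d/etc"
    printf 'RewriteEngine On\n' > "$d/site1/public_html/.htaccess"
    printf 'php_value auto_append_file /tmp/.x/footer.php\n' > "$d/site2/public_html/.htaccess"
    printf 'display_errors = Off\n' > "$d/etc/php.ini"
    printf '<html><body>hi</body></html>\n<iframe src="http://injected.invalid/p"></iframe>\n' \
        > "$d/site1/public_html/index.php"
    printf '<html><body>clean</body></html>\n' > "$d/site2/public_html/index.php"
    printf '%s\n' "$d"
}

# Usage on a real host: find_append_directives /home/you /etc/php*; grep_footer injected.invalid /home
```

A page that still carries the footer after grep_footer finds nothing in its own files points at the directive path (or at a server-wide php.ini you cannot read), which is exactly the case to hand to the hosting company.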
1

I went to the site in question; it tried to install a trojan like:

http://www.martinsecurity.net/2008/09/04/analyzing-a-malicious-pdf-trojpdfjs-a/

Loading a malicious PDF file with JavaScript. Viewing the code, it also looks very similar. It probably should be avoided unless you've locked down your computer. As for solutions, I think contacting your hosting company, as Anapologetos said, would be the essential first step.

Peter Mortensen
  • I thought I got rid of the bad code. akdslfjlasdkfj;akfds – Galen Jun 05 '09 at 03:23
  • You might have; I was originally looking at this when it was on SO, took me a while to learn about de-obfuscating JS to find what it was. –  Jun 05 '09 at 03:38
0

Answering these questions should help you find the solution.

  • Is there a proxy between you and the server?
  • Have you ruled out browser plugins adding something?
  • Have you ruled out malware on your workstation?
  • Have you tried retrieving the page with telnet/netcat instead of using a browser?
  • Is this a server you maintain? You mention other sites, do they also have this problem?
  • What are the contents of the iframe?
Peter Mortensen
Zoredache
0

What is that JavaScript code in your page source after the closing HTML tag?

Also I would get the extension that hides your WordPress version from the page source, since it shows it as a meta tag (<meta name="generator" content="WordPress 2.7.1" />). For example, I can see you're running "WordPress 2.7.1" (which is the current version :claps:), but once an exploit for that is found people will be able to search for it.

Also check the other files that your WordPress installation uses. I know that it can include and require from other files (which won't show up in the page source since they are PHP based), and I know that extensions/themes can also do so, so make sure those are up to date.

Also check to see what extensions and themes are installed/enabled and get rid of any you don't know.

Peter Mortensen
p858snake
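Zoredache's "retrieve the page with telnet/netcat instead of a browser" and "what are the contents of the iframe?", together with p858snake's "what is after the closing HTML tag?" and generator meta tag, as one added shell example (not code from either answer): a raw HTTP/1.0 request with nc bypasses browser plugins, the browser's proxy settings and workstation malware, and the three small filters pull out the iframe sources, anything following </html>, and the advertised version. nc is assumed to be installed; the response text is a constructed sample standing in for a real fetch.

```shell
# raw_fetch HOST PATH
# Plain HTTP/1.0 request over netcat; no browser, no plugins, no proxy.
# Save the output and feed it to the filters below. (Not run by the checks.)
raw_fetch() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$2" "$1" | nc "$1" 80
}

# Print the src of every <iframe> in the HTML read from stdin.
iframe_sources() {
    grep -o -i '<iframe[^>]*src="[^"]*"' | sed 's/.*src="\([^"]*\)".*/\1/'
}

# Print whatever follows the closing </html> tag; a clean page has nothing there.
after_html_close() {
    sed -n '/<\/html>/,$p' | sed '1s/.*<\/html>//' | sed '/^[[:space:]]*$/d'
}

# Print the generator meta tag's content (the version the page advertises).
generator_version() {
    grep -o -i '<meta name="generator" content="[^"]*"' | sed 's/.*content="\([^"]*\)".*/\1/'
}

# Constructed sample of an infected response: a generator tag, a hidden
# 1x1 iframe and a script, both appended after the document has closed.
SAMPLE_RESPONSE='HTTP/1.0 200 OK
Content-Type: text/html

<html><head><meta name="generator" content="WordPress 2.7.1" /></head>
<body><p>Hello</p></body></html>
<iframe src="http://injected.invalid/in.php" width="1" height="1"></iframe>
<script>/* obfuscated loader would be here */</script>'

# Usage on a real site: raw_fetch www.example.invalid / > page.txt; iframe_sources < page.txt
```

If the iframe is present in the raw fetch, the injection is server-side and the browser-side explanations in the list above are ruled out in one step; the iframe src and the script after </html> are what to grep the webroot for next.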
0

Aren't WordPress pages, like those of most CMSes, generated from a database?

If so, here's the dirty little secret of open-source CMSes, PHP, and shared web hosting: on many shared hosting servers, everyone's PHP scripts run with the same privileges (i.e. with the UID and GID of the Apache daemon).

This means that, if PHP can read your scripts, it can read the scripts of every other customer on the server. And vice versa.

But, many open-source CMSes store high-privilege database credentials in their PHP scripts. Drupal does this; Joomla does this; I haven't looked at the WordPress source but I'd be surprised if it didn't do this.

In short: It's extremely likely that fully-privileged access to your WordPress database is within trivial reach of every other user who shares the server with you.

I sort of hate to write that in bold but I feel like I've been banging my head against a wall with this issue for a few months now, during which time I've run into two, possibly three apparently-reputable hosting companies that use this setup, and just can't be bothered by the enormous security problem it presents.

Ben Dunlap
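The shared-hosting exposure Ben describes, as an added shell check (not code from the answer or from any CMS): if PHP on the box runs as one shared user, any credential file that is world-readable is readable by every neighbour's scripts, so the cheapest thing to verify is the "other" read bit on wp-config.php (WordPress), configuration.php (Joomla) and settings.php (Drupal). The function names and the sample tree are constructed.

```shell
# world_readable_configs DIR
# Print CMS credential files under DIR that carry the "other" read bit
# (-perm -004), i.e. that any account on the same machine can read.
world_readable_configs() {
    find "$1" -type f \
        \( -name 'wp-config.php' -o -name 'configuration.php' -o -name 'settings.php' \) \
        -perm -004 | sort
}

# restrict_config FILE
# Drop the "other" read bit. This only helps where PHP runs under your own
# account (suPHP / per-user FastCGI); on a host where every site runs as the
# Apache user the web server is not the owner and would lose access too.
restrict_config() {
    chmod o-r "$1"
}

# Build a constructed tree: a WordPress config left at 644 and a Drupal
# settings file already at 640. Prints the tree's path.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp" "$d/drupal/sites/default"
    printf '<?php define("DB_PASSWORD", "placeholder");\n' > "$d/wp/wp-config.php"
    printf '<?php $databases = array();\n' > "$d/drupal/sites/default/settings.php"
    chmod 644 "$d/wp/wp-config.php"
    chmod 640 "$d/drupal/sites/default/settings.php"
    printf '%s\n' "$d"
}

# Usage on a real account: world_readable_configs "$HOME"
```

When the check lists your config but restrict_config would break the site, that is the setup Ben is describing: the fix is on the host's side (per-account PHP execution), and until then the database password in that file should be treated as shared with everyone on the server.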