I know there have been a lot of similar questions, but none of them covered this specific question:

I found script injections in almost all PHP files on a client's server; it was actually the script mentioned here: https://stackoverflow.com/questions/20658823/hacked-site-encrypted-code.

Now I know that it is difficult to pinpoint the point of entry, but there are a few facts that I am sure can make sense to someone better suited than me.

SITUATION

  • Almost all PHP files were infected

  • There was a folder with some infected files in it, but it did not have ANY permission for the FTP user which I am using to upload files to the server

  • Even files that are not publicly viewable or indexed by Google were infected

  • In the non-indexed folder there were some files infected and some not. The ones that were not infected were most likely never or very rarely called by anyone

QUESTION

Taking into account the aforementioned facts, is it likely that the whole server was compromised (Apache, ...) or is it likely just an insecure PHP script? Would it even be possible to see such a scenario when only a PHP script was abused?

Is it enough right now to just update the PHP scripts, remove the virus code and assume that the server itself is not compromised? (changing SFTP account credentials of course)

EDIT: COMMENTS ABOUT IT BEING A DUPLICATE

As I said before, I DID read the other posts, I do NOT need to know a course of action, I am just curious about the PHP files being modified inside of a folder that is NOT writable by the FTP user and if this is possible with a PHP script / MySQL exploit or only if the attacker had an FTP password or deeper server access.

Larzan

  • See the duplicate question for more details, but in short, if your server has been compromised, the only responsible course of action, and your only path back to a known-good point, is to nuke the server and restore from a known-good backup. – EEAA Oct 01 '14 at 13:08
  • `I know there have been a lot of similar questions, but none of them covered this specific question` - Actually they have. Ad nauseam. The depth and scope of the compromise is irrelevant. – joeqwerty Oct 01 '14 at 13:16
  • Well, the specific question here is NOT about a course of action, but IF the fact that PHP files inside of a folder that was non-writable by the FTP user were modified is indicating that it was a simple PHP or MySQL exploit, OR if the hacker had access to the server directly. – Larzan Oct 01 '14 at 13:17
  • From personal experience with a shared hosting provider, 1 PHP file on the server had a vulnerability written in the code (trusted the user's input with no validation) that was exploited. As such the exploit itself allowed the virus to replicate in every PHP file. Nothing was manipulated through FTP. – Travis Oct 01 '14 at 13:25
  • @Travis Thank you, that is exactly the type of information I needed to have. So while only using the PHP user's permissions it can be possible to have such a scenario. Could you write an answer with that info so that I can accept it please. – Larzan Oct 01 '14 at 13:30

2 Answers

1

A PHP file on the server could have a vulnerability written into the code. One such example would be code that takes user input and does not do any sort of validation checking of the input.

There are bots typically used to find this type of code and validate that they can exploit it. The virus will then replicate itself to every PHP file that it can find.

It does not need to authenticate to access files, say through FTP, as the exploit itself bypasses any needed authentication.

Travis
  • The point is that the PHP files are probably writeable by the web server, and that's a bad idea. Once a vulnerability in a PHP script is found, the attacker can do anything that the webserver can. There's no reason for web content to be writeable by the webserver, besides obvious things like user-uploadable avatar images (just make sure those really are images and not PHP files!). – wurtel Oct 02 '14 at 07:53
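An added audit script (not from the question or either answer) that checks the point wurtel raises: whether PHP files under a web root are writable by the account the web server runs as, plus a listing of recently modified PHP files to scope an incident like the one described. It assumes the web server user and group are passed as arguments (www-data is a common default on Debian-based systems) and judges writability by mode bits only.

```shell
#!/bin/sh
# Added example: audit a web root for PHP files the web server account could
# write to. If PHP scripts are writable by the user PHP runs as, one exploited
# script can rewrite every other script, which matches the "almost all PHP
# files infected" pattern without any FTP credentials being involved.
# Assumptions: the web server user/group are given as $2/$3 (e.g. www-data);
# only mode bits are checked, not ACLs or immutable flags.

# Print PHP files under $1 writable by user $2 (group $3, defaulting to $2):
# owned by the user with u+w (0200), group-owned with g+w (0020), or o+w (0002).
writable_php_files() {
    root=$1; webuser=$2; webgroup=${3:-$2}
    find "$root" -type f -name '*.php' \( \
        \( -user "$webuser" -perm -200 \) -o \
        \( -group "$webgroup" -perm -020 \) -o \
        -perm -002 \) -print
}

# Number of such files; zero is the target state for a hardened deployment.
count_writable_php_files() {
    writable_php_files "$@" | wc -l | tr -d ' '
}

# PHP files under $1 modified within the last $2 days. A mass infection
# leaves a tight cluster of modification times, which helps scope cleanup.
recently_modified_php() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print
}

# Usage: sh audit.sh /var/www/html www-data www-data
if [ -n "${1:-}" ]; then
    echo "PHP files writable by ${2:-www-data} under $1:"
    writable_php_files "$1" "${2:-www-data}" "${3:-}"
    echo "PHP files modified in the last 7 days:"
    recently_modified_php "$1" 7
fi
```

Files flagged here should normally be owned by a deploy account and left read-only to the web server user, with upload directories kept separate and configured so PHP is never executed from them.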
0

The only thing that can reasonably be inferred from the fact that files were modified in a directory where no FTP access is allowed, is that they were not modified using FTP.

Which means something else in the server has been compromised other than FTP.

Which means you should be even more eager to nuke it ASAP.

Massimo