Site got hacked - javascript injection - JavaScript and AJAX forum at WebmasterWorld

Forum Moderators: open

Message Too Old, No Replies

Site got hacked - javascript injection

apauto

5:04 pm on Jun 28, 2010 (gmt 0)

I have a few different sites all with the same host.

All of my index.php or default.asp (both my own code and also Wordpress, and MyBB) files were modified and at the end of the default or index page there was about 500 lines of javascipt added to download a PDF.

I read about form javascript injection, but all of these were on my default pages only and only after the </html>

i changed all of my passwords, but no idea how they managed to inject all of this javascript.

I searched online, but everything is so vauge.

Anyone have any experience with this?

Thanks

Tommybs

7:49 pm on Jun 28, 2010 (gmt 0)

Are you saying that some files got altered that aren't even data driven? If that is the case it sounds like an FTP account was hacked. The other cause could be the host got hacked if you'r on shared hosting. You should make sure you change your ftp passwords, check your local machine to make sure you haven't got anykind of malware or keylogger and also make your host aware so they can check their logs and make sure they aren't running any kind of out of date software

subexpression

9:01 pm on Jun 28, 2010 (gmt 0)

apauto,

Like Tommybs said, something else may be at work here, and it's probably a good idea to follow up with his advice about FTP accounts and server logs.

XSS - cross-site scripting accounts for the majority of website mangling that happens. Javascript can certainly be a security vulnerability if form fields and textareas aren't cleaned and validated. It's best to be aware of character input which might slip by validation scripts. Event handler attributes are also used since several browsers allow characters between the handler and the equals sign.

A few often-overlooked security holes are input fields and the browser's address bar.
If inputs don't have both client-side and server-side validation, a "hacker" could submit scripts to your server with simple form submissions...and not necessarily Javascript...these attacks can be written in many languages.

Modifying the URL query string in the browser's address bar is often a problem. PHP's $_GET superglobal retrieves values which are set in the query string need to be validated and "cleaned" of special characters to limit input.
SQL injection is a common mode of attack. Appending SQL commands with a semicolon ";" after the id's value will be executed if the SQL query is simple:

http://www.example.com/index.php?id=23;insert into table ...etc.etc.

The injection starts with the semicolon:

$q = 'SELECT * FROM table WHERE id = ' . $_GET['id];

Your script expects $_GET['id'] to be '23' or something similar, but instead it is something like:
23;insert into table ...etc.etc.
If you write SQL with command line, you'll understand this a little better.

Header injection exploits CRLF (carriage return, line-feed) characters and injects foreign code by remotely modifying HTTP headers. It's quite frightening how many websites are vulnerable to this.

If the code on your host uses includes or requires (include();require();) based on GET or POST variable input, then someone could modify the value of form inputs with Javascript, and create havoc on your server.

I won't post all the methods I know of, but this should help you track down what sort of fix(es) you need to employ.

You can find several good Javascript form field validation scripts, along with server-side validation scripts which will clean up any malicious code before it can be executed on your server. Additionally, you should probably look into XSS and how to protect against it.