How did someone insert javascript and html into my include?


mr_nabo

1:03 pm on Oct 14, 2008 (gmt 0)

10+ Year Member



Hi,

I found a disconcerting thing out this morning. I was looking through a php script I have to send emails out via a form on a site I manage and noticed that at the bottom of the script, someone had inserted a whole load of javascript and HTML with links to #*$! sites etc.

The script is called formmail.inc.php, has chmod settings of 644 and is in a directory that has chmod settings of 755. You can't look in the directory from a browser and even if you could, you shouldn't be able to see the PHP code for the include. Having a closer look, I see that there are a load of HTML files in my site that I didn't create containing similar links. I presume I've been hacked?

As I'm the only one managing this site, how might this have happened and how can I stop it from happening again? It's freaked me out...

Thanks

jatar_k

1:40 pm on Oct 14, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



If it's in the actual page then what manages those pages? Do you have a CMS of some type?

It is a standard formmail script and standard scripts have standard exploits. You may be able to search and see how to better secure your script from specific examples.

mr_nabo

1:46 pm on Oct 14, 2008 (gmt 0)

10+ Year Member



Thanks for getting back to me jatar_k,

It's a static site, no CMS involved. What's happened is a whole load of html files have been created with names that are similar to existing pages and scattered throughout my site in almost every directory.

I'm assuming the formmail.inc.php must have been the entry point for the bot that did it as that seems to be the only original php file that has had HTML and javascript injected into it.

I've just finished clearing out the malicious html files from the site, but want to secure the site so this doesn't happen again. Could it be formmail.inc.php that was the problem/vulnerability?

jatar_k

2:04 pm on Oct 14, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



It is definitely a possibility, though you need to look at all scripts as a possibility.

I would start by changing names for commonly distributed filenames to something unique to your site. This way at least it breaks one part of the recognition.

You could contact your host and see if they have any insight as well.

The how would be nice to know.

Who else has ideas?

Anyango

3:30 pm on Oct 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would first of all look at the "Date Changed" for that file, to find out when it was changed. Then I would go to the Apache logs and see who was in there at that time and then go ahead from there. Might not sound very helpful, but it gives you a starting point, and then one thing leads to another and eventually you find the cause.

[edited by: Anyango at 3:30 pm (utc) on Oct. 14, 2008]
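The procedure Anyango describes (take the tampered file's modification time, then pull the Apache access-log entries around that time) is easy to script. The following is an added example, not code from any poster in this thread: it parses Apache combined-format lines, returns the requests within a window of a given timestamp, and flags POSTs to a named script such as formmail.inc.php. The log lines, IP addresses and timestamp are constructed for the demonstration; `file_mtime` is a hypothetical helper for reading a real file's mtime. Feed it rotated logs too, since a single day's log (as mr_nabo found) may not reach back to the time of the change.

```python
"""Correlate a file's modification time with Apache access-log entries."""
import os
import re
from datetime import datetime, timedelta, timezone

# Apache combined log format:
# client ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 14/Oct/2008:09:10:41 +0000


def file_mtime(path):
    """Modification time of a real file as an aware UTC datetime (hypothetical helper)."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def entries_near(lines, when, window=timedelta(minutes=5)):
    """Return parsed records whose timestamp lies within +/- window of `when`."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and abs(rec["time"] - when) <= window:
            out.append(rec)
    return out


def suspicious(records, script_names=("formmail.inc.php",)):
    """Among the records, keep POSTs aimed at one of the named scripts."""
    return [
        r for r in records
        if r["method"] == "POST" and any(r["path"].endswith(s) for s in script_names)
    ]


# Constructed sample log (not real traffic): one ordinary page view, one POST to the
# form handler a minute before the file changed, and an unrelated request hours later.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Oct/2008:09:10:02 +0000] "GET /contact.html HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Oct/2008:09:10:41 +0000] "POST /cgi/formmail.inc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Oct/2008:13:02:15 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Constructed stand-in for file_mtime("cgi/formmail.inc.php") on the tampered file.
TAMPER_TIME = datetime(2008, 10, 14, 9, 11, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for rec in entries_near(SAMPLE_LOG, TAMPER_TIME):
        print(rec["time"], rec["ip"], rec["method"], rec["path"])
    for rec in suspicious(entries_near(SAMPLE_LOG, TAMPER_TIME)):
        print("candidate:", rec["ip"], rec["path"])
```

In practice you would call `file_mtime` on the tampered file before editing it (mr_nabo's cleanup overwrote the original mtime, which is why a copy of the untouched file, or a backup's timestamp, is worth preserving first) and widen the window if the log's clock and the filesystem's clock are not in step.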

mr_nabo

4:31 pm on Oct 14, 2008 (gmt 0)

10+ Year Member



Hi Anyango,

I looked at the access logs, but it only has my entries from today I believe (unless all this happened today and I managed to catch it the same day). Are the access logs what I should be looking at?

The date changed is from me unfortunately - I edited the file to get the bad code out of it.

Thanks for your help

mr_nabo

3:48 pm on Oct 18, 2008 (gmt 0)

10+ Year Member



DAMN!

It's happened again - I renamed the formmail script to something random, but maybe it's not that script? What can I do to stop this f***er hacking my site?

After cleaning up the site and removing all the inserted links and looking through my php scripts for any interfering etc., I saved a 'clean' version of the site in a zip in case it did happen again. Whoever did this the first time has done the same thing again...

I really need to stop it from happening! What can I do? The FTP log shows nothing but my activity and then there's another log that is called my mydomainname.com which appears to show what content on the site has been accessed - will that give me any clues?

Any help, please.
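mr_nabo kept a zip of the cleaned site, which is the raw material for a simple integrity check: record a hash of every file in the clean tree, and later compare the live tree against it to list files that were added (the scattered lookalike HTML pages), removed, or modified (the include with code appended). The example below is added here and is not code from any poster; the directory layout, file names and contents in `demo` are constructed, and the manifest format is a plain JSON mapping of relative path to SHA-256 that you would store somewhere the web server cannot write.

```python
"""Baseline-manifest integrity check for a static site."""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def diff_manifests(baseline, current):
    """Files added, removed or changed between a baseline and the current tree."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: snapshot a clean site, then simulate the tampering
    described in the thread and report what the comparison finds."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<html>home</html>")
        _write(root, "cgi/formmail.inc.php", "<?php // mail handler ?>")
        manifest_path = os.path.join(root, "..", "clean-manifest.json")
        manifest_path = os.path.abspath(manifest_path)
        save_manifest(build_manifest(root), manifest_path)
        try:
            # Simulated tampering: a lookalike page appears, the include grows a tail.
            _write(root, "index2.html", "<html>unwanted links</html>")
            with open(os.path.join(root, "cgi", "formmail.inc.php"), "a") as f:
                f.write("\n<!-- appended markup -->")
            return diff_manifests(load_manifest(manifest_path), build_manifest(root))
        finally:
            os.remove(manifest_path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` against the unpacked clean zip once, keep the JSON off the web root, and re-run the comparison from cron or by hand after any suspicion; the "added" list is the set of files to remove, and the "modified" list tells you which scripts to read line by line. The check is only as trustworthy as the baseline, so take it from the archive you know is clean, not from the live server.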

Pico_Train

4:40 pm on Oct 18, 2008 (gmt 0)

10+ Year Member



Change your FTP login as well. Happened to me and that seemed to do the trick. Also change your account login password for your cpanel or whatever you might use.

Good luck.