All hacked PHP files

As always, I just want to say thanks for all the help and input in advance.

I have a specific site for which I am a web developer, and I encountered a unique problem. It seems that something is included in every PHP file on my site and adds some malicious code. I removed the code from each page several times and changed the FTP and DB passwords, but to no avail.

The added code is as follows: eval (base64_decode (string)), which contains 3024 characters.

Not sure if anyone else has run into this problem or if anyone has ideas on how I can protect my PHP code.

Thanks again.

+4
10 answers

The server itself may be compromised. Report the problem to your web host. What is their answer?

An unsafe PHP script combined with incorrect file permissions can give an attacker the ability to modify your PHP files. To eliminate this possibility, I would take the site down, delete all files, re-upload, and then set permissions on the entire site to prevent any writes to the file system.

Edit: As a short-term fix, try asking your web host to disable eval() for your account. If they are worth their salt, they will be running Suhosin, which is able to disable eval.

+3

You should use "disable_functions = eval, exec" in your php.ini or .htaccess as a first measure.

+2

Yes, I ran into this problem myself. As I understand it, you are on a shared host? Are you possibly on rackspacecloud?

That is where I came across this problem. The first thing you need to do right away is to report it to the host; this is a hosting problem, and I suspect that the malware has accessed your server at the FTP level.

Make sure that you do not have anything writable with chmod 777; if it must be writable by your application, make it 775.

Hope this helps, good luck.

+1

You must change the file permissions so that only you can write these files. 0777 (the default, in my opinion, on some hosts) is just asking for trouble. See File permissions.

In addition, it is recommended to keep files that should not be accessible via a URL, for example configuration files, outside the public_html folder.

+1

I had a similar problem. However, my problem was that I ran a Python code evaluator on my site. As far as I remember, you need to use the eval() function to execute the Python code. In one of my PHP files, I had a strange eval statement. What kind of script are you developing? I mean, is it related to evaluating any other code?

+1

You should also note (provided that you use a hosting solution to host your site) that it is almost never to blame. An example of this is that a server in the network of a hosting company was recently hacked and more than 1,000 web pages were damaged, not because of security holes on each particular site, but because of the poor configuration / monitoring of what was placed on the specific server on which these sites are located. If you don't see any security error, you are sanitizing everything correctly, and you are using a non-vulnerable version of any CMS that you use (if you use a CMS), then this is probably not a problem with your site, just the server as a whole.

+1

You must switch to another server. It seems that the attacker has access to the server or runs some code as a background process that overwrites files. It may be possible to identify and fix the problem, but smart attackers will hide additional scripts, etc., in order to then end you.

0

I came across viruses that read filezilla conf files. I swear to GOD. at first I was: WOW, then I was: mom f *** sneaky b * stards.

Check your computer for viruses.

0

One possible scenario is that someone managed to get write access in some way, and you changed the password, etc., but they left behind a PHP file that can still run.

See if there are any unknown files. Or delete all the damned things and restore the backups.

0

Get the last modified time of your files, then go to your access logs (FTP, HTTP, whatever is open; if you don't know where they are, ask your host) and find out who was on your system at that time.

The attacker probably installed a script that they can call periodically to re-infect any files that you fix.

0
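A triage script for the checks the answers above propose: find the PHP files carrying the injected eval(base64_decode(...)) call, read their last-modified times so they can be matched against FTP/HTTP logs, and list world-writable paths (the 0777 case). This is an added example, not code from the thread; it assumes a POSIX shell with find, grep and stat (GNU or BSD) and builds a small constructed web root to run against.

```shell
#!/bin/sh
# Added example (not from the thread): triage a web root for the symptoms
# described in the question and answers.

# Print every PHP file under $1 that contains eval(base64_decode(, one path
# per line. The pattern tolerates spaces around the parentheses, as in the
# question's "eval (base64_decode (".
find_injected_php() {
    find "$1" -type f -name '*.php' -exec grep -l -E \
        'eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\(' {} + \
        2>/dev/null || true   # grep exits 1 when nothing matches; not an error here
}

# Last-modified time of a file as an epoch second (GNU stat, then BSD stat).
# Compare this with the FTP/HTTP access log around the same instant.
mtime_of() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# Files and directories under $1 writable by "other" (mode ..2, e.g. 0777/0666).
# Directories matter too: a world-writable directory lets anyone drop files in.
find_world_writable() {
    find "$1" ! -type l -perm -002
}

# Constructed sample web root: one clean file, one "infected" file whose
# base64 payload is just the word "sample", and a 0777 uploads directory.
make_sample_webroot() {
    d=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$d/index.php"
    printf '<?php eval (base64_decode ("c2FtcGxl")); echo "x";\n' > "$d/contact.php"
    chmod 0644 "$d/index.php" "$d/contact.php"
    mkdir "$d/uploads"
    chmod 0777 "$d/uploads"
    printf '%s' "$d"
}
```

Run find_injected_php and find_world_writable against the real document root, then feed each hit to mtime_of before touching the files, since cleaning them resets the timestamp you want to correlate with the logs.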

Source: https://habr.com/ru/post/1310040/
