

Problem with continuous injections of code in my sites




Posted by aragorn21, 12-12-2011, 10:04 AM
Hello, I found my way here trying to solve a problem that has been around for a long time and has been giving me serious headaches; I administer a few websites, and I log in by FTP very often. At some point I started finding malicious code injected into all of the index.php and index.html files of the websites. The code inserts some kind of iframe/HTML inside those files (the URL I see inside this code is htpcapital.com, if this helps). I clean it up, and after a few days it comes back. Also, I see new folders being created with funny names ("asdfl") that contain index.html files with this code. What can I do? Is this something I might be accidentally injecting MYSELF into the websites, if my PC has a virus or something? Or is this a server security issue? I have checked my PC with Microsoft Security Essentials and ESET Smart Security 5. Help!

Posted by mike86, 12-12-2011, 10:19 AM
You probably have a security flaw somewhere in your website allowing people to inject this code. Check your web server log files to see if you can find any references to the files being created. What OS and web server are you using? *edit Are you using a web hosting panel?

Posted by aragorn21, 12-12-2011, 10:54 AM
Thanks for the reply. Most of these websites use vBulletin; could it be a vBulletin vulnerability allowing this? I have CentOS 5.7 x86_64, and I have root access through WHM, I don't know if that helps. The sites themselves have cPanel. Which log files should I check? Apache access logs? EDIT: unfortunately the log files don't track that far back (the last time this happened was about 15 hours ago and I only found entries in the Apache log file up to 10 hours ago).

Posted by mike86, 12-12-2011, 10:55 AM
Yes, check your Apache access logs. What version of vBulletin are you running? You should always keep up to date and make sure you are using the latest versions.
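The log review suggested above is the kind of triage a small script does faster than eyeballing. The Python below is an added example, not code posted by anyone in this thread: it parses Apache "combined" format lines, pulls out every request that references the names you found on disk (the odd "asdfl" folder, or a dropped PHP file such as the "google_verify.php" mentioned later in the thread), and counts POST requests per client, since a file written through a web application almost always arrives in a POST. The log lines are constructed for illustration and use documentation IP ranges.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real log data); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2011:00:41:02 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Dec/2011:00:42:10 +0000] "POST /forum/admincp/index.php HTTP/1.1" 200 812 "-" "Mozilla/4.0"
198.51.100.23 - - [12/Dec/2011:00:42:15 +0000] "GET /forum/google_verify.php HTTP/1.1" 200 233 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Dec/2011:00:43:00 +0000] "GET /asdfl/index.html HTTP/1.1" 200 411 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Dec/2011:00:44:31 +0000] "POST /forum/google_verify.php HTTP/1.1" 200 102 "-" "Mozilla/4.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_references(entries, names):
    """Requests whose path mentions any of the file or directory names
    that turned up on disk (the injected folder, the dropped PHP file)."""
    return [e for e in entries if any(n in e["path"] for n in names)]


def posts_by_ip(entries):
    """Count POST requests per client IP: writes through a web application
    normally come in as POSTs, so these are the requests to review first."""
    counts = defaultdict(int)
    for e in entries:
        if e["method"] == "POST":
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    # Names taken from what was found on disk in this thread
    for e in find_references(entries, ["google_verify.php", "asdfl"]):
        print(e["time"], e["ip"], e["method"], e["path"], e["status"])
    print("POST requests per IP:", posts_by_ip(entries))
```

Feed `parse_log` the access log of the affected domain instead of `SAMPLE_LOG`; the earliest hit on an injected name tells you which time window the reinfection falls in, and whether it happened over HTTP at all. If the injected files change with no matching request in the web logs, the write came in some other way (FTP, cron, a process already on the server), which is the distinction the rest of the thread turns on.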

Posted by Jeff Bee, 12-12-2011, 11:01 AM
Forum software is notorious for allowing injections. Often this is caused by either out of date forum software (have you updated recently?) or insecure modifications that you have added.

Posted by fshagan, 12-12-2011, 11:09 AM
I was hacked a few months ago due to passwords being stored in FileZilla (bad web host, bad!). FileZilla will store your passwords even if you have it set to "ask for password" for all accounts unless you put it into "Kiosk mode". Details upon request. This most recent hack used .htaccess to re-infect files each time they were served. Check your .htaccess file (including the one in the forum directory, if different from the web root) for code like this: In this case, the file "google_verify.php" had the iframe / JavaScript code that was appended to each file that was served. Cleaning all the .htaccess files and deleting the multiple copies of the file was sufficient to stop reinfection. I now do a deep scan for the string "auto_append_file" each night with CXS.
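The two traces described so far in this thread, an iframe injected into index files and an .htaccess that makes PHP append a dropped file to every page it serves, can both be found with a read-only walk of the web root. The Python below is an added example and not code posted by anyone here (fshagan uses CXS for the nightly scan; this only shows what such a scan looks for). It flags `auto_append_file` / `auto_prepend_file` directives in any .htaccess, and iframes in index.* files whose host is not in an allowlist you supply. The sample tree, the allowlist and the PHP path inside the directive are constructed for illustration; the host htpcapital.com is the one the original post reported seeing in the injected code.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Directives that make PHP include an extra file on every request.
APPEND_RE = re.compile(r'php_(?:value|flag)\s+auto_(?:append|prepend)_file', re.I)
# src attribute of any <iframe ...> tag, quoted or not.
IFRAME_SRC_RE = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

# Constructed sample web root (relative path -> content); not real site files.
SAMPLE_TREE = {
    ".htaccess": "RewriteEngine On\n"
                 "php_value auto_append_file /home/user/public_html/google_verify.php\n",
    "index.php": "<?php echo 'hi'; ?>\n"
                 "<iframe src=\"http://htpcapital.com/\" width=1 height=1></iframe>\n",
    "forum/.htaccess": "Options -Indexes\n",
    "forum/index.php": "<?php require './global.php'; ?>\n"
                       "<iframe src=\"https://www.youtube.com/embed/abc\"></iframe>\n",
    "asdfl/index.html": "<html><body><iframe src=\"http://htpcapital.com/\">"
                        "</iframe></body></html>\n",
}


def iframe_hosts(html):
    """Hostnames referenced by iframe src attributes in html, lower-cased."""
    hosts = []
    for src in IFRAME_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def scan_webroot(root, allowed_hosts):
    """Walk root and return sorted (relative path, reason) findings.
    Files are only read, never modified."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    data = fh.read()
            except OSError:
                continue
            if name == ".htaccess":
                for lineno, line in enumerate(data.splitlines(), 1):
                    if APPEND_RE.search(line):
                        findings.append((rel, f"line {lineno}: {line.strip()}"))
            elif name.lower().startswith("index."):
                for host in iframe_hosts(data):
                    if host not in allowed_hosts:
                        findings.append((rel, f"iframe to unexpected host {host}"))
    return sorted(findings)


def demo():
    """Write the constructed tree to a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        # Hypothetical allowlist: hosts your own pages legitimately embed.
        return scan_webroot(root, {"www.youtube.com"})


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point `scan_webroot` at the real document root with an allowlist of hosts your pages genuinely embed and run it from cron; a finding in an .htaccess is the re-infection mechanism itself, so clean that (and every copy of the file it names) before touching the index files, or they come back on the next request.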

Posted by aragorn21, 12-12-2011, 11:10 AM
Thanks for your replies, guys. Anyone running a big community will tell you that it's almost impossible to always run the latest version, due to large customizations etc. So the answer is no, I am not running the latest version, but I have 4-5 sites that are running different versions (from old 3.7 versions up to new vB4) and all of them had similar issues. I even had a similar issue with a STATIC index.html file in a site that has only HTML files and nothing else. Is there any way I can check what's happening some other way, since the logs don't seem to help here?

Posted by mike86, 12-12-2011, 11:14 AM
I suggest you update all sites to the latest vBulletin to avoid this happening again. If you google "vBulletin exploit", there are loads of results. For example: http://www.saintcorporation.com/cgi-...abilities.html These exploits could account for what is happening on your site. You should upgrade immediately before someone does something more malicious than just changing files.

Posted by PlotHost-Max, 12-12-2011, 11:25 AM
First of all, change your FTP passwords. What FTP software are you using?

Posted by aragorn21, 12-12-2011, 11:31 AM
I'm using FireFTP through Firefox, and sometimes FileZilla.

Posted by Dr_Michael, 12-12-2011, 11:38 AM
My advice: change your sites' passwords using the Password Modification in WHM, and use the random password generator. Each time you want to log in to FTP, log in to WHM, change and copy the password, log in to FTP and then change the password again! That way you get high protection.

Posted by terraGirl, 12-12-2011, 11:51 AM
Have you discussed this with your hosting provider? If a plain HTML site was hacked then it could be a hack originating from within the server, OR if there's a common element such as an FTP program used to access all sites, the FTP client could have been compromised.

Posted by Dr_Michael, 12-12-2011, 11:58 AM
This kind of injection usually comes from hacked FTP passwords. That's why I suggest the password generator and a new password every time!

Posted by aragorn21, 12-12-2011, 12:40 PM
Thank you all for your replies. I will try and use another FTP client, change the passwords and see what happens. I spent 3 hours cleaning up the injected files.

Posted by Dr_Michael, 12-12-2011, 12:44 PM
That's not enough. If your password is now "12345678" and you change it to "hello12345", this is not enough. Use the WHM password generator as it offers very complex passwords. And change the password before you log in to FTP and again after you log out. Trust me.

Posted by MumbaiHosting, 12-12-2011, 01:01 PM
You can take precautions to prevent your site from being hacked. Avoid casual browsing on the Internet from your PC. Ensure that your PC will only connect to your server, billing and email system and trusted websites. Never click on links within emails that are sent from unknown senders. Do not store FTP login details within clients such as FileZilla. Ask your host to enable ModSecurity and CSF. Keep your applications updated. Never remember history in browsers. Finally, install CCleaner on your PC and run it after every browsing session.

Posted by Dr_Michael, 12-12-2011, 01:03 PM
What do you mean? Why bad host? Can you share the info with us?

Posted by bear, 12-12-2011, 01:17 PM
I only use FileZilla on occasion to check if a client has issues and wasn't aware of kiosk mode. Pretty glaring security issue, that. Fixed mine and will pass that along to those I know use it.

Posted by SafeSrv, 12-12-2011, 07:11 PM
You know vBulletin has XML shells? They tried to fix the problem in v4 but there is a workaround for skiddies, so I would be making sure the admincp/ is restricted either by VPN or HTTP Auth. In your case it could be many things though! Too many to list.

Posted by fshagan, 12-13-2011, 01:47 AM
I am the web host, and my login passwords were stolen. I was bad. Very bad. FileZilla stores passwords saved in the Site Manager in plain text. The files are not removed when you remove the program and reinstall it, or if you manually change all the entries to "Ask for Password" mode. In addition, FileZilla stores the last accessed site's password in plain text in a file called "recentservers.xml" no matter what "login type" you select. The files can be found by searching for "%appdata%/filezilla" in Windows. To prevent the storage of passwords at any time, create a "fzdefaults.xml" file in your My Programs/FileZilla FTP Client/ folder with the following content: There is an example "fzdefaults.xml" file in the My Programs/FileZilla FTP Client/Docs folder with more settings. But that setting is all that is needed to force FileZilla to never write a password to disk.
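Before trusting any client-side setting, it is worth checking what the XML files fshagan names actually contain. The Python below is an added example, not code from this thread or from the FileZilla project: it parses a sitemanager.xml / recentservers.xml style document, reports every Server entry that still carries a non-empty Pass element regardless of its Logontype, and produces a copy with the Pass elements removed. The element names (Server, Host, User, Pass, Logontype) follow the layout of those files as I know it but are an assumption; the sample document and its credentials are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of FileZilla's sitemanager.xml (assumed layout).
# Logontype 1 = normal, 2 = "ask for password"; the second entry shows the
# case fshagan describes: "ask for password" set, password still on disk.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host><Port>21</Port>
      <User>webadmin</User><Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Main site</Name>
    </Server>
    <Server>
      <Host>ftp.example.org</Host><Port>21</Port>
      <User>forum</User><Pass>forumpass</Pass>
      <Logontype>2</Logontype>
      <Name>Forum (ask for password)</Name>
    </Server>
    <Server>
      <Host>ftp.example.net</Host><Port>21</Port>
      <User>static</User>
      <Logontype>2</Logontype>
      <Name>Static site</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_passwords(xml_text):
    """Return (host, user, logontype) for every Server whose Pass element
    is present and non-empty. Logontype is deliberately not consulted:
    the point is what is on disk, not what the UI says."""
    root = ET.fromstring(xml_text)
    leaks = []
    for server in root.iter("Server"):
        if server.findtext("Pass", default="").strip():
            leaks.append((
                server.findtext("Host", default=""),
                server.findtext("User", default=""),
                server.findtext("Logontype", default=""),
            ))
    return leaks


def strip_passwords(xml_text):
    """Return the document with every Pass element removed, so the file can
    be rewritten without credentials while keeping the other settings."""
    root = ET.fromstring(xml_text)
    for server in root.iter("Server"):
        for pw in server.findall("Pass"):
            server.remove(pw)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for host, user, logontype in stored_passwords(SAMPLE_SITEMANAGER):
        print(f"password stored for {user}@{host} (Logontype {logontype})")
    print("entries after stripping:",
          len(stored_passwords(strip_passwords(SAMPLE_SITEMANAGER))))
```

Run `stored_passwords` on the contents of the real files under the %appdata% folder fshagan points to; any entry it lists is a credential that has to be changed on the server side, not just deleted from the client, because the file may already have been read by whatever was on the PC.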


