preventing hack of external JS

[ProblemHelpPlease]

I have had one of the sites I manage hacked twice with javascript being inserted into an existing external javascript file. The javascript file being attacked is simply used to check the browser type and display the relevent css file. I have implemented all normal security measure to prevent the hack but it occurred again despite this. The site does not use sql, allow_url_fopen is turned off, all files have correct permissions, FTP is only allowed through a fixed static IP address on a secure PC. I am unable to find the hack point in the access logs for the server and both the FTP log and the file modification date show no sign on any access or update form the hacker.Has anyone got any recommendations on the best way to prevent this type of hack.

[ApocalypeX]

If all they are doing is changing the CSS on the page, who cares? If you want to know there browser use PHP to check their browser and write the correct CSS to the page.

[ProblemHelpPlease]

the css is my code, the code that is being injected is redirecting users to a site with a trojan

[ApocalypeX]

Ok now I understand what this thread about, it wasn't clear before. If the JS file is external, why don't you host it yourself. That way the person who owns it can't edit it when ever they want...

[ProblemHelpPlease]

It didnt make sense when i read it again myself :)What I mean is the JS file is a seperate JS file on my server, it isnt JS included in a page header or body. My JS file is used to control my CSS but it is this seperate JS file that is being hacked.

[thescientist]

how? can we see what this page looks like?

[niche]

Are you changing your usernames and passwords frequently? If so, are they still getting through?

[Fmdpa]

Was the hack data injected into a textbox? Are all textboxes on your site passes through a sanitization function?

[niche]

I've always wondered about how someone can replace an entire file with some code in an input box. What would be a simple example of that?

[ProblemHelpPlease]

Thanks for the replies.The site does not have any standard entry point for a hacker, if it did they would be sanitized anyway. The site is extremly simple, not using any code that should be hackable from an injection point of view.Usernames and passwords are changed monthly, however they would not do a hacker much good as FTP access is locked other than from a set static IP address.I cant send you a link to the site for various reasons. I suppose I am just asking for confirmation that a site such as this should'nt be able to have an external JS file hacked. I am wondering if a trojan of some kind is residing on the server itself.

[End User]

The site does not have any standard entry point for a hacker, if it did they would be sanitized anyway. The site is extremly simple, not using any code that should be hackable from an injection point of view.

That's a pretty broad statement. If you're accepting user input, exactly how are you sanitizing it?

I am wondering if a trojan of some kind is residing on the server itself.

That would be my guess at this point, if the input data is truly being sanitized properly. Might want to run a rootkit hunter on the box and see what turns up.

[wirehopper]

I cant send you a link to the site for various reasons. I suppose I am just asking for confirmation that a site such as this should'nt be able to have an external JS file hacked. I am wondering if a trojan of some kind is residing on the server itself.

If the external js is processed by the server, and that processing is vulnerable, it could be modified.http://www.secologic.org/downloads/web/051..._JavaScript.docCheck your log files, and the timestamp on the external file.