sooty2006 Posted July 10, 2011 Share Posted July 10, 2011 Good afternoon all, For the past few days i have been battling my skills to overcome someone injecting javascript into my index pages and the file permissions changed to 777.i dont know how to put this as i dont want to put any injected code or anything in this forum post.My sites are been hosted on a VPS server with unlimited hosting domians.I have over 20 domians on this host and 4 of those sites on the index page are having javascript links to a php page injected at the top of the page.these are the only 4 sites being injected never any others no metter what i pput on the directory.Firstly i thought this may have something to do with my coding so i shut one site down and removed everything from the domain folder httpdocs and put one file called index.php with nothing on. so nothing could be submited etc... but the site still ends up having a javscript link injected and file permissions set to 777.i now need to know what my next step is. is this a browser fault or is somehacking my server each time i remove the injected source from the 4 domians i change the server logins ftp logins and database logins so this also takes some time to complete.what should i do now?If you require more infomation please ask, i need to fix asap.Many Thanks. Link to comment Share on other sites More sharing options...
boen_robot Posted July 10, 2011 Share Posted July 10, 2011 If all sites are hosted on the same server, a security breach in one of them could affect the other ones (or not, depending on what permissions the PHP executable has).The easiest way to fix the problem is to use htmlspecialchars() over everything that you're outputting from a DB or comes from a client. However, if you have features like BBCode for example, doing just that is going to render your BBCode useless. You'd have to investigate further where in the BBCode parser the problem is. If you're using a 3rd party BBCode parser, your best bet is to get its latest version. Link to comment Share on other sites More sharing options...
sooty2006 Posted July 10, 2011 Author Share Posted July 10, 2011 boen_robot thanks for your quick reply.currently the four domains have been backed up and all files images etc. removed and all have only a index.php page with nothing on or in but still has been injected again. there is know where a user can add any xss scripts, not textboxes or forms.could this injection and file permissions changed from the browser url bar?many thanks. Link to comment Share on other sites More sharing options...
boen_robot Posted July 10, 2011 Share Posted July 10, 2011 The injection can happen from anywhere you receive input from. Whether that's files, forms, query strings (i.e. the URL), cookies, even request headers.What matters is what kind of input are you accepting, and how are you dealing with it. In particular, if you have any eval() calls, those can very easily be misused (the part about the permissions is the more awkward one... the one which would require a thing of this category). Link to comment Share on other sites More sharing options...
sooty2006 Posted July 10, 2011 Author Share Posted July 10, 2011 ok how would i use htmlspecialchars() on the basis that anything could be sent in the browser url?at the moment the only way a hacker could inject anything is via the browser bar.Cheers. Link to comment Share on other sites More sharing options...
jeffman Posted July 10, 2011 Share Posted July 10, 2011 Wait, now, let's be clear.What I got out of Post #3 is that the only documents on your server accessible by HTTP are the index pages, and the index pages do not have any scripting logic that would cause data to be written.Is that it? Link to comment Share on other sites More sharing options...
sooty2006 Posted July 10, 2011 Author Share Posted July 10, 2011 the only file on the 4 domains are index.php with 0KB no text or nothing so it can only be browser relatedi removed all files to make sure that there was nothing wrong with my code or pages added deep in my directories that would inject there. i have read up on google. there is not much infomation on how to solve the problem Link to comment Share on other sites More sharing options...
boen_robot Posted July 24, 2011 Share Posted July 24, 2011 Ohhh... no content. When you said "index.php", I assumed you've simply "cut off" the application down to its bare necessities, without granting it access to DB, mail or anything like that. Having an empty page is a whole other issue.First stop, are any other files actually accessible on your server? The fact you have an empty page suggests you've removed all links, but if an attacker already knows the location of a problematic file, they can still execute it if it's still accessible to them.Second, what JavaScript exactly are we talking about? It's not by any change this, is it? Link to comment Share on other sites More sharing options...
ShadowMage Posted July 25, 2011 Share Posted July 25, 2011 Second, what JavaScript exactly are we talking about? It's not by any change this, is it?I always knew Norton was bad business.... Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.