Jump to content

injecting script?


Recommended Posts

Good afternoon all, For the past few days i have been battling my skills to overcome someone injecting javascript into my index pages and the file permissions changed to 777.i dont know how to put this as i dont want to put any injected code or anything in this forum post.My sites are been hosted on a VPS server with unlimited hosting domians.I have over 20 domians on this host and 4 of those sites on the index page are having javascript links to a php page injected at the top of the page.these are the only 4 sites being injected never any others no metter what i pput on the directory.Firstly i thought this may have something to do with my coding so i shut one site down and removed everything from the domain folder httpdocs and put one file called index.php with nothing on. so nothing could be submited etc... but the site still ends up having a javscript link injected and file permissions set to 777.i now need to know what my next step is. is this a browser fault or is somehacking my server each time i remove the injected source from the 4 domians i change the server logins ftp logins and database logins so this also takes some time to complete.what should i do now?If you require more infomation please ask, i need to fix asap.Many Thanks.

Link to post
Share on other sites

If all sites are hosted on the same server, a security breach in one of them could affect the other ones (or not, depending on what permissions the PHP executable has).The easiest way to fix the problem is to use htmlspecialchars() over everything that you're outputting from a DB or comes from a client. However, if you have features like BBCode for example, doing just that is going to render your BBCode useless. You'd have to investigate further where in the BBCode parser the problem is. If you're using a 3rd party BBCode parser, your best bet is to get its latest version.

Link to post
Share on other sites

boen_robot thanks for your quick reply.currently the four domains have been backed up and all files images etc. removed and all have only a index.php page with nothing on or in but still has been injected again. there is know where a user can add any xss scripts, not textboxes or forms.could this injection and file permissions changed from the browser url bar?many thanks.

Link to post
Share on other sites

The injection can happen from anywhere you receive input from. Whether that's files, forms, query strings (i.e. the URL), cookies, even request headers.What matters is what kind of input are you accepting, and how are you dealing with it. In particular, if you have any eval() calls, those can very easily be misused (the part about the permissions is the more awkward one... the one which would require a thing of this category).

Link to post
Share on other sites

ok how would i use htmlspecialchars() on the basis that anything could be sent in the browser url?at the moment the only way a hacker could inject anything is via the browser bar.Cheers.

Link to post
Share on other sites

Wait, now, let's be clear.What I got out of Post #3 is that the only documents on your server accessible by HTTP are the index pages, and the index pages do not have any scripting logic that would cause data to be written.Is that it?

Link to post
Share on other sites

the only file on the 4 domains are index.php with 0KB no text or nothing so it can only be browser relatedi removed all files to make sure that there was nothing wrong with my code or pages added deep in my directories that would inject there. i have read up on google. there is not much infomation on how to solve the problem

Edited by Scott Milner
Link to post
Share on other sites
  • 2 weeks later...

Ohhh... no content. When you said "index.php", I assumed you've simply "cut off" the application down to its bare necessities, without granting it access to DB, mail or anything like that. Having an empty page is a whole other issue.First stop, are any other files actually accessible on your server? The fact you have an empty page suggests you've removed all links, but if an attacker already knows the location of a problematic file, they can still execute it if it's still accessible to them.Second, what JavaScript exactly are we talking about? It's not by any change this, is it?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
×
  • Create New...