ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Foreign Javascript Keeps turning up on my EE pages

June 26, 2010 3:22pm

  • #1 / Jun 26, 2010 3:22pm

    jjosephs

    11 posts

    The Problem:

    A “script” tag at the bottom of all my pages keeps turning up every time I remove it from them. When I edit out the scripts, they return pointing to another server. I’ve had to edit the index.php file only to discover that the issue affects all index.php/htm files for EE…possibly more.

    Is there some security patch that I can apply that will prevent this malicious script from turning up on all my site’s webpages?

    I’ve suffered from this issue for a few weeks now and every time I remove the script it returns!

  • #2 / Jun 26, 2010 7:25pm

    jjosephs

    11 posts

    Can anyone help me here?

  • #3 / Jun 26, 2010 8:10pm

    Lisa Wess

    20502 posts

    Hi, jjosephs—

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

    1. EE version and build (found at the bottom of your control panel)
    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * path.php
    * config.php
    * index.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
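
Added example, not part of the original thread and not ExpressionEngine code: one way to automate the file check described in post #3, flagging `script` or `iframe` tags in path.php, config.php and index.php files that load from a host other than the site's own. The host names, the file tree and the `own_hosts` allowlist are constructed sample values.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Tags that load remote content: <script src=...> and <iframe src=...>.
TAG_RE = re.compile(r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
WATCHED = {"index.php", "path.php", "config.php", "index.htm", "index.html"}

def remote_includes(text, own_hosts):
    """Return (tag, url, trailing) for each script/iframe src on a foreign host.
    trailing is True when the tag sits after the last '?>' or '</html>'."""
    lowered = text.lower()
    tail_start = max(lowered.rfind("?>"), lowered.rfind("</html>"))
    hits = []
    for m in TAG_RE.finditer(text):
        host = urlparse(m.group(2)).hostname  # None for relative URLs
        if host and host.lower() not in own_hosts:
            hits.append((m.group(1).lower(), m.group(2), m.start() > tail_start >= 0))
    return hits

def scan_tree(root, own_hosts):
    """Scan the watched file names under root; map relative path -> hits."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower() in WATCHED:
            hits = remote_includes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed site tree (sample data, not from the thread) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system").mkdir()
        clean = "<?php\n$system_path = './system/';\n?>"
        (root / "path.php").write_text(clean)
        (root / "index.php").write_text(
            clean + '\n<script src="http://injected.example/x.js"></script>')
        (root / "system" / "index.php").write_text(
            '<?php ?>\n<html><script src="/js/site.js"></script></html>'
            '<iframe src="//injected.example/f" width=0></iframe>')
        return scan_tree(root, own_hosts={"www.mysite.example"})

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

This only catches plain `src` attributes; an injection that builds its URL at run time needs a diff against a known-good copy of the files instead.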

  • #4 / Jun 26, 2010 8:41pm

    jjosephs

    11 posts

    Hi Lisa,

    Thanks for responding! See answers below.

    ExpressionEngine 1.6.7 - Build:  20090515

    I’m not sure if these scripts are installed, in use, or something else but I see them listed in the add-on section of the hosting backend login

    Calendar
    Calendar 8
    FormMail
    Hit Counters
    Message Board
    Photo Gallery
    Photo Gallery 2
    PukiWiki
    phpMyFAQ
    Site Search
    WordPress

    Note, I don’t see them when I FTP the site.

    To the best of my knowledge, my client and previous developers have never used them.

    I’ve tried to contact technical support for the site but they’ve been unresponsive. I’ll try again next week. I believe it is a shared hosting package but not 100% sure.

    I checked the path.php and index.php files earlier today and removed strange javascript code from the bottom. After reading your post, I checked my config.php file and it was clean, but the index.php file in the system folder was infected with the same foreign javascript code [I cleaned it off instantly]. Although the page loading times are picking up, I still see the external site loading something based on the info in my browser’s status bar :-(.

  • #5 / Jun 26, 2010 8:50pm

    Lisa Wess

    20502 posts

    There is only so much we can do to stop this from recurring if we don’t know the point of entry. Please impress upon your host that this was a hack and you need assistance finding how they are getting in.

    I’d also recommend upgrading to 1.6.9 while you wait. It is important that you keep all scripts up to date.

    If your host remains unresponsive I’d recommend moving to a host that takes security more seriously.

  • #6 / Jun 26, 2010 9:06pm

    jjosephs

    11 posts

    Thanks for the quick response Lisa.

    I will contact my hosting provider about the issue and keep you updated as to its status.

  • #7 / Jun 27, 2010 5:08pm

    Greg Salt

    3988 posts

    Hi jjosephs,

    Thank you. We’ll be here.

    Cheers

    Greg

  • #8 / Dec 22, 2010 9:24am

    dzr_rtw

    86 posts

    I’m curious as to what the problem and resolution to this was.

  • #9 / Dec 22, 2010 5:47pm

    Ingmar

    29245 posts

    Unfortunately we haven’t heard back from jjosephs. Are you experiencing issues of your own, dzr_rtw?

  • #10 / Dec 23, 2010 3:18am

    rokker

    179 posts

    i had this happen to me on thanksgiving this year… didn’t notice it for a few days till someone messaged me that a pop up was trying to launch and their browser warned them that my site was infected. not happy.

    i asked my ISP for help and they looked thru my FTP logs and since i’m the only one who FTP’s to my site, it was easy to spot a different ip address than mine, that had logged in the same day as my index.php was modified.

    the cure was reloading the index.php and changing my FTP Password to something a little more robust, combo’s numbers/letters. the rogue ip address was from Netherlands.

    so far, hasn’t happened again.

    that was with v 1.69 Build:  20100415
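
Added example, not part of the original thread: the log check described in post #10, correlating completed FTP uploads of index.php on the day it was modified with IP addresses the site owner does not use. It assumes the host writes the common xferlog format; the log lines, addresses, user name and dates are constructed sample values.

```python
from datetime import date, datetime

# Constructed xferlog-style lines (sample data, not from the thread).
SAMPLE_LOG = """\
Tue Nov 23 10:02:11 2010 1 198.51.100.7 5120 /public_html/themes/site.css b _ i r siteuser ftp 0 * c
Thu Nov 25 03:14:07 2010 1 203.0.113.45 2048 /public_html/index.php b _ i r siteuser ftp 0 * c
Thu Nov 25 03:14:09 2010 1 203.0.113.45 2051 /public_html/system/index.php b _ i r siteuser ftp 0 * c
Thu Nov 25 18:40:52 2010 2 198.51.100.7 9000 /public_html/images/logo.png b _ o r siteuser ftp 0 * c
"""

def parse_xferlog(line):
    """Parse one xferlog line; return None if it does not fit the format."""
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    # f[6] remote host, f[8] file, f[11] direction (i = upload), f[17] c = complete
    return {"time": when, "ip": f[6], "path": f[8],
            "direction": f[11], "user": f[13], "status": f[17]}

def suspicious_uploads(log_text, known_ips, modified_on, watched_names):
    """Completed uploads of watched files on modified_on from unknown addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog(line)
        if rec is None or rec["direction"] != "i" or rec["status"] != "c":
            continue
        name = rec["path"].rsplit("/", 1)[-1]
        if (rec["time"].date() == modified_on and name in watched_names
                and rec["ip"] not in known_ips):
            hits.append((rec["time"].isoformat(), rec["ip"], rec["path"]))
    return hits

def demo():
    """Run the check over the constructed log for the day index.php changed."""
    return suspicious_uploads(SAMPLE_LOG, known_ips={"198.51.100.7"},
                              modified_on=date(2010, 11, 25),
                              watched_names={"index.php"})

if __name__ == "__main__":
    for hit in demo():
        print(*hit)
```

A hit here means the upload used valid FTP credentials, which is why the fix in post #10 was a password change rather than a patch.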

  • #11 / Dec 27, 2010 11:00am

    Sue Crocker

    26054 posts

    Thanks for the assist, rokker.

    dzr_rtw, do you require assistance?

  • #12 / Feb 16, 2011 3:28pm

    rokker

    179 posts

    could it be that a chat or messaging software has a security hole?

    i was looking at a chat software and read the following and wondered how prevalent this was among third-party scripts.

    This was a Jquery chat i was researching, i have not used it.

    http://css-tricks.com/chat2/

    “UPDATE: It turns out there was a SECURITY PROBLEM with one particular aspect of it, which can grant access to any file on the server. A reader was able to show me how they could publicly access my wp-config.php WordPress file, which is of course super sensitive. The vulnerability is in the update.php file, which accepts a “state” and “file” parameter. Accessed directly, and with a relative file path, you can get access to protected files that way.”

    when i was hacked last year, it was the same time i was testing some other chat software. made me have a “hmmmmm” moment as i never found the “point of entry” for the hackers.

  • #13 / Feb 17, 2011 3:23am

    John Henry Donovan

    12339 posts

    Thanks for the update, rokker. It may be useful for another user. I am closing this one out.
