PDA

View Full Version : Emergency - malicious script detected!

-okapi-
05-18-2009, 08:02 PM
Today i visited my photoblog (pixelpost version 1.7.1) and AVG Antivirus detected a malicious script!
Taking a look at the source code of http://www.a-visual-notebook.at i noticed a javascript code at the first line, just before the doctype declaration of pixelpost.

And that was not from the template files! Therefore it must have been generated by pixelpost code. Got my site hacked?

These are the suspicious lines:

EDIT: I have now deleted these lines here for security reasons, because I noticed that this thread was not accessible any more on a PC with the latest AVG updates, even with the javascript tags removed. So if anybody is interested in the expoit, please contact me per PM!

Have anybody actually got a similar problem?

EDIT: Looking deeper at that issue, i found out that the index.php has been altered on april 26th. Comparing that index.php with a clean one from the installation files i found exactly those javascript lines on top of the php script.

I have replaced the infected index.php by the original one.
Just wondering how that attack could have happened...! Of cource, i have not touched the index.php at all since the last update to 1.7.1!


Michael
Dennis
05-19-2009, 01:03 PM
Depending on your settings it is likely the computer your site runs on was hacked. Only with a CHMOD of 777 on the index file it is actually writable. If that is not the case, the attack originated from somewhere else.

It is likely your server runs several sites (also known as a shared box). Lot's of people use the server and might use outdated or insecure software, vulnerable to exploits. It is also possible the hacker used a well-know exploit in the software used by your hosting company to gain access to the system. If one of these exploits is severe enough the hacker could gain access to the other sites as well, since they are on the same box.

My guess would be an automated script is run, adding malicious code to every file starting with index. These can be HTML, PHP and so on. Could it have been caused by Pixelpost? Yes, there is always a possibility due to the fact you can use addons. We don't know if every addon is safe or if it contains vulnerabilities for these kind of attacks. The Pixelpost core code, which we do have under control, has undergone several independent security based cleanups to ensure the core code is very secure.
-okapi-
05-25-2009, 12:09 PM
Many thanks for your reply, Dennis!

Michael