HELP: javascript / code injection

Posted by bigdm, 01-24-2011, 04:30 AM
Hey, WHT members, long time reader, first time poster. I am suffering from a code injection problem: the code injected is adding a line of JavaScript to the head of my pages. The ODD thing is that it doesn't do it every time, to the point that I have been trying to hunt it down so I can see it for myself and have only found it twice, and both times it was gone within one page refresh. I have yet to find any modified files via FTP; I have checked that all .php files are 644 and directories are 744. I have upgraded the OS (CentOS 5.5), I have updated all packages via yum update, and I have rebuilt Apache and upgraded to 2.2. The one MOST OBVIOUS thing I haven't done is upgrade the site script to the latest version, mainly because it's something I have avoided for years, as I had made so many custom tweaks to the code, and it has never caused any problems at all, even when the site was FAR more popular than it is today. So I am currently running an old version of vBulletin. Any advice? Any freelancers need some work?

Posted by WeWatch, 01-24-2011, 08:43 AM
You definitely need to upgrade to the latest vBulletin. Do a Google search on vBulletin exploits and see how many pages come up. Also, check phpMyAdmin if you're using it. It has been a real target for hackers. You can't rely on datetime stamps to see what files have been modified. The backdoor shell scripts we remove from sites all have the ability to modify the datetime stamp of a file, a group of files or even a folder. Typically, if we see an entire folder with files that all have the exact same datetime stamp, we begin to become suspicious. We've seen a number of Apache servers with infectious processes. What happens is that the hackers obtain access, then create a new Apache process. Whenever that process is serving a web request, it serves up the infectious code. If the legitimate Apache processes are serving the web request, everything works cleanly. If that's the case, you may have to rebuild your server from scratch.
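
The two symptoms described in the reply above (backdated timestamps and a rogue process that only serves a fraction of requests) can both be checked for. The following is an added example written for this thread, not code from the posters or from vBulletin. It relies on one Unix fact: utime()/touch can rewrite a file's mtime and atime but not its ctime, which the kernel sets itself on every inode change, so a file whose mtime has been pushed into the past has a ctime well after its mtime. The second check fetches the same page several times and reports script tags that appear in the head of only some copies. The slack threshold, the demo directory tree, the sample HTML and the `evil.example` host are all constructed for the example.

```python
"""Added example: timestamp-backdating and intermittent-injection checks."""
import os
import re
import stat
from collections import Counter

# Assumption: a ctime more than this many seconds after mtime means the
# mtime was set back; a normal edit updates both at the same instant.
BACKDATE_SLACK = 60

HEAD_RE = re.compile(r"<head\b[^>]*>(.*?)</head>", re.I | re.S)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def find_backdated_files(root, slack=BACKDATE_SLACK):
    """Walk root; return (backdated_files, uniform_dirs), both sorted.

    backdated_files: regular files with ctime - mtime > slack.
    uniform_dirs: directories whose 2+ regular files all share one mtime
    (nanosecond precision), the 'entire folder, same stamp' pattern.
    """
    backdated, uniform = [], []
    for dirpath, _dirs, names in os.walk(root):
        mtimes = []
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mtimes.append(st.st_mtime_ns)
            if st.st_ctime - st.st_mtime > slack:
                backdated.append(path)
        if len(mtimes) >= 2 and len(set(mtimes)) == 1:
            uniform.append(dirpath)
    return sorted(backdated), sorted(uniform)


def intermittent_head_scripts(page_copies):
    """Given the HTML of several fetches of one URL, return {script_tag: count}
    for <script> tags found in the <head> of some copies but not all."""
    total = len(page_copies)
    seen = Counter()
    for html in page_copies:
        m = HEAD_RE.search(html)
        head = m.group(1) if m else ""
        for tag in set(SCRIPT_RE.findall(head)):
            seen[re.sub(r"\s+", " ", tag).strip()] += 1
    return {tag: n for tag, n in seen.items() if n < total}


def fetch_copies(url, n=20):
    """Live helper (not used offline): fetch url n times for comparison."""
    import urllib.request
    return [urllib.request.urlopen(url, timeout=10).read().decode("utf-8", "replace")
            for _ in range(n)]


# Constructed sample pages: one legitimate script, one copy with an extra tag.
CLEAN_PAGE = ('<html><head><title>Forum</title>'
              '<script src="/clientscript/vbulletin_global.js"></script>'
              '</head><body>hello</body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="http://evil.example/x.js"></script></head>')
SAMPLE_FETCHES = [CLEAN_PAGE, CLEAN_PAGE, INJECTED_PAGE, CLEAN_PAGE]


def make_demo_tree():
    """Build a constructed tree reproducing the cases; returns
    (root, backdated_file, uniform_dir). Demo data, not real site files."""
    import tempfile, time
    root = tempfile.mkdtemp(prefix="tsdemo_")
    now = time.time()
    bad = os.path.join(root, "backdated.php")
    with open(bad, "w") as f:
        f.write("<?php // constructed stand-in for a dropped file\n")
    os.utime(bad, (now - 30 * 86400, now - 30 * 86400))  # touch -t style backdating
    uni = os.path.join(root, "uniform")
    os.mkdir(uni)
    for i in range(3):
        p = os.path.join(uni, f"f{i}.php")
        with open(p, "w") as f:
            f.write("x")
        os.utime(p, (now, now))            # touch -r style: one stamp for all
    normal = os.path.join(root, "normal")
    os.mkdir(normal)
    for i in range(3):
        p = os.path.join(normal, f"g{i}.php")
        with open(p, "w") as f:
            f.write("x")
        t = now - 10 * (i + 1)
        os.utime(p, (t, t))                # distinct, recent: not flagged
    return root, bad, uni


if __name__ == "__main__":
    root, _, _ = make_demo_tree()
    print(find_backdated_files(root))
    print(intermittent_head_scripts(SAMPLE_FETCHES))
```

Two caveats before trusting the timestamp check. A recursive chmod or chown (as described in the first post) bumps ctime on every file it touches, so run the scan before such mass operations or expect every file to show up; and an attacker with root can defeat ctime by changing the system clock or editing the inode directly, so a clean result is not proof. Diffing the web root against a pristine copy of the same vBulletin release (and your own patches) remains the more reliable file check. On the server side, the process-level symptom is found by listing the httpd processes (`ps -eo pid,ppid,user,lstart,cmd | grep httpd`) and comparing each `/proc/<pid>/exe` link against the rebuilt binary: a worker whose parent is not the httpd master, or whose exe is marked "(deleted)" or points somewhere else, is the process the reply describes.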

Posted by bigdm, 01-24-2011, 10:17 AM
Thanks for replying, really appreciate it. I am well aware that vBulletin has had lots of exploits over the years and, due to how popular it is, it's very vulnerable to attack. I can't for one min be sure my code is fine, but it has served me well for a number of years without any issues. I did suspect that date stamps could easily be modified by the right code, but hoped it wasn't the case. I do use phpMyAdmin, well, I say I use it. It's installed; I rarely go near it unless I am making a modification that requires it. To me it's feeling more sinister, like it could be an infection at Apache level, which is why I upgraded and rebuilt Apache in the hope of fixing it. Any advice on how to check if it is an infected Apache process? Please excuse my n00bness; although I have been both making websites and running web servers for the last 10 years, this has really taken me to my wits' end.

Posted by WeWatch, 01-24-2011, 02:01 PM
Don't discount phpMyAdmin as the infection vector; even though you don't use it very often, that doesn't mean hackers won't find it and exploit it as a way in. Here is a good write-up on the infectious Apache processes: http://smaert.com/apache_mischief/writeup.txt

Posted by bigdm, 01-24-2011, 04:04 PM
Thanks for the info. I have a server admin taking a look at it for me in the morning, but I will take a read of this all the same.

Posted by WeWatch, 01-24-2011, 04:09 PM
Let me know if you find it or not. Just trying to help.
