index.php code injection problems

Squiggles

Hi guys,

I noticed for the past couple of days that some of my projects in php have been injected with <u style> codes at the end of the page:

SAMPLE

<u style=display:none><a href="http://canadaquebec.info/adapt/shans/tramadol/buy-tramadol.html">buy tramadol</a></u>

It practically bloats my index.php pages by posting itself over and over again, to the point that it becomes unmanageable under text editors. Any insights on how to deal with this problem?

Many thanks in advance.

MarkR

Does this happen on your dev server? Have you considered that your workstation may be infected with some malware?

Does it happen on another, freshly installed development machine?

Do you use self-modifying code in the project (Hint: don't) ?

Mark

void_function

Aside to what Mark said, if you want to clear the file and you can't load it into the editor, write a script that will open the file and do a preg_replace:

$str; // contains contents of your file
$str= preg_replace('/<u style=display:none>(.*)<\/u>/im', '', $str);
// write $str in filename_cleaned.php

Squiggles

MarkR wrote:
Does this happen on your dev server? Have you considered that your workstation may be infected with some malware?

Does it happen on another, freshly installed development machine?

Do you use self-modifying code in the project (Hint: don't) ?

Mark

Actually, the problem occurs on live servers. So far, it has happened on 3 separate instances, on 3 separate servers (all linux).

Squiggles

void_function wrote:
Aside to what Mark said, if you want to clear the file and you can't load it into the editor, write a script that will open the file and do a preg_replace:
$str; // contains contents of your file
$str= preg_replace('/<u style=display:none>(.*)<\/u>/im', '', $str);
// write $str in filename_cleaned.php

Thanks, Chief! will take note of that. 🙂

MarkR

I guess that your workstation or your production server could have been compromised. Notify the hosting provider immediately.

Try it on a standalone dedicated server shared with nobody else, and run no other dodgy third party apps (e.g. *Nuke, PHPB😎 on the server. If the problem keeps occuring, it's definitely your code.

I assume you have a backup of the code (or at least, on your dev server the code is not corrupted in this way so you can just re-deploy it to the new clean server).

Maybe the hosting provider will accept that their machine is compromised and move your site to a clean box?

Mark

Squiggles

MarkR wrote:
I guess that your workstation or your production server could have been compromised. Notify the hosting provider immediately.

Try it on a standalone dedicated server shared with nobody else, and run no other dodgy third party apps (e.g. *Nuke, PHPB😎 on the server. If the problem keeps occuring, it's definitely your code.

I assume you have a backup of the code (or at least, on your dev server the code is not corrupted in this way so you can just re-deploy it to the new clean server).

Maybe the hosting provider will accept that their machine is compromised and move your site to a clean box?

Mark

There are no third party applications on the server. Thing is, it's not just my programming that was attacked. It attacks any index-labeled file on the system, be it index.php or index.htm located on the root system.

Weedpacket

Well, once it's compromised the system from any particular source, it's not going to care what it attacks.... sounds like your hosting provider has a lot of cleaning up to do.

rikmoncur

change your passwords - it's a good bet that a low-life has hacked them.