Hi guys,

I noticed for the past couple of days that some of my projects in PHP have been injected with <u style> codes at the end of the page:

SAMPLE

<u style=display:none><a href="http://canadaquebec.info/adapt/shans/tramadol/buy-tramadol.html">buy tramadol</a></u>


It practically bloats my index.php pages by posting itself over and over again, to the point that it becomes unmanageable under text editors. Any insights on how to deal with this problem?

Many thanks in advance.

    Does this happen on your dev server? Have you considered that your workstation may be infected with some malware?

    Does it happen on another, freshly installed development machine?

    Do you use self-modifying code in the project (Hint: don't) ?

    Mark

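      Aside from what Mark said, if you want to clear the file and you can't load it into the editor, write a script that will open the file and do a preg_replace:

      $str = file_get_contents('index.php'); // contains contents of your file
      // non-greedy (.*?) so each injected block is matched on its own
      $str = preg_replace('/<u style=display:none>(.*?)<\/u>/im', '', $str);
      file_put_contents('filename_cleaned.php', $str); // write $str in filename_cleaned.php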
      
        MarkR wrote:

        Does this happen on your dev server? Have you considered that your workstation may be infected with some malware?

        Does it happen on another, freshly installed development machine?

        Do you use self-modifying code in the project (Hint: don't) ?

        Mark

        Actually, the problem occurs on live servers. So far, it has happened on 3 separate instances, on 3 separate servers (all Linux).

          void_function wrote:

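          Aside from what Mark said, if you want to clear the file and you can't load it into the editor, write a script that will open the file and do a preg_replace:

          $str = file_get_contents('index.php'); // contains contents of your file
          // non-greedy (.*?) so each injected block is matched on its own
          $str = preg_replace('/<u style=display:none>(.*?)<\/u>/im', '', $str);
          file_put_contents('filename_cleaned.php', $str); // write $str in filename_cleaned.php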
          

          Thanks, Chief! Will take note of that. 🙂

            I guess that your workstation or your production server could have been compromised. Notify the hosting provider immediately.

            Try it on a standalone dedicated server shared with nobody else, and run no other dodgy third party apps (e.g. *Nuke, PHPBB) on the server. If the problem keeps occurring, it's definitely your code.

            I assume you have a backup of the code (or at least, on your dev server the code is not corrupted in this way so you can just re-deploy it to the new clean server).

            Maybe the hosting provider will accept that their machine is compromised and move your site to a clean box?

            Mark

              MarkR wrote:

              I guess that your workstation or your production server could have been compromised. Notify the hosting provider immediately.

              Try it on a standalone dedicated server shared with nobody else, and run no other dodgy third party apps (e.g. *Nuke, PHPBB) on the server. If the problem keeps occurring, it's definitely your code.

              I assume you have a backup of the code (or at least, on your dev server the code is not corrupted in this way so you can just re-deploy it to the new clean server).

              Maybe the hosting provider will accept that their machine is compromised and move your site to a clean box?

              Mark

              There are no third party applications on the server. Thing is, it's not just my programming that was attacked. It attacks any index-labeled file on the system, be it index.php or index.htm located on the root system.

                Well, once it's compromised the system from any particular source, it's not going to care what it attacks.... sounds like your hosting provider has a lot of cleaning up to do.

                  Change your passwords - it's a good bet that a low-life has hacked them.
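
The cleanup suggested earlier in the thread, applied to every index.* file under a directory (the scope the original poster describes), as an added example that is not part of any post here. It streams each file, uses a lazy match so content between two injected blocks survives, and writes a copy instead of overwriting; the function name, the `.cleaned` suffix and the sample tree are assumptions.

```php
<?php
// Added example, not code from the thread. The pattern mirrors the sample
// injection in the first post; "spam.example" below is constructed test data.
const INJECTED = '~<u style=display:none>.*?</u>~i'; // lazy: one block per match

// Scan $root for index.* files and write "<file>.cleaned" beside each infected
// one. Originals stay untouched as evidence. Returns [path => blocks removed].
function cleanIndexFiles(string $root): array
{
    $report = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($walker as $file) {
        $path = $file->getPathname();
        if (!$file->isFile() || !preg_match('/^index\.[a-z0-9]+$/i', $file->getFilename())) {
            continue;
        }
        $in = fopen($path, 'rb');
        $out = fopen($path . '.cleaned', 'wb');
        $removed = 0;
        // Stream line by line instead of loading a bloated file in one piece.
        while (($line = fgets($in)) !== false) {
            $clean = preg_replace(INJECTED, '', $line, -1, $n);
            if ($clean === null) { $clean = $line; $n = 0; } // PCRE error: keep line as is
            $removed += $n;
            fwrite($out, $clean);
        }
        fclose($in);
        fclose($out);
        if ($removed > 0) {
            $report[$path] = $removed;
        } else {
            unlink($path . '.cleaned'); // nothing injected, drop the copy
        }
    }
    return $report;
}

// Constructed sample tree: one infected index.php, one clean index.htm.
$root = sys_get_temp_dir() . '/inject-demo-' . uniqid();
mkdir($root);
$spam = '<u style=display:none><a href="http://spam.example/x.html">x</a></u>';
file_put_contents("$root/index.php", "<?php echo 'hi'; ?>\n$spam<p>real</p>$spam\n");
file_put_contents("$root/index.htm", "<html><u>legit underline</u></html>\n");
foreach (cleanIndexFiles($root) as $path => $count) {
    printf("%s: %d block(s), last modified %s\n", $path, $count, date('c', filemtime($path)));
}
```

The modification times it prints help bound when the files were last written to, which is worth recording before anything is redeployed.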
