

malicious code added to index file, help




Posted by Mike006, 07-09-2008, 11:24 AM
I've been having an issue with one of my sites where someone has been adding malicious code to the index file. I don't know what has been compromised and am looking for a way to stop this. I have a dedicated server and have already upgraded MySQL to the latest version, as I thought that might work, but it hasn't. Any suggestions on what I can do to stop this?

Posted by WebbyCart, 07-09-2008, 11:28 AM
Hi, upgrade your other scripts such as CMS, forums, etc., as usually old versions of these programs are the backdoor of these hacks/injections. Bobby

Posted by Mike006, 07-09-2008, 11:30 AM
My site is already the latest version and so are the forums. My forums are also on a subdomain and separate database, so I don't think my site was compromised through the forums.

Posted by Mr Terrence, 07-09-2008, 11:31 AM
What type of scripts are located under that account?

Posted by Syd_M, 07-09-2008, 11:35 AM
Do you use a CMS or similar software? If yes, then have you upgraded that software to the latest version? What scripting language is your website in (HTML, PHP, ASP, etc.)? What exactly is the nature of the attack? The info you have provided so far doesn't really tell us anything — we need more info if we are to help.

Posted by Mike006, 07-09-2008, 11:37 AM
3 scripts total on the server. All scripts are PHP language and have been upgraded to the latest version except for mySimpleAds. Nature of the attack is that malicious code is being injected into the index.php file of my site. This is the 3rd time in the last 2 months it has happened.

Main site - Auction Script - http://phpprobid.com
Forums - On subdomain, separate database. VB Forums
Ad Management - mySimpleAds, separate database

Posted by Syd_M, 07-09-2008, 11:51 AM
Hmm... what's the latest version number of PHP Pro Bid? AFAIK, PHP Pro Bid has some vulnerability to XSS attacks, as well as SQL injection via advancedsearch.php and viewfeedback.php. Check out the related Secunia advisory for more info. Have you contacted PHP Pro Bid about this?

Posted by Mike006, 07-09-2008, 11:59 AM
Currently it's 6.03 and I'm also talking to them about it. I just wanted to get a 2nd opinion as they have yet to resolve the issue. Thanks for the link.

Posted by SPaReK, 07-09-2008, 12:17 PM
Try changing the FTP password for your account. I have seen a lot of cases where hackers logged in via FTP and injected code into index pages. If your password is easy to guess or has been compromised then that is one way they can gain access. I would also recommend reviewing the entire structure of your account. Look for files that should not be there. Ultimately the best solution is to completely wipe the account clean and start over from scratch. If you are running an outdated script or ran an outdated script at some point in time, then it might be possible for hackers to exploit a vulnerability in that script version and place a backdoor somewhere on your account. Then even if you do upgrade all of the scripts, the backdoor still remains and still allows them to hack into your account. This is why it is so important that you keep your scripts up-to-date and update them quickly whenever a new version is released. I think more emphasis needs to be placed on this need throughout the webhosting industry.


