PHP malicious code – pls help

  • wpaul

    (@wpaul)


    15 years, 4 months ago

    Currently the site I’m working on is hosted on IXwebhosting.com a “US” company whose help desk, etc are located in east europe.
    Since august this year (after the Georgia conflict) the site has been subjected to several attacks.
    Basically the intruders add a snippet of JS code to HTML files and then add PHP code (see below) in all PHP files.
    Moreover all the files have ownership changed to HTTPD:HTTPD (server is Linux).
    After the last complaint, I was told by the help desk that basically the problem lies in the version of the program – not true, as I have been attacked on both v 2.0.2 and 2.6+ – and that httpd:httpd appears when the attack has been caused by a php script (sidenote: previous attacks had changed ownership to ROOT:ROOT).
    As far as the latter point is concerned I had read that this kind of ownership change is only possible if/when someone has superuser access to the whole machine.
    To come to a conclusion: can anybody pls confirm that WordPress’ code could inherently be the “cause” of these problems – especially the ownership change? Personally I don’t see how and why but I appreciate the seniority and expertise of other expert members..

    Kind regards,

    Paul

    Malicious code inserted in the php files:
    http://wordpress.pastebin.ca/1271096

Viewing 2 replies - 1 through 2 (of 2 total)
  • whooami

    (@whooami)

    15 years, 4 months ago

    you are right on both accounts as far as the ownership goes, a regular user cannot chown a file or a directory to root, and, generally speaking, files or directories created by PHP will be owned by the owner of apache and PHP.

    that said, on an insecure, unkept box, privilege escalations are possible, so getting root might not be so hard.

    A simple PHP shell, uploaded to an insecure server affords enough permissions to look for other potential problems — packages that arent upgraded etc.. and could quite easily lead to a rooted server as opposed to just a cpl rooted web sites.

    cspaid

    (@cspaid)

    15 years, 4 months ago

    I am going through the same problem with Ixwebhosting. I made so many security mistakes that it is hard to place the blame on the host but I did go ahead and request to be moved to the newest cpanel which gave me php5 and new ip addresses. I had backups and used the opportunity to get a clean start an do a better job of hardening my sites as well as my back up procedures. It sucks but sometimes we have to learn the hard way.
    ps.
    There are several good post and articles on how to harden WordPress.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘PHP malicious code – pls help’ is closed to new replies.