  #1 Keleth (Senior Coder, New Jersey, joined Jun 2008)

    Security concern: Injected JS

    Hey, was hoping someone might lend me a thought on a security matter. I know it's not the direct purview of this forum, but there are a lot of knowledgeable people here. I tried searching through previous threads, but didn't really find anything.

    Recently (a week ago), on two different sites I run, on two different servers, I noticed malicious javascript was injected into every file "index.php" and any file ending with a .js extension. Unfortunately, I'm no pro at these things, and I'm trying to figure out what happened and how to avoid it in the future.

    I tried looking through ftp/access logs, and to the best I can find, there were no unusual accesses. My passwords are all at least two dozen characters long, random alpha-numerics, and I'm fairly certain I don't have a key logger, as virus scans with AVG and MBAM haven't come up with anything (plus other sites I also run are not infected). I've checked permissions on all files (read for everyone, write only for the owner). There's no code that allows for sql injection on one site, and on the other, there is no malicious SQL inserted. Neither site makes any use of GET variables, though both do use POST for various things.

    I understand this is what security professionals are hired for, but I guess I just don't notice other programmers going through these same problems and I wonder if my inexperience is getting the better of me. Could anyone relay any words of wisdom?

  #2 bdl (Regular Coder, Camarillo, CA US, joined Apr 2007)
    Shared server? Have you contacted the host?

  #3 MattF (Senior Coder, South Yorkshire, England, joined Jul 2009)

    Originally Posted by Keleth:
    There's no code that allows for sql injection on one site, and on the other, there is no malicious SQL inserted. Neither site makes any use of GET variables, though both do use POST for various things.
    Whether it's GET, POST etc is irrelevant if input isn't sanitised correctly, (or at all). bdl's suggestion should be your first port of call, but it could also be numerous other things. Old versions of software with security holes or bugs, older backup copies of software you have running which are buggy and still accessible, etc, etc.

  #4 Keleth (Senior Coder, New Jersey, joined Jun 2008)
    One is a shared host, though only one site on that host was infected. The other is a virtual server, which isn't really a shared host, is it?

    Regardless, yes, I contacted both hosts, but they say it's benign.

    Neither site uses packaged software (all my own code), and I sanitize as best as I know how (HTML special characters, add slashes, etc.). Can someone actually edit a file through a POST variable?

  #5 MattF (Senior Coder, South Yorkshire, England, joined Jul 2009)

    Originally Posted by Keleth:
    Can someone actually edit a file through a POST variable?
    Nope, but it can allow accessing information which leads to being able to access other resources. For example, if you're allowing file includes based on user input and not sanitising the path, they could theoretically request any available file, including ones outside of the web root. SQL injection is another plausible possibility.

    If this was your hosts response, btw:

    Regardless, yes, contacted both hosts, but say its benign.
    I'd definitely be suspecting the hosts security first. There's no such thing as a benign security breach. If anything has been tampered with in any way or form, they shouldn't be brushing it off, regardless of whether the code had any serious effect or not. A breach of any kind is a breach.
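    The include pattern MattF describes, as an added example that is not code from this thread or from the poster's sites. It is written in Python rather than PHP so it runs stand-alone; the web-root layout, template directory, page names and the fixed ".php" extension are assumptions for the demonstration. It shows the vulnerable join beside two hardened forms: an allow-list resolver with a containment check, and a lookup map where user input never becomes a path at all.

```python
import os
from pathlib import Path

# Hypothetical layout for the demonstration; the thread does not give the
# poster's real directory structure.
WEB_ROOT = Path("/var/www/example/htdocs").resolve()
TEMPLATE_DIR = WEB_ROOT / "templates"

# Strongest option: map request values to files, so user input never
# becomes part of a filesystem path.
PAGE_MAP = {
    "home": "home.php",
    "about": "about.php",
    "contact": "contact.php",
}


def vulnerable_include_path(page: str) -> str:
    """The pattern MattF warns about: the request value is joined straight
    onto a directory. '../' sequences walk out of the web root, so a request
    for '../../../../etc/passwd' names a file the web server can read."""
    return os.path.join(str(TEMPLATE_DIR), page)


def escapes_template_dir(path: str) -> bool:
    """Evaluate a joined path the way the attacker will exploit it: after
    normalisation, is it still below TEMPLATE_DIR?"""
    normalised = os.path.normpath(path)
    return os.path.commonpath([normalised, str(TEMPLATE_DIR)]) != str(TEMPLATE_DIR)


def safe_include_path(page: str, template_dir: Path = TEMPLATE_DIR) -> Path:
    """Hardened resolver for when a map is not practical:
    1. allow-list the characters (no '/', '.', '%', NUL, ...),
    2. append a fixed extension so the caller cannot pick the file type,
    3. resolve '..' and symlinks, then confirm the result is still inside
       template_dir. Step 3 is defence in depth; step 1 already rejects
       every traversal string."""
    if not page or not all(ch.isalnum() or ch in "-_" for ch in page):
        raise ValueError(f"rejected page name: {page!r}")
    candidate = (template_dir / f"{page}.php").resolve()
    if template_dir.resolve() not in candidate.parents:
        raise ValueError(f"path escapes template directory: {candidate}")
    return candidate


def lookup_page(page: str) -> Path:
    """Map-based variant: unknown keys fail closed."""
    try:
        return TEMPLATE_DIR / PAGE_MAP[page]
    except KeyError:
        raise ValueError(f"unknown page: {page!r}") from None


def resolves_safely(page: str) -> bool:
    """True if safe_include_path accepts the value."""
    try:
        safe_include_path(page)
        return True
    except ValueError:
        return False
```

    The character allow-list is what does the real work; the containment check after resolve() only matters if the allow-list is later loosened, and the map removes the problem entirely.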

  #6 Keleth (Senior Coder, New Jersey, joined Jun 2008)

    Originally Posted by MattF:
    Nope, but it can allow accessing information which leads to being able to access other resources. For example, if you're allowing file includes based on user input and not sanitising the path, they could theoretically request any available file, including ones outside of the web root. SQL injection is another plausible possibility.
    I don't think that's the case then, as I don't allow user input into anything more than the mail function, and even then, only after being sanitized. As for SQL, could SQL injection attacks rewrite a file without affecting the SQL DB? (i.e., nothing new in the database). I haven't heard of it, but like I said, I'm green in these matters.

    Originally Posted by MattF:
    I'd definitely be suspecting the hosts security first. There's no such thing as a benign security breach. If anything has been tampered with in any way or form, they shouldn't be brushing it off, regardless of whether the code had any serious effect or not. A breach of any kind is a breach.
    Well, they said they're looking into it, but it looks benign, but yeah, I see what you mean. But that's the other weird thing: I've gone through the ftp/user panel access logs, and there's nothing there from around the time of the file change.

  #7 OracleGuy (Rockstar Coder, USA, joined Jun 2002)

    Originally Posted by Keleth:
    But that's the other weird thing: I've gone through the ftp/user panel access logs, and there's nothing there from around the time of the file change.
    Keep in mind that it is a trivial matter of changing the last modified date and time of a file. While that can be a starting point, it isn't definitive.
    OracleGuy
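    An added example, not from the thread, of the two checks OracleGuy's reply points at: compare file contents against a stored hash baseline instead of trusting timestamps, and flag files whose mtime was set backwards (on Linux/Unix, utime() cannot touch ctime, so a back-dated mtime sits well before ctime). The staged site, the injected script tag, the host name and the marker strings are all constructed for the demonstration; the thread does not reproduce the real payload.

```python
import hashlib
import os
import tempfile
import time
from pathlib import Path

# Strings commonly seen in injected loader scripts. Constructed for the
# example; the thread does not reproduce the actual payload.
SUSPECT_MARKERS = ("<script", "eval(", "unescape(", "document.write(", "fromCharCode(")


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large .js bundles do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tracked_files(root: Path):
    """The set the poster saw hit: every index.php plus every *.js file."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and (p.name == "index.php" or p.suffix == ".js"):
            yield p


def build_baseline(root: Path) -> dict:
    """Hash every tracked file. Keep the result somewhere the web server's
    user cannot write (ideally another host), or whoever rewrote index.php
    simply rewrites the baseline too."""
    return {str(p.relative_to(root)): sha256_of(p) for p in tracked_files(root)}


def find_changes(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline by content, not by timestamp."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def mtime_backdated(path: Path, tolerance: float = 1.0) -> bool:
    """OracleGuy's point in practice. mtime is caller-controlled (touch -d,
    utime()), but on Linux/Unix the kernel stamps ctime on every content or
    metadata change and utime() cannot set it. An mtime well before ctime
    therefore means the modification time was rewritten after the change.
    Caveat: chmod/chown/rename also bump ctime alone, so treat a hit as a
    lead to chase in the logs, not as proof."""
    st = path.stat()
    return (st.st_ctime - st.st_mtime) > tolerance


def suspect_lines(path: Path) -> list:
    """Lines of a tracked file containing any injection marker, for triage."""
    hits = []
    for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if any(marker in line for marker in SUSPECT_MARKERS):
            hits.append((lineno, line.strip()))
    return hits


def demo() -> dict:
    """Stage a tiny site in a temp dir, baseline it, inject a script tag into
    index.php the way the thread describes, back-date its mtime a month, and
    report what each check catches."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / "js").mkdir()
    (root / "js" / "app.js").write_text("console.log('app');\n")
    (root / "style.css").write_text("body { margin: 0 }\n")  # not tracked
    baseline = build_baseline(root)

    # Simulated injection, then a forged mtime; ctime still moves to "now".
    target = root / "index.php"
    target.write_text(target.read_text() + '<script src="http://attacker.invalid/x.js"></script>\n')
    month_ago = time.time() - 30 * 86400
    os.utime(target, (month_ago, month_ago))

    report = find_changes(root, baseline)
    report["backdated"] = [str(p.relative_to(root)) for p in tracked_files(root) if mtime_backdated(p)]
    report["suspect"] = {}
    for p in tracked_files(root):
        hits = suspect_lines(p)
        if hits:
            report["suspect"][str(p.relative_to(root))] = hits
    return report
```

    Run build_baseline once against a known-clean checkout and re-run find_changes from cron; a content mismatch is the trigger, and mtime_backdated plus suspect_lines narrow down where to look in the access logs, which in this thread showed nothing around the forged timestamp.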

