

PHP Insertion Hack on Our Sites

Posted on 2011-02-12
Medium Priority
Last Modified: 2012-05-11
Last night I got an email from the staff member who handles email to the web master saying that directories in our publication folder /public_html/resources/

were unavailable on the web. I went there and the home page seemed fine, but trying to navigate to any sub-directories failed: we got 404s. Looking at the error logs I could see a number of other top directories in public_html were also delivering 404s.

I logged in and to my dismay discovered a .htaccess file had been added to about ten different top level directories

directoryIndex  index.php

and two other files had been added to the folder


which neither I nor anyone on my team had put there.

The index.php file was a copy of the index.shtml file, which was, and has been, the *real* home page.

The index.php file had a PHP include at the top:

<?php include('/home/himalayan/public_html/art/top.php');?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

Now, the "top.php" file was this weird thing related to Viagra sales:

ini_set('display_errors', "0");

$hostname = gethostbyaddr ($ip);

if (
strpos($agent, 'Googlebot') !== false ||
strpos($agent, 'Slurp') !== false ||
strpos($agent, 'msnbot') !== false ||
strpos($agent, 'msnbot-media') !== false ||
strpos($agent, 'spider') !== false ||
strpos($agent, 'Baiduspider+') !== false ||
strpos($agent, 'Yahoo') !== false ||
strpos($ip, '209.185.108') !== false ||
strpos($ip, '128.2.140') !== false ||
strpos($ip, '209.185.253') !== false ||
strpos($ip, '209.85.238') !== false ||
strpos($ip, '') !== false ||
strpos($ip, '') !== false ||
strpos($ip, '') !== false ||
strpos($ip, '') !== false ||
[snip   1000 lines exactly the same with different IP's]
strpos($ip, '66.249.84') !== false ||
strpos($ip, '74.6.87') !== false  ||
strpos($ip, '66.249') !== false ||
strpos($hostname,'googlebot')!== false
print $cont;exit();

if (strpos($ref, 'google.') !== false || strpos($ref, 'yahoo.') !== false || strpos($ref, 'msn.') !== false || strpos($ref, 'aol.') !== false ||

strpos($ref, 'search') !== false){
if (strpos($ref, 'q=') !== false){
if (strpos($hostname,'googlebot')== false){
if (substr_count($ref,"cialis")>0) {
if (strpos($ref, 'start=56')==false){
header ("Location: $rederict_URL"); exit(0);}

I don't think that anyone actually got in via FTP... it's almost like they figured out some vulnerability in one of our PHP apps and did some kind of insertion.

There were about ten other directories in /public_html/, and each had the same thing: a new .htaccess file with a directoryIndex index.php, and an index.php that was a copy of index.shtml with the include at the top pointing to the "*.php" file with all the attempted Viagra sales redirect stuff.

So I am removing those files and things are back to normal, but I don't know how to close the hole or even what it was. Fortunately the attack seems to have failed; at least our users did not end up at "getfastpills.com" but instead just got a 404.

Presumably the attacker realized this and abandoned his work otherwise he probably would have continued on until *all* top directories on the site were infected.
Question by:Sivakatirswami

Expert Comment

ID: 34880442
Have you got checks to prevent SQL injections?


Seems to me like one was able to upload files because he got himself administrator permissions...


Author Comment

ID: 34880892
But how has this got anything to do with MySQL? Since the insertions were:

     .htaccess      # [set to:] directoryIndex index.php
     index.php      # a copy of the original home page with an include to "top.php" at the top
     index.shtml    # (the original home page)
     top.php        # with all the php code and IPs and a final redirect to "getPills.com/cialis.html"

FYI the redirect failed, instead all that users got was a 404.

I changed the mainadmin and FTP password to the site right away with a really strong one.


Expert Comment

ID: 34881636
The point is he made himself admin, then did change the files and permissions.

I'm no PHP expert, this was just a heads up. Check the database for changes. Also check if there is an update for PHP available.


Accepted Solution

JayDiablo earned 2000 total points
ID: 34884257
Any sort of compromise like this should raise a lot of red flags.

Changing your passwords is a good first start, but the attacker may not have guessed your password to gain access to the system.

As Tolomir said, make sure everything is up-to-date on the server.  If you have full root access to the machine, you can do this yourself (or have someone that knows system-admin work do it for you).  If not, you'll need to contact the people responsible to do this for you.

You should also be concerned that the attacker may have installed something somewhere on your server that allows him to gain entry to your server at any time in the future.  Your server could now be vulnerable to being part of a bot-net, meaning it could be taken control to do a number of things, like sending spam emails, or participating in a DDOS attack (distributed denial of service).

Based on your question, it looks like you're running on a Linux based OS.  There are tools out there that check for "root-kits" that you can run, however, they're not always that useful if you've already been compromised.  It may be worth a shot anyhow.

It's also wise to move your SSH logins off of port 22, and to never allow the "root" user to login via SSH (both of these are configurable options of sshd, again, if you're on linux).  Also be sure that your FTP access is locked down (or removed entirely, and just use FTP over SSH instead).

Also be aware of any third party PHP applications that might be installed on your server (like forum or shopping cart software), as these packages may have vulnerabilities that are publicly known (and exploited).  Be sure all of these applications are up-to-date as well.

A compromised server should really be viewed as a security risk, and ideally should be taken out of the picture unless you're very thorough at locking it down and cleaning it up to prevent future attacks.  If you have a way to easily move live applications off of it and on to a new machine (don't copy the machine's data to a new machine, but rather re-deploy your applications on a new machine), go that route instead of trying to clean this one.

I don't want to make it sound like the sky is falling and you're doomed.  Perhaps it's as simple as a PHP vulnerability that is easily fixed with an update to PHP, but unless you know for sure that's how you were compromised, it's not wise to assume, and then find out a month later that your server has been sending 1000's of spam emails an hour for the past month and your host has to shut you down (or worse).

Author Comment

ID: 34884407
Jay, thanks for being clear. I think I was taking it too lightly, and your strong words of wisdom are what I needed to hear. Obviously there is no way for an EE expert to come up with a definitive answer of "how did he get in," but your points are well taken and I will do the best I can. I can't really shut down this server, so I have to work it out in place.

I will alert the host "ServePath" that we have been compromised and pay their security analysis team to check the server.

Author Comment

ID: 34885521
OK, I found the exploit... someone else recommended grepping the logs for POST on the date and looking for POSTs to PHP scripts. Bingo:

The hacker had somehow deposited two files in an obscure image directory on the 10th. "menu.php" opens with:

$login = ""; //Login
$pass = "";  //Pass
$md5_pass = ""; //If no pass then hash

I see in the logs 360 lines POSTing to that menu.php script from a Russian server; further analysis shows that it was a "black hat SEO" thing: trying to get the search engine to increase the ranking of his Viagra site.

So then I grepped for "menu.php" and found the point in time where he came onto the server at around 8 PM on the 10th... kept working until 2 AM...

It started on the 10th with some strange GET requests I do not understand... and then the POSTs start... over 300 of them.

- - [10/Feb/2011:13:20:05 -0800] "GET /childrens-courses/images/menu.php HTTP/1.1" 200 6499 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:06 -0800] "GET /favicon.ico HTTP/1.1" 200 766 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:09 -0800] "POST /childrens-courses/images/menu.php HTTP/1.1" 200 6034 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:16 -0800] "POST /childrens-courses/images/menu.php HTTP/1.1" 200 5189 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:17 -0800] "GET /css/main_home_pages.css HTTP/1.1" 200 2837 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:17 -0800] "GET /images/main_page_symbol.gif HTTP/1.1" 200 5365 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:18 -0800] "GET /images/social-icon-twitter.png HTTP/1.1" 200 1589 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:18 -0800] "GET /images/social-icon-facebook.png HTTP/1.1" 200 860 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:18 -0800] "GET /images/social-icon-youtube.png HTTP/1.1" 200 1366 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:19 -0800] "GET /images/header_flymenu_bg.gif HTTP/1.1" 200 1460 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:17 -0800] "GET /images/monks-debuhr.jpg HTTP/1.1" 200 36030 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:17 -0800] "GET /images/gurudeva-bodhinatha.jpg HTTP/1.1" 200 33976 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:18 -0800] "GET /images/main_pages_bg.jpg HTTP/1.1" 200 54975 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
- - [10/Feb/2011:13:20:19 -0800] "POST /childrens-courses/images/menu.php HTTP/1.1" 200 5311
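A small log-triage script, added here as an example and not part of the original thread, that does what the grep above did but over constructed sample lines: it parses Apache combined-format entries and flags POSTs to PHP files anywhere outside the one directory that is supposed to run PHP (assumed here to be /blog/), then reports the POST count per script and the first request that touched it. The client addresses, the query string and the malformed line are constructed placeholders.

```python
import re
from collections import Counter

# Apache "combined" log format: client, identd, user, [timestamp], "request", status, size, "referer", "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: the WordPress install under /blog/ is the only place PHP is meant to execute
PHP_ALLOWED_PREFIX = "/blog/"

def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def script_path(path):
    """Strip the query string so /x/menu.php?a=1 and /x/menu.php count as one script."""
    return path.split("?", 1)[0]

def is_unexpected_php(path):
    """True for a PHP file requested anywhere outside the allowed prefix."""
    p = script_path(path)
    return p.endswith(".php") and not p.startswith(PHP_ALLOWED_PREFIX)

def flag_php_posts(lines):
    """(timestamp, client, script, status) for every POST to an unexpected PHP file."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec and rec["method"] == "POST" and is_unexpected_php(rec["path"]):
            hits.append((rec["ts"], rec["ip"], script_path(rec["path"]), rec["status"]))
    return hits

def summarize(lines):
    """POST count per unexpected script, and the first request (GET or POST) that touched it."""
    counts = Counter(script for _, _, script, _ in flag_php_posts(lines))
    first_seen = {}
    for line in lines:
        rec = parse_combined(line)
        if rec and is_unexpected_php(rec["path"]):
            first_seen.setdefault(script_path(rec["path"]), rec["ts"])
    return counts, first_seen

# Constructed sample: placeholder client addresses, one legitimate blog POST, one malformed line
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2011:13:20:05 -0800] "GET /childrens-courses/images/menu.php HTTP/1.1" 200 6499 "-" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
203.0.113.7 - - [10/Feb/2011:13:20:09 -0800] "POST /childrens-courses/images/menu.php HTTP/1.1" 200 6034 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
203.0.113.7 - - [10/Feb/2011:13:20:16 -0800] "POST /childrens-courses/images/menu.php?x=1 HTTP/1.1" 200 5189 "http://www.mydomain.com/childrens-courses/images/menu.php" "Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.7.62 Version/11.00"
198.51.100.4 - - [10/Feb/2011:13:21:02 -0800] "GET /css/main_home_pages.css HTTP/1.1" 200 2837 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2011:13:22:40 -0800] "POST /blog/wp-comments-post.php HTTP/1.1" 302 0 "http://www.mydomain.com/blog/" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
""".splitlines()

if __name__ == "__main__":
    counts, first_seen = summarize(SAMPLE_LOG)
    for script, n in counts.items():
        print(f"{n} POST(s) to {script}; first touched {first_seen[script]}")
```

Run it against a real access_log by replacing SAMPLE_LOG with the file's lines; the first_seen timestamp is the point to start reading backwards for how the file got there.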


Expert Comment

ID: 34885609
So this menu.php script isn't something you installed correct?

Any evidence on how that file was inserted?

Did you happen to take note of which user (on your system) created that menu.php file and when?

Do you use fairly common PHP software, like wordpress, phpbb, etc...?  Is it used on the same domain that this menu.php script appeared in?

Any unusual entries in the logs prior to the first appearance of menu.php?

Author Comment

ID: 34889873
1) Correct, I did not install it.
2) No evidence on "how", though menu.php was dated October 2010 (strange). Perhaps he just stumbled on it... and it was there all along since last fall?
3) Yes, we use WordPress on this machine; that's the only PHP CMS we use on this domain, and yes it is running from the same domain in /public_html/blog/ alongside all the directories that were infected.
4) The files were owned by the admin for this site. I'm told that is to be expected if the PHP ran from the same domain: it would create files as the same owner, because it was "acting" as the owner of all the files.
5) Running "last" to view all logins to the server, nothing unusual. SSH: a few as root (me) and two of my trusted team who log in as themselves and then su... no one else. FTP users who are "jailed in" to virtual domains, doing transfers for sites they manage, were all known on my team. Ergo, this was a PHP exploit via HTTP somehow... dunno how.
6) Yeah, the insertion of infected redirection files (.htaccess and two PHP files pointing to the Viagra sales domain) occurred at around 2 am on the 11th. But the access logs have these weird GET requests for images that are to be called by the menu.php script.

Meanwhile I'm sweeping the machine, all domains, with grep, as this EVAL statement appears in the PHP scripts and will be easily uncovered. So I can clean the server, but the vulnerability is still there.

We are not letting users upload images of any kind, so it cannot be the known GIF infected file exploit.

I would like to learn how to configure the server to prevent execution of PHP from any directory *except* the /public_html/blog/ directory.

We will be redoing the whole site soon, using LiveCode server and the RevIgniter framework, and the WordPress installation will be the only place PHP is executed from, so I may as well simply block execution of PHP from *any* other location. How can I do that?

Expert Comment

ID: 34890106
Is wordpress the only third-party PHP application that runs on this domain?

Is it up-to-date?  Are there unofficial wordpress plugins installed?  Which ones?

All signs seem to point to a vulnerability in the wordpress install, which could be an out-of-date wordpress, or out-of-date/bad wordpress plugin.

Here's a somewhat similar case (though this one was code insertion into WP templates, which I've seen before):  http://dannedelko.com/wordpress/wordpress-injection-attack.html

As for restricting PHP to only be enabled in certain directories or paths...   PHP is enabled by default across the whole server.  Depending on how you installed php, you might have a "php.conf" file in /etc/httpd/conf.d/ that may look like this:

# PHP is an HTML-embedded scripting language which attempts to make it
# easy for developers to write dynamically generated webpages.

LoadModule php5_module modules/libphp5.so

# Cause the PHP interpreter to handle files with a .php extension.
AddHandler php5-script .php
AddType text/html .php

# Add index.php to the list of files that will be served as directory
# indexes.
DirectoryIndex index.php

# Uncomment the following line to allow PHP to pretty-print .phps
# files as PHP source code:
#AddType application/x-httpd-php-source .phps


or you may just have the uncommented lines in /etc/httpd/httpd.conf (or wherever your HTTP config file is located, the paths I've used here are specific to RHEL/Fedora/CentOS installs).

I've never had to do this, but it should be possible to move the AddHandler and AddType lines out of your general config (comment them out wherever they may be) and then just insert them into the VirtualHost container of the domain that you want PHP to be enabled on (or possibly even in a Directory container within a VirtualHost container for just that path):

For just selected domains:

<VirtualHost *:80>
  ServerName somedomain.com

  # PHP handler and type enabled only inside this virtual host
  AddHandler php5-script .php
  AddType text/html .php
</VirtualHost>


For just a specific directory in a domain:

<VirtualHost *:80>
  ServerName somedomain.com
  # PHP handler and type enabled only for this one directory
  <Directory /var/www/somedomain.com/httpdocs/blog>
    AddHandler php5-script .php
    AddType text/html .php
  </Directory>
</VirtualHost>


That should disable PHP from executing, however, if a user were to request a PHP file that exists in a directory that doesn't have the Handler/Type defined, Apache will just spit out the contents of the file, which could be a security risk if the PHP file contains any sensitive information, like passwords.

To combat that, you'd have to deny access to PHP files, here's an article that describes the directives to do such a thing:


That should prevent Apache from just spitting out the contents of the PHP file (instead it'll send a Forbidden HTTP status/error message).

Hope this helps. :)

Author Comment

ID: 34890644
I will check on the WordPress installation and plug ins.

AS for php execution, perhaps I'm not getting you clearly:

Actually I am looking to make it work the other way round

*allow* execution in /public_html/blog/

but not anywhere else.


Expert Comment

ID: 34890702
Actually I am looking to make it work the other way round

*allow* execution in /public_html/blog/

but not anywhere else.

That's what I was describing.

First you have to disable PHP execution across the entire Apache server (comment out the AddType and AddHandlers that currently exist), then you have to selectively *enable* PHP in the domains/paths that you want (by adding the AddType and AddHandler directives where you want PHP to be executed).

As a side effect of disabling PHP execution, Apache will directly output the contents of PHP files that are accessed (except where you've enabled PHP execution), so you need to deny access to those files (except where you want PHP execution to be enabled).

I'm not sure if that helps clear it up at all, let me know and I can try to be more specific.
