Files appended


#1

All index.php and main.php files on my site have been appended with spam.
If you view http://gallery2.ca/ and view the source you will see the hidden div with some spam.
I have looked at these files and they all have the same time-stamp. Files that I even forgot about, not accessible via HTTP, are affected as well.
I looked at the logs but can't seem to find anything that correlates to the time-stamps.

There are backups but I would like to get at the cause. (Yes, passwords have been changed.)
Can another script on the same server change files?

Dave


#2

You might be interested in reading this topic, as it relates to the same thing happening to some other users on DH. No one is aware of why/how it’s happening yet, and DH hasn’t made any official comments on it (that I’m aware of).




#3

Your site appears to have suffered from the same hacking attempt as many others (including myself). Report this to the abuse department immediately.




#4

Just to get it on file, this has happened to me too. And after heavy review of logs, both the DH ones and my own, checking custom scripts and more, I can’t find any way someone has possibly been able to append and inject the spam urls to animal pr0n into both php, perl, text and binary files.

I have contacted support about it, but they say no tripwires on my server were triggered.

I have anon ftp but files changed aren’t accessible from it. My account resides on .bass.

A mediawiki of version 1.7.1 was running with the same user.

proftpd is at 1.3.0rc2

custom php5.2.2

Maybe people can find some similarities, as there doesn’t seem to be that many people affected. Also, if you don’t think you are affected, try to search your files for parts of the following content: (go to this url to see the contents I have mentioned) http://utilitybase.com/paste/3541


#5

I am on the ‘western’ server.
I grepped for http://utilitybase.com and found nothing. However ‘cialis’ is a different story.

I have replaced the files and changed passwords and am still affected.
Support showed me a bunch of IPs that have gained access and only one of the 6 was me. At the end of the mail they said:
"also I have forwarded this to the admin that is handling this issue as it appears that you have been affected."

I hope that it gets solved soon, as it could be much worse.

Dave
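
The checks described in this thread (the hidden div and identical time-stamps in #1, searching file contents in #4 and #5), combined into one sweep as an added example that is not part of any post. The regex for the hidden div, the 64 KiB tail window and the function names are assumptions; `cialis` is the keyword from #5.

```python
import os
import re
import sys
from collections import defaultdict

TAIL_BYTES = 64 * 1024  # appended content sits at the end of the file
# Assumption: the spam is wrapped in an inline-styled hidden <div>, as post #1 describes.
HIDDEN_DIV = re.compile(
    rb"<div[^>]*style\s*=\s*[\"'][^\"']*(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
CLOSERS = (b"</html>", b"?>")  # anything after the last of these was likely appended


def appended_part(tail):
    """Bytes after the last closing marker, or the whole window if none is present."""
    cut = max((tail.rfind(m) + len(m) for m in CLOSERS if m in tail), default=0)
    return tail[cut:]


def scan(root, keywords=(b"cialis",)):
    """Return (flagged, same_time): flagged maps path -> reasons; same_time lists
    unflagged files whose mtime equals that of a flagged file."""
    flagged, by_mtime = {}, defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    fh.seek(max(0, size - TAIL_BYTES))
                    tail = fh.read()
                mtime = int(os.stat(path).st_mtime)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            by_mtime[mtime].append(path)
            extra = appended_part(tail)
            reasons = []
            if HIDDEN_DIV.search(extra):
                reasons.append("hidden div after closing tag")
            reasons += ["keyword: " + k.decode() for k in keywords if k in extra.lower()]
            if reasons:
                flagged[path] = reasons
    hot = {t for t, paths in by_mtime.items() if any(p in flagged for p in paths)}
    same_time = sorted(p for t in hot for p in by_mtime[t] if p not in flagged)
    return flagged, same_time


if __name__ == "__main__":
    hits, pivots = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for p, why in sorted(hits.items()):
        print("FLAGGED", p, "; ".join(why))
    for p in pivots:
        print("SAME-MTIME", p)
```

The `SAME-MTIME` list is the pivot: files changed in the same second as a known-modified file but not matching the content checks, such as the binary files mentioned in #4. Keywords must be given in lowercase.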