PHP code injected into 5.6.0.2 update files

Permalink
I recently went to log into my site and had gotten an error message that there was and unexpected '<' in one of the update files which I found odd, so upon further investigation it turns out that there was a large section of PHP code that had been injected into the file. I did a find and replace to see where else it was turning up, and the same exact code was showing up in about 40 different files, all within the update folder. Not knowing what to do, whether this code was malicious or not, I proceed to remove the code from each page. Now I am able to log into the site but am concerned that there are bigger issues at hand. The attached file includes the injected code.

If anyone has had a similar experience or any advice on what to do to safeguard against this occurring in the future I would appreciate it.

Also, was I right in just deleting this code?

1 Attachment

shondy
View Replies:
Phallanx replied on at Permalink Reply
Phallanx
shondy replied on at Permalink Reply
shondy
It doesn't look like this vulnerability has been addressed in the current version. Maybe update to the current beta? Short of changing passwords, is there anything else I can do to close the door? I checked the .htaccess file and didn't see any hacks present and I am not sure what else to look for.
Phallanx replied on at Permalink Reply
Phallanx
Well. If you've found all the infections and there is nothing suspicious in your htaccess. You may have got it all. So the next thing is to try and stop it happening again.

A lot of script kiddies and exploits can be defeated with simple checks in your htaccess.

e.g.
# Query String Blacklists
RewriteCond %{QUERY_STRING} PHPSESSID [NC,OR] 
RewriteCond %{QUERY_STRING} allow_url_include [NC,OR] 
RewriteCond %{QUERY_STRING} auto_prepend_file [NC,OR] 
RewriteCond %{QUERY_STRING} auto_append_file [NC,OR] 
RewriteCond %{QUERY_STRING} vtigercrm [NC,OR] 
RewriteCond %{QUERY_STRING} \.\/ [NC,OR] 
RewriteCond %{QUERY_STRING} \.\.\/ [NC] 
RewriteRule ^.*$ - [F,L]


You should also turn off allow_url_include, auto_prepend_file and auto_append_file in the php.ini if they are enabled.
http://www.php.net/manual/en/ini.core.php#ini.auto-prepend-file....

These will stop most URL injection attacks, but not necessarily XSS.
shondy replied on at Permalink Reply
shondy
Well, I did as much as I could do and went with your suggestions. I hope this locks it down.

I really appreciate your help!