
How is someone placing a script into my headers?

Discussion in 'General Scripting Chat' started by Mr-Eguy, Apr 23, 2011.

  1. Mr-Eguy

    Mr-Eguy Newbie

    I've been having an issue with someone "injecting" a script into some of my sites and I don't know how they're doing it and how to prevent future "attacks".

    This isn't anything malicious, it's more of a pain in the keester than anything.

    When I try to view some of my pages, I either get a blank page or an error message saying that the header is already sent.

    When I view the page source there's always a
    HTML:
     <script>whatever they're inserting</script> 
    displayed and that's the only thing.

    So here's what I need to know... how is someone injecting this script into my PHP sites, and what measures can I use to prevent it from happening in the future?

    Any help anyone can offer would be appreciated.

    Thank you
     
  2. almir012

    almir012 BANNED BANNED Jr. VIP Premium Member

    Your cPanel password is probably hacked. Don't save passwords in FTP programs; they are usually guilty of such stuff.
     
  3. flexnds

    flexnds Power Member

    1.) Change all passwords after you scan your computer.
    2.) Scan your computer with a good anti-spyware, anti-virus (pay for webroot, it's worth every penny).
    3.) Check your file permissions and make sure they are all correct.
    4.) If you're using WordPress, make sure your wp-config.php file is set to 0600 permissions.
    5.) If you are using WordPress, install the plugins "secure wordpress" and "bbq" to prevent the SQL injections by blocking bad queries.
    6.) Call your hosting provider and have their tech team check out your account to see what's going on and if something is misconfigured on their end.
    7.) Make sure your theme does not have any malicious code and the same goes for plugins as well.
     
  4. Mr-Eguy

    Mr-Eguy Newbie

    Thank you for your suggestions.

    I did a scan a couple of days ago and my system is clean so I know I don't have any rootkits or anything that would do any keylogging.

    I use roboform for pretty much everything and do a format of my system about once a month or so, so everything is always cleared of anything that would pose to be any kind of threat.

    My cPanel password is 15 characters of mixed formats so I don't think it's been hacked. I also check to see where the last login was made by IP and it's never shown anything other than mine.

    I've taken your advice and installed secure wordpress as well as bbq and I'm anxious to see what the results are.

    The reason I was asking this, was because it's not just happening to me. I know another marketer who's hosted by a different company and he's had the same issue.

    The only thing we had in common was WordPress.

    When I found out that this was the only thing we had installed on our servers that was common, I started going through my WP and downloaded a fresh copy from the main site and did a file by file comparison and found a file called js.php that was out of place. I deleted everything from the server and did a fresh install of everything that I previously had installed. The js.php file isn't on my server.

    Everything is clean and I'm still getting this code inserted into my files.

    I don't know how it's happening and what to do to prevent it.

    I got my scan back from WebSiteDefender and it shows that my php errors are enabled but I don't know how to change it.

    I downloaded the .htaccess file to see what was in it, and it's got so much information that I don't know what to change if anything at all.

    According to WebSiteDefender, I should have

    php_flag display_errors off
    php_flag log_errors on
    You can disable display_errors from php.ini or .htaccess

    but where do I make that change? I don't have a php.ini file on the server so .htaccess is my only option at the moment.

    Any suggestions would be greatly appreciated
     
  5. flexnds

    flexnds Power Member

    Depending on what plugins you run your bare bones .htaccess should look like this

    HTML:
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
     
  6. indieee

    indieee Registered Member

    I had a very similar problem (with what looked to be like a hacked site due to injected scripts) a few weeks back which was doing my head in as I just could not work it out.

    The problem ended up being a plugin that would only cause issues on a particular theme I was using on my WP site. If I changed themes, the problem would go away.
     
  7. Mr-Eguy

    Mr-Eguy Newbie

    Ok... I spoke to my host and they've set my php.ini file up so that no errors are displayed and hopefully this will help keep people out.

    Thank you for your suggestions. They've been very helpful :beer:
     
  8. Mr-Eguy

    Mr-Eguy Newbie

    Ok... just an update.

    I found out that it's a bot that's been creating havoc on my site as well as on other people's sites.

    It's been coming from the same IP and has been inserting 3 files onto the server which replicate the injection after you've gone through your index files and deleted the lines of script.

    The files are:

    js.php
    confdb.php
    counter.js


    These files can be found in your root directory as well as your htaccess folder and your cpanel folder.

    I don't have enough posts to send you a link to where I found this information, but if this happens to you, at least you have an idea of what to look for.

    The place to look for the insertion is in ANY form of index file and as for php files, it's usually the very first line, whereas in html or htm files, it's most likely found right after the first body tag but it's best to search for it throughout the whole page because I was told that sometimes it can be found after the closing tags.

    I hope this helps anyone that's run into the same problems I have.

    Best of luck.
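
A read-only check for the indicators listed in the last post, as an added example that is not part of the original thread: it walks a web root, flags the three file names, and checks each index file for a script tag on the first line (PHP), right after the first body tag (HTML), or after the closing html tag. The function names and the sample tree are assumptions made for the illustration; the sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# File names the thread reports being dropped on the server.
DROPPED_NAMES = {"js.php", "confdb.php", "counter.js"}
SCRIPT_RE = re.compile(r"<script\b", re.I)


def check_index(text, is_php):
    """Return the spots in one index file where a <script> looks injected."""
    hits, lines = [], text.splitlines()
    if is_php and lines and SCRIPT_RE.search(lines[0]):
        hits.append("script on first line")
    body = re.search(r"<body\b[^>]*>", text, re.I)
    if not is_php and body and SCRIPT_RE.match(text[body.end():].lstrip()):
        hits.append("script right after <body>")
    ends = [m.end() for m in re.finditer(r"</html\s*>", text, re.I)]
    if ends and SCRIPT_RE.search(text[ends[-1]:]):
        hits.append("script after </html>")
    return hits


def scan(root):
    """Walk root and return sorted (relative path, finding) pairs to review."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if name in DROPPED_NAMES:
            findings.append((rel, "file name listed in the thread"))
        if re.fullmatch(r"index\.(php|html?)", name):
            text = path.read_text(encoding="utf-8", errors="replace")
            findings += [(rel, h) for h in check_index(text, name.endswith(".php"))]
    return sorted(findings)


def demo():
    """Scan a constructed sample tree (not data from the thread)."""
    samples = {
        "index.php": "<script>/* constructed */</script><?php echo 1; ?>\n",
        "blog/index.html": "<html><body>\n<script>x()</script></body></html>\n<script>y()</script>\n",
        "clean/index.php": "<?php require 'wp-blog-header.php';\n",
        "js.php": "<?php // constructed placeholder\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return scan(root)
```

Call `scan()` on a downloaded copy of the site to get the list of files to inspect by hand. A legitimate page can also place a script right after the body tag, so each finding is a lead to review, not proof of injection.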