Security concern: Injected JS

Hey, was hoping someone might lend me a thought on a security matter. I know its not the direct privy this forum, but a lot of knowledgeable people here. I tried searching through previous threads, but didn't really find anything.

Recently (a week ago), on two different sites I run, on two different servers, I noticed malicious javascript was injected into every file "index.php" and any file ending with a .js extension. Unfortunately, I'm no pro at these things, and I'm trying to figure out what happened and how to avoid it in the future.

I tried looking through ftp/access logs, and to the best I can find, there were no unusual accesses. My passwords are all at least two dozen characters long, random alpha-numerics, and I'm fairly certain I don't have a key logger, as virus scans with AVG and MBAM haven't come up with anything (plus other sites I also run are not infected). I've checked permissions on all files (read for everyone, write only for the owner). There's no code that allows for sql injection on one site, and on the other, there is no malicious SQL inserted. Neither site makes any use of GET variables, though both do use POST for various things.

I understand this is what security professionals are hired for, but I guess I just don't notice other programmers going through these same problems and I wonder if my inexperience is getting the better of me. Could anyone relay any words of wisdom?

Shared server? Have you contacted the host?

There's no code that allows for sql injection on one site, and on the other, there is no malicious SQL inserted. Neither site makes any use of GET variables, though both do use POST for various things.

Whether it's GET, POST etc is irrelevant if input isn't sanitised correctly, (or at all). bdl's suggestion should be your first port of call, but it could also be numerous other things. Old versions of software with security holes or bugs, older backup copies of software you have running which are buggy and still accessible, etc, etc.

One is a shared host, though only one site on that host was infected. The other is a virtual server, which isn't really a shared host is it?

Regardless, yes, contacted both hosts, but say its benign.

Neither site uses a packaged software (all my own code), and I sanitize as best as I know how (html special characters, add slashes, etc). Can someone actually edit a file though a POST variable?

Can someone actually edit a file though a POST variable?

Nope, but it can allow accessing information which leads to being able to access other resources. For example, if you're allowing file includes based on user input and not sanitising the path, they could theoretically request any available file, including ones outside of the web root. SQL injection is another plausible possibility.

If this was your hosts response, btw:


Regardless, yes, contacted both hosts, but say its benign.


I'd definitely be suspecting the hosts security first. There's no such thing as a benign security breach. If anything has been tampered with in any way or form, they shouldn't be brushing it off, regardless of whether the code had any serious effect or not. A breach of any kind is a breach.

Nope, but it can allow accessing information which leads to being able to access other resources. For example, if you're allowing file includes based on user input and not sanitising the path, they could theoretically request any available file, including ones outside of the web root. SQL injection is another plausible possibility.

I don't think thats the case then, as I don't allow user input into anything more then the mail function, and even then, only after being sanitized. As for SQL, could SQL injection attacks rewrite a file without affecting the SQL DB? (ie, nothing new in the database). I haven't heard of it, but like I said, I'm green in these matters.

I'd definitely be suspecting the hosts security first. There's no such thing as a benign security breach. If anything has been tampered with in any way or form, they shouldn't be brushing it off, regardless of whether the code had any serious effect or not. A breach of any kind is a breach.

Well, they said they're looking into it, but it looks benign, but yah, I see what you mean. But thats the other weird thing, I've gone through the ftp/user panel access logs, and there's nothing there from around the time of the file change.

But thats the other weird thing, I've gone through the ftp/user panel access logs, and there's nothing there from around the time of the file change.

Keep in mind that it is a trivial matter of changing the last modified date and time of a file. While that can be a starting point, it isn't definitive.