malicious iframe injected into php

Elps / 2009-08-05 13:10:59   

For the second time in a week my friend's Indexhibit site has been hit by attackers who alter most php files on the Indexhibit site.

What is interesting is that the attacks have been very similar but from two sources (one Russian, one Chinese).

Both times the attacks have chopped off the last few lines of php code and added their iframe line, but forgot to add ?> at the end.

This way of attacking indicates it is from some sort of script floating around, exploiting some vulnerability. The question is: where is that vulnerability? Could it be an ftp exploit (the password for ftp was provided by the host and looks very hard to crack by brute force)? Some vulnerability in PHP?

Hosting is shared hosting with no shell access, just ftp and PHPmyadmin.

Any other indexhibit users experience anything similar?
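The pattern described in this post (last lines of a PHP file cut off, an iframe line appended, no closing ?>) can be checked for across a site copy pulled down over ftp. The following is an added example, not code from the thread or from Indexhibit: it takes a SHA-256 baseline of known-good .php files, then reports any file whose hash changed or that carries an iframe tag after the last PHP block. The file names and the constructed sample site in demo() are assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# An <iframe> appended after the last PHP close tag is the indicator from the
# thread. A missing "?>" alone is NOT an indicator: pure-PHP files often omit it.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)


def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_php_file(path):
    """Return the list of heuristic indicators found in one PHP file."""
    text = path.read_text(errors="replace")
    findings = []
    m = IFRAME_RE.search(text)
    if m:
        findings.append("iframe_tag")
        if text.rfind("?>") < m.start():      # iframe sits outside any PHP block
            findings.append("iframe_after_last_php_block")
    return findings


def audit_tree(root, baseline):
    """Compare every .php file under root against baseline hashes and heuristics."""
    report = {}
    for p in sorted(root.rglob("*.php")):
        rel = p.relative_to(root).as_posix()
        findings = scan_php_file(p)
        if rel not in baseline:
            findings.append("not_in_baseline")
        elif baseline[rel] != sha256_of(p):
            findings.append("hash_mismatch")
        if findings:
            report[rel] = findings
    return report


def demo():
    """Constructed mini site: take a baseline, simulate the injection, audit."""
    root = Path(tempfile.mkdtemp())
    clean = "<?php\n$OBJ =& load_class('router', TRUE, 'lib');\necho 'ok';\n?>\n"
    (root / "index.php").write_text(clean)
    (root / "common.php").write_text("<?php\nfunction f() { return 1; }\n?>\n")
    baseline = {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.php")}
    # Simulate the attack: last lines chopped off, iframe appended, no closing ?>
    tampered = clean.rsplit("\n", 3)[0] + '\n<iframe src="http://example.invalid/" width=0 height=0></iframe>\n'
    (root / "index.php").write_text(tampered)
    return audit_tree(root, baseline)
```

Take the baseline from the original Indexhibit package or a known-clean backup, not from the current ftp copy, otherwise an already-modified file becomes the reference.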

Vaska A / 2009-08-05 13:34:43   

Seen it before...it happened to us as well. There is a bunch of evidence out there that this is actually a server hack. Many hosts are having problems with this (not only people with Indexhibit sites).

Apparently what is happening is that people have infected FTP applications that are transmitting the login info to bots. These bots login and then attack as many sites on the same server as is possible. In many cases, all it takes is just one person on the shared server to be infected and all users on that server could be attacked.

What's the site...who is the host?

Elps / 2009-08-05 19:12:40   

Thanks for the quick reply!

My friend's site is niedre.lv (niedre.com redirects) and his host is skynet.lv, a small Latvian host. I told him to talk to his host and ask for access logs plus change ftp password.

Right now I've fixed niedre.lv by copying original indexhibit .php files (index.php, ndxz-studio/default.php, common.php). I did not manage to fix ndxz-studio/index.php, that file seems to hang around this line:
$OBJ =& load_class('router', TRUE, 'lib');

Vaska A / 2009-08-05 19:27:54   

Maybe the 'router' file is missing from /ndxz-studio/lib/?

When you are done back it all up for more rapid recovery...a good practice anyways.

Change all the passwords to any logins for control panels, ftp, websites, etc. And if you are using a PC run some virus scanning...I've heard the big problem ftp app was Filezilla. But if somebody else is the problem then there is little you can do.

It's not really the fault of the host if somebody's ftp account is being hacked. Our host managed to solve it with some IP to Geolocation tools built-in to the server and scanning software that watches ftp activity more closely.

Elps / 2009-08-05 19:45:38   

Good tip about FileZilla (that was what was being used for ftp). It seems it stores passwords in plaintext... so if my friend (or, ahem, maybe my laptop too...) had malware, that could explain it.

More info: http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/

This thread has been closed, thank you.