I’m finding the following pattern in hacked, static content-only sites on my Mediatemple account. Some of these compromised sites aren’t getting flagged by Google.
1. A .htaccess file is created / modified with the following line:
AddHandler php4-script .php
2. PHP files are created, sometimes up to several months later, in sub-directories containing images. Sample filenames include: content.php, flirmin.js.php, neuks.php, eregi.php, is_file.php, and leses.php
3. index.html files are then edited with the usual code placed immediately after the body tag.
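A defender-side scanner for the three indicators listed in the comment above, added here as an example and not part of the original thread; it generalises the handler check to any php*-script handler and builds a constructed sample tree (the filenames lamb.php and the var st1 marker come from this page, the file contents are made up) to show what gets flagged:

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Matches the reported "AddHandler php4-script .php" and, more generally,
# any php*-script handler that maps .php in a static site's .htaccess
HANDLER_RE = re.compile(r"^\s*AddHandler\s+php\S*-script\s+\.php", re.I | re.M)
# A <script> placed directly after the opening <body> tag
BODY_SCRIPT_RE = re.compile(r"<body[^>]*>\s*<script\b", re.I)


def scan_site(root):
    """Return sorted (indicator, relative_path) tuples for a site tree."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            if HANDLER_RE.search(path.read_text(errors="replace")):
                findings.append(("htaccess_php_handler", rel))
        elif path.suffix.lower() == ".php":
            # A .php file sitting beside images is out of place on a static site
            siblings = (p.suffix.lower() for p in path.parent.iterdir() if p.is_file())
            if any(s in IMAGE_EXT for s in siblings):
                findings.append(("php_in_image_dir", rel))
        elif path.name.lower() in ("index.html", "index.htm"):
            if BODY_SCRIPT_RE.search(path.read_text(errors="replace")):
                findings.append(("script_after_body", rel))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree (hypothetical contents) reproducing the pattern."""
    root = Path(tempfile.mkdtemp())
    (root / ".htaccess").write_text("AddHandler php4-script .php\n")
    images = root / "images"
    images.mkdir()
    (images / "logo.png").write_bytes(b"\x89PNG placeholder")
    (images / "lamb.php").write_text("<?php /* dropped file, constructed */ ?>\n")
    (root / "index.html").write_text(
        "<html><body>\n<script>var st1=1;</script>\n<p>Home</p></body></html>\n")
    (root / "about.html").write_text("<html><body><p>Clean page</p></body></html>\n")
    return root


if __name__ == "__main__":
    for indicator, rel in scan_site(build_sample_site()):
        print(f"{indicator}: {rel}")
```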
One of the websites hosted on my MediaTemple account has had two of these injection issues in the recent past. The first was the “var st1=…” vulnerability and the second one is exactly that mentioned on this site.
In the first case, I went ahead and set the directory permissions for the JS folder to 755. The permissions for the affected JS file were also 755. In the second attack, that JS file was nonetheless modified again to include the following line:
What should I be setting my JS file permissions to? The attacked site contains no PHP and is reasonably small, so I was able to do a PHP search and found a file named “lamb.php” in one of the image folders.
Since MediaTemple is quite secretive about the details of hackers’ attacks, we can only guess what security holes are exploited and what can prevent such hacks.
I would like to explain why it is that we are secretive about certain details. While we are more open and transparent about these attacks than most other web hosts, we cannot disclose many details for security reasons.
I’m sure you understand that by explaining which, if any, security holes are being exploited we risk opening ourselves and our customers up to further attack.
We appreciate the blogging that you do on this topic as it provides quality information for both prevention and understanding.
Please let our customers know that, should they ever find themselves subject to attacks, they can contact Support at (mt) Media Temple and we should be able to assist with scanning and cleaning any infections from their websites.
The malware script below attacked my sites. I removed it more than 15 times but it keeps coming back again and again. I have been changing the FTP passwords every two hours but it is no use. Help me remove this script and stop its recurring attacks.