Response from Fasthosts:
“Thanks for contacting us with your support enquiry.
It seems that you have been script injected by someone online entering malicious script through your site.
I recommend you take a look at the scripts and then work to a solution by removing it and making it secure to prevent it from happening in the future.”
I’ve replied and asked for information about switching to SFTP/FTPS.
Do you have access to the logs from right before your site was infected until now?
If so, we’d like to run them through our analyzer to see what “script injection” they’re talking about.
Let us know and you can contact us off list to provide access to your logs. The clue might be in the log files.
Thank you for the update.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Thank you.
We ran the log files through our analyzer and also inspected them manually and we see nothing that would indicate an injection attack. Just for your information, an injection would have to be delivered via an HTTP POST or via a GET if it were a remote file include. Your log files show no such action. Nothing but GETs and HEADs but no POSTs or PUTs and the GETs were for files local to your website with no extraneous query strings so it wasn’t a remote file include.
On this page: http://www.php.net/manual/en/features.remote-files.php
It states, “You can also write to files on an FTP server (provided that you have connected as a user with the correct access rights). You can only create new files using this method; if you try to overwrite a file that already exists, the fopen() call will fail.”
Again going back to compromised FTP credentials.
If you can disable allow_url_fopen then you should.
I’m curious, does your host offer SSH access to your site? That is quite odd that they wouldn’t offer SFTP or FTPS.
I’m not saying that this couldn’t be an injection attack I just wonder how people can claim that’s what it is without any proof.
If anyone can shed light on this, please enlighten me.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
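Thomas’s log-triage approach above, as an added example that is not code from this thread or from We Watch Your Website: it parses Apache combined-format lines (constructed sample data, assumed format and addresses) and flags the two delivery paths he names, POST/PUT requests and GET query parameters carrying a remote URL, so a reader can check their own logs the same way.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache combined/common log prefix: client, identd, user, timestamp,
# request line, status, size. The trailing referer/agent fields are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: three benign GET/HEAD requests for local files, one POST
# (the path an injection payload would take), and one GET whose query string
# names a remote URL (the remote-file-include pattern). Addresses are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2010:13:55:37 +0000] "GET /images/logo.png HTTP/1.1" 200 1024
203.0.113.5 - - [10/Oct/2010:13:55:38 +0000] "HEAD /contact.php HTTP/1.1" 200 -
198.51.100.9 - - [10/Oct/2010:14:02:11 +0000] "POST /contact.php HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2010:14:02:12 +0000] "GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 900
"""

REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.I)


def triage(log_text):
    """Return (line_no, reason) pairs for lines that deserve a human look.

    A log with only GET/HEAD requests for local files and no remote URLs in
    query strings yields an empty list, matching the clean verdict above.
    """
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparseable line"))
            continue
        method = m.group("method")
        target = urlparse(m.group("target"))
        if method in ("POST", "PUT"):
            findings.append((n, f"{method} request to {target.path}"))
        # A query value that itself is a URL is the remote-file-include pattern.
        for key, values in parse_qs(target.query).items():
            for v in values:
                if REMOTE_SCHEME.match(v):
                    findings.append((n, f"remote URL in query param {key!r}"))
    return findings


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```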
Thomas is right. If it were a code injection attack, albeit a rudimentary one, it would show up in your log files. And yes, it does surprise me too that your host is not suggesting SSH-based access.
Is your ISP fasthosts.co.uk? They seem to have been hacked some time back. They are one of the big guys, and if they don’t offer a more secure way than vanilla FTP, it is very surprising indeed.
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
www.stopthehacker.com
Jaal: Protecting the Internet, one website at a time™
Thomas – Thank you for looking at my log files and for your feedback. As I mentioned in my initial post, this is all a bit new to me! So am I right in thinking that (in layman’s terms) an ‘injection’ is an attack where they get the server to run a malicious PHP script but in my case I’ve just had my FTP log-in details stolen by one of the many, many trojans on my computer?
At any rate, I’ll take your advice and do some more research into how I can turn off allow_url_fopen via .htaccess, and hopefully that’ll improve my security.
Anirban – Fasthosts.co.uk host my site, I queried them specifically about SFTP and FTPS as alternatives to straight up FTP, I’ve pasted their response below:
“Thanks for contacting us with your support enquiry.
Unfortunately not, as this is not something we currently have in place.
However, in future we are considering these as an improvement.
Regards
Thanks again for contacting us.”