When I came home today I found all my PHP files on my GoDaddy Linux hosting infected. The following code was inserted at the beginning of all files:
/**/ eval(base64_decode("aWYoZnVuY3....")
According to the logs, the infected code failed to run:
eval()’d code line 1: gzinflate() [function.gzinflate]: data error
Nevertheless, I want to prevent this from happening again, but I have no idea how they got in in the first place. I have FTP access (no SFTP), so theoretically they could have sniffed the password, but there is probably a simpler explanation.
They could also have exploited an insecurity in GoDaddy's setup, but in that case I can't do anything to prevent it.
Could there be a typical error in my PHP code or configuration which makes it possible to hack the PHP files like this?
It seems the reason was that I included a PHP file whose name came from a URL parameter, and they supplied their own script in the parameter.
I thought it was safe, because it was of the form
require "data/$param";
so I assumed it could only be a local include, which they can't modify. It looks like they gave a URL as the value of $param, which pointed to an external PHP file containing the attack code. I'm not sure how the URL was resolved correctly with the data/ part in front of it, but this seems the most likely explanation.
Does anyone know how the URL is handled in this case?
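The include pattern quoted above, with a hardened version beside it, as an added example that is not code from the original post. One fact worth having in front of you: PHP's include/require only treat the string as a URL when it begins with a stream wrapper (http://, ftp://, data:, php://), and http/ftp additionally need allow_url_include=On; with a literal "data/" prefix the classic attack against this pattern is "../" traversal to a file the attacker can already write (an upload, a log file, a session file). The example assumes the includable files live in ./data/ and are chosen by a ?page= parameter; PAGE_DIR, ALLOWED_PAGES, the page names and the function names are assumptions for illustration.

```php
<?php
// Added example, not code from the original post. Assumes the includable files
// live in ./data/ and are selected by ?page=...; PAGE_DIR, ALLOWED_PAGES and the
// page names are assumptions for illustration.

// 1. The pattern from the post: the request controls the tail of the path.
//    include/require only treat the string as a URL when it *starts* with a
//    stream wrapper (http://, ftp://, data:, php://...), and http/ftp also need
//    allow_url_include=On. With a fixed "data/" prefix the usual attack is
//    "../" traversal to a file the attacker can already write.
function includeVulnerable(string $param): void
{
    require "data/$param";
}

// 2. Hardened form: an allowlist of page names, a strict character check, and a
//    realpath() containment check so that even a mistake in the allowlist cannot
//    reach outside the data/ directory.
const PAGE_DIR = __DIR__ . '/data';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

function resolvePage(string $param): ?string
{
    // Plain page names only: no slashes, dots, colons or NUL bytes get through.
    if (preg_match('/\A[a-z0-9_-]{1,64}\z/', $param) !== 1) {
        return null;
    }
    if (!in_array($param, ALLOWED_PAGES, true)) {
        return null;
    }
    $base   = realpath(PAGE_DIR);
    $target = realpath(PAGE_DIR . '/' . $param . '.php');
    if ($base === false || $target === false) {
        return null;   // directory or page does not exist
    }
    // realpath() has resolved symlinks and "..", so a prefix comparison is meaningful.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function includeHardened(string $param): void
{
    $file = resolvePage($param);
    if ($file === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    require $file;
}

// Guard against ?page[]=x, which would arrive as an array rather than a string.
$page = $_GET['page'] ?? 'home';
includeHardened(is_string($page) ? $page : 'home');
```

The allowlist alone is enough when it is correct; the realpath() check is there so that a later edit that relaxes the allowlist or the regex does not silently reopen traversal. Independently of the code, confirm that allow_url_include is Off in the hosting's php.ini (it has defaulted to Off since PHP 5.2) so that remote wrappers cannot be included anywhere in the application.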
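A small scanner for the indicator described at the top of the post (a prepended "/**/ eval(base64_decode(...))" stub at the start of every PHP file), as an added example that is not code from the original post. It is meant to be run from the command line against a copy of the web root; the root path, the function names and the sample file content are constructed for illustration, and the base64 text in the sample is made up rather than the real payload.

```php
<?php
// Added example, not code from the original post. Walks a directory tree and
// reports PHP files whose first bytes carry a prepended eval(base64_decode("..."))
// stub like the one quoted in the post. Run from the CLI: php scan.php /path/to/root
// The root path and the sample below are constructed for illustration.

// Optional opening tag, the "/**/" comment, then eval(base64_decode("...")).
const STUB_RE = '/\A\s*(?:<\?php\s*)?\/\*\*\/\s*eval\s*\(\s*base64_decode\s*\(\s*["\'][A-Za-z0-9+\/=]+["\']\s*\)\s*\)/';

function headLooksInjected(string $head): bool
{
    return preg_match(STUB_RE, $head) === 1;
}

function findInjectedFiles(string $root): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        // Only the first 4 KiB are needed: the stub sits at the very start of the file.
        $head = file_get_contents($file->getPathname(), false, null, 0, 4096);
        if ($head !== false && headLooksInjected($head)) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// Constructed sample in the shape the post describes; the base64 string is not real.
$sample = "<?php /**/ eval(base64_decode(\"aWYoZnVuY3Rpb24oKQ==\"));\n?><?php\necho 'hello';\n";
$clean  = "<?php\necho 'hello';\n";

// Self-check of the pattern before scanning the real tree.
if (!headLooksInjected($sample) || headLooksInjected($clean)) {
    fwrite(STDERR, "pattern self-check failed\n");
    exit(1);
}

foreach (findInjectedFiles($argv[1] ?? __DIR__) as $path) {
    echo $path, PHP_EOL;
}
```

The scanner only reports; cleaning is best done by restoring the files from a known-good copy rather than by editing them in place, since the stub can be followed by the original opening tag in more than one layout and a regex-based strip is easy to get subtly wrong.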