A common trend: website hacks over FTP, through a virus-infected PC
Bottom line: a PC or a Mac gets infected by a virus that sends all FTP logins from that compromised computer to a collector.
The collector then uses those FTP credentials to put malicious code into a website.
Last weekend a customer complained about his phpBB3 forum suddenly having problems.
The site ran under FastCGI and constantly generated an "Internal Server Error".
The website's error log showed the following errors:
[Sun Jul 29 19:24:41 2012] [warn] mod_fcgid: stderr: PHP Parse error: syntax error,
unexpected T_STRING in /var/www/vhosts/<domain-name>/httpdocs/includes/template.php
on line 236
This indicates a problem from line 236 onward. Inspection of the file showed that some malicious code had been inserted at the bottom of the file:
After inspecting all files in this website, it seems that the following files were also compromised with this code:
The permissions of those files had also been changed to: rwxr-xr-x
So I restored a backup of these files from before the date of the hack (which automatically changed the file permissions back to 644).
Inspecting the xferlog showed that the hack was done on Sunday, July 22nd at 23:15.
The xferlog also shows exactly which files had been compromised and that it came from the following IP: 220.127.116.11
This definitely proves that this was an FTP login hack.
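An added example, not part of the original post: a small Python parser that pulls completed PHP uploads out of an xferlog and groups them by source IP and FTP user, which gives both the list of touched files and the time window a backup has to predate. It assumes the standard 18-field xferlog layout (as written by wu-ftpd and ProFTPD); the log lines, addresses, user name and paths are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (18 fields per line). Addresses are documentation
# ranges; the user name and paths are made up for illustration.
SAMPLE_XFERLOG = """\
Fri Jul 20 10:02:11 2012 2 192.0.2.10 1530 /httpdocs/images/logo.png b _ i r ftpuser ftp 0 * c
Fri Jul 20 10:03:40 2012 1 192.0.2.10 880 /httpdocs/config.php b _ i r ftpuser ftp 0 * i
Sun Jul 22 23:15:01 2012 1 203.0.113.7 48150 /httpdocs/includes/template.php b _ o r ftpuser ftp 0 * c
Sun Jul 22 23:15:02 2012 1 203.0.113.7 48211 /httpdocs/includes/template.php b _ i r ftpuser ftp 0 * c
Sun Jul 22 23:15:04 2012 1 203.0.113.7 9120 /httpdocs/index.php b _ i r ftpuser ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one record per well-formed xferlog line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 18:
            continue  # blank, truncated or non-standard line
        try:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # unparseable timestamp
        # f[6]=remote host, f[8]=path, f[11]=direction (i/o/d),
        # f[13]=FTP user, f[17]=completion status (c/i)
        yield {"time": when, "host": f[6], "path": f[8],
               "direction": f[11], "user": f[13], "status": f[17]}

def php_uploads_by_host(text, suffix=".php"):
    """Group completed uploads of *.php files by (remote host, FTP user)."""
    groups = defaultdict(list)
    for rec in parse_xferlog(text):
        if (rec["direction"] == "i" and rec["status"] == "c"
                and rec["path"].lower().endswith(suffix)):
            groups[(rec["host"], rec["user"])].append(rec)
    report = {}
    for key, recs in groups.items():
        times = [r["time"] for r in recs]
        report[key] = {"first": min(times), "last": max(times),
                       "files": sorted({r["path"] for r in recs})}
    return report

if __name__ == "__main__":
    for (host, user), info in php_uploads_by_host(SAMPLE_XFERLOG).items():
        print(f"{host} as {user}: {info['first']} .. {info['last']}")
        for path in info["files"]:
            print("   ", path)
```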
A call to the client revealed that his Windows PC had been compromised by a virus one month ago. He re-installed and forgot about it, until now.
How to fix:
The best option is to completely remove the hosting for this domain and restore a clean backup, because you never know what else they did or left behind.
If you cannot do that, then:
1. Run my SSH one-liner to search for the code throughout the entire server:
grep -ilr --include='*.php' 'google serch bot' /var/www/vhosts/ | while read -r arq; do echo "$arq"; echo "$arq" >> /root/infected.txt; done
This search will take a while and will write the results to your screen and to the file /root/infected.txt
2. Change the FTP login/password for the sites that are infected. Or even better: for ALL FTP accounts on this server.
3. Remove the code from the files that were found and chmod them to 644 (or put back a clean backup).