product.php file hijacked!


Ihesson
06-09-08, 11:54
product.php file hijacked!

Brightbuyer (http://www.brightbuyer.co.uk)


Somehow someone has managed to plant this script onto the product.php file on my server (it goes on a bit, apologies). All file and folder permissions are set correctly (product.php permission 644), and the hosting company I use have no idea how it got there. Has anyone any experience of this type of problem?

<?php @register_shutdown_function("__sfd1220604300__");function __sfd1220604300__() { global $__sdv1220604300__; if (!empty($__sdv1220604300__)) return; $__sdv1220604300__=1; echo <<<DOC__DOC
<div style="position:absolute; top:-2221px; left:-2151px"><ul><li><a href="http://web.blair.edu/videos/search.php?p=43" title="discount buspar no rx">discount buspar no rx</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=434" title="buspar without a prescription">buspar without a prescription</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=81" title="no rx buspar cheap">no rx buspar cheap</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=904" title="buy buspar overnight delivery">buy buspar overnight delivery</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=751" title="discount buspar">discount buspar</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=866" title="order buspar online">order buspar online</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=255" title="discount buspar overnight delivery">discount buspar overnight delivery</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=152" title="buspar c.o.d">buspar c.o.d</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=369" title="purchase buspar without prescription">purchase buspar without prescription</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=417" title="order buspar overnight delivery">order buspar overnight delivery</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=862" title="discount buspar cod">discount buspar cod</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=142" title="buy buspar cod">buy buspar cod</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=63" title="cheap buspar overnight delivery">cheap buspar overnight delivery</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=1121" title="cheap buspar online">cheap buspar online</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=118" title="buspar online without prescription">buspar online without prescription</a></li> <li><a 
href="http://web.blair.edu/videos/search.php?p=668" title="buspar 60 pills x 5 mg">buspar 60 pills x 5 mg</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=2" title="order buspar no rx">order buspar no rx</a></li> <li><a href="http://web.blair.edu/videos/search.php?p=66" title="buspar 90 pills x 10 mg">buspar 90 pills x 10 mg</a></li> </ul></div>
DOC__DOC;
} ?>
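
Added example, not part of the original post: a small Python scanner that flags PHP files carrying the two indicators visible in the block above, a shutdown hook registered under a generated `__sfd<digits>__`-style name and an off-screen `position:absolute` block of outbound links. The function names, the name-pattern regex and the hosts `spam.example` and `www.shop.example` are assumptions made for illustration, and the sample input is constructed.

```python
import re
from pathlib import Path

# Shutdown hook registered under a generated name like __sfd1220604300__
# (assumption: letters, then a long digit run, wrapped in double underscores).
HOOK_RE = re.compile(r"register_shutdown_function\(\s*[\"'](__[A-Za-z]+\d{6,}__)[\"']")
# Inline style that pushes a block far off-screen so visitors never see it.
OFFSCREEN_RE = re.compile(
    r"position\s*:\s*absolute[^\"'>]*?(?:top|left)\s*:\s*-\d{3,}px", re.I)
LINK_RE = re.compile(r"<a\s[^>]*?href=[\"']https?://([^/\"'\s]+)", re.I)

def scan_php(source, own_hosts=()):
    """Inspect one PHP file's text and report injection indicators."""
    hooks = sorted(set(HOOK_RE.findall(source)))
    offscreen = bool(OFFSCREEN_RE.search(source))
    own = {h.lower() for h in own_hosts}
    external = sorted({h.lower() for h in LINK_RE.findall(source)} - own)
    return {
        "hooks": hooks,
        "offscreen": offscreen,
        "external_hosts": external,
        # A generated hook, or hidden links to other hosts, warrants manual review.
        "suspicious": bool(hooks) or (offscreen and bool(external)),
    }

def scan_tree(root, own_hosts=()):
    """Return {path: report} for every suspicious .php file under root."""
    flagged = {}
    for path in Path(root).rglob("*.php"):
        report = scan_php(path.read_text(errors="replace"), own_hosts)
        if report["suspicious"]:
            flagged[str(path)] = report
    return flagged

# Constructed sample: the injected block's shape with a placeholder host,
# followed by a stand-in for the legitimate page code.
SAMPLE_INFECTED = r'''<?php @register_shutdown_function("__sfd1220604300__");function __sfd1220604300__() { echo <<<DOC__DOC
<div style="position:absolute; top:-2221px; left:-2151px"><ul><li><a href="http://spam.example/search.php?p=43">x</a></li></ul></div>
DOC__DOC;
} ?>
<?php echo '<a href="http://www.shop.example/">Home</a>'; ?>'''
SAMPLE_CLEAN = "<?php echo '<a href=\"http://www.shop.example/\">Home</a>'; ?>"

if __name__ == "__main__":
    print(scan_php(SAMPLE_INFECTED, own_hosts=["www.shop.example"]))
    print(scan_php(SAMPLE_CLEAN, own_hosts=["www.shop.example"]))
```

Run `scan_tree()` over the web root after every restore from backup; a file that is flagged again within days points to a credential or hosting-panel compromise rather than a one-off upload.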

sspyrou
08-09-08, 17:34
No, but whoever did it has also managed to hijack http://web.blair.edu/
in order to seed their spammy pages...
Parasite hosting and parasite links!
I've no idea how - but this guy's ability is scary.

kingsib
15-10-08, 20:34
It's caused by people guessing your ftp details.

It happened to me once and my ISP logs everything so could tell me it was someone from Hungary.

Andy
16-10-08, 14:58
Is it on 123 hosting?
I built a site for a guy a few years back on his 123 hosting (he bought it before hiring me). A fortnight in and the whole account was wiped because someone had hacked the server and planted a phish for egg.com.

I seem to remember that they turned out to be just a reseller with a very poor backend system.

Ihesson
19-10-08, 19:18
Brightbuyer (http://www.brightbuyer.co.uk)




The site was hosted with web mania (very cheap and nasty).
My site got hijacked every few days after I discovered the first problem, and they insisted I must have given my FTP details to someone!!! They were no help whatsoever. Had to change hosting after a couple of weeks of this.

Changed hosting and now everything is fine, plus been able to upgrade site to v2 on new hosting account. (With eukhost now, still cheap but not so nasty.)

Andy
24-10-08, 14:04
Ah, webmania

I have quite a few accounts there for little pissant sites and hosting redirected domain names.
I got an email a few weeks back from a web designer who claimed he could hack the webmania admin interface through his client's login. He'd log in, then using that session ID and cookie, could apparently get into anyone's account.

As you'll know, all ftp details, email passwords etc are easily accessed once in your account.

Web Mania are aware of this issue, but don't seem to be too bothered by it.
See how bothered they are when they lose my 30+ accounts.

Ihesson
24-10-08, 17:55
Well, they certainly have lost my business. Been with eukhosts a month now, seem OK, apart from a few niggles like not being able to log into my cPanel!!
Suppose it's a case of you pay for what you get.



brightbuyer (http://www.brightbuyer.co.uk)