PHP script: malicious JavaScript code at the end

Question

The problem:

On my webspace there are PHP files which all end with this:

Before

Answer 1

We have experienced a problem similar to this a while ago with one of our major web properties. What your web host said was correct: it was likely due to not FTP access, but an insecure script that somehow allowed modification of arbitrary files. In our case, a vulnerability in an old phpMyAdmin allowed changes to some PHP scripts.

If you haven't done so already, you may want to make sure that the web server has only read privileges to all scripts and HTML files. It turns out that Apache could also write to scripts in our case. Simply

cd web_files_directory
chown -R some_not_web_server_user:some_not_web_server_group .
find . -type f | xargs chmod 644
find . -type d | xargs chmod 755

Answer 2

I would suggest changing any FTP or SSH passwords to be very secure. If you use a hosting provider you should also notify them of the breach. If you do not have logs to investigate the matter then they may. You should also Google the code that was added to your page to see if you can find anything else.

Answer 3

If you has static ip - you can forbid ftp-access from not yours IP

Answer 4

phsource is the closest.

If you're on a shared server, other people have access to the server itself. This is sort of the definition of a shared server. The problem is that if you have files with permissions of 777, they are world-user-group writable. Which means anyone with access to the box can write to them. See the problem?

All it takes is one person on that box to have a weak password, poorly configured script, or a horrible bit of code, and a mediocre script kiddie can cause all kinds of problems all over the box. Most of these attacks are purely automated. They get access, scan for attack-able files, and append as needed.

Most likely, you should change all of your files to 755 or 644 permissions. You'll sleep better at night.

And after you're done cleaning it up, make sure Google hasn't flagged you as a malicious site. It's not horrible to clean up, but it can decimate your traffic in the meantime.