I've been struggling with malware iframe injections into html and php scripts on my web site. The attacker knows to inject into files like header.php in the includes directory.

The file protections ARE locked down. In fact I have it so locked down I have difficulties doing normal duties myself and have to relax protection then restore it after I'm done (like on header.php). The hacker can even change protection on files!!!

Finally I locked PHP from being able to write any files. And no more attacks.

The only PHP code I have is UBB Forum 7.2.2 !!!

The hosting company (host excellence) has a scanner script that gives warnings in tons of UBB php files. Like those at the bottom. Not sure if this is a valid warning or not.

Things are otherwise running smooth but I'll upgrade to latest version if known security issues are fixed.

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $g_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t\t @eval( $hits_file );'

FYI Found eval( in mydomain.com/ubbthreads/importers/classic_import.phpskip:
'\t@eval( $mods_file );'
We've only had 1 security issue since 7.0 was released, which this patch addresses. So make sure you have that patch applied.

Any importer scripts should be removed after they have been used, so the entire importers directory can be deleted.

Usually if it's a php script that's causing the issue then it's pretty easy to track down. What you need to do is get the timestamp that one of the files was hacked. Using that timestamp you can look through your webserver access logs for that same timestamp. You can normally see if there is some script being called in a peculiar way at that same time.

As far as being able to change the permission on files: if files are read-only and the webserver doesn't own them, then normally the only way you can change those is via FTP, domain control panel, or direct server access.
I don't think I have access to access logs. I do have FTP logs and there has been no activity during the time of break in.
Your host might be able to assist. If you have the timestamps available on any of the files, then you can see if they can give you the access logs for that particular day.
I am having the same problem with a forum I'm managing (UBB v.7.5.3). I'm new to the problem and having a terrible time isolating the hack. There have been so many cooks in the kitchen, it would be nearly impossible to isolate by looking at the access logs.

The referenced patch is from last year - is that correct?

I've considered just replacing all the UBB files.
If you're running 7.5.3 then you have the security patch in place already, so you're good there. As for tracking it by looking at the access logs, if it's being done by a web based attack then that's normally the best way.

If you have the timestamp of one of the changed files, then that gives you an exact minute to look at in the access logs, so you just need to look for activity during that minute. You also need to find out if they are only changing files that are writable by the webserver or if they are changing other files as well. If they are changing other files, then it's probably being done by FTP, domain control panel or some other server exploit. I just worked on another one of these problems that turned out to be a domain control panel issue.

Replacing all of the UBB files would assure they are clean, but it wouldn't prevent it from happening again, so you'd really need to find the source.
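
The timestamp correlation described in the replies above, sketched as an added example (not code from this thread or from UBB.threads). It assumes the host provides Apache-style common/combined access logs; the log lines, IP addresses, paths and the modification time are constructed sample data.

```python
import os
import re
from datetime import datetime, timedelta, timezone

# Apache/NCSA common or combined log line: host ident user [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def file_mtime(path):
    """Modification time of a tampered file as an aware UTC datetime."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }

def requests_near(mtime, log_lines, window=timedelta(seconds=60)):
    """Requests logged within `window` of mtime, POSTs first, then by time."""
    hits = [r for r in map(parse_line, log_lines)
            if r and abs(r["ts"] - mtime) <= window]
    return sorted(hits, key=lambda r: (r["method"] != "POST", r["ts"]))

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2009:03:14:07 -0500] "GET /ubbthreads/ubbthreads.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [12/Mar/2009:03:15:41 -0500] "POST /example/upload.php?x=1 HTTP/1.1" 200 312 "-" "-"',
    '192.0.2.10 - - [12/Mar/2009:03:16:02 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [12/Mar/2009:03:40:00 -0500] "GET /ubbthreads/ubbthreads.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'not an access-log line',
]
SAMPLE_MTIME = datetime(2009, 3, 12, 8, 15, 43, tzinfo=timezone.utc)  # 03:15:43 -0500

if __name__ == "__main__":
    for r in requests_near(SAMPLE_MTIME, SAMPLE_LOG):
        print(r["ts"].isoformat(), r["host"], r["method"], r["path"], r["status"])
```

An empty result for a file's timestamp points away from a web request and toward FTP, the control panel, or other server access, as noted above.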

I didn't mean to hijack the thread.

I found the source (OpenX ad server) and shut that down.

OP - this is what I found about this problem.

If you see code for an iframe with width=“0” and height=“0” in the source code of any page on your website, you have found an invisible iframe. Iframes are most commonly inserted at the very top or the very bottom of a web page’s source code. A good first place to check for iframes is before the initial tag that starts a web page’s standard code, or after the final that ends a page’s code.

I found this code in any file containing "index" in the file name and in any HTML files on the site. Delete it - problem solved.
© 2019 UBB.threads PHP Forum Software Community