How JustAnswer Works:

  • Ask an Expert
    Experts are full of valuable knowledge and are ready to help with any question. Credentials confirmed by a Fortune 500 verification firm.
  • Get a Professional Answer
    Via email, text message, or notification as you wait on our site.
    Ask follow up questions if you need to.
  • 100% Satisfaction Guarantee
    Rate the answer you receive.

Ask Brandon M. Your Own Question

Brandon M.
Brandon M., Web Designer
Category: Programming
Satisfied Customers: 6972
Experience:  Web Design for 10 years, HTML, XML, PHP/MySQL, Perl, JavaScript, CSS
Type Your Programming Question Here...
Brandon M. is online now
A new question is answered every 9 seconds

We have a number of PHP sites where the following line of code

Resolved Question:

We have a number of PHP sites where the following line of code is inserted in the top two lines of code on the site which causes it to change from read-only to write and back to read-only. It then redirects the mobile version of the site to porn sites. Do you have a fix for this?



Thanks!
Submitted: 11 months ago.
Category: Programming
Expert:  Brandon M. replied 11 months ago.

Brandon M. :

Hello and thank you for contacting us, a paid expert support site. My name is XXXXX XXXXX I'd be glad to assist you with your issue.

Brandon M. :

Can you please provide me a link to the site/page in question?

Customer:

The last attack affected http://campnicolet.com/ we have cleaned the files since.

Customer:

It was affected this AM.

Customer:

Here are more specifics:

Customer:

The line that causes this to happen is the file and hash is different in each occurrence


 


<?php


@include_once 'C:/inetpub/wwwroot/7sigma.com/wp-admin/calendar.php'; #17268ff29bbc2e2563b89b780c61bb8d


?>


 


 


This calls a file that is server side script that is reversed base 64 encoded. Transferring a mobile device to whatever site the attacker indicates with the hash. Whatever is putting this in place is changing file permissions from read only to writable and then back to read only.


The line that causes this to happen is the file and hash is different in each occurrence


 


<?php


@include_once 'C:/inetpub/wwwroot/7sigma.com/wp-admin/calendar.php'; #17268ff29bbc2e2563b89b780c61bb8d


?>


 


 


This calls a file that is server side script that is reversed base 64 encoded. Transferring a mobile device to whatever site the attacker indicates with the hash. Whatever is putting this in place is changing file permissions from read only to writable and then back to read only.

Brandon M. :

Interesting. So, then one of your files is insecure enough to allow for an injection of code. This may simply be a permission issue on a single file in your install.

Brandon M. :

But you said multiple sites - are they all on the same system?

Customer:

All of them are Wordpress sites. That is the only commonality they share.

Customer:

They are all on a Windows Server and we know that can affect this as well.

Brandon M. :

Are they all hosted on the same Windows server?

Customer:

Yes. They're all hosted on the same Windows Server.

Brandon M. :

Ok, so we might be looking at an insecure IIS server, out of date PHP install or permissions.

Brandon M. :

Let's check PHP first - how familiar are you with PHP?

Customer:

I'm not that familiar however, I have 3 programmers that are. I can have them answer what we need.

Customer:

What you need.

Brandon M. :

I need a PHP Info page - they will know what that is but if you wanted to do it, you simply need to create a file in the root of any of the sites and call it something with a php extension. Inside the file put this: <?php php_info(); ?>

Brandon M. :

Then access (or provide me a link to) that page

Customer:

We're doing it now. I will send the link in just a sec.

Brandon M. :

Great, thanks.

Customer:

We're just about done.

Brandon M. :

Take your time, no rush.

Brandon M. :

Ok, part of the problem is that your PHP install is very out of date: Build Date Mar 17 2011 10:46:06

Brandon M. :

You should (or your developers) should update to the latest PHP which is 5.5.3. Which has a build date of 8/21. http://windows.php.net/download/#php-5.5

Brandon M. :

Now, you can stay on the 5.3 thread (which is currently at 5.3.27 which has a build date of 7/11) if you wish but I always recommend staying with the latest versions. 5.3 is available here: http://windows.php.net/download/#php-5.3

Brandon M. :

There are also some things that need to be changed in your php.ini (configuration file) file.

Brandon M. :

You should update your PHP install first, then we can look at the values as the latest version may have set them to proper values.

Customer:

Ok. I'll get them to do this ASAP.

Brandon M. :

Great. If you want to review this in the meantime: http://www.iisunderground.com/securing-php-with-the-php-ini/

Brandon M. :

It is a good article on securing your PHP install.

Brandon M. :

Sadly, to know if it helped, we need to wait for another attack.

Customer:

Thank you. We're reading it now.

Brandon M. :

No problem. Let me know if you need anything else for the time being.

Customer:

We're updating our PHP version as we speak. We don't have http://www.iisunderground.com/securing-php-with-the-php-ini/ implemented, but will be doing this ASAP. Can I keep our chat open with you for questions? How long may I speak with you?

Brandon M. :

Of course. As long as you need. I will be here.

Customer:

Great. We'll implement these two now and I'll be in touch if we have questions. Thank you!

Brandon M. :

No problem.

Customer:

One more question- we have search engine results for WP sites that are displaying results with foreign language and spam. Do you know how to stop this?

Brandon M. :

Can you provide me an example?

Customer:

If you Google Camp Nicolet for Girls you get this result:

Brandon M. :

Oh wow, that is interesting. The description is in Russian.

Customer:

Yes. We have the Akismet plug-in that is suppose to catch things like this, but it isn't working.

Brandon M. :

That doesn't look like spam - it looks like a bad sitemap or Google crawled the site at a bad time.

Brandon M. :

Do you have a sitemap plugin?

Brandon M. :

Also, if you have a caching plugin, you might want to clear/flush the cache.

Customer:

Camp Nicolet does not have a site map plug-in. I'll check on the cashing plugin.

Brandon M. :

Sometimes SEO plugins have sitemap features - check that as well.

Customer:

SEO Yost is one that we work with.

Brandon M. :

Yup, that one does sitemaps. You might want to see about re-generating one. I have no personal experience with it but it should be in settings somewhere.

Customer:

Ok. Thanks!

Brandon M. :

No problem. Let me know if you need anything else.

Customer:

Are we charged the flat quoted fee that I was given only? Or after a period of time do we get assessed more?

Brandon M. :

No, it's a flat fee.

Brandon M. :

Is there anything else I can help you with? If not, please be sure to rate the service in the bottom right corner.

Customer:

Thank you for the update and all of your assistance! Have a great rest of your day!

Brandon M., Web Designer
Category: Programming
Satisfied Customers: 6972
Experience: Web Design for 10 years, HTML, XML, PHP/MySQL, Perl, JavaScript, CSS
Brandon M. and other Programming Specialists are ready to help you

JustAnswer in the News:

 
 
 
Ask-a-doc Web sites: If you've got a quick question, you can try to get an answer from sites that say they have various specialists on hand to give quick answers... Justanswer.com.
JustAnswer.com...has seen a spike since October in legal questions from readers about layoffs, unemployment and severance.
Web sites like justanswer.com/legal
...leave nothing to chance.
Traffic on JustAnswer rose 14 percent...and had nearly 400,000 page views in 30 days...inquiries related to stress, high blood pressure, drinking and heart pain jumped 33 percent.
Tory Johnson, GMA Workplace Contributor, discusses work-from-home jobs, such as JustAnswer in which verified Experts answer people’s questions.
I will tell you that...the things you have to go through to be an Expert are quite rigorous.
 
 
 

What Customers are Saying:

 
 
 
  • My Expert answered my question promptly and he resolved the issue totally. This is a great service. I am so glad I found it I will definitely use the service again if needed. One Happy Customer New York
< Last | Next >
  • My Expert answered my question promptly and he resolved the issue totally. This is a great service. I am so glad I found it I will definitely use the service again if needed. One Happy Customer New York
  • Wonderful service, prompt, efficient, and accurate. Couldn't have asked for more. I cannot thank you enough for your help. Mary C. Freshfield, Liverpool, UK
  • This expert is wonderful. They truly know what they are talking about, and they actually care about you. They really helped put my nerves at ease. Thank you so much!!!! Alex Los Angeles, CA
  • Thank you for all your help. It is nice to know that this service is here for people like myself, who need answers fast and are not sure who to consult. GP Hesperia, CA
  • I couldn't be more satisfied! This is the site I will always come to when I need a second opinion. Justin Kernersville, NC
  • Just let me say that this encounter has been entirely professional and most helpful. I liked that I could ask additional questions and get answered in a very short turn around. Esther Woodstock, NY
  • Thank you so much for taking your time and knowledge to support my concerns. Not only did you answer my questions, you even took it a step further with replying with more pertinent information I needed to know. Robin Elkton, Maryland
 
 
 

Meet The Experts:

 
 
 
  • ATLPROG

    Computer Software Engineer

    Satisfied Customers:

    7463
    MS in IT.Several years of programming experience in Java C++ C C# Python VB Javascript HTML
< Last | Next >
  • http://ww2.justanswer.com/uploads/SP/spatlanta2010/2011-6-23_12450_photo.64x64.gif ATLPROG's Avatar

    ATLPROG

    Computer Software Engineer

    Satisfied Customers:

    7463
    MS in IT.Several years of programming experience in Java C++ C C# Python VB Javascript HTML
  • http://ww2.justanswer.com/uploads/ComputersGuru/2010-02-13_051118_Photo41.JPG LogicPro's Avatar

    LogicPro

    Computer Software Engineer

    Satisfied Customers:

    5603
    Expert in C, C++, Java, DOT NET, Python, HTML, Javascript, Design.
  • http://ww2.justanswer.com/uploads/unvadim/2010-11-15_210218_avatar.jpg unvadim's Avatar

    unvadim

    Computer Software Engineer

    Satisfied Customers:

    1158
    Good knowledge of OOP principles. 3+ years of programming experience with Java and C++. Sun Certified Java Programmer 5.0.
  • http://ww2.justanswer.com/uploads/lifesaver333/2010-10-17_191349_ls.jpeg lifesaver's Avatar

    lifesaver

    Computer Software Engineer

    Satisfied Customers:

    950
    Several years of intensive programming and application development experience in various platforms.
  • http://ww2.justanswer.com/uploads/EH/ehabtutor/2012-8-2_202016_1.64x64.jpg ehabtutor's Avatar

    ehabtutor

    Computer Software Engineer

    Satisfied Customers:

    864
    Bachelor of computer science, 5+ years experience in software development, software company owner
  • http://ww2.justanswer.com/uploads/RA/rajivsharma086/2012-6-6_17128_displaypic.64x64.jpg Raj's Avatar

    Raj

    Computer Engg.

    Satisfied Customers:

    860
    BE CS, 4+ Experience in Programming and Database (ERP)
  • http://ww2.justanswer.com/uploads/eljonis/2010-01-06_130406_eljon2.jpg Eljon's Avatar

    Eljon

    Consultant

    Satisfied Customers:

    590
    11 yrs of programming (PHP, WordPress, XSL, SQL, JavaScript)