
BUG help


drilonb

I need to know about this bug: in the file index.php I found this code at line 189.

CODE 

<img heigth="1" width="1" border="0" src="http://[removed]/t.php?id=15804192">

This code stops the index from working and the site looks like it has an error 500. When I remove this code everything works. Or maybe it is a bug in my VPS, because someone put it in index.php? I have now moved the test page to another host, at an iweb server, to see if someone can do it again.

Thanks.


What is that doing in your index.php? You said you found it there. If that's the case, you need to find how it got there as it may indicate a compromised system. There should not be anything like that in index.php. Your template files are where there should be markup. No markup should be in /index.php.


Looking at this again, I do think this is clearly indicative of a compromised system. That <img> tag was located at the very bottom of index.php. A technique used by many hacks is to append or prepend some code to your main /index file -- exactly what you are describing. Since you indicated you "found" it there, I'm going to assume you've been hacked.

The question is how did they get write access to it? First you should make sure that your FTP/SSH passwords are changed and to strong passwords. Your web host may be able to help you determine what the entry point is, as well as let you know whether it was specific to your account or multiple accounts (which would indicate a problem at the host rather than your account).

Are you running a not-so-up-to-date WordPress on the same account? If so, your WordPress is likely hacked. I mention that particular instance, because I've experienced this exact issue on a WordPress installation before. WordPress is also a common target for automated attacks due to its widespread usage. What other software do you have running on the same account? (whether CMSs or anything else)

When you get your account back online, install a copy of Firebug in your Firefox browser. Browse pages with Firebug open and look at your cookies and DOM. Do you see anything you don't recognize? Look at the network tab and see if any requests are being sent to places other than your server.

Unfortunately, you can't assume that anything is safe once the system has been compromised. But having seen something like this before, I do think there is a chance that it was an automated defacement attack rather than a particular individual trying to wipe your data. At least the 500 server error was a red flag that might have prevented the problem from propagating further. You need to find out the entry point, and then get fresh copies of any software you have installed. You can also assume that your databases are compromised, so you'll need to export them and do some forensics with a search tool (I can describe further if you'd like). When ready to install a fresh ProcessWire, let me know and I can walk you through what you need to do to install without deleting your site. If you are running WordPress, I suggest moving it to a non-web-accessible quarantine area.

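The append/prepend pattern described in the post above can be checked for across an account's PHP files. This is an added example, not code from the thread or from ProcessWire; the function names, the `own_hosts` allow-list, the five-line edge window and the `tracker.example` host are assumptions made for illustration.

```python
import re
from pathlib import Path

# Tags that load a remote resource; the tag quoted in the thread was a 1x1 <img>.
TAG_RE = re.compile(
    r"<(img|script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?https?://([^/\"'\s>]+)",
    re.IGNORECASE,
)

def find_remote_tags(source, own_hosts=(), edge_lines=5):
    """Return (line_no, tag, host, where) for remote-loading tags in one file.

    where is 'tail' or 'head' when the tag sits within edge_lines of the end
    or start of the file (the append/prepend pattern), otherwise 'body'.
    """
    lines = source.splitlines()
    hits = []
    for no, line in enumerate(lines, start=1):
        for m in TAG_RE.finditer(line):
            host = m.group(2).lower()
            if host in own_hosts:
                continue  # resources served from hosts you control
            if no > len(lines) - edge_lines:
                where = "tail"
            elif no <= edge_lines:
                where = "head"
            else:
                where = "body"
            hits.append((no, m.group(1).lower(), host, where))
    return hits

def scan_tree(root, own_hosts=()):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = find_remote_tags(path.read_text(errors="replace"), own_hosts)
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample: a front controller with a tag appended at the bottom.
SAMPLE = "<?php\n" + "// bootstrap\n" * 10 + \
    '<img heigth="1" width="1" border="0" src="http://tracker.example/t.php?id=1">\n'

if __name__ == "__main__":
    print(find_remote_tags(SAMPLE))
```

A hit is only a lead: templates legitimately reference remote assets, so review each flagged file against a fresh copy of the software before deleting anything.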

Thanks RYAN and adamkiss, I found it: it's coming from WP. I scanned my whole server today and found too many incorrect codes in PHP files, all coming from the WP folder, I mean the folder where WordPress is installed. I deleted all of them. I don't know why WP, but I deleted it and now everything is working fine. I corrected the server and cleaned it, and from now on WP is just a memory of my past.

Thanks for the support and for everything.
