My Yii2 web was injected with code

My Yii2 app was injected with additional code in web/index.php, as shown below.

<?php
echo "Zoroo";
// comment out the following two lines when deployed to production
defined('YII_DEBUG') or define('YII_DEBUG', true);
defined('YII_ENV') or define('YII_ENV', 'dev');

It caused all JSON response pages to be invalid and the captcha not to be displayed, and maybe a few more things which I haven't noticed. I don't know whether the reason behind this hack is Yii, the web server, or something else.
Do you have any idea how to avoid this attack again? TQ

Please explain your problem. Those lines are mostly useful in debug mode and cause no issue other than activating debug/dev time features.

You must have an issue somewhere else with your code!

echo "Zoroo";

Interesting stuff. Either you have your credentials leaked or there's something that's writing input into a file, the path to which is customizable and isn't validated.

Missed this out. I thought he was complaining about the dev lines.
If he didn’t write the Zoroo thing then he better find a capable person to audit his environment

I think the most likely cause is writing input into a file path. Can you elaborate further on this? TQ

The line echo "Zoroo" was written by a hacker without my notice.

Then your file system is compromised. index.php should ONLY be readable, not writable.

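One way to act on the advice in the last reply, as an added example that is not part of the original thread: the script below lists PHP files under the web root that the web server could modify, and compares the files against a SHA-256 baseline so an injected line such as the `echo "Zoroo";` in web/index.php shows up as a change. It assumes GNU coreutils, a PHP process user named `www-data`, and hypothetical paths in the usage comment.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: GNU coreutils (sha256sum),
# PHP runs as the user passed in $2 (default "www-data"), and the baseline
# file lives outside the web root at an absolute path.

# Print PHP files under $1 that are group/world-writable or owned by the web user.
writable_php_files() (
    root=$1 web_user=${2:-www-data}
    if id "$web_user" >/dev/null 2>&1; then
        find "$root" -type f -name '*.php' \
            \( -perm -020 -o -perm -002 -o -user "$web_user" \)
    else  # unknown user on this host: check permission bits only
        find "$root" -type f -name '*.php' \( -perm -020 -o -perm -002 \)
    fi
)

# Record SHA-256 hashes of all PHP files under $1 into baseline file $2.
make_baseline() (
    cd "$1" || exit 2
    find . -type f -name '*.php' -exec sha256sum {} + > "$2"
)

# Print baseline files that were modified or removed, then PHP files that
# are not in the baseline at all (marked "(new)").
changed_since_baseline() (
    cd "$1" || exit 2
    sha256sum --quiet -c "$2" 2>/dev/null | sed 's/: FAILED.*$//'
    find . -type f -name '*.php' | while IFS= read -r f; do
        # Names start at column 67 of sha256sum output (64 hex digits + 2 chars).
        cut -c67- "$2" | grep -qxF -- "$f" || printf '%s (new)\n' "$f"
    done
)

# Usage (hypothetical paths): sh audit.sh /var/www/app/web /root/web.sha256
if [ "$#" -eq 2 ]; then
    [ -f "$2" ] || make_baseline "$1" "$2"
    writable_php_files "$1"
    changed_since_baseline "$1" "$2"
fi
```

Take the baseline from a known-good deployment (for example, a fresh checkout), not from the server after the change was found.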