Malicious Code in My Website

Found <iframe> included within index.html

noodleman

12:58 am on Sep 19, 2007 (gmt 0)

10+ Year Member



Sorry but had to start a new thread on this topic because the previous one from August was closed.

I, too, just came across some malicious code that was attached to an index.html file of a client's web site. (The raw HTML read it as an <iframe> but the browser showed it as a <script>.) The site does not run WordPress, so I'm curious to know how something like that could have found its way onto the site. None of the other sites I manage that are served from the same server host seem to have this problem.

Any ideas?

pageoneresults

1:00 am on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



> None of the other sites I manage that are served from the same server host seem to have this problem.

It could be that they were only targeting that particular client.

> Any ideas?

From my experience, the only way for something like that to happen is when someone has access to make it happen. Have you been compromised? Change all your passwords now if you think you have. It's always a good practice anyway, especially after stuff like this occurs.

physics

4:15 am on Sep 19, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is FTP used to update the sites? Passwords used for FTP can be intercepted so if it is then disable FTP and switch to using SCP or SFTP...

noodleman

6:11 am on Sep 19, 2007 (gmt 0)

10+ Year Member



Thanks for the tips! I'll also pursue it with the hosting company. I might not be the only one who has experienced a similar problem even though none of my other sites there seem to be affected. (I'll keep a copy of the infected file for future reference, too.) From the date stamp on the file, it looks like it happened sometime Monday evening. I had uploaded a revision Sunday afternoon.

old_expat

4:40 am on Sep 20, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I posted on this a while back. I'm not sure why it gets so little attention .. maybe because it doesn't "do" anything to the site .. except sometimes generate a Google SERP warning like "this site may harm your computer" (or similar)

One report on the hack said that an estimated 10,000 sites were infected.

Several servers had to be rebuilt at my hosting company.

Blame for the attack .. I have read;

-Fedora 2
-RH4
-CPanel
-PHP Scripts
-Intercepted passwords

On my server .. after I had removed all the code, I turned on "ask on all cookies" .. and CPanel 11 was asking to set a cookie from the site referenced in the iframe code.

NOTE: Look for the code in Apache manual index.html pages as well. :(

Hilary

6:30 pm on Sep 20, 2007 (gmt 0)

10+ Year Member



I'm not a technical expert so this may not be relevant, but I've had...

- new files added to directories on my site when those were left with 777 permissions
- individual files edited/ overwritten when they were left with 666 permissions

Any chance this index page could at any stage have been set to 666? There seem to be lots of scripts out there with instructions to set unsafe permissions.

old_expat

4:18 am on Sep 21, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> Any chance this index page could at any stage have been set to 666? There seem to be lots of scripts out there with instructions to set unsafe permissions.

The index pages were not. Also I found the code in foot.php (include) as well as "signup".

But I was told that since this was a server wide hack, it could have come via another user account.

My Putty client showed a root login (not my own) on the day the files were hacked, so they had to get my password somehow. I wish I knew more about it.

I've changed hosts and passwords and am still clean for now.
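
An added example, not part of the thread and not any poster's code: a read-only audit of a web root that combines two checks raised above, the world-writable (666/777) files and directories Hilary describes and old_expat's advice to look for the iframe in index.html pages and PHP includes. The function name, the extension list and the choice to report every iframe with its source and file date for manual review are assumptions made here.

```python
import os
import re
import stat
import time

# Assumption: these are the page types worth scanning (the thread names
# index.html and a PHP include, foot.php).
PAGE_EXTS = {".html", ".htm", ".php"}
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def audit_webroot(root):
    """Return a list of (kind, path, detail) findings under root. Reads only."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink say nothing about its target
            # The "other write" bit is what 777 directories and 666 files share.
            if st.st_mode & stat.S_IWOTH:
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append(("world-writable", path, mode))
            ext = os.path.splitext(name)[1].lower()
            if stat.S_ISREG(st.st_mode) and ext in PAGE_EXTS:
                with open(path, "rb") as fh:
                    data = fh.read()
                # Report every iframe; the site owner decides which are expected.
                for tag in IFRAME_RE.findall(data):
                    m = SRC_RE.search(tag)
                    src = m.group(1).decode("latin-1") if m else "(no src)"
                    when = time.strftime("%Y-%m-%d %H:%M", time.gmtime(st.st_mtime))
                    findings.append(("iframe", path, f"src={src} modified={when} GMT"))
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for kind, path, detail in audit_webroot(target):
        print(f"{kind:15} {path}  {detail}")
```

The modification time printed beside each iframe can be compared with the date of the last legitimate upload, as noodleman did with the file's date stamp.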