SitePoint Sponsor

User Tag List

Results 1 to 5 of 5
  1. #1
    SitePoint Addict
    Join Date
    Dec 2007
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    iframe injection in static page

    hi guys,

    I was looking at an old website I did ages ago, and it's been the victim of iframe injection. The injection is happening at the end of a static page (called home.php) - there is no database code on this page, it's just included via a regular include_once as part of an overall page template.

    I've changed the name of the file (home2.php) and modified the calling script to include the home2 file - again the iframe injection is happening in exactly the same place now on the home2.php file. Obviously, I deleted the infected home.php file and uploaded a clean version.

    The file is called from index.php where there are a couple of database queries but these are hard-coded and have no user-defined parameters.

    No other page on the website has this problem, it's just the index file calling that home/home2.php (obviously, since that's where the injection is happening).

    My question is - how can this injection be occurring, such that it is modifying a static page on the webserver? The page is not controlled by any form or database query, it's just a simple file containing text (HTML).

    It's on shared hosting - could another website on the host be infected which is affecting other sites (including mine)?

    Any help appreciated.

  2. #2
    SitePoint Addict
    Join Date
    Dec 2007
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    just an update - index.php is also 'infected', that is it has had content added to it (the same iframe that shows up in home.php).

    how can a file on a server be modified in this way?? is a rogue process using FTP to log in and alter index.php??

  3. #3
    SitePoint Addict Trent Reimer's Avatar
    Join Date
    Sep 2005
    Location
    Canada
    Posts
    228
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sounds like your server is hacked.

  4. #4
    SitePoint Addict
    Join Date
    Dec 2007
    Posts
    348
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    yeah.. I've changed my FTP password and searched the database for malicious code.. found none so far.

    how else could this have occurred ?

  5. #5
    SitePoint Addict Trent Reimer's Avatar
    Join Date
    Sep 2005
    Location
    Canada
    Posts
    228
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sometimes a hacking ring will find a host with a vulnerability they can exploit to gain access to accounts which they then use to insert code into the home page which takes advantage of a client side vulnerability.

    e.g. Perhaps there is a Windows Media Player vulnerability which enables them to install a trojan to build up a botnet or perhaps they just use javascript's information gathering abilities to snoop a bit or try to pick up a password or credit card number.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •