SitePoint Sponsor |
|
User Tag List
Results 1 to 5 of 5
Thread: iframe injection in static page
-
Jun 7, 2009, 03:00 #1
- Join Date
- Dec 2007
- Posts
- 348
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
iframe injection in static page
hi guys,
I was looking at an old website I did ages ago, and it's been the victim of iframe injection. The injection is happening at the end of a static page (called home.php) - there is no database code on this page, it's just included via a regular include_once as part of an overall page template.
I've changed the name of the file (home2.php) and modified the calling script to include the home2 file - again the iframe injection is happening in exactly the same place now on the home2.php file. Obviously, I deleted the infected home.php file and uploaded a clean version.
The file is called from index.php where there are a couple of database queries but these are hard-coded and have no user-defined parameters.
No other page on the website has this problem, it's just the index file calling that home/home2.php (obviously, since that's where the injection is happening).
My question is - how can this injection be occurring, such that it is modifying a static page on the webserver? The page is not controlled by any form or database query, it's just a simple file containing text (HTML).
It's on shared hosting - could another website on the host be infected which is affecting other sites (including mine)?
Any help appreciated.
-
Jun 7, 2009, 07:47 #2
- Join Date
- Dec 2007
- Posts
- 348
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
just an update - index.php is also 'infected', that is it has had content added to it (the same iframe that shows up in home.php).
how can a file on a server be modified in this way?? is a rogue process using FTP to log in and alter index.php??
-
Jun 8, 2009, 10:28 #3
- Join Date
- Sep 2005
- Location
- Canada
- Posts
- 228
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Sounds like your server is hacked.
-
Jun 8, 2009, 13:07 #4
- Join Date
- Dec 2007
- Posts
- 348
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
yeah.. I've changed my FTP password and searched the database for malicious code.. found none so far.
how else could this have occurred ?
-
Jun 8, 2009, 16:12 #5
- Join Date
- Sep 2005
- Location
- Canada
- Posts
- 228
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Sometimes a hacking ring will find a host with a vulnerability they can exploit to gain access to accounts which they then use to insert code into the home page which takes advantage of a client side vulnerability.
e.g. Perhaps there is a Windows Media Player vulnerability which enables them to install a trojan to build up a botnet or perhaps they just use javascript's information gathering abilities to snoop a bit or try to pick up a password or credit card number.
Bookmarks