Hacked and Confused

I am on shared hosting; my account has multiple websites.
There are many WordPress installations, a couple of Joomla and one vBulletin.

Now the thing is that something is injecting all my index.php files with iframes, and even if I replace the index file with a fresh copy it gets injected again in 5-10 minutes.

How do I solve this problem? Is there a way to localize the issue and see where the iframe is being inserted into the files from?

I would download all the important content, like text and the inner pages, and delete the whole file and start over. It can take you forever to find the source of the solution.

What is confusing me is how they are able to replace all my index.php files within minutes of me uploading them? There must be a way to find that out? How do I proceed?

Do you have Adwords, or other Google code, or social bookmarks links like Facebook etc? They all inject iframes into your page. Just wondering.

I know, I am talking about malicious code which is being inserted in my websites for spammy and adult websites

You should inform your host - it may be a server wide issue. You can also check the write permissions (chmod) of your altered files and ensure these are correctly set, change your ftp password and see if these make a difference. If not, disable each domain in turn (.htaccess or via control panel) to see whether there’s a malicious file on a particular site that is acting as a conduit for injection.

This could be any number of things, but it sounds like a hacker has found some security hole in one of your sites, and then managed to get access to the whole account. If they have edited the .htaccess of the public_html folder, or even the root folder above that - then they can inject and replace whatever files you change whenever they like.

I had a similar problem recently, when one of my WordPress installations got hacked because of the security bug in timthumb that appeared a month or so ago and I hadn’t patched. Even after completely deleting everything in the public_html directory, the hackers still managed to redirect my visitors. What had happened is they had put a .htaccess file in the root directory (above public_html), which means they could get access and change anything they like. Once I removed all the files in public_html and the .htaccess in the root directory everything was fine.

Just check your PC too for keylogger malware. They can steal your FTP passwords.

  1. fix your .htaccess file
  2. set chmod permissions to 755
  3. check the public_html folder for any file which is not yours.
  4. delete index.html first and then upload fresh index.html
  5. report the issue to your host.
  6. request host to change the password of your account through WHM

Good luck

Sounds like a MySQL injection attack. All of the attacks were done on his PHP scripted sites, which are database based with MySQL.

My bet would be timthumb.php or something similar; they probably have code on your site that is re-injecting whenever you remove the iframes.

As an approximate stab in the dark, since you’ve really told us very little, I’d try changing all passwords, set permissions on your .php config files to 400, maybe set perms on your index files to 400 as well for now (that guards against one type of hack).

Also ensure no directories or PHP files are writable - your host should be protecting you against running those anyway, but many hosts don’t.

I’d also get the host to grep your username out of /var/log/messages and see what FTP activity has been going on. This will let you know whether they have your account password or not (i.e. as FTP requires it). Was the account password the same as any of the FTP passwords?

Unfortunately we can really only guess here, as not much investigation has been done yet.

Lots of good advice above as well - but also really only guesses.

Let us know what you find.

Check for writable files from PHP:

<?php passthru("find . -perm -2 -print | xargs ls -ld"); ?>

Oh, PS: also check your .htaccess and php.ini files for php_auto_append (see http://au2.php.net/ini.core); that’s another source. Also check that the files themselves actually are being infected, as sometimes they hack the web server itself, which inserts iframes on the fly without changing the code.
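As an added example (not code posted in this thread), here is a shell script that runs the checks suggested in this and the earlier replies from the shell rather than through PHP: world-writable files and directories (the same `-perm` test as the passthru() one-liner), index files that carry an iframe, auto_prepend_file/auto_append_file directives in .htaccess, php.ini or .user.ini, and files modified in the last N minutes, which is what you need to localize a re-infection that recurs every few minutes. It assumes GNU or BSD find (for -mmin) and grep -H; the web root is passed as the first argument, and without one it builds a constructed sample tree whose hostname and include path are placeholders, not real indicators.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Assumes a POSIX shell plus GNU or BSD
# find (-mmin) and grep (-H). Pass the web root as $1; without one it builds a
# constructed sample tree so the checks can be seen working.

# 1. World-writable files and directories: the same test as the thread's
#    `find . -perm -2`, run from the shell instead of via PHP passthru().
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# 2. index.* files that contain an <iframe> tag: the symptom described.
find_injected_index_files() {
    find "$1" -type f -name 'index.*' -exec grep -li '<iframe' {} + 2>/dev/null | sort
}

# 3. auto_prepend_file / auto_append_file in .htaccess, php.ini or .user.ini:
#    these pull an extra PHP file into every request, so a freshly uploaded
#    index.php still serves injected output and can be rewritten on a timer.
find_auto_include_directives() {
    find "$1" -type f \( -name '.htaccess' -o -name 'php.ini' -o -name '.user.ini' \) \
        -exec grep -HiE 'auto_(prepend|append)_file' {} + 2>/dev/null | sort
}

# 4. Files modified in the last N minutes. Upload a clean index.php, wait for it
#    to be re-infected, then run this: whatever else changed in that window
#    (a dropper, a file written by a cron job, another site's upload dir) is the conduit.
find_recent_changes() {
    find "$1" -type f -mmin "-$2" -print | sort
}

# Constructed sample web root: one clean site, one infected site with a
# world-writable upload dir, a world-writable index.php and a prepend directive.
# The hostname and include path below are placeholders, not real indicators.
build_sample_tree() {
    root=$1
    mkdir -p "$root/site1" "$root/site2/uploads"
    chmod 755 "$root/site1" "$root/site2"
    printf '<?php echo "clean site"; ?>\n' > "$root/site1/index.php"
    printf '<?php echo "site 2"; ?>\n<iframe src="http://malware.example.invalid/" width="1" height="1"></iframe>\n' \
        > "$root/site2/index.php"
    printf 'php_value auto_prepend_file /home/placeholder/.cache/dropper.php\n' > "$root/site2/.htaccess"
    chmod 644 "$root/site1/index.php" "$root/site2/.htaccess"
    chmod 666 "$root/site2/index.php"
    chmod 777 "$root/site2/uploads"
}

run_triage() {
    echo "== world-writable files and directories =="; find_world_writable "$1"
    echo "== index files containing <iframe> =="; find_injected_index_files "$1"
    echo "== auto_prepend/append directives =="; find_auto_include_directives "$1"
    echo "== files changed in the last $2 minutes =="; find_recent_changes "$1" "$2"
}

if [ -n "$1" ]; then
    run_triage "$1" "${2:-15}"
else
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    run_triage "$demo" 15
    rm -rf "$demo"
fi
```

Usage on a real account is `sh triage.sh ~/public_html 15`, run right after the clean index.php has been re-infected; compare the "files changed" list against what you uploaded yourself. A hit in the auto_prepend/append check explains how a clean file can still serve iframes, and a world-writable directory under one site explains how one compromised site reaches the others on the same account.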

Were you aware that your website is hosted on a shared server?

I think it’s better to start from the start. Are you using any dezended/nulled scripts?