Web Hosting Talk : Web Hosting Main Forums : Web Hosting : Windows Hosting : BEWARE -Sudden Iframe injection attacks, catastrophic results - Help!

[xuzo]

All my sites on both my hosting accounts are infected with an iframe.


At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.

The host blamed Joomla so I took the appropriate steps:

Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwriteable.

It stopped the injection for a few days but then it came back.
I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.

The iframe also infected a Drupal install I did as a test.

So according to these fact is this a Hosting Company not taking responsibility or can a Joomla site infected spread to other normal HTML sites and different CMS's on the server?

This situation is ruinning me and I strongly suspect it's a Hosting problem and not Joomla.

Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.

I am attaching the iframe exploit. It installs itself on every index file...in every folder - components, mambots, ect..additionally it attaches itself on any and every kind of addon that has an index.html file.
Thanks

[RSNET-John]

Hmm, sounds like the permissions have been set incorrectly. An exploit on 1 site shouldn't be able access another site on a Windows box because the user accounts have different permissions.

Have you tried a clean install of Joomla?

[Website Rob]

This is a concern to many of us Hosters and after some in-depth research of my own, it would seem the most likely cause is that your personal computer is infected. Strange as that may sound, hackers are using a variation of Trojans to infect personal computers and then use your own FTP login information, to change the Index page and/or other targeted pages on your own site.

Please use your Anti-virus program to check your personal computer and advise if anything was found -- including links to Web sites with more information specific to the Virus/Trojan found, like this article. I can only presume (hope) that you have an Anti-virus program but if you don't, you can have computer checked for viruses for free -- using the free HouseCall from TrendMicro. They are a very respected company when dealing with Virus related problems. You can feel secure in using their HouseCall program to access/clean your computer.