  1. #1

    Website continuously hacked

    Guys, I'm hoping one of you will help me. A few sites I'm working on are continuously being hacked. Whenever I connect to the sites through an FTP client (I'm using FlashFXP) and upload the files, the very next day the index file has iframe code for some malware site written after the body tag by someone else.

    I have tried everything: changing the password on a daily basis, even reinstalling my system completely (thinking there might be a backdoor trojan), firewall and antivirus, everything. I can't do it all the time. Please, please, somebody help me.

    Thanx

  2. #2
    Join Date
    Mar 2004
    Location
    Chennai India
    Posts
    115
    They are getting the password from your FTP program easily by decrypting the stored passwords. Don't save the passwords in the FTP client; key them in whenever you want to connect.
    miOOt Chat Solutions
    live chat Software for web hosting Customer Service
    Importance of Live Chat Software for Web Hosting Business

  3. #3
    Join Date
    Mar 2004
    Location
    Chennai India
    Posts
    115
    1. Before you begin this, please make sure you make a backup copy of the original file in case you make a mistake; this way you can always go back to the original configuration. (Always back up before you begin doing something like this.)

    2. Find the httpd.conf file. (Usually you will find it in a folder called conf, config or something along those lines. In Fedora you can find it in the /etc/httpd/ directory.)

    3. Inside the httpd.conf file, find and uncomment the line LoadModule rewrite_module modules/mod_rewrite.so (remove the pound '#' sign from in front of the line; the # sign is for comments, so by removing the # sign you are uncommenting the line).

    4. Also make sure the line ClearModuleList is uncommented, then find the line AddModule mod_rewrite.c and make sure that it is not commented out. (I didn't find these in Fedora, yet my mod_rewrite works great.)

    5. After you have made the changes and saved them, restart your httpd (Apache) server for the changes to take effect. The easiest way to do this is to go to the shell and type: /etc/init.d/httpd restart (this works for Fedora, might be different for other distributions!)
    miOOt Chat Solutions
    live chat Software for web hosting Customer Service
    Importance of Live Chat Software for Web Hosting Business

  4. #4
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    6,999
    You might be affected with Gumblar or a Gumblar type virus (there are a few variants):

    http://news.cnet.com/8301-1009_3-10244529-83.html

    It steals your FTP info when you connect via FTP. Have you reset your FTP passwords since you reinstalled your local system? If you have then you have a server side issue.
    Laurence Flynn @ atOmicVPS LTD
    Linux & Windows Cloud Hosting Solutions Powered by OnApp
    Fully Managed [Shared][Reseller][Cloud VPS] [Dedicated]
    Featuring the atOmicSTACK ● Speed ● Performance ● Reliability

  5. #5
    Are you running any scripts on your site like Wordpress etc? These types of attacks almost always happen due to exploits in a script. Make sure your scripts and all plug-ins or modules are updated to the latest versions. Also research any scripts and modules you have to find out if there are any known exploits. Be sure to check your logs for FTP connections from IPs other than your own as well.
    cPanel Hosting
    Site5.com - Best support in the hosting business!
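
    The log check suggested in post #5, as an added example that is not part of the original thread. It assumes the FTP server writes transfer records in the common xferlog format; the trusted address range and the sample log lines are constructed for illustration.

```python
import ipaddress

# Constructed sample records in xferlog format (not taken from the thread).
SAMPLE_XFERLOG = """\
Thu Jun 25 10:02:11 2009 1 198.51.100.20 5120 /home/site/public_html/about.html a _ i r siteuser ftp 0 * c
Fri Jun 26 03:12:45 2009 1 203.0.113.7 5388 /home/site/public_html/index.html a _ i r siteuser ftp 0 * c
Fri Jun 26 03:12:47 2009 1 203.0.113.7 2210 /home/site/public_html/blog/index.php a _ i r siteuser ftp 0 * c
Fri Jun 26 09:30:02 2009 2 198.51.100.20 90112 /home/site/public_html/logo.png b _ o r siteuser ftp 0 * c
Fri Jun 26 11:00:00 2009 1 192.0.2.99 0 /home/site/public_html/index.html a _ i r siteuser ftp 0 * i
garbage line
"""

def parse_xferlog_line(line):
    """Return a dict for one xferlog record, or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 18:          # 5 date tokens + 3 + filename + 9 trailing fields
        return None
    tail = parts[-9:]            # counted from the end so spaces in filenames are safe
    return {
        "time": " ".join(parts[0:5]),
        "host": parts[6],
        "file": " ".join(parts[8:-9]),
        "direction": tail[2],    # i = upload, o = download, d = delete
        "user": tail[4],
        "status": tail[8],       # c = complete, i = incomplete
    }

def is_trusted(host, networks):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False             # hostname logged instead of an IP: review by hand
    return any(addr in net for net in networks)

def unexpected_uploads(log_text, trusted_cidrs):
    """List upload records whose source is outside the ranges you connect from."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        rec = parse_xferlog_line(line)
        if rec and rec["direction"] == "i" and not is_trusted(rec["host"], networks):
            hits.append(rec)
    return hits

if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the site owner's own address range (assumption).
    for r in unexpected_uploads(SAMPLE_XFERLOG, ["198.51.100.0/24"]):
        print(r["time"], r["host"], r["user"], r["file"], r["status"])
```

    Uploads of index files from an unfamiliar address shortly after your own session match the pattern described in this thread.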

  6. #6
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    I agree with NexDog, this sounds like YOUR machine is infected, and has stolen your ftp user / pass(s) from your local machine. Note that the usual way Gumblar works is your local machine (the one you ftp TO your server with) is infected, it steals the user / pass and uploads the iframe crap, or whatever they want, really.
    This gives web site owners the run-around, as they are busy looking for the hack on the server, when it's actually on the computer they use to upload files TO the server.

    Try connecting to your server from a known clean machine, change your ftp passwords, then go about disinfecting your ftp client workstation.

    This infection is rampant and gaining right now, many folks are being hit, so a good chance this is the issue.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  7. #7
    Join Date
    Feb 2007
    Location
    USA, UK, Singapore
    Posts
    3,325
    I'd rather recommend you to completely delete your FTP user account and use a fresh one with different password. If using FTP is not mandatory, I'd prefer to manage file system using some of the powerful file managers that are available with control panels <<snipped>>.
    Last edited by bear; 06-27-2009 at 08:04 AM.
    ██ Softsys Hosting ██ - 9 Years In Business - 24/7 In-House Support - Enterprise DDoS Protection Available!

    Enterprise Dedicated Servers - WHT Exclusive Windows & Linux VPS (US/UK/Singapore) - Failover Ready Cloud VM's

  8. #8
    Thanks guys for the help, and for the help of NexDog buddy; that's the problem. I did check my files as that article said. My machine is not affected now, because I reinstalled my machine, and as mugo buddy said, it's the same: I reinstalled my machine but didn't change the FTP username and password. I think the last attack was because of it.

    My hosting is cPanel based, but I use FlashFXP for transferring the files. What would you suggest? Should I change the FTP client too?

    Thanks to all of the guys who replied to me; I'm really thankful to them as well.

  9. #9
    Join Date
    Oct 2005
    Location
    Austin, TX
    Posts
    260
    I don't like FlashFXP; it's just personal preference. You were for sure infected with that virus though, and that was the cause; it's very common. How it works is, it infects your system, then waits for you to connect via FTP, steals your username / password and saves it in memory. Then, when it feels like it later, it adds the iframe code to another site. Now the iframe leads to a DNS that changes often and has a ton of exploits on there. Currently there are a few Flash, PDF, Microsoft Word, etc. exploits that allow arbitrary code injection and will infect people, so it infects them with this virus again. Just be careful next time; it only costs somebody 30 bucks to make a virus undetected by all anti-viruses, so be careful what you download. Always scan it for safety, and for more safety use Sandboxie when in question.
    Cody McLain
    Founder of PacificHost / AptHost

  10. #10
    Join Date
    Dec 2001
    Location
    Above The Clouds
    Posts
    6,999
    As long as your system is clean and you have changed the password you will be fine. This virus has frustrated many a host and many a user. It really is quite nasty because if Google notices it, it flags your page and it can take a while for Google to remove it. That is done via your Webmaster Tools account by the way.
    Laurence Flynn @ atOmicVPS LTD
    Linux & Windows Cloud Hosting Solutions Powered by OnApp
    Fully Managed [Shared][Reseller][Cloud VPS] [Dedicated]
    Featuring the atOmicSTACK ● Speed ● Performance ● Reliability

  11. #11
    Yes, but I have changed all the passwords of the hacked site and now I'm using the cPanel uploader. My system is clean; I checked the CNET link and checked my system, and it is not infected now. Thanks for your help, guys.

  12. #12
    Join Date
    May 2009
    Location
    SLASH ROOT
    Posts
    853
    Dear Fraz Khalid,

    Usually iframe attacks/injections are done via FTP (as in your case).

    These Iframe attacks are usually seen with two instances,

    1. Account password harvesting.

    2. Mass modification of index page.

    I would suggest the following be done asap:

    1) Switch FTP to passive mode. If it's in active, hackers can easily sniff the data port and thereby hack your account.

    If it's passive, sniffing isn't possible since data is sent through port > 1024.

    2) Reset FTP passwords to more complex ones (which I think you have already done).
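
    To find index pages that were modified in bulk, as described in this thread, here is an added example (not part of the original post) that walks a web root and reports iframes in index files pointing at a host other than your own. The names in INDEX_NAMES, the host names and the sample page are assumptions constructed for illustration.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.htm"}  # assumed names

# Constructed sample page: one injected off-site frame, one legitimate local frame.
SAMPLE_INFECTED = """<html><body>
<iframe src="http://malware.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<h1>Welcome</h1>
<iframe src="/video/player.html" width="640" height="360"></iframe>
</body></html>"""

class IframeFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if host is None or host in self.own_hosts:
            return                       # relative or same-site frame: ignore
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width", "").strip() in {"0", "1"}
                  or a.get("height", "").strip() in {"0", "1"}
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"line": self.getpos()[0], "src": a["src"], "hidden": hidden})

def scan_html(text, own_hosts):
    """Return off-site iframes found in one page, with line number and hidden flag."""
    finder = IframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, own_hosts):
    """Map each index file under root to its off-site iframes (clean files omitted)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDEX_NAMES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read(), own_hosts)
                if hits:
                    report[path] = hits
    return report
```

    Run scan_tree against a downloaded copy of the site with your own host names in own_hosts; every reported file needs the injected tag removed after the FTP credentials have been changed from a clean machine.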

  13. #13
    Join Date
    Apr 2009
    Location
    Dallas/FortWorth TX
    Posts
    1,677
    Try using some reliable FTP clients like cuteftp or something.
    IPStrada When uptime counts.
    Warren Buffet: Honesty is very expensive gift do not expect it from cheap people.

  14. #14
    Join Date
    Mar 2009
    Location
    Chicago, IL
    Posts
    219
    I'm actually surprised that I haven't seen this mentioned. In short, FTP as a protocol sucks. Since you're transmitting your username and password in plaintext, it's pretty easy to snag without much hassle (relatively speaking).

    You should seriously consider using an application that supports SCP/SFTP as the authentication methods are handled in an encrypted session.
