  1. #1

    Need urgent help about iframe code (I've got infected)

    Hello Friends,

    My website got infected with an iframe code. Fine,
    but the problem is: how did I get infected??

    1- Was it due to a bug in my FTP client (LeapFTP)?

    2- Was it the server itself? (Impossible, because it is world-known.)

    3- Was it due to IE, and my PC got infected? How, if I use only the latest version of FF and have ESET Business Edition?

    Please, please, this is number 15 that I got infected.
    I got so tired; every time I clean my website and re-upload.

    I just need to know how, how, how, how does it happen!!

    Listen friends, shall I use, for example, a Java FTP client or FireFTP (Firefox add-on)? Because I'm thinking all FTP clients have bugs that make some hacker able to send commands with the iframe code.

    Please, I need your help: how does it happen?

  2. #2
    Join Date
    Aug 2009
    Posts
    13
    I just actually responded to a similar thread. Someone (you) who has access to your FTP probably has a keylogger (virus) on their PC. Scan the PCs that have access to your FTP, then change your passwords.

  3. #3
    Quote Originally Posted by thenewguy View Post
    I just actually responded to a similar thread. Someone (you) who has access to your FTP probably has a keylogger (virus) on their PC. Scan the PCs that have access to your FTP, then change your passwords.

    I don't think so, because I've scanned my PC and got nothing. Also:

    * If we suppose I got infected due to an .exe tool:

    I've never used any external exe file since I set up my Windows XP SP2 a few days ago.

    * If we suppose I got infected due to visiting a website already infected, that is also almost impossible, because I've been using the latest version of Firefox and never used IE.

    * No network, no PC connected to my PC.

    I have strong doubts about:

    1- The FTP clients themselves
    2- Ads (Flash) shown in Yahoo chat, because the only external tool that is connected to the internet and shows ads was Yahoo, and such ads may be injected with some code, since it is easy to inject any SWF file.

    Oh, I'm going crazy. How does it happen if I was doing my best not to get infected at all?

  4. #4
    Join Date
    Aug 2009
    Posts
    13
    Hmm. Do you have access to the FTP logs? If so, look for IP addresses that you may not recognize. Also look for file uploads at times you did not upload anything. I actually have a lot of experience with this type of issue and it was almost always an infected PC.

  5. #5
    Join Date
    Jul 2002
    Location
    The Big Easy -New Orleans
    Posts
    341
    What scripts are you running on the site? Do you have directories that are insecure, chmod'ed 777? The infection does not have to come directly from your PC. In fact, I'd say more often than not it doesn't. Have you looked at the access logs between when it was cleaned and when it was re-infected? The other part is that unless you have re-imaged the server, it would be very hard to determine that a known infected server is now completely clean. Rarely does a single infection stay that way. Once they find a way in, they will often put in secondary ways for them to get back in should you attempt to close the first door, so to speak. I'd start looking at the server or any scripts running on your site for holes.
    Lagniappe Internet L.L.C. - Wholesale Reseller and VPS Hosting.
    Lagniappe (lan-yap) - An extra or unexpected gift or benefit.
    HostEntrepreneur - Hosting news, reviews, tips, tricks, help and the occasional rant

  6. #6
    Quote Originally Posted by thenewguy View Post
    Hmm. Do you have access to the FTP logs? If so, look for IP addresses that you may not recognize. Also look for file uploads at times you did not upload anything. I actually have a lot of experience with this type of issue and it was almost always an infected PC.

    Oh look guys, I found this

    in the access error logs:


    Code:
    [Wed Aug 26 11:24:24 2009] [error] [client 66.249.71.53] File does not exist: /home/egturnke/public_html/******.com/404.shtml
    [Wed Aug 26 11:24:24 2009] [error] [client 66.249.71.53] File does not exist: /home/egturnke/public_html/******.com/ima<iframe src=
    ****** = my website
    It is the same day and time when I got infected.

    It has an IP that is not mine and it tried to write an iframe code into the index.php.

    Is that the one who did this to me?

    OH MY LORD... I went to ip2location.com to look up the IP address and I found the following information:


    66.249.71.53
    US
    UNITED STATES
    Region : CALIFORNIA
    City:MOUNTAIN VIEW
    ISP :GOOGLE INC

    So what does it mean.... grrrrrrrrrrrrrrr

  7. #7
    Join Date
    Aug 2009
    Posts
    13
    Quote Originally Posted by egturnkey View Post
    66.249.71.53
    US
    UNITED STATES
    Region : CALIFORNIA
    City:MOUNTAIN VIEW
    ISP :GOOGLE INC

    So what does it mean.... grrrrrrrrrrrrrrr
    It means someone has your ftp login information.

  8. #8
    Join Date
    Apr 2007
    Posts
    3,513
    There has been some talk on the register about people being infected due to MySQL (database) injection.
    Worth checking any code that you may have.
    - Buying up websites, side-projects and companies - PM Me! -

  9. #9
    Join Date
    Aug 2006
    Location
    Ashburn VA, San Diego CA
    Posts
    4,571
    You just set up XP with SP2? There's your problem...SP3 has been out for ages. You are most likely highly infected with all kinds of malware if you're indeed running SP2 with IE.
    Fast Serv Networks, LLC | AS29889 | Fully Managed Cloud, Streaming, Dedicated Servers, Colo by-the-U
    Since 2003 - Ashburn VA + San Diego CA Datacenters

  10. #10
    Quote Originally Posted by thenewguy View Post
    It means someone has your ftp login information.
    That is right, I guess so, hence I will change all.

    Quote Originally Posted by ZanyHost View Post
    There has been some talk on the register about people being infected due to MySQL (database) injection.
    Worth checking any code that you may have.
    The website is very simple and has 2 tables only, and was created by me with the help of w3school and dynamic and other open source PHP forums.

    Quote Originally Posted by FastServ View Post
    You just set up XP with SP2? There's your problem...SP3 has been out for ages. You are most likely highly infected with all kinds of malware if you're indeed running SP2 with IE.

    I've changed everything but never changed my Windows SP2 or updated....

    Thanks for the advice.

  11. #11
    Join Date
    Apr 2001
    Location
    Montana USA
    Posts
    673
    We have seen this dozens of times at Modwest recently.

    Check your FTP logs for successful logins to your account. If I am right, "you" have logged in from IP addresses all over the world recently.

    We wrote about this in the Modwest Blog on July 13th. I don't think I am allowed to provide a link.

    Good luck,
    John Masterson
    Former Hosting Company Owner

  12. #12

  13. #13
    Join Date
    Mar 2009
    Location
    /home/khunj
    Posts
    432
    Quote Originally Posted by egturnkey View Post

    * If we suppose I got infected due to an .exe tool:

    * If we suppose I got infected due to visiting a website already infected, that is also almost impossible, because I've been using the latest version of Firefox and never used IE.
    In most cases, it's none of them but a Flash vulnerability. Adobe products really suck!

    If you have any of the following software, then upgrade ASAP:
    Reader and Acrobat 9.1.2
    Flash Player 9 and 10

    I cleaned up a customer server yesterday. FTP logs clearly show that his computer was connecting to the server, downloading the files and re-uploading the modified ones. He was using Chrome with an old Flash version and only Avast was able to detect the virus.

    So it really doesn't matter which browser you are using.

    Another and better solution here
    NinTechNet
    ★ NinjaFirewall : Web Application Firewall for PHP and WordPress.
    ★ NinjaMonitoring : Monitor your website for suspicious activities.
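
Added example (not part of any post in this thread): the FTP log review suggested in posts #4, #11 and #13, in Python. It flags uploads from IP addresses you do not recognize and marks the download-then-re-upload pattern described in post #13. Assumptions: the server writes the common xferlog format (the thread does not say which FTP daemon is in use), and the sample lines, IP addresses and the `exampleuser` account are constructed.

```python
from datetime import datetime

# Constructed sample in xferlog format (documentation-range IPs, placeholder account).
SAMPLE_XFERLOG = """\
Tue Aug 25 09:12:40 2009 1 198.51.100.7 4210 /home/exampleuser/public_html/index.php a _ i r exampleuser ftp 0 * c
Wed Aug 26 11:20:01 2009 1 203.0.113.45 4210 /home/exampleuser/public_html/index.php a _ o r exampleuser ftp 0 * c
Wed Aug 26 11:20:03 2009 1 203.0.113.45 4388 /home/exampleuser/public_html/index.php a _ i r exampleuser ftp 0 * c
Wed Aug 26 11:20:09 2009 1 192.0.2.99 912 /home/exampleuser/public_html/js/menu.js a _ i r exampleuser ftp 0 * c
"""

def parse_xferlog(text):
    """Yield one dict per well-formed xferlog line; malformed lines are skipped."""
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 18:  # 5 date tokens + 3 fields + filename + 9 trailing fields
            continue
        try:
            when = datetime.strptime(" ".join(tok[:5]), "%a %b %d %H:%M:%S %Y")
            size = int(tok[7])
        except ValueError:
            continue
        yield {"time": when, "ip": tok[6], "size": size,
               "path": " ".join(tok[8:-9]),  # filename may contain spaces
               "direction": tok[-7],         # 'i' = upload, 'o' = download
               "user": tok[-5]}

def flag_uploads(text, known_ips):
    """Return uploads from IPs outside known_ips.

    'reupload' is True when the same IP downloaded that file earlier in the log;
    'grew_by' is the size difference between that download and the upload.
    """
    last_download = {}  # (ip, path) -> size of the most recent download
    findings = []
    for rec in parse_xferlog(text):
        key = (rec["ip"], rec["path"])
        if rec["direction"] == "o":
            last_download[key] = rec["size"]
        elif rec["direction"] == "i" and rec["ip"] not in known_ips:
            before = last_download.get(key)
            findings.append({"time": rec["time"], "ip": rec["ip"], "user": rec["user"],
                             "path": rec["path"], "reupload": before is not None,
                             "grew_by": None if before is None else rec["size"] - before})
    return findings

if __name__ == "__main__":
    for finding in flag_uploads(SAMPLE_XFERLOG, known_ips={"198.51.100.7"}):
        print(finding)
```

Pass your own addresses as `known_ips`; a file that comes back a few hundred bytes larger seconds after being downloaded by an unfamiliar IP is the pattern post #13 describes.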

  14. #14
    Join Date
    Nov 2002
    Posts
    62
    I know a few people have mentioned it. But I will say it again.

    I had the same problem with a few clients.

    1.) Turn off FTP
    2.) Scan for infected files. I used the code below (assuming you're using cPanel; if not, then modify for your needs)

    Code:
    mkdir -p ~/iframe/ && cd /var/cpanel/users && for x in *; do find "/home/$x" -type f -exec grep -H 'iframe' {} \; > ~/iframe/"${x}-iframe_results.txt"; done
    then

    Code:
    cd ~/iframe/ && for x in *; do grep ":8080" "$x"; rm -iv "$x"; done
    You will see every account with iframe in their page with reference to port 8080 (usually due to this virus).
    If you find anything suspicious then say no to the delete.

    3.) Change passwords
    4.) Turn FTP on
    5.) Notify users

    Hope this helps
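
Added example (not from the post above): a Python version of the same scan that reports each suspicious iframe with its file, line number and `src`, instead of every line containing the word "iframe". The port-8080 check comes from the post; treating 0/1-pixel or invisibly styled iframes as suspicious is an added assumption, and the file contents and the `injected.example` / `player.example` hosts are constructed.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
PORT_8080_RE = re.compile(rb"^(?:https?:)?//[^/]+:8080(?:/|$)", re.IGNORECASE)
# Assumption beyond the post: a 0/1-pixel or invisibly styled iframe is also suspicious.
HIDDEN_RE = re.compile(
    rb"""(?:width|height)\s*=\s*["']?[01](?:px)?["'\s>]"""
    rb"""|display\s*:\s*none|visibility\s*:\s*hidden""", re.IGNORECASE)

def scan_tree(root, exts=(".php", ".html", ".htm", ".shtml", ".js")):
    """Return (path, line_no, src, reasons) for every suspicious iframe under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes: site files may not be valid UTF-8
                data = fh.read()
            for m in IFRAME_RE.finditer(data):
                tag = m.group(0)
                src = SRC_RE.search(tag)
                reasons = []
                if src and PORT_8080_RE.match(src.group(1)):
                    reasons.append("port-8080")
                if HIDDEN_RE.search(tag):
                    reasons.append("hidden")
                if reasons:
                    line_no = data.count(b"\n", 0, m.start()) + 1
                    url = src.group(1).decode("latin-1") if src else ""
                    hits.append((path, line_no, url, reasons))
    return hits

def demo():
    """Scan a throwaway tree of constructed files and return the findings."""
    samples = {
        "index.php": b'<?php echo "hi"; ?>\n<iframe src="http://injected.example:8080/index.php"'
                     b' width=1 height=1></iframe>\n',
        "video.html": b'<iframe src="https://player.example/embed/1" width="640" height="360"></iframe>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return [(os.path.basename(p), n, u, r) for p, n, u, r in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Only literal `<iframe>` tags are matched, so an injection that builds the tag from obfuscated script will not appear in the results.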

  15. #15
    Generally, regarding a possible MySQL injection attack: do you know about PHP variable escaping? If not, you need to read up on that, because if your tables are insecure then it doesn't matter if you have 2 or a thousand; it's still insecure and they can get back in at any time.

  16. #16
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,686
    please please this is number 15 i got infected
    If you've been infected 15 times, it's time to call in a professional, not deal with this yourself. Have your website and server secured and audited by someone who knows what they're doing, not a bunch of forum people who will give you conflicting advice.

    Pony up the $$$, find yourself someone knowledgeable in the issue, get them to look at it and have it resolved.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details
