Full Version: URGENT: You'd all better check your sites
apsoda
today I was doing my daily check to make sure all my sites were working and happened to glance at the status bar of ie while a page was loading...

the browser was retrieving data from a site I had never heard of and when I checked the source, there were two i-frames inserted into my code.

I posted a support ticket and out of curiosity checked my other sites...

so far five of my eight have also had these i-frames inserted

please check your sites... the i-frames load an amateur porn site!
artrocity
QUOTE(apsoda @ Jan 19 2004, 01:34 AM)
the browser was retrieving data from a site I had never heard of and when I checked the source, there were two i-frames inserted into my code.

I posted a support ticket and out of curiosity checked my other sites...

so far five of my eight have also had these i-frames inserted

please check your sites... the i-frames load an amateur porn site!

Did you do a 'view source' to see this iframe?

Did you ftp or shell to your web site and actually
see the iframes there?

what server are you on?

if the offending code is actually on your web site
then you have been hacked.

if not it sounds like you have some scumware on your computer.
if you are running windows then
search for a program called spybot
it will get rid of this problem and more.....
apsoda
thanks artrocity...

I'm on server 10 and the sites in question haven't been modified for months

this was definitely a hack... the iframes only existed on the server, none of my working copies or backup copies of the affected sites had the iframes

thanks for the advice about scumware/spyware but I've got all that covered :)

I should add too, that the iframes were 1px x 1px... barely noticeable in ie (I'm running v6) but thankfully firebird v0.7 defaulted to a maybe 5px border around them, which (in addition to 'retrieving data from www.*x*x*x*.com') is what drew my attention
Serge
So far we have checked all files on server10 and did not find any more sites with those iframes except sites that belong to apsoda.

Changes were made from the user name of the sites.
So I assume that:

- either apsoda has or had some scripts that could be exploited (looks unlikely because not all his sites that had those iframes had scripts)
- or the passwords to the sites were weak or the same and were just brute-forced by the hacker.
jchrastina
Hey, Hostony!! You better take another look at server 10. I just checked the source for THREE of my websites and they ALL HAVE THOSE IFRAMES.

This is disgusting!!!!!!!!!!!!!!!!!!!!!!!

I am going to have to RE-upload all of my content. Another day SHOT!!!
jchrastina
Only index.html is being altered.
All of my sites were hit 01-18-04 at 1:04 am.
I have cleaned all of them.
Vanya
What is your domain name?
jchrastina
More info sent by email to support@hostony.com
thiessen
Add one of my sites to the list of hacked sites. I too had a porn site added in an iframe on the index.php page.
jchrastina
I noticed that /var was at 96% full when this started, or at least when apsoda alerted all of us.

Could there be any connection between the two events?
BigJimW
Where are these Iframes located in the HTML and what does it look like?

I just checked mine and it looks ok, but I want to make sure I'm looking for the right thing.
thiessen
You can see an example at http://server10.fastbighost.com/~handwww/

Upper-left hand corner.
Xenobug
Ack!
I have em too. They look like this:

<IFRAME SRC="http://www.best-miss.com/" WIDTH=1 HEIGHT=1></IFRAME>

<IFRAME SRC="http://www.best-miss.com/" WIDTH=1 HEIGHT=1></IFRAME>

They're right after the BODY section on the page :-(
Xenobug
Mine were still there when I uploaded my site again too. They're definitely not in the code. How do I get rid of them? :-(
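
Added example, not part of the thread or any poster's code: a small scanner an account owner could run over a downloaded copy of the web root to find the kind of near-invisible iframe described above, reporting each file's modification time so that hits made at the same moment stand out. The 5px cut-off, the file extensions and the placeholder host in the sample are assumptions.

```python
import os
import re
import time
from html.parser import HTMLParser

MAX_PX = 5  # assumed cut-off: a frame this small is treated as hidden
PAGE_EXTS = (".html", ".htm", ".php")  # assumed set of page files to inspect

def _tiny(value):
    """True for sizes such as "1" or "1px"; False for "100%", "400" or a missing value."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= MAX_PX

class _IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []  # (line number, src)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <IFRAME WIDTH=1> matches.
        if tag == "iframe":
            a = dict(attrs)
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                self.hits.append((self.getpos()[0], a.get("src") or ""))

def scan_html(text):
    """Return [(line, src)] for every iframe whose width or height is <= MAX_PX."""
    finder = _IframeFinder()
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Return (path, mtime, line, src) for each tiny iframe in page files under root."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(PAGE_EXTS):
                path = os.path.join(folder, name)
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(os.path.getmtime(path)))
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found += [(path, stamp, ln, src) for ln, src in scan_html(fh.read())]
    return found

# Constructed sample in the shape quoted in the thread (placeholder host).
SAMPLE = ('<html><BODY>\n<IFRAME SRC="http://injected.example/" WIDTH=1 HEIGHT=1></IFRAME>\n'
          '<iframe src="/map.html" width="400" height="300"></iframe>\n</BODY></html>')

if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*hit, sep="\t")
```

Any hit should be compared against a known-good backup copy of the same file before the page is re-uploaded.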