Comments on: Another Type of IFrame Hack (PHP Exploit)

By: Eric Sebasta

Eric Sebasta — Thu, 03 Nov 2011 15:37:26 +0000

Listen folks, for you games, keep windows. For work, use Linux or OS X. And for the love of God, do NOT use Adobe Acrobat reader. It has a worse track record then Fat Albert. If you must use windows use Sumatra PDF or FoxIt pdf, which both have a far better security record when it comes to PDF exploits.

By: Vishal Sharma

Vishal Sharma — Fri, 04 Jun 2010 01:51:33 +0000

We have removed the script. The site was uploaded with IP Address and domain was pointed a day after . Now If I am using search by name its absolutely fine but other pages are still showing with IP which were crawled when domain was not pointed.

However , at some places its showing okay. I am not sure..

Does it takes some time ?

By: Denis

Denis — Mon, 31 May 2010 07:04:27 +0000

No, you didn’t. The malicious script is still there.

And I provided you with the link to the article that contains everything you need to know to detect, clean up and prevent reinfection.

By: Vishal Sharma

Vishal Sharma — Mon, 31 May 2010 04:03:17 +0000

Whats the permanent solution to this ? We have removed the script ..

By: Denis

Denis — Sun, 30 May 2010 21:34:09 +0000

Vishal,

I had to remove your site link from your signature, since it is infected with Gumblar:
http://www.UnmaskParasites.com/security-report/?page=www.realtygurgaon.com

You can read about Gumblar infection here:
http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/
this article contains some solutions

By: Vishal Sharma

Vishal Sharma — Sun, 30 May 2010 12:25:54 +0000

I have been facing Iframe and virus injuctions .

We have changed the front end from Asp to PHP with my sql support .

Could you suggest with a permanent solution to this problem ?

Look forward to hearing from you.

Regards,
Vishal Sharma
Email : realtygurgaon@gmail.com

By: Dabbled » Blog Archive » iframe Hack – A Warning for readers and other bloggers

Fri, 02 Oct 2009 12:27:48 +0000

[...] http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/ http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ [...]

By: Vinz

Vinz — Thu, 17 Sep 2009 10:51:16 +0000

Hello,
I suffered from the same. I’m copying my M.O. here, which worked.
I got
/homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to login or other. So:
1) re-install all your Wordpress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
2) Now you should be able to login. Go to your dashboard and install plugin “Script Exploiter”.
3) Run the plugin and look for malicious script. In my case, I had this baby:

copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
4) Download the files with the added script, open them with an editor and erase all the garbage.
5) FTP them back on the server, change your password, you should be all right.
Cheers, hope this helps,
Vinz

By: DNS_Serva

DNS_Serva — Mon, 14 Sep 2009 05:50:11 +0000

Technically that is incorrect,
ActiveX scripting is used to exploit (Blame Microsft, Why oh why do they assume every ActiveX scripting call is safe? :sigh:)

Simple answer to internet users. Ditch Internet Explorer (if you use it) and goto Firefox, Install the No/Script add-on. Now you have control over scripting and nothing can exploit you via your browser!

By: Mary

Mary — Thu, 03 Sep 2009 19:47:08 +0000

If your system is completely free of viruses and spyware (I use a firewall and used four different scanners including a rootkit scanner)…

If you change your FTP passwords often…

If you have deleted your website and uploaded a clean version of all your files…

But you are still being hit by iframe injections…

Chances are you are not using Secure FTP because you either didn’t know it existed or your host doesn’t provide it. This is exactly what happened to me. All of the helpful websites that provide information about iframe injections blame viruses, trojans or insecure passwords, and most do not point to another obvious solution. GO WITH A GOOD HOST that provides secure FTP and the option to use mod_security automatically on your domain panel. I switched to DreamHost, immediately switched ON Secure FTP, switched OFF regular FTP, and switched on extra security, and the attacks have finally stopped.

IXWebHosting was of no help and was the cause of my problem. Even after I blocked all other IP addresses than mine to FTP, I continued to get hacked. I suspect that the problem was due to insecure FTP (password easily sniffed during transmission) and insecure hosting (hacker able to access my site even though they were disallowed from FTPing to it).

When all else fails – do some really good research and change hosts.