
iframe injection


  • Rock
    replied
    Originally posted by WeWatch
    Often times hackers leave backdoors on websites. They know that the first thing you're going to do is to change the FTP passwords so they leave themselves a way of re-infecting websites after the FTP password has been changed.

    I've found that often times the hackers will "touch" all the files so that you can't just look at the date on the file to determine which files were hacked.

    They, the hackers, typically place a line of code in various php files, or they'll create php files with very common names: common.php, data-conn.php, etc.

    One of the most common files we find is in any and all images folders and its file name is gifimg.php. This file is their backdoor.

    They also insert some php code either in php files or sometimes html files as well. This code usually starts with:

    <?php eval(base64_decode

    We've seen a few cases, usually on WordPress sites, where this string is used legitimately; however, it does give you a good starting point.

    If you need further help, please post back here.
    These can be controlled/avoided by disabling the PHP functions



  • WeWatch
    replied
    Often times hackers leave backdoors on websites. They know that the first thing you're going to do is to change the FTP passwords so they leave themselves a way of re-infecting websites after the FTP password has been changed.

    I've found that often times the hackers will "touch" all the files so that you can't just look at the date on the file to determine which files were hacked.

    They, the hackers, typically place a line of code in various php files, or they'll create php files with very common names: common.php, data-conn.php, etc.

    One of the most common files we find is in any and all images folders and its file name is gifimg.php. This file is their backdoor.

    They also insert some php code either in php files or sometimes html files as well. This code usually starts with:

    <?php eval(base64_decode

    We've seen a few cases, usually on WordPress sites, where this string is used legitimately; however, it does give you a good starting point.

    If you need further help, please post back here.

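A content-based scan for the indicators listed in the post above (the gifimg.php file name, PHP files inside image folders, and the eval(base64_decode marker), as an added example that is not part of the original thread. The image-folder names and the sample tree are assumptions constructed for the demonstration, and hits are leads to review, since the post notes the marker is sometimes used legitimately.

```python
import os
import re
import tempfile

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)  # marker quoted in the post
SUSPECT_NAMES = {"gifimg.php"}           # file name the post reports as a backdoor
IMAGE_DIRS = {"images", "image", "img"}  # assumption: folders that should hold no PHP
SCANNED_EXT = {".php", ".html", ".htm"}  # the post says PHP and HTML files get injected

def scan_webroot(root):
    """Return sorted (relative_path, reason) leads; content-based, so mtimes are ignored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_image_dir = any(p in IMAGE_DIRS for p in parts)
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in SUSPECT_NAMES:
                findings.append((rel, "file name reported as a backdoor"))
            elif in_image_dir and ext == ".php":
                findings.append((rel, "PHP file inside an image folder"))
            if ext not in SCANNED_EXT:
                continue
            try:
                with open(os.path.join(root, rel), "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: nothing to match against
            if EVAL_B64.search(data):
                findings.append((rel, "eval(base64_decode marker"))
    return sorted(findings)

def build_sample_site(root):
    """Write a constructed sample tree: clean page, injected page, planted file, image."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        "about.html": b"<html><?php eval(base64_decode('ZWNobyAxOw==')); ?></html>",
        "images/gifimg.php": b"<?php /* constructed placeholder body */ ?>",
        "images/logo.gif": b"GIF89a",
    }
    os.makedirs(os.path.join(root, "images"))
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        print(*scan_webroot(tmp), sep="\n")
```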


  • eUKhost.com
    replied
    Originally posted by colin
    Hi

    Looks like it came from my web guy.

    All back to normal now.

    Thanks for your help

    Colin
    Tell him not to visit those xxx websites.



  • colin
    replied
    Hi

    Looks like it came from my web guy.

    All back to normal now.

    Thanks for your help

    Colin



  • NickJ
    replied
    Hello,

    It seems that the index files were downloaded via FTP, injected with malicious code, and uploaded again.
    I would request you to email us at [email protected], I will provide you with complete logs.

    Regards,
    Nick J.



  • colin
    replied
    Site is mrfuzzy.co.uk

    Thanks

    Colin



  • eUK-Victor
    replied
    Hello Colin,

    Please provide us with the exact domain name which was iframe injected so as to find the exact cause of it. Generally, iframe injections occur through FTP service.



  • colin
    started a topic iframe injection

    iframe injection

    Hi

    Just had an iframe injection removed from my website.
    Can anyone tell me how it could have got there and what I can do to make sure it does not happen again?

    Thanks

    Colin