giblitz();

little nuggets of insider knowledge from Fusion Powered

iframe hacks

There has been a lot of activity recently with websites displaying malicious code (iframes). In many cases, every default document in all folders across a website may have been corrupted. There are a few things you can do to mitigate any future damage; here are some steps you can take:

Firstly, you should change your FTP password. The code is being placed onto websites via hacked FTP passwords, and it is then injected into the default documents in all folders across your entire FTP site.

In the cases that I have seen, they are using Java to install even more malicious code onto your computer. You can disable Java support completely in Firefox, and I would recommend that you do the same in Internet Explorer too.

Run some decent antivirus software and spyware removal tools. I use AVG and Spybot S&D, but they didn’t catch any of the more recent variants. Use of AVAST with its resident shield helped, plus the great tools from SysInternals (RootkitRevealer, Process Explorer, etc.) to identify rogue programs.

One last thing you could do is change your default document to something else. This will redirect users away from the infected server files if they get infected again, which they will do if you don’t change your FTP password. This is easy on Linux, as you just have to add another line to your .htaccess file; there are no other configuration changes required.

I’ve also got a list of dodgy IP addresses that tried to connect to my FTP servers (but failed). I can only assume that these are infected computers. The list details computers located in 29 different countries, making it a widespread infection if you ask me! In this case, set an IP filter on your FTP server to allow connections only from trusted IP sources. Alternatively, you could also start to implement SFTP (or FTPS), which is basically SSL over FTP, encrypting your data before it gets transmitted, making it impossible to decrypt (or at least take a very long time).
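One way to check a local copy of a site for the injected iframes described above, as an added example that is not part of the original post: it walks every folder, parses each default document, and lists iframes that load from hosts not marked as trusted. The default-document names, the `trusted_hosts` parameter and the `.example` hosts are assumptions, and the sample site is constructed.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed default-document names; match them to your server's configuration.
DEFAULT_DOCS = {"index.html", "index.htm", "index.php",
                "default.htm", "default.html", "default.asp"}

class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.sources.append(dict(attrs).get("src") or "")

def scan_site(root, trusted_hosts=()):
    """Return sorted (relative path, iframe src) pairs for iframes in default
    documents under root that load from a host not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in DEFAULT_DOCS:
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                collector = IframeCollector()
                collector.feed(fh.read())
            for src in collector.sources:
                host = (urlparse(src).hostname or "").lower()
                # Relative URLs have no host and stay on your own site.
                if host and host not in trusted:
                    findings.append((os.path.relpath(path, root), src))
    return sorted(findings)

def demo():
    """Scan a constructed two-folder site: one injected page, one clean."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write('<body>Home<iframe src="http://injected.example/x" '
                     'width=1 height=1></iframe></body>')
        with open(os.path.join(root, "blog", "index.html"), "w") as fh:
            fh.write('<iframe src="https://video.example/embed/1"></iframe>')
        return scan_site(root, trusted_hosts={"video.example"})
```

Run `scan_site` against a fresh download of the site and compare any findings with a known-good backup before re-uploading cleaned files.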

Let me know how you get on!
