Great, just what I needed... a hot HTML injection.
January 8, 2008 11:18 PM   Subscribe

Pages on my website are getting strange javascript, iframes, & links placed in them... This isn't affecting the other sites I host... what's going on?

I have several websites I host from a reseller account, though I don't actually sell any of my space. Most of the sites are just placeholder pages or projects I started and never finished, so they sit alone and unloved most of the time.

Looking around online, I see things about "Injected" Links, and of course the incident with Al Gore's site. But, how is this happening? It doesn't seem to affect the pages that are updated via Moveable Type and it doesn't seem to affect the sites "under" the main one.

I uploaded an HTML file on Monday afternoon for a friend and by Tuesday morning when he went to save it, it had an iframe injected into it.

Please note that this doesn't appear to be a Movable Type problem, as these are files that seem least likely to have the iframe or random links.

It would seem that the webserver is insecure. Is this something that is my own fault or is this the problem of my webhost? What can I do to stop/prevent/fix this?
posted by aristan to Computers & Internet (12 answers total) 1 user marked this as a favorite
 
An update... It appears that whatever is happening, the people aren't exactly careful. I have found at least two webpages that were in the wrong place. The index file out of one section of the site replaced the index in an entirely unrelated folder and in the second incident, an index file was replaced by my webhost's "Account Suspended" page!
posted by aristan at 11:24 PM on January 8, 2008


Yeah er. more data.
posted by iamabot at 11:44 PM on January 8, 2008


Sorry to be Captain Obvious, but you did immediately change your FTP password to something not subject to dictionary attack, didn't you?
posted by flabdablet at 11:45 PM on January 8, 2008


iframes usually aren't used when somebody has FTP access. I am guessing somebody has exploited a form or something on the site, rather than your FTP.
posted by B(oYo)BIES at 12:05 AM on January 9, 2008


If static pages (plain old HTML) are gettting 'infected', someone probably has file level access to the server. They could have compromised your account or they could have gained access through someone else's account. If this is the case your webhost has to get involved, they'll need to move everyone to a new secured server and make sure the attacker doesn't get back in.

If dynamic pages (MT, PHP, CGI, etc) are getting hit then they may be exploiting a vulnerability in the application running on the server. You will need to backup and clean off the site and install an upgraded and secure version of whatever program it is. You may also need to involved your webhost, as they may have done more than inject the iframes and links.
posted by mutagen at 12:34 AM on January 9, 2008


Could your host have gotten infected by the recent wave of virus attacks? You don't say what type of OS.
posted by yerfatma at 4:33 AM on January 9, 2008


Mutagen: The files affected are all normal HTML pages, except for one. That file was dormant though, and the changes were done in the HTML file, not the MT template.

Flabdablet: The Password on the account is a random string of letters and numbers.

yerfatma: the server uses centOS.

imabot: Yeah er. what more data do you need?
posted by aristan at 5:28 AM on January 9, 2008


A script on your host has a security bug, and it's being exploited. You need to find it. Search for the domains which are being injected as links or src parameters for clues. Or post them here.
posted by genghis at 6:46 AM on January 9, 2008


But, how is this happening?

The idea is that one of your forms is not doing any sanity checking and that allows someone to write all sorts of things to your database. Its called SQL injection. Also, if your host has everyone using the same database, another account's exploitable form could have done this. I'd contact the host asap.
posted by damn dirty ape at 9:16 AM on January 9, 2008


Static files were modified, so it'd have to be a shell-level exploit rather than an SQL injection attack, but yeah, it does sound like one of your web apps is vulnerable, or the web apps of someone else on the shared host are. :-/
posted by breath at 9:39 AM on January 9, 2008


Contact your server administrator YESTERDAY. Explain everything that you're telling us. This is less of your problem, and more THEIR problem for insecure, poorly maintained servers.

I had this same, essential thing happen to me, and the folks who run my (now former) hosting company had no goddamn clue what was happening. If they're unaware or can't help, find another hosting provider ASAP.

I'm not kidding.
posted by SansPoint at 11:42 AM on January 9, 2008


>If dynamic pages (MT, PHP, CGI, etc) are getting hit

If by MT you mean Movable Type, they're not actually dynamic, unless huge changes have occurred. They're static, although dynamically generated by perl.
posted by AmbroseChapel at 2:30 PM on January 9, 2008


« Older push th' little actress...   |  I am contemplating on pursuing... Newer »
This thread is closed to new comments.