Is your website hacked? Website with hidden iframe to .cn website
Ok,
I recently had a couple of my websites hacked, I am not sure if they were hacked or was it some malicious program installed on my computer. Here is what I found. Most of those websites had the following iframe code in index files
iframe src="http:// superbetfair.cn/in.cgi?income43" width=1 height=1 style="visibility: hidden" iframe
(link intentionally broken, for your own safety don't click on it )
The website superbetfair.cn was often replaced by some other website. In almost all cases they were .cn website. e.g.
iframe src="http:// lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden" iframe
(link intentionally broken, for your own safety don't click on it )
My first instinct was to simply clean the files. Research on net showed that the infection was almost always in index.php file which made it relatively easier. After having spent four hours cleaning some of deep structured website and wordpress blogs I thought I am over with it. But NO!
Next day or within few hours the infection was back. A few things changed though
In some of the websites the infection was again same iframe code. However, in some other websites the infection was encoded and scrambled with javascripting. In some rare cases it has gone further ahead by scrambling the javascripting with ascii codes. Yes its those weird !56!66 numbers that you see after script tag in your html code.
My first thought analysis was:
- My host is infected - but I had to disregard that possibility as the infection was on multiple sites across multiple hosts.
- My password is hacked - again a tough nut for someone to crack unless I was being targeted.
- My PC has been compromised - Well that kinda make sense, I had my antivirus disabled for last few days because it slows down my internet connection.
Luckily, my friend is a tech support for a renowned company. Gave him a call and he recommended me two softwares.
http://www.malwarebytes.org/
http://www.simplysup.com/tremover/download.html
I ran the first scan with malwarebytes and bingo - It detected over 20 malware and a few registry hacks. Clicked a button and they were gone. Ran a full system scan with malwarebytes.
Next step was to use trojan remover from simplysup - ran a quick scan and it detected a few files and quarantined them. The next step was to run a full system scan. It took around 7 hours to do, detected nothing. Oh btw, both of these softwares came with free trial so I had not spent anything.
The next step was to run up my antivirus (Kaspersky) again and perform a full system scan, this time Kaspersky came up with five possible threats and quarantined them.
The next step was to uninstall my ftp program coreftp till that point. So I installed filezilla client.
Meanwhile I had setup one of my staff members to change all passwords and login information. So by the time I had this done, all the login and password were changed. (If you are suffering from this infection, I highly recommend that you change your passwords etc from some other computer and don't login using your old ftp program)
Once all this was done, I started logging into my websites with new information without storing them in the client and started cleaning the index.php file. Its a gruelsome task but after few hours almost all sites were disinfected. 18 hours have passed and as of now I have not seen it return so I am keeping my fingers crossed.
SPECIAL NOTE TO WORDPRESS USERS
If you are a wordpress blog owner and have this infection, you will have to clean the following files
- Index.php in root folder
- index.php in wp-content folder
- index.php in wp-admin folder
- index.php in all the themes (all folders in wp-content/theme folder )
- default-filters.php in the wp-include folder (this is only in some installations)
- Make sure you change your username and password for wordpress and ftp separately once you have cleaned your blog, also check for any plugin that has any file named index.
SPECIAL NOTE TO DRUPAL USERS
If you are seeing a parsing error on opening your drupal based website, that might be because of this infection. Just log in to your ftp account and download the index.php file. Remove the malicious line of code and you should be good to go again.
Please note you will have to change all passwords.
So far all looks good.
Special Note:
I am posting this because a friend of mine called up and asked if I know about this, his website is apparently infected too. I might seem to go through a complex route to solve an easy problem but anyhow that is what worked for me. If you have an easier solution to this, let me know in comments. Also as usual I will suggest you to take backup wherever possible before going through these steps. I won't be liable for any damages, this is just a free advice :)
PS: If this posts helps you in anyway, let me know :)