Unexpected changes to index files?

One of the more common forms of websites being hacked that we are seeing at the moment is a 1×1 pixel iFrame being added to the bottom of all types of index pages either?. The iFrames normally load a page which attempts to install Malware on the visitors PC, which also leads to the site with the infected iFrame being blocked in browsers by services such a Google Safe Browsing () which is built into FireFox and Chrome.

Removing the code is quite easy and can either be manually done by re-uploading the infected files, or creating a bash script to search for infected files and remove the line of the code. However, depending on how the files were infected in the first place you might find yourself quickly becoming infected again, A lot of recent incidents we have seen have had the files altered using legitimate FTP details, rather than an exploitable piece of code on the site.

These passwords are harvested from PC’s using variations of PWS-FerTP (), not only does it harvest passwords they also download index files, add code – which is usually encoded – and then re-upload it from the infected machine. Normally the infected machine sits on a network which has been allowed access through a firewall.

The only way to really combat this problem is to ensure that all PC’s which have any level of access to your web server are regularly virus checked using up-to-date profiles, or that passwords are stored away from your FTP software.

This entry was posted in Web Security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>