[FairwayandIsle]

Quote:

Originally Posted by yoyo

I'm wondering if the iframes were inserted into your html code before it was uploaded onto your server...

I don't think so because the site ran fine for almost a year without any trouble, and I am the only one that works on the code. Since this has happened I have been checking every link every morning to make sure that there are no more viruses or iframes.

I just find the entire things so strange, I don't understand how a hacker can add code to a site that does not belong to them.

[yoyo]

Quote:

Originally Posted by FairwayandIsle

I don't think so because the site ran fine for almost a year without any trouble, and I am the only one that works on the code. Since this has happened I have been checking every link every morning to make sure that there are no more viruses or iframes.

I just find the entire things so strange, I don't understand how a hacker can add code to a site that does not belong to them.

But you've made changes to the site within the last year, right? Is it possible that the files were infected locally and then FTP to your site when you made changes? It wouldn't hurt checking your locally stored files...

(I'm assuming that you work on the files locally, and then FTP it to your webserver)

[bogart]

Quote:

Originally Posted by FairwayandIsle

I don't think so because the site ran fine for almost a year without any trouble, and I am the only one that works on the code. Since this has happened I have been checking every link every morning to make sure that there are no more viruses or iframes.

I just find the entire things so strange, I don't understand how a hacker can add code to a site that does not belong to them.

I just had a wordpress site hacked. The hackers were able to load approx 300 mb of files onto the site.

Hackers are able to use contact forms and inject code if you are using sql.

[FairwayandIsle]

Absolutly, at least once or twice a week I am doing something to the site.

I edit and ftp via DW and I am the only on with a copy of DW I had never seen this bit od code untill I was alerted to the propblems.

[yoyo]

Quote:

Originally Posted by FairwayandIsle

Absolutly, at least once or twice a week I am doing something to the site.

I edit and ftp via DW and I am the only on with a copy of DW I had never seen this bit od code untill I was alerted to the propblems.

Did you have a chance to check the files that you work on locally to see if the iframes appear there as well?

The reason I mention this is because a coworker whose computer was infected with malware/viruses sent me an html file to load onto our site. That html file had iframes linking to a .js file on an attack site BEFORE we uploaded onto the webserver.

[tcr]

Quote:

Originally Posted by bogart

Hackers are able to use contact forms and inject code if you are using sql.

which is easily avoided with a few simple lines in your code.

for example, always limit your input boxes in your forms, ie.

Code:

<input type="text" maxlength="some appropriate number here" />

@FairwayandIsle:

how often do you update your site via FTP? you said a couple times a week?

upon updating your site, do you soon thereafter notice your site becomes infected? if so, your FTP connection has been compromised.

there's an easy fix, but it requires your server/host to allow for SSH2 connections.

you're probably connected using an unencrypted port 21 right now, which is the same as surfing the web without any firewalls, spyware/virus protection.

i had a similar problem ages ago where all of a sudden, out of the blue, my site started acting funny...some pages weren't showing up, etc.

turns out, any time i uploaded a file via the unencrypted port 21, some bot or something was altering my files by injecting hundreds of 'viagra' type links into the source code, but was using CSS to hide the links. this was causing Google to index my page as per the hundreds of ridiculous links that it found hidden in the source, ultimately leading to my being banned from Google (had i not fixed the problem in time, which i did).

not saying it is the problem, but it definitely could be.

what you need to do is contact your host and request a secure FTP connection (SSH2), and then plug in those credentials into your FTP client, and your set.

[FairwayandIsle]

@tcr - It really all depends on the level of activity they have. I mostly ftp via dreamweaver, but ocasional will use a free ftp program.

Its strange were I keep finding this Java code though, yesterday I found in the 401,500 etc files.

I am going to take to the host about using a secure ftp... I am sure it will help even if that is not the propblem.

thanks for the idea.

[tcr]

ya, it'll show anywhere .. sounds to me like that is the problem.

once you connect to your FTP server insecurely, the bot finds any file(s) it can.

i was getting code injection in the oddest file(s) .. ones i hadn't updated in months, and pretty much forgot i even had on the server.

i would highly recommend further investigation into the securing your FTP client/connection.

[FairwayandIsle]

I plan on it. I have found code in my blog files that I never open.

I spoke to my host and I have to show my license for them to give me SSH2... is that normal?

[tcr]

your driver's license? i can't say that that's normal.

SSH2 is just another method of FTP server connectivity.

did you use your driver's license when you signed up your account? otherwise, what would they need it for in terms of cross-referencing.

sorry, but that's your call. when i asked my host (HostGator.com), all they did was flip a switch (hypothetically), and i had SSH2 on my package. took all of 10 minutes.