What will you feel after you come back from a wonderful birthday dinner and find out your sites are gone? Sure, you’ll not feel good. Guess what – it just happened to me! Fortunately, I send an emergency email immediately to my Hosting Support Desk, within less than 10 minutes, the issues got fixed and problems solved.
Below is the reply I got from the hosting help angle, which I would like to share with you, a MUST read!
Hello Ann,
I’m very sorry for the situation that you have encountered on your sites. The issue you have experienced is what is called an ‘iframe attack.’ This attack works by placing an undesired page within your website’s root directory, which then overtakes your existing homepage. This can cause both a “500 Internal Server Error” or just simply a blank page.
This issue is perpetrated through an unusual vector that many times is overlooked when it comes to compromised websites. The primary vector is through the client’s computer, or your computer. How this works, is you may have, unexpectedly or unknowingly, visited a site that was infected by malware – spyware, viruses, adware or otherwise. This malicious software is then installed without your permission, and then proceeds to collect information regarding certain things. In this particular instance the filtered information is your FTP details, user name and password. Using this stolen information they then upload the file directly to your site, causing this issue. This is why sometime when you delete that file, it simply comes back.
To resolve this issue, you must do the following:
Immediately install and scan with virus and spyware removal software.
Change ALL passwords, including email and database passwords.
Remove the file.
To prevent this in the future, unfortunately the best way is to sport best practices on the internet. Do not open emails with attachments that you do not recognize. Keep updated security software – virus and spyware removal tools, at all times. Make sure your operating system is up to date at all times. Be careful of the links that you click from friends and family. Doing this, you will save yourself from many issues, beyond simply the problem above.
There is another form of iframe attack, that has been circling the internet as well, that is not so easily fixed. This attack will modify files found within your web directory directly using exploits that do not require any issues to exist on your personal computer at home. These exploits are also not caused by insecurities in the server.
In these cases, the situation is caused by insecurity on running scripts such as Joomla or WordPress. These scripts can be exploited to create or edit index pages or .htaccess files creating this issue. Most of the time, these exploits are found in external, user created content like Themes and Plugins that are not developed according to the standards found by the primary developers and community of those applications. When this is the case, it is best to disable all plugins, and either upgrade or restore your script installation from backup.
While we understand this is frustrating, we appreciate your patience while we work to help you through this issue. If you need assistance in removing files or need advice or recommendations on this issue, please let us know and we will be more than happy to assist you in the future.
Thank you,
GVO – Abhilash,
Server Administrator,
GVO Support.
