A Must Read: iFrame Attack the Sites
What will you feel after you come back from a wonderful birthday dinner and find out your sites are gone? Sure, you won’t feel good. Guess what – it just happened to me! Fortunately, I sent an emergency email immediately to my Hosting Support Desk, and within less than 10 minutes the issues got fixed and the problems were solved.
Below is the reply I got from the hosting help angel, which I would like to share with you. A MUST read!
Hello Ann,
I’m very sorry for the situation that you have encountered on your sites. The issue you have experienced is what is called an ‘iframe attack.’ This attack works by placing an undesired page within your website’s root directory, which then overtakes your existing homepage. This can cause either a “500 Internal Server Error” or just simply a blank page.
This issue is perpetrated through an unusual vector that many times is overlooked when it comes to compromised websites. The primary vector is through the client’s computer, or your computer. How this works is that you may have, unexpectedly or unknowingly, visited a site that was infected by malware – spyware, viruses, adware or otherwise. This malicious software is then installed without your permission, and then proceeds to collect information regarding certain things. In this particular instance the filtered information is your FTP details, user name and password. Using this stolen information they then upload the file directly to your site, causing this issue. This is why sometimes when you delete that file, it simply comes back.
To resolve this issue, you must do the following:
Immediately install and scan with virus and spyware removal software.
Change ALL passwords, including email and database passwords.
Remove the file.
To prevent this in the future, unfortunately the best way is to follow best practices on the internet. Do not open emails with attachments that you do not recognize. Keep updated security software – virus and spyware removal tools – at all times. Make sure your operating system is up to date at all times. Be careful of the links that you click from friends and family. Doing this, you will save yourself from many issues, beyond simply the problem above.
There is another form of iframe attack, that has been circling the internet as well, that is not so easily fixed. This attack will modify files found within your web directory directly using exploits that do not require any issues to exist on your personal computer at home. These exploits are also not caused by insecurities in the server.
In these cases, the situation is caused by insecurity in running scripts such as Joomla or Wordpress. These scripts can be exploited to create or edit index pages or .htaccess files, creating this issue. Most of the time, these exploits are found in external, user-created content like Themes and Plugins that are not developed according to the standards found by the primary developers and community of those applications. When this is the case, it is best to disable all plugins, and either upgrade or restore your script installation from backup.
While we understand this is frustrating, we appreciate your patience while we work to help you through this issue. If you need assistance in removing files or need advice or recommendations on this issue, please let us know and we will be more than happy to assist you in the future.
Thank you,
GVO – Abhilash,
Server Administrator,
GVO Support.
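The support reply above describes the symptom but not how to check for it across many domains at once. The following is an added example, not code from the hosting company or from this post: a small scanner that walks a list of document roots, flags every index.html/index.php containing an iframe tag, notes whether the iframe is styled to be invisible (a common sign of an injected one rather than a normal embed), and records the file’s modification time so a mass drop across all sites shows up as identical timestamps. The directory layout and page contents it builds are constructed sample data so it runs offline.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Any <iframe ...> opening tag; \b stops it matching unrelated tag names.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes typical of an iframe meant to stay invisible to the visitor.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?0\b|visibility\s*:\s*hidden|display\s*:\s*none",
    re.IGNORECASE)
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

def scan_docroots(docroots):
    """Return (path, mtime_utc, hidden) for each index file that contains an iframe."""
    findings = []
    for root in docroots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() not in INDEX_NAMES:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        body = fh.read()
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                match = IFRAME_RE.search(body)
                if match:
                    mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                    findings.append((path, mtime, bool(HIDDEN_RE.search(match.group(0)))))
    return findings

def build_demo():
    """Constructed sample: three document roots, one clean, one with a hidden
    injected iframe, one with an ordinary visible embed (hypothetical hostnames)."""
    base = tempfile.mkdtemp(prefix="iframe-scan-")
    roots = [os.path.join(base, d, "public_html") for d in ("site-a", "site-b", "parked-c")]
    for r in roots:
        os.makedirs(r)
    samples = {
        os.path.join(roots[0], "index.php"): "<?php echo 'hello'; ?>",
        os.path.join(roots[1], "index.html"):
            '<html><body><iframe src="http://bad.example.invalid/x" width="0" height="0"></iframe></body></html>',
        os.path.join(roots[2], "index.html"):
            '<p>video</p><iframe src="https://video.example.com/embed" width="560" height="315"></iframe>',
    }
    for path, content in samples.items():
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return roots

if __name__ == "__main__":
    for path, mtime, hidden in sorted(scan_docroots(build_demo())):
        print(f"{mtime:%Y-%m-%d %H:%M} {'HIDDEN ' if hidden else 'visible'} {path}")
```

Run it against the real document roots (for example every `public_html` under the home directories) instead of `build_demo()`, and treat hidden iframes with a shared timestamp as the injected files to remove.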
That email is a carbon copy of the one that I had when I noticed the problem on my sites hosted on Kiosk servers.
However, what Kiosk support are pointing to as the problem is not the case as far as I can see. I have 17 domains hosted on Kiosk, two of which are not even being used, as in the domain name is simply parked on the server. Even so, each and every domain, some of which are not Wordpress, still had an index.html and index.php containing the iframe code put into the root directory.
I have since discovered a security loophole which allows anybody with the right password to gain access to the WHM (webhost manager) and then simple access to the cpanels of each and every domain. So, even though I have changed passwords for both the WHM and every domain cpanel, it will not do too much good since the hackers can still gain easy access to WHM and then the cpanels for each domain. Unfortunately, this loophole can only be put right by Kiosk, which I have already pointed out to them and awaiting a response.
Although I won’t go into details here, suffice it to say that the problem lies in how you log in to your WHM.
Alan
hi Alan,
Thank you for the valuable information; that sounds so scary! When were your sites hacked? No wonder they replied to my inquiry that fast … Could you please keep us updated about that security loophole issue once you get responses and answers from Kiosk?
I think it is important for everybody to learn and to know it even though they are not kiosk’s customer.
Thank you.
Ann
Hello Ann
I think we must have a bit of a time difference between us judging by the post time-stamps. I am in the UK BTW.
According to the date stamps on the new files that were added to the root of each domain and sub domain, they were all added at 3.15 on 12 November 2009 which I would guess is Texas time since that is where Kiosk/GVO are based.
Fortunately, I tend to check my sites quite often and was getting an HTTP 500 error from one site. On checking, I then found the rogue index files in the root of that domain and all the others as well. Had it all sorted within two hours of the files being placed on the domains.
I experienced something similar back in September as well with a line of code being appended to index.php on some domains although that ended up just throwing up errors on the bottom of the screen.
What I do know is that this time around, the issue is nothing to do with wordpress despite what Kiosk and Joel are saying. I am convinced that access was gained through WHM. There is no other way that the hackers or anybody else for that matter would have been able to find every one of my domains and sub domains, some of which have nothing on them.
I have still heard nothing back from Kiosk support regarding my observations. If you are interested, I can email you details about this security loophole, assuming that you are on a Kiosk hosting plan that allows WHM access. I am on their Titanium plan.
Let’s just hope they do something about this, otherwise I for one will be looking for another host.
Will let you know when and if I get any further info.
Alan
Alan,
We have a 6 hour difference – I am 6 hours ahead of you (Thailand). My sites got exactly the same sort of attack and experience as yours; I also thought the access was gained through WHM. I don’t know how many sites out there have been attacked??
Can you send me the email that you wrote to Kiosk regarding the security loophole? Yes, I am also on their Titanium plan. So please do let me know how it progresses; if the problems keep coming back and can’t get fixed, I will also be looking for another host … There will be no business if the attacks are non-stop, especially when your business is online.
Thank you
Ann
Hello Ann
Seems that all sites got hit again yesterday evening (UK time). Had to go through the same process of deleting rogue index files etc. You had the same problem as well.
The only good thing about this second attack is that it more or less proves my belief that access is being gained through Kiosk member login and directly into WHM. I changed all of my passwords after the first attack but the only one I cannot change is the member login password.
Your contact form is not working on this site and I cannot find an email address for you. Could you drop me an email to the address that you should be able to see with my comments and I will get back to you that way.
I am getting paranoid now – continually monitoring my sites through FTP waiting for the next attack.
I am actively looking for another host at present although that is easier said than done.
Alan
Hi Alan,
Yes, got attacked again .. it is hard to believe there is no help desk in the support room when I log in, only customers there, so we have to help each other to get the problems fixed (for the time being); they also gave no feedback (answered the ticket) regarding the issues this time … Anyway, I did the same things as you did; unfortunately, after changing the password, I can’t log in to FTP, the error message says it can’t communicate with the server!!
The problem with the contact form is fixed. Yes, I agree with you, and we should do something about the hosting .. Thank you.
Ann
Hi Ann
If you changed the password for WHM, it will also affect your primary domain, whichever one that is (I guess it may be this site). In changing that password, you will have also changed the FTP, SQL and cPanel password for that primary domain.
Just go into your FTP program and change the password within the settings for the domain and you should be able to access again.
I have 17 domains hosted on Kiosk and went through and changed the password for each and every one. However, doing so did not prevent the second attack and I had to go through once again and delete the rogue index files.
I do eventually get responses to my tickets but recently from two people. One is obviously the Indian support desk and the other from somebody called Jose Cyriac. However, very little information from either apart from standard responses. Then we get emails from Joel saying that the problem is Wordpress related, which it is not.
I have now found a way to change the login password to the Kiosk member area which I am almost certain is the entry point for these hackers.
Log in to your member area as usual, go to “account manager” and then “edit your profile”. There is an option in there that allows a password change. You can only use letters or numbers, but at least you can change it to something different. Once changed, you will get an automated email from Kiosk with your new login details.
Only time will tell if that stops any further attacks.
Considering what we pay each month for so called premium hosting, I would have expected a lot better than this.
Alan K
hi Alan,
Alright, let’s hope this can stop further attacks. Thank you for your help; I did what you said ..
Ann