IFrame Virus/Trojan experiences & question.. Please share yours

[Ecchi22]

Few months ago, I had to deal with this problem..

Some weird piece of code affected almost all my sites on a shared hosting, but it happened on my dedicated too.

Somehow it injects code in .html and .php pages, usually ones with "index" and "home" names. Some antiviruses detects them, some aren't, but google stamps "warning" at your site which, you have to admit is pretty bad and decreases the traffic a lot (in my case, 6 times less traffic).

I tried to clean this code and update almost every CMS software I had on my host, but the problem was still occurring.
Contacted hosting support too, and they told me to change all my passwords (cpanel & ftp accounts). I've done that and everything seemed to be fine. Forgot to mention that I spent lots of time using google webmasters tools to request review after the cleanup.

Yesterday, I noticed this code being injected again. I cleaned it up, but I'm getting a bit worried now, so I'd like to stop it once forever (ok, at least for some time).

In order to isolate my side in this problem, I worked 2 months on newly installed linux machine with all new passwords for host, but some sites still got infected.

What's your experience about this and similar thingies? Is it hosting issue or something else? Any prevention tips?

[klinton]

Clean your PC, trust me... !

I had the same situation

it gets your ftp pass and then reupload infected files

[k0nr4d]

I've had a few clients have a problem like this. It's a computer virus that sniffs out ftp info and either sends it off to another machine which in turn injects this code onto index.html/index.php files, or it causes your own machine to ftp in.

Run Virus scanner, Change all your ftp passwords afterwards

[Ecchi22]

Thanks for your answers.. I might left over some ftp accounts, going to change their passwords too.

Anyway I'll recheck my own security too. Thanks!

[redwhiteandblue]

Quote:

Originally Posted by klinton

Clean your PC, trust me... !

I had the same situation

it gets your ftp pass and then reupload infected files

Yep, I'm pretty sure I had the same. It was happening on two different servers even after changing the passwords but after I scanned my PC with Kaspersky a couple of times it stopped.

[bigalownz]

change your ftp passwords asap and then change them evey week or so

[Robo]

...and if you want to resolve the problem for some time, chmod your index.html or index.php to 444 (no writing possible, but also for the owner).
When you'll update your index files you'll need to delete them first (or chmod again), but also any virus will not have way to come to to index files.
If your site is updated automatic, it can be a problem.

[harvey]

I posted the solution here, check it out. We cleaned 3 PC and everybody that asked for help could clean it with no problem and the fucking thing never got back. Lots of steps, but well, you gotta do it