PDA

View Full Version : Was My Server Hacked??


JMusic
02-08-2004, 04:00 PM
Some of the pages on my site suddenly had this code under the body tag:

<IFRAME SRC="http://www.forced-action.com/" WIDTH=1 HEIGHT=1></IFRAME>

I didn't add it there, and no one else has access to the main FTP account [that can access each subdivision of the website] except me. The files that include this code in them were all updated around 7am on 2/5/04

I figured it was a site that would download some type of virus to people's computers, but it turned out to be a porn site........ does anyone know how this could have happened or what I can do to prevent it? I've never heard of anything like this before, and the only site I can find on google related to it is http://translate.google.com/translate?hl=en&sl=de&u=http://www.alltagsgrauen.de/&prev=/search%3Fq%3D%2522forced-action.com%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8 (which is translated from German to English and I don't understand)

Do I have reason to worry, or it is possible that someone simply got the FTP information and is playing a prank on me?

fixed part of the explanation to make it more understandable

TN Todd
02-08-2004, 04:12 PM
It does appear to be an attack to help increase forced actions link popularity.

I would definitly change passwords and use something random.

James
02-08-2004, 04:16 PM
Yes, it appears to me that your server was hacked. A google search turns up that it's a |) 1 r t y site. My guess is that due to them having it open in just a 1 px frame, that it just means that they're trying to cheat their sponsors.

Most likely they're trying to get impressions on banner ads, or are trying to have a bad popup opening overtop of your site to give themselves some indecent money at the expense of your name.

JMusic
02-08-2004, 04:33 PM
Is there some type of script I can upload to my server that will find all the instances of <IFRAME SRC="http://www.forced-action.com/" WIDTH=1 HEIGHT=1></IFRAME> and remove them? Or do I have to manually go through in FTP and download every file that includes that, remove it, and reupload the file?

TN Todd
02-08-2004, 04:37 PM
Why not just reload everything from your harddrive? The code shouldn't be there.

Of course make sure it wasn't your computer that was hacked and you loaded without your knowledge.

JMusic
02-08-2004, 04:42 PM
My site is made up of about 25 sections, each with a seperate webmaster. I only have the main section (that I control) saved on my computer.

TN Todd
02-08-2004, 04:48 PM
I can't get to the site in your signature, page can't be displayed.

How do you know one of the other webmasters didn't do it?

Can you just contact the other webmasters and have them check their harddrives and relaod their sections?

JMusic
02-08-2004, 04:54 PM
The other webmasters only have access to one subdomain each (their ftp accounts can't access the entire server).

I could have each of them remove that code from their sites, but until everyone did so, forced-action.com would be getting lots of visitors for free and adding popups to pages on my site.

James
02-08-2004, 05:04 PM
I don't think that I've heard of a spider that would be able to do the task required. But, I do believe you should contact a lawyer about seeking proper reimbursment of costs to your name, and your business.

TN Todd
02-08-2004, 05:12 PM
Unfortunetly the only thing a lawyer will be able to do is send you a bill. The site appears to have russian associations. You will never get a dime from them.

James
02-08-2004, 06:53 PM
Well, you can atleast change your password, and see what other security measures you can take.