Solution to iFrame and Javascript attack

Malware logo Crystal 128.

Here’s a solution to iFrame and Javascript attack for those who’s having problem with it. I got this guide from my Hosting Provider. Take this seriously as the attack will spread malwares like wildfire for people browsing your blog or website. Google will ban and block such blog or website. All the hard work and time spent on your blog or website will go down the drain in an instant if that happens.

It’s not just your blog or website, it will affected your PC as well. It can make a mess of everything totally.

Blog or website owners will be locked out from accessing and  loose control over their own blog or website. If your blog or website have been compromised, you can read the solutions here. If you’re unaware of this, this will be a good start to learn how to deal with this kind of attack.

Solution:

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this hack will stop.

For Blog or Website Owners:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will stop.

You must have removed the code numerous times and it comes back again:  Change the FTP password first.

Changing password is not a complete solution but is the first step to stop the main access to the hackers. Next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

  1. Change the FTP or root password of server
  2. Scan your pc using antivirus / antispyware / antikeylogger

*Clean format the PC will be your last resort

Take care in the future, you dont visit any of the virus links made by this hack. Also to keep your password secure I would suggest you to use any password manager software if your having problem remembering long and complicated passwords.

How does this hacking takes place:

This hacking does not takes place by any PHP application vulnerability nor any kernel bug nor Apache bug nor CPanel or Plesk bug. Those accounts files are affected whose FTP logins are leaked.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER!

How It’s Done

This is one sophisticated operation and since the infection cycle is involved but basically, the hackers are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of it being compromised) and loading them with expensive hacking tools like Mpack.

When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hackers and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers will use a program that goes to the persons site and instantly adds the hidden ‘iframe’ or ‘encrypted javascript’ codes to every index type page (index.html, index.php, etc). This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set will make no difference.

After they put the iframe code into that person’s pages, anyone visiting that site will be redirected to the hackers infection site, where the person’s computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands.

Please, don’t think you can depend solely on your antivirus software to protect your computer. It is more than likely won’t help you. For $1000 dollars, the Russian hacking bulletin boards are offering MPack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. So, keep your virus program updated, but don’t depend on it completely!

This way the hack is spreading fast from one computer to another computer, broadcasting the passwords to hackers. During my research in this, I even found some of the password files collected by the hacking method on some of the hacked server, where they pass this password file to thier tool to add the code. In some cases, Google bots picks this files and you can even find the login details of FTP accounts and Server root login details in Google.

Leave a Reply