Topic: Somebody implemented an iframe in my index.php

max.cady
Somebody implemented an iframe in my index.php
« on: March 07, 2006, 08:25:28 PM »
Today I noticed a little black dot at the upper left corner of my website.
When I looked at the source code I detected an iframe
<iframe src="http://*****/dl/adv711.php" width=1 height=1></iframe>

It was implemented on top of my index.php.

The file was altered yesterday night.

I have now changed my ftp and server password. Is there anything else I should do?

How can this happen?
« Last Edit: March 08, 2006, 01:44:53 AM by V@no »

IcEcReaM
Re: Somebody implemented an iframe in my index.php
« Reply #1 on: March 07, 2006, 09:42:26 PM »
Do you have access to your logs?
So maybe you can check how this came about.
Coding is an everlasting competition between programmers who try to write larger, better and idiot-safe programs and the universe producing larger and stupider idiots...
...so far the universe won

max.cady
Re: Somebody implemented an iframe in my index.php
« Reply #2 on: March 07, 2006, 09:59:12 PM »
I am afraid my site was hacked. They implemented a page ibbh.htm which looks this way:



and there is another php file xml-rss.php included that has a hacker script implemented, "c99shell.php"

I never had such an xml-rss.php file on my server.

I had some strange occurrences the last days such as the mouse moving on my pc screen
until I removed the station for my wireless mouse and keyboard and replaced them with
usb devices.

Do you think it is possible to hack a computer through wireless keyboard and mouse?

trez
Re: Somebody implemented an iframe in my index.php
« Reply #3 on: March 08, 2006, 12:03:00 AM »
Quote
Do you think it is possible to hack a computer through wireless keyboard and mouse?

NO ;) it's not possible. My guess is that someone has used a backdoor to your personal computer and gained access to the server password that way (using a keylogger, etc.)
Do you have updated antivirus software installed on your system (at home)?


V@no
Re: Somebody implemented an iframe in my index.php
« Reply #4 on: March 08, 2006, 01:46:16 AM »
Ok, the link you showed leads to a page with an "Exploit.WMF" virus. Perhaps you visited a page with that exploit once and your computer got infected...hope you have an antivirus....
(For security reasons I've removed the link from your post. And by the way, that page seems to have been removed from that site anyway...)
So, that's one explanation of what happened.
Secondly, did you apply all the security patches for your version of 4images?
And finally, as IcEcReaM suggested, look in your server's access logs; from there you might be able to trace where it came from.
Your first three "must do" before you ask a question:
Please do not PM me asking for help unless you've been specifically asked to do so. Such PMs will be deleted without answer. (forum rule #6)
Extension for Firefox/Thunderbird: Master Password+    Back/Forward History Tweaks (restartless)    Cookies Manager+    Fit Images (restartless for Thunderbird)

comicart
Re: Somebody implemented an iframe in my index.php
« Reply #5 on: March 08, 2006, 03:19:46 AM »
Looks familiar. I can almost guarantee you are hosting by Interland. Am I right?

max.cady
Re: Somebody implemented an iframe in my index.php
« Reply #6 on: March 08, 2006, 07:05:39 AM »
Thanks all for the advice. Yes, I have AVG antivirus installed. Actually I ran
several antivirus and anti-spy and anti-malware programs (such as hijackthis,
a-square, ad-aware ..) when my mouse started wandering on my pc screen and
typing something in the browser search even when I was offline.
Although especially a-square found several suspect objects, those occurrences
stopped only when I removed my wireless keyboard and mouse.

My site is still running with the 'old' 4images version without the security
patches since I planned to organise it completely new with the 1.7.2 version.

Anyway ... until I am ready to launch the new site I will implement the other
security patches first.

comicart .. no, my hoster is "1&1 Internet".

I did a google search for "Iranian Boys Black Hat" ... seem to be professional
hackers who even have a database where they proudly list all of their hack
successes (3526 hacks so far) and whether it was a homepage defacement,
a mass defacement or even a redefacement ... guess I am lucky that they
'only' implemented a virus in my site but didn't delete it.
This is their database
http://www.zone-h.org/defacements/filter/filter_defacer=IRANIAN%20BOYS%20BLACK%20HAT

Thanks again! boy ... that was a shock yesterday!  :mrgreen:


max.cady
Re: Somebody implemented an iframe in my index.php
« Reply #7 on: March 08, 2006, 08:18:10 AM »
I just noticed I had a handful of new users the days before the site was hacked (all with @mail.ru email addresses)
who added some jpg-files which obviously were not images. There isn't even an upload button
on my page since I had removed it from my template from the beginning.

The files were xml-rss.jpg, nst.jpg, n57sh.jpg, r57.jpg, shell.jpg, r57_2.jpg, r57shell.jpg, r57_3.jpg and rst.jpg

I noticed them accidentally when I checked new images in all categories and 9 thumbnails
appeared with no preview-image.

I have deleted all of them and the users as well.

Could it be that xml-rss.jpg created the xml-rss.php file?

I do not have any other files with the other jpg file names though.


max.cady
Re: Somebody implemented an iframe in my index.php
« Reply #8 on: March 08, 2006, 08:48:14 AM »
And these are the logs in the timeframe when the hack took place:

Mon, 06 Mar 2006 - 03:48:14   239-2.201-68.swfla.res.rr.com   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322)
Mon, 06 Mar 2006 - 03:59:20   doc-209-33-22-147.shin.wv.cebridge.net   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mon, 06 Mar 2006 - 04:08:10   cpe-69-133-23-83.cinci.res.rr.com   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Doesn't help much, does it?

V@no
Re: Somebody implemented an iframe in my index.php
« Reply #9 on: March 08, 2006, 02:28:04 PM »
The jpg images seem to have used the latest security hole discovery...and yes, they could have created new files on your server using that hole...

IcEcReaM
Re: Somebody implemented an iframe in my index.php
« Reply #10 on: March 08, 2006, 05:49:16 PM »
@max.cady:

Then it's important for you
to search for any files which are not from 4images;
this could be a backdoor file.

Running without all the security fixes integrated is always an issue.
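The check IcEcReaM describes above (find files that are not from 4images), as an added example that is not code from any poster or from the 4images project: it walks a web root, compares non-image files against a list of paths from a clean install, flags image-named uploads that are not images or contain PHP, and flags a hidden 1x1 iframe like the one reported in index.php. The `known_files` manifest, the `data/media/1/` path and all sample file contents are constructed assumptions.

```python
import os, re, tempfile

TINY_IFRAME = re.compile(rb'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?[01]\b[^>]*>', re.I)
PHP_TAG = re.compile(rb'<\?php', re.I)
IMAGE_EXT = {'.jpg', '.jpeg', '.gif', '.png'}
IMAGE_MAGIC = (b'\xff\xd8\xff', b'GIF87a', b'GIF89a', b'\x89PNG\r\n\x1a\n')

def scan_webroot(root, known_files):
    """Return sorted (path, reason) findings; known_files lists a clean install's paths."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            with open(full, 'rb') as fh:
                data = fh.read(1 << 20)  # the first 1 MiB is enough for these checks
            if os.path.splitext(name)[1].lower() in IMAGE_EXT:
                # Uploaded media is not in the manifest, so judge it by content.
                if not data.startswith(IMAGE_MAGIC):
                    findings.append((rel, 'image extension without image header'))
                if PHP_TAG.search(data):
                    findings.append((rel, 'PHP code in image file'))
            else:
                if rel not in known_files:
                    findings.append((rel, 'not in clean install'))
                if TINY_IFRAME.search(data):
                    findings.append((rel, 'hidden 1x1 iframe'))
    return sorted(findings)

def demo():
    sample = {  # constructed files; names echo the thread, contents are harmless
        'index.php': b'<iframe src="http://example.invalid/x.php" width=1 height=1></iframe>\n<?php // gallery ?>',
        'search.php': b'<?php // untouched application file ?>',
        'xml-rss.php': b'<?php // placeholder for the unknown file ?>',
        'data/media/1/r57.jpg': b'<?php // placeholder, not an image ?>',
        'data/media/1/photo.jpg': b'\xff\xd8\xff\xe0' + b'\x00' * 32,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split('/'))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'wb') as fh:
                fh.write(body)
        return scan_webroot(root, known_files={'index.php', 'search.php'})

if __name__ == '__main__':
    for rel, reason in demo():
        print(f'{rel}: {reason}')
```

A file that is in the manifest can still have been modified, as index.php was here, so a comparison of file hashes against the clean copy is the natural next step after this listing.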

max.cady
Re: Somebody implemented an iframe in my index.php
« Reply #11 on: March 08, 2006, 08:33:37 PM »
Have implemented the security fixes ... feel much better now  :mrgreen:

Thanks all, will update to 4.7.2 as soon as I have implemented all mods
The hackers informed my internet provider who again sent me a reminder
to fix the security holes.