iframe issue [edited]

Sonikempire · #1 04-22-2008, 10:13 PM

Is anyone else experiencing issues with their sites on gator109. All of my pages have a suspect iframe code in it and they all redirect to a site.

security is working on it, hopefully they can restore it.

This sucks.

Sonikempire · #2 04-23-2008, 12:11 AM

Talked to security@hostgator.com, and they can't save the files. They scanned and cleaned like 11,000 files but the site still redirects to a malicious site.

They can't restore it to a previous backup because of some large inode.
What am i left here with?

1. Move to another host and start fresh?
2. Stay here and start fresh?
3. Kill myself and not deal with this headache?

Whoever can help, the existing ticket number is FFM-2596687.

You guys had harder problems in the past, please try to restore my site. I put years of work into it, please!

jimbug · #3 04-23-2008, 12:36 AM

1. Could you describe the problem exactly.
____a. One or more lines added to your files.
____b. The hacker has overwritten lines or just added to the file?
2. Give an example, something that shows the hack.
3. What file types affected (php, html, etc.).
4. Do you have shell access?

striddy · #4 04-23-2008, 02:51 AM

Quote:

Originally Posted by Sonikempire

They can't restore it to a previous backup

Do you not have current backups (plural) of your own?

***GatorFord*** · #5 04-23-2008, 03:22 AM

This appears to be just one particular account that was defaced. Not the whole server. Our security department is working with you at this time.

This is almost always due to :

1. Out of date scripts.
2. Insecure passwords.
3. Improper storage of passwords.
4. Trojans/keyloggers on your machine.
5. Sharing passwords with a "webmaster" or other developer who may want to use your account for rogue purposes.

Regardless, our Security department will get this handled for you. Please just update the ticket if you have any further questions or concerns and your peers here in the forums can also help you.

Keep in mind that if you need to fully roll back to NAS backups you can fill out the form at http://hostgator.com/restore.php

Although, if it is restored, and they were able to deface it originally, it will likely happen again unless you take some proactive steps to prevent it.

Sonikempire · #6 04-23-2008, 07:23 AM

Every file (html, php) other than images, videos, etc are have an iframe script in them. The site currently is still redirecting to the malicious site, and possibly trying to install malware.

I'm thinking that the problem was the /gallery because cpanel didn't let me update it, and manual update would always give me errors.

As for the backup, the $15 is not a problem, but to what date will it be restored? Right before the problem happened? or weeks/months earlier?

Thanks

jacci · #7 04-23-2008, 08:15 AM

I got done too and i am on gator418. Moving host is not the answer i beleive, as i got done with the same kind of iframe insertion on my old host as well.

My old host told me bad luck boo hooo. Hostgator helped me clean files i missed as well as showed me how to increase security so that seomthing like this is harder to happen again. They had been really wonderful, and about 100 times more helpful than my last host.

Hacking is part of life on the net (sad reality that that is) and it is always a nightmare. Lucky i am a backup demon so it was just a matter of reupload for me.

I would have to commend the hostgator support for their help when this same thing happened to me, the iframe was inserted into every php and html file on the site

Sonikempire · #8 04-23-2008, 10:09 AM

They are working on it. Hopefully they will be able to restore it.

***GatorFord*** · #9 04-23-2008, 10:54 AM

In the case of a hacked or defaced page the restoration process from our NAS server will be free (the 15$ fee) will be waived.

I'm notifying our upper tier security admins on this to further assist you guys. Thanks again for your patience.

jonel · #10 04-23-2008, 10:58 AM

Quote:

Originally Posted by jacci

Lucky i am a backup demon so it was just a matter of reupload for me.

I also wanted to create some backups, but I don't know how to do it. I have my site running in database. I try one time to backup my entire site, I think I made a success on it but to restore the site in database is another thing. My question is, how to create backups that are easy to restore?

jacci · #11 04-23-2008, 11:07 AM

I use phpmyadmin and export my databases, saving them on my hardrive. I usually do this every 2 days or so, (every day when I am being good).

To restore them, i just drop whatever is my corrupted database, leaving it empty and then run the import command to upload the backup. It is easy as. Got abuout 10 databases for forums, guestbooks, efiction, galleries and wikis and never have any trouble restoring them using that procedure.

I also do a site dump every month or so using the backup home directory in the cpanel.

I am new to hostgator and i notice that that backup aslo has a facility to do the databases too, although i am still doing manually as i know the restore procedure through myphpadmin works without me having to modify anything. don't know about the other one yet

#12 04-23-2008, 01:38 PM

I've taken a look at/cleaned both accounts. If you see outstanding issues, let me know and I'll take care of it. Thanks.

Sonikempire · #13 04-23-2008, 09:59 PM

Great job on restoring the site.

There were a few things that i messed up, while cleaning the the code by myself.

So i had to request a NAS restore. I was told that the site will be restored to 4-20-2008.

Thanks to all Hostgator staff, especially Ford and Jamyn.

Hostgator rocks!

striddy · #14 04-23-2008, 10:17 PM

Quote:

Originally Posted by jonel

I have my site running in database. I try one time to backup my entire site, I think I made a success on it but to restore the site in database is another thing. My question is, how to create backups that are easy to restore?

What system or CMS, etc is the site running under? e.g. wordpress, drupal, joomla, etc?

If you provide some info on that I'm sure someone here will provide you with an answer.

Tsunami · #15 04-25-2008, 05:45 PM

Same issue here on gator378. This is the second time in 2 days. It affected my root domain & subdomains, injecting the code into the main index files (index.php, default.html etc) but doesn't seem to go any deeper in the directory structure, i.e. it doesn't hit the index file in a Wordpress theme.

@ jimbug - It adds adds the line of code to the page and downloads the JS/Psyme.QM virus.

I also have another account on Hostgator, which at this time, has not been infected but that maybe because it is on a different server and / or is still on PHP 4.4.4 (not 5.2.5 as the other account is running).

Thankfully, I have the files locally so its just a case of overwriting the server versions. It is an annoyance we could all do without... bad for visitor confidence. However, it isnt just Hostgator hit by this, I have seen others suffer the same issue.

Be great to find a solution...