OT: computers again - hacking question

I'd be grateful for any thoughts on this. If someone puts "Bert Coules" (with or without the quotes) into Google, my website [link] normally comes up as the second search result, after my Wikipedia entry. That is still the case, but today, wanting to find some comments I'd made online about a US TV show, I entered Bert Coules Elementary and the result was surprising. The first result is headed:

forest, gingko petrified forest, gilwell park epping forest, Bert Coules...

and the second and third are similar. Clicking on any one of them brings up a single page from my site, stripped of its images and with its internal links all disabled. There's also a long list of seemingly random words (mostly involving forests) added at the foot of the page together with a few links which lead back to variations of the same page. The URL is mine, but with added elements at the end:

[link]

(please don't click on this, I don't know what if anything might be lurking there hidden)

What's going on?

Many thanks.

Reply to
Bert Coules

Don't know, but Avast is complaining about "iframe-inf" when trying to visit your site.

Reply to
Lee

If you didn't put that text there, and you haven't asked anyone to put that text there, then someone has gained access to your website and added that for themselves.

Suggest you revisit the password(s) that you use to update / edit the website (e.g. ftp password, hosting passwords etc) and revert the pages to the backup that you have (you do have one, don't you?!).

Very odd spam to have added, can't see the value for anyone.

Matt

Reply to
larkim

I suggest you have words with your web designer and hosting service and get him/them to rip down the offending pages. Looks like your server has a vulnerability and a script has cloned your content plus some long tail of gibberish (mostly forests of one sort or another).

Most of the junk seems to be called nnn.php

Hope this helps.

Reply to
Martin Brown

Well I did,

Someone has created a directory (or abused one that already existed)

Click on this [link] - it's safe and you will see a random bunch of PHP scripts all with the same date: All do similar things.

You have been hacked, and that's PROBABLY because you are using some framework that you don't fully understand and log into with a rather weak password.

I could sort it out for you but I would want money for it :-) Oh. Your main site is just .htm pages. There should be no need to run PHP at all.

Ok due to the crass nature of whoever did this it was possible to download a PHP script (all of them can be) and all it is is a copy of your site's HTML with a load of garbage added.

Unless the directory bertc is yours I'd simply delete it and its contents and change your passwords

Reply to
The Natural Philosopher

Looks like someone has guessed or brute-forced the password to your webhost (or got in through a PHP vulnerability) and appended lots of advert keywords to your page(s), can you change the password of the site and upload a fresh copy, and probably get in touch with your webhosting company to make sure they keep the software patched?

I see there's a Google verification link in there, is that yours, or something they've added too?

Reply to
Andy Burns

Yep - there's a 1-pixel IFRAME with a link to [link] which currently is not returning anything to "wget" - though it is quite likely user-agent sensitive and I strongly suspect it will dump malware on any PC running certain versions of Windows and IE that visit it (seen this trick before).

Bert - your site's been hacked and you are possibly causing others to pick up infection. I'll look some more, 3G permitting (on train).

If you can get to look at the files on the website, I bet you will find they have recent modification times. Your host appears to be running CentOS and Apache 2.0.52

The php file looks like it's just a bunch of link words to feed Google - maybe to get more hits to your site.

The server seems to have a number of unexpected ports open eg MySQL - are you expecting this?

Tim

Reply to
Tim Watts
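The signs described in the replies above (PHP scripts in a site that is otherwise just .htm pages, a 1-pixel IFRAME, recent modification times) can be checked on a downloaded copy of the site. This is an added example, not part of any poster's message; the function names, the 30-day window, the sample file names and the example.invalid URL are assumptions made for illustration.

```python
import os, re, time
from html.parser import HTMLParser
from pathlib import Path

TINY = re.compile(r"[01](px)?")  # width/height attribute of 0 or 1 pixel
HIDING_CSS = re.compile(r"display:none|visibility:hidden|(?<![-\w])(width|height):[01](px)?(;|$)")

class HiddenIframes(HTMLParser):
    """Collect the src of every <iframe> sized or styled to be invisible."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        tiny = any(TINY.fullmatch(a.get(d, "").lower()) for d in ("width", "height"))
        css = a.get("style", "").replace(" ", "").lower()
        if tiny or HIDING_CSS.search(css):
            self.srcs.append(a.get("src", ""))

def audit_site(root, recent_days=30):
    """Return sorted (relative path, reason) findings for a copy of a static-HTML site."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        if ext in (".php", ".phtml"):  # a hand-written .htm site should contain none
            findings.append((rel, "server-side script in a static site"))
        if ext in (".htm", ".html"):
            parser = HiddenIframes()
            parser.feed(path.read_text(encoding="utf-8", errors="replace"))
            findings += [(rel, "hidden iframe -> " + s) for s in parser.srcs]
        if time.time() - path.stat().st_mtime < recent_days * 86400:
            findings.append((rel, "recently modified"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: clean old page, injected page, stray script."""
    root = Path(root)
    (root / "bertc").mkdir()
    pages = {"index.htm": "<p>Home</p>",
             "radio.htm": '<p>Radio</p><iframe src="http://example.invalid/x" width="1" height="1"></iframe>',
             "bertc/001.php": "<?php /* constructed placeholder */ ?>"}
    for rel, body in pages.items():
        (root / rel).write_text(body, encoding="utf-8")
    old = time.time() - 400 * 86400
    os.utime(root / "index.htm", (old, old))  # only index.htm predates the window
```

Run `audit_site()` against a local mirror of the site rather than the live server; FTP downloads often reset modification times, so compare dates on the host itself where possible.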

Thanks for all the speedy replies. Since my original post I've discovered that added /bertc/ subdirectory for myself and taken a look at the 250(!) files that lurk within it. And of course I tried to delete them - but couldn't: FileZilla just threw up a whole load of Permission Denied error messages.

So I phoned customer support for my domain hosts (Easily) and they can't delete the files and directory either.

As it happens, the site is on an old platform which is about to be removed anyway, so they've upgraded me to the new one and I'll re-upload the whole site.

As someone said, it's a curious hack - what's the point of it?

Bert

Reply to
Bert Coules

Malware - what's the point, ever? Unless it is farming new recruits for a botnet - they are very profitable.

If Easily cannot delete the files as root (assumption) - perhaps someone's been clever and set the immutable bit?

lsattr

will show that. Even root cannot delete the file - though root can use chattr to reset the flag.

???

Reply to
Tim Watts

It looks like someone has hacked your website and added a page on there. Can you access your website via FTP or whatever method you use to update it and see if the file forest... exists in a bertc sub-directory? If yes, then change the password immediately, contact the ISP and ask if they can help secure your site.

It IS also possible to lovingly craft text which at first glance appears to be your site but actually isn't, but this doesn't seem to be one of those cases.

Paul DS.

Reply to
Paul D Smith

And if the provider is not aware of such, I'd be worried.

Reply to
fred

Well there are some nutters around. There probably was a reason for their mates at least.

Brian

Reply to
Brian Gaff

Some sort of link spam or search engine optimisation? Though I can't quite see how it would work.

Reply to
djc

ISTR telling Bert he had a problem with his site last year.

I did not google Bert, I sent him a MCB for his garage CU and Bert gave me the link to his web site (a very nice and polite bloke who seemed surprised I would just post a free MCB to a regular poster) and Avast did not like his site last year.

Come on Bert. Pull your finger out:-) I might take you up on that offer you made me if I can see your site.

Reply to
ARW

So would I.

Reply to
The Natural Philosopher

You'd be very welcome. As it happens I've been meaning for ages to update and generally revamp the site: this will probably be just the nudge I needed actually to do it. The old site was written from scratch on a word processor, with all the html coding entered by hand: that was possibly the cause of the various access errors. This time I suppose I'll use a proper website compiler of some sort which ought to solve (or at least minimise) the faults. But it might take a bit of time.

Bert

Reply to
Bert Coules

Use html/css templates and standard javascript libraries by all means, but I'd still pick a decent text editor over some WYSIWYG "web studio".

[link] includes a decent handful to start you off.

Reply to
Andy Burns

Andy, that's interesting, thanks. I've no experience or knowledge of the WYSIWYG programs; I simply assumed that they were OK. Why do you recommend more basic alternatives?

Thanks for the link. I'll take a look.

Bert

Reply to
Bert Coules

Reply to
The Natural Philosopher

Because 'clever' editors either produce messy HTML, or stitch you into their way of doing everything (or both).

Reply to
Andy Burns
