Hidden iFrames = Hidden Demons!
Setting the Scene
Following an extended period of disuse, I recently returned to one of my domains to completely overhaul and update it. Everything was as I'd left it except for a line of text at the top of the page that read:
you must pay for this crypt
A quick search proved that I'd been hacked and that this was malware. I don't know how long it had been there or how much damage this simple line of text had or could cause, but I certainly knew that I needed it gone. Now.
I connected immediately through my FTP program and deleted all my files. Naively assuming that the issue had been solved, I created a new two-page website and uploaded my files.
Checking it on various computers and browsers, the website looked great. I went back later that day to do some tweaking and was a bit surprised to see that only my background image remained. Everything else was missing. The table, my title image, my Adsense ad, my text, everything gone.
Again, naively assuming that I'd made a mistake, I uploaded my files again and completed the tweaks that I'd intended.
The following morning, I checked in again and my website again had only the background image. I knew then that this was not my mistake. Someone or something had access to my website.
First Attempt at a Fix
Googling about the script or the symptoms brought few helpful results.
My next step was to change my passwords, starting with my FTP password and then my login password for my webspace provider account.
When that did not solve the issue, I called my webspace provider for assistance: five calls in total, followed by an email to their technical support people and finally to their security team. They were unhelpful, only reporting that no other IP address had uploaded to my webspace and that the issue was likely to be code-related and as such, out of their remit.
Then I started seeing a flash of my background image followed quickly by a redirect to a website I'd never heard of.
My webspace provider had sent me a form letter email where they mentioned Code Injection and Remote File Inclusion but neither seemed exactly what I was going through and they were not interested in any further help.
The Offending Code
A Shining Light on a Dark Day
I sent a message to a friend who I knew was web-savvy and who had worked in the web design field. He showed suitable sympathy and gave me a few suggestions of where to look for the answer.
Doing as I was told, I Googled "hidden iframes" and landed here. This fantastic fellow then led me to the root of my problem and ultimately got me my website back. I must remember to send My Hero a big, fat cyber kiss!
My Hero's steps for removing hidden iframes
- Change your FTP password.
- Keep the password secure by not clicking on 'save password'. Taking the time to type it in every time you want to access the webspace means that it will be difficult for hackers to steal it.
- If you can, do not use the FTP protocol. Instead, try to use the more secure SFTP or FTPS.
Finding these four malicious files and not saving my password has allowed me to regain control of my website.
It's a fabulous feeling!
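As an added example (not code from the original hub or from the friend the author credits), here is a small Python script that scans an HTML page for the kind of invisible iframe described above, flagging frames hidden by inline style or sized to a pixel or less. The sample page and the domain names in it are constructed for the demonstration.

```python
"""Flag <iframe> tags that a visitor cannot see but the browser still loads."""
import re
from html.parser import HTMLParser

# CSS that keeps a frame out of sight while its src is still fetched.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): v for k, v in attrs})


def dimension(attrs, name):
    """Width or height in pixels, from inline style or the attribute; None if absent."""
    m = re.search(rf"\b{name}\s*:\s*(\d+)", attrs.get("style") or "", re.I)
    if not m:
        m = re.match(r"\s*(\d+)", attrs.get(name) or "")
    return int(m.group(1)) if m else None


def find_hidden_iframes(html):
    """Return [{'src': ..., 'reasons': [...]}] for each iframe that is effectively invisible."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        if HIDDEN_CSS.search(attrs.get("style") or ""):
            reasons.append("hidden by inline style")
        w, h = dimension(attrs, "width"), dimension(attrs, "height")
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append(f"{w}x{h} pixel frame")
        if reasons:
            findings.append({"src": attrs.get("src"), "reasons": reasons})
    return findings


# Constructed sample page: one legitimate embed and two injected frames.
SAMPLE_HTML = """<html><body background="bg.jpg">
<h1>My Site</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<iframe src="http://malware.example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="http://redirect.example.invalid/" style="position:absolute;left:-5000px;width:1px;height:1px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run it against a downloaded copy of index.htm (or default.htm) after each upload; a clean page returns an empty list, so any hit is a sign the file was altered after you saved it.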
UPDATE: A few weeks later...
I've had another attack on my website since I wrote this hub. The symptoms were identical to last time, causing me immense frustration.
Only my index.htm page was ever affected, and it got me thinking that the attacker's code was likely written to affect pages with that name, or close variations like index.html. So I deleted my index page and saved it again using the name default.htm, which a browser also recognizes as the front page of a website.
Two weeks later, my website is still up and running. Could it be that bozo cyber attackers have written code for a relentless onslaught and have omitted to include default.htm? I'll go with that assumption for now!