They say in the internet world that everyone is touched by a hacker at least once, especially if your website is becoming more visible. Such might well be the case, as GemGfx had its first experience with hackers on August 17th, approximately a week and a half ago.
It all started when we received an email from one of our customers that his site was delivering an error when visitors tried to log on. On examining the source code, we discovered there was a hidden iframe in the page's HTML that was causing the page to return an error. While attempting to fix this, we noticed that the hidden iframe appeared on some of our websites as well. We then had to halt all operations, clean up this code and follow several security protocols to ensure that we arrested this situation and cleaned it up. Up to seven (7) of our websites were affected. Apparently this iframe was some sort of viral attack and it was spreading.
While doing some research on the subject we found out that the phenomenon is referred to as an IFrame Injection Attack. It apparently affected all the landing pages on each website, in each folder. The iframe code looked like this:
[Image: IFrame Injection Code used by hackers]
It caused many of the website pages to return an error, and also caused a few of our websites to receive a malware warning from Google. Well, the obvious questions would be:
1. How did the iframes get into our website pages?
2. How do we stop and recover from the Iframe Injection Attack?
3. How do we clean up the infected sites?
4. Have our rankings in Google been affected by the attack?
1. How did the iframes get into our web pages?
Speaking to the folks at Hostgator, with whom we’re hosted, we were told that there are two main ways this type of attack takes place.
A. Server was compromised.
A worm of some kind accessed the server that hosts our sites and infected the landing pages of those sites with the iframe. Quite a few hosting companies use shared servers to host multiple websites, so it is possible that a worm, through any number of possibilities, made its way onto the server and proceeded to infect the sites hosted on it.
B. Local FTP client was infected
The other main possibility is infection through the client-side FTP program. Many website owners use a local FTP client such as FileZilla to manage their websites. The Trojan or worm infects the local machine, then attaches itself to the user's FTP program and harvests the usernames and passwords stored in the FTP client. Once it has done that, it can connect to your website using your FTP credentials, or it piggybacks on your FTP connection the next time you connect with your client, and gains access to your website that way. In our case, it is most likely that when we accessed our client's website via FTP, the worm infected our FTP client as well and was able to access our sites from then on.
2. How do we stop and recover from the Iframe Injection Attack?
We needed to do several things in order to arrest the iframe attack and begin the process of recovery.
a. The first thing we did was immediately change the passwords on all our FTP accounts. This ensured that the password used to access the websites would no longer be valid and, in theory, made the sites inaccessible to the worm.
b. Secondly, we had to make an emergency call to Hostgator and notify them of the attack, because we are on shared servers and other websites could have been affected.
c. We always keep backups of our website files, so we replaced all the files on the server with our backup files, which were clean because they were backed up before the infection appeared.
d. We used powerful antivirus software to scan all our local machines and ensured that they were clean. We use the paid version of AVG, Malwarebytes' Anti-Malware and SuperAntiSpyware.
3. How do we clean up the infected sites?
We replaced the infected files with clean ones. We are also lucky to have a host such as Hostgator, whose team assisted us in cleaning all our websites. Another way it could have been approached was to download all the files, search them for the harmful code, remove it, and re-upload the files.
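The two cleanup approaches above (restoring from a known-clean backup in step c, and downloading the files and searching them for the injected code) can both be checked with a small script. The following is an added example written for this post, not GemGfx's or Hostgator's own tooling. It hashes every file in a clean backup, reports which live files were modified, added or removed relative to it, and then scans web files for iframes that are hidden from visitors (zero width or height, or CSS display:none / visibility:hidden). The site contents, the placeholder URL and the dropped x.php file are all constructed for the demonstration; the hidden-iframe pattern is an assumption about how such injected frames are usually disguised and should be extended with whatever the actual injected tag looked like.

```python
"""Find tampered web files and hidden iframes. Added example, not the post's own code."""
import hashlib
import re
import tempfile
from pathlib import Path

# Attributes that make an iframe invisible to visitors: zero size or CSS hiding.
# Assumption: injected frames are disguised this way; a normal visible embed
# (e.g. a 560x315 video frame) must not match.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE | re.DOTALL,
)
WEB_EXTENSIONS = {".html", ".htm", ".php", ".js"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative POSIX path) under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_backup(backup_root: Path, live_root: Path) -> dict:
    """Compare a known-clean backup with the live tree: modified, added and missing files."""
    clean, live = build_manifest(backup_root), build_manifest(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def find_hidden_iframes(html: str) -> list:
    """Return every iframe opening tag that is hidden from the visitor."""
    return [m.group(0) for m in HIDDEN_IFRAME_RE.finditer(html)]


def scan_tree(root: Path) -> dict:
    """Return {relative path: [hidden iframe tags]} for every web file containing one."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
            found = find_hidden_iframes(p.read_text(errors="replace"))
            if found:
                hits[p.relative_to(root).as_posix()] = found
    return hits


# Constructed sample content (not from the real incident).
CLEAN_INDEX = ('<html><body><h1>Sample site</h1>'
               '<iframe src="/video.html" width="560" height="315"></iframe></body></html>')
CLEAN_ABOUT = "<html><body><p>About us</p></body></html>"
INJECTED = ('<iframe src="http://placeholder.invalid/x" width="0" height="0" '
            'style="display:none"></iframe>')


def build_sample_site(root: Path) -> None:
    """Write a two-page constructed site under root."""
    (root / "about").mkdir(parents=True)
    (root / "index.html").write_text(CLEAN_INDEX)
    (root / "about" / "index.html").write_text(CLEAN_ABOUT)


def demo():
    """Build a clean backup and a tampered live copy, then run both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp) / "backup", Path(tmp) / "live"
        build_sample_site(backup)
        build_sample_site(live)
        # Simulate the injection: a hidden iframe appended to every landing page,
        # plus one dropped file that has no counterpart in the backup.
        for page in live.rglob("index.html"):
            page.write_text(page.read_text() + INJECTED)
        (live / "about" / "x.php").write_text("<?php /* constructed placeholder */ ?>")
        return diff_against_backup(backup, live), scan_tree(live)


if __name__ == "__main__":
    changes, hits = demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    for path, tags in hits.items():
        print(f"hidden iframe in {path}: {tags}")
```

Run against a real site by pointing diff_against_backup at the downloaded backup and the freshly downloaded live tree; files listed under "added" deserve as much attention as the modified ones, since a restore-from-backup only overwrites files that existed before and leaves anything the attacker dropped in place.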
4. Have our rankings in Google been affected by the attack?
With one of our sites in particular, GlobalMicaiah.org, we received a Malware Warning from Google when trying to visit the site. This is because at the time when the page was still infected, Google's bots crawled the site and found the malicious code. After cleaning up the code, the next time the Google bots passed by, we were back on track. The key to this particular issue is timing. The quicker we got rid of the malicious code, the less our ranking was affected. If we had delayed, the situation would have been quite different.
All in all, while it was a learning experience, I must say that it was extremely inconvenient and caused many delays in our workflow, not to mention unprecedented levels of frustration. We are grateful to our understanding clients who were very patient with us as we got the issue sorted out.
As to where the worm came from, Hostgator showed us IP addresses from Romania and Eastern Europe. But hackers know how to mask their IPs, so this cannot be stated with certainty. We have since increased our website security by introducing a few protocols that include not storing our passwords on any PC or in any FTP program, as well as changing these passwords every month. Whatever the purpose behind these hacker efforts, it is something that we really could have done without. Nevertheless we will take it as one of the many challenges we face as GemGfx seeks to be more visible as the premier provider of High Quality Graphic Design and Web Design Outsourcing both in Trinidad and Tobago and on the world wide web.
Till next time
Admin
GemGfx.com