Hi there,

recently, my website has been the victim of an (apparent) xss attack.

However, from what I gather about XSS, you need to have either PHP or Javascript on a page in order to execute an attack on it.

There has been some javascript appearing on my pages which redirects to other pages; some being spyware websites. However, on my index.html, which I use to redirect to my forums, the only code in the whole page is this:

<meta http-equiv="refresh"content="0;URL=/forums/index.php">

Is it possible to execute an XSS Attack on this? Some how they are sticking javascript onto that page.. the page has no exploitable things on it.. it is just a meta refresh bringing you to my forums homepage.

I have password protected my index.html with .htaccess, however the attacks keep coming and malicious javascript keeps getting injected into index.html.

Is this an XSS attack or something different? If so, what would it be?

The same code has also been injected into virtually every index.php and index.html I have on my server, mostly in directories which nobody even knows about - something I thought was only achievable by having server access.

If all your index.* files are affected, then it is most likely done by a script installed on your server. If you are on a ahsred server, it might even be running from a different account on the same server if the security is not setup correct for the server.

Please contact your host.

That is exactly what it was. After some fighting and them telling me it was an XSS attack multiple times, they finally (apparently) have fixed it. Ironic, because their support website was also affected by this issue.

This is what they told me (They said "Dear Blair".. I've got no clue who Blair is.):

Dear Blair,

We have investigated the root cause of the issue and it is a type of iframe hacking from an Serbian IP which got into one of the customised php scripts of one of the clients and then got FTP access of domains and modified the pages.

We have removed that script and the banned the IP and process of removing that hacked script from the domains in under process.

We have also added some strong mod_security and firewall rules to prevent this .


Please feel free to contact us back in case of any other information.


Please feel free to contact us back in case of any other information.


Regards,

Alan

their support website was also affected by this issue.

Look for a new host.

I was thinking about that.. however, what put me off was the great deals that this host has. I get 500gb of diskspace, unmetered bandwidth, etc, all for a very, very, reasonable price. My site uses about 35gb of bandwidth per month, however we expect our traffic to rise somewhat in the next few weeks when we partner with a large company.

Do you know of anything comparable to what we have now?

lol, you're not paying enough to get that much.

I pay for a dedicated server and don't even get 500gb of storage.

How do you know how much we pay? :\

Are you paying more than 300 dollars a month for that shared hosting account?

Nope; we're not, and I agree - their plans are unrealistic.

We don't use 500gb of disk space anyway and I highly doubt we ever will - we only use about 400mb, if that.

Can anyone recommend me a better host? Our website is not nearly large enough for a dedicated server; perhaps a VPS? I'm not even sure we're big enough for that :P

as the saying goes ...
"You get what you pay for."

next attack - you will loose everything ...
protect yourself and get a new host now

I'm in the process of looking for a new host as we speak.

Please see this thread: https://vborg.vbsupport.ru/showthread.php?t=162819

The host is www.3ix.org in case anybody cares.

Ever since this incident their support has been very pissy towards me whenever I use support.