
Reticularium

NETWORKS PLACE

Looking through the job alerts [1] I receive by email from oDesk, I often see requests like this one:

Some malicious user infected all htm and php files on our server with an iframe at the end of each file. I need to remove it from all files.

Requests like this make me think that some webmasters don't understand how this kind of infection works.

It wasn't some malicious user who infected your files. It was you!

So, here is how it works (or at least how it worked in every case I have had to deal with).

You or your developers use FTP to upload edited files. At least one of the computers connecting to the server over FTP runs Windows and is infected with a trojan. The trojan harvests the FTP password (FTP sends the username and password in cleartext, and most FTP clients also keep saved passwords on disk) and hands it to a botnet. A botnet is a network of other infected desktops controlled by, well, some malicious person, but not your user. That person has probably never even looked at your website. Every computer in the botnet can now download any file from your server, append an iframe to it and upload it back. They do this again and again, not only because you keep removing the iframes, but also because the iframe has to point at a URL that is still serving the attacker's payload, and those URLs are rotated often. So simply removing the iframes will not help: as long as the botnet still has a working password, the files will be reinfected.

What you can do.

I am not going to insist that you or your developers switch to a different operating system (though some of my clients have made their developers do exactly that). I personally don't believe there is such a thing as an uninfected Windows computer connected to the Internet, but many people do. So if you are one of them, you may rely on antivirus software to find and remove the trojan. Then change the FTP passwords, remove the injected iframes from your website and watch whether they reappear. Change the passwords only after the developer's machine is clean; otherwise the new password is harvested just like the old one.

A better approach is to disable FTP access to your server altogether and upload files over SFTP or SCP instead. Maybe trojans will learn to recognise those too, but I haven't seen such trojans so far. Keep in mind that SFTP with password authentication still leaves a password on the developer's machine for a trojan to steal; what it removes is the cleartext login on the wire. Key-based authentication with a passphrase-protected key is the stronger choice. If you can't or don't want to disable FTP, there is another good option: restrict FTP access to the IP addresses you actually need to connect from. This blocks the botnet's computers, but a trojan running on a developer's computer can still connect from that computer's allowed address.

Of course, you can apply all three measures at once, together with a script that searches for and removes injected iframes every five minutes, and this combination is probably the best you can do. Treat the script as a safety net rather than a fix: if the same iframe keeps coming back, the password is still in the botnet's hands.
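To make the "script that removes injected iframes" concrete, here is an added example in Python. It is not the blog author's script. It assumes the injection looks the way the post describes: a hidden (zero-sized or display:none) iframe appended after the page content of .htm, .html and .php files. It deliberately leaves visible iframes, and anything in the middle of a page, alone, so a legitimate video embed is not stripped. The domain names in the comments and test data are constructed for the example.

```python
"""Scan a web root for hidden iframes appended to the end of .htm/.html/.php
files, strip them, and report the iframe targets so repeat infections show up.
Illustrative example written for this article, not the author's own script."""
import os
import re
import sys
from datetime import datetime

TARGET_EXT = {".htm", ".html", ".php"}

# An iframe counts as "hidden" when it is zero-sized or styled invisible; the
# injected ones are, since the visitor must not notice them. Leading whitespace
# is part of the match so the removal leaves no blank line behind.
HIDDEN_IFRAME_RE = re.compile(
    r'\s*<iframe\b[^>]*?'
    r'(?:width\s*=\s*["\']?0|height\s*=\s*["\']?0|width\s*:\s*0|height\s*:\s*0'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)'
    r'[^>]*>.*?</iframe>',
    re.IGNORECASE | re.DOTALL,
)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# The only things that may legitimately follow the page content: closing
# </body> and </html> tags and whitespace.
TAIL_NOISE_RE = re.compile(r'(?:\s|</body\s*>|</html\s*>)*', re.IGNORECASE)


def is_at_file_end(text, pos):
    """True when nothing but whitespace and closing tags follows pos."""
    return TAIL_NOISE_RE.fullmatch(text, pos) is not None


def clean_text(text):
    """Return (cleaned_text, removed_srcs).

    Only hidden iframes sitting at the end of the document are removed. A hidden
    iframe in the middle of a page is suspicious but is not the injection
    pattern handled here, so it is left for a human to look at."""
    removed = []
    matches = list(HIDDEN_IFRAME_RE.finditer(text))
    # Walk backwards: removing a later match keeps earlier offsets valid, and
    # stacked injections (one per botnet pass) get peeled off one by one.
    for m in reversed(matches):
        if not is_at_file_end(text, m.end()):
            continue
        src = SRC_RE.search(m.group(0))
        removed.append(src.group(1) if src else "(no src)")
        text = text[:m.start()] + text[m.end():]
    removed.reverse()
    return text, removed


def clean_file(path, dry_run=False):
    """Clean one file in place; returns the list of removed iframe targets."""
    # latin-1 round-trips every byte unchanged, so non-UTF-8 pages survive.
    with open(path, "r", encoding="latin-1", newline="") as fh:
        original = fh.read()
    cleaned, removed = clean_text(original)
    if removed and not dry_run:
        with open(path, "w", encoding="latin-1", newline="") as fh:
            fh.write(cleaned)
    return removed


def clean_tree(root, dry_run=False):
    """Walk root and clean every target file; returns {path: removed_srcs}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXT:
                path = os.path.join(dirpath, name)
                removed = clean_file(path, dry_run)
                if removed:
                    report[path] = removed
    return report


if __name__ == "__main__":
    # Usage: python3 clean_iframes.py /path/to/webroot  (path is an assumption)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    for path, srcs in sorted(clean_tree(root).items()):
        # One log line per cleaned file. The same src showing up run after run
        # means the FTP password is still in the botnet's hands.
        print(f"{stamp} cleaned {path}: {', '.join(srcs)}")
```

Run it from cron every five minutes with the web root as argument and append its output to a log file. The log is the useful part: a target URL that reappears after every run tells you the cleanup is only buying time and the credentials (or the developer's machine) still need fixing.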

[1] Note for my current employer: I am not looking for a job, I am just curious enough to take a look now and then :)
