Again, Iframe Injection Attacks

By | 13 September 2009

Often, especially this year, a hacked website isn’t the result of some vulnerability in the website at all. It’s the result of a virus on a PC with FTP access to the website.

The virus steals the FTP login credentials and sends them to a server, which then carries out the process of injecting the malscripts into the website. It then monitors the website to see if anyone removes the code. If the injected code is removed, it tries to re-infect the website, possibly with a different malscript.

We’ve seen forums where these FTP login credentials are bought and sold. So once someone infects a website, they can then sell the FTP credentials so that others can infect the website as well.

The hackers do this to make money. They get paid an affiliate commission for every PC they install certain software on. By infecting websites that then infect PCs they get paid.

You probably won’t find any viruses on the website that Google has blacklisted. However, you will find a virus on a PC with FTP access to the website.

What you have to do is use a different anti-virus program from the one currently installed. The reason for this is that the virus knows how to evade detection by the currently installed anti-virus program.

Many have had good luck with AVG, Avast, Avira or Malwarebytes. If you’re already using one of these, use one of the other ones listed. It has to be different from what’s currently being used.

Scan and clean all PCs with FTP access to the website. Then change all FTP passwords to the website, clean the code, re-upload to the website and then request a review (not a reconsideration) from Google Webmaster Tools.

This should get you clean.
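To help with the "clean the code" step, the following added example (not part of the original post) scans a local copy of the site for hidden iframes that load from a host other than your own. The hiding heuristic (zero or one pixel size, `display:none`, `visibility:hidden`), the function names, the file extensions and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Assumed heuristic: an injected iframe is hidden and loads from a foreign host.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = {"0", "1", "0px", "1px"}
EXTENSIONS = {".html", ".htm", ".php", ".tpl"}

class IframeFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.hits = []  # (line number, iframe src)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative URLs
        external = host is not None and host not in self.own_hosts
        hidden = (a.get("width", "").lower() in TINY
                  or a.get("height", "").lower() in TINY
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if external and hidden:
            self.hits.append((self.getpos()[0], a["src"]))

def scan_text(text, own_hosts):
    finder = IframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root, own_hosts):
    """Scan a local copy of the site; returns (path, line, src) tuples."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")
            found += [(str(path), ln, src) for ln, src in scan_text(text, own_hosts)]
    return found

# Constructed sample page: one legitimate embed, one hidden foreign iframe appended.
SAMPLE = """<html><body>
<iframe src="https://www.example.com/map" width="600" height="400"></iframe>
</body></html>
<iframe src="http://malscript.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
"""
```

Iframes written out by injected JavaScript are not parsed as tags, so this check does not see them; comparing the files against a known-clean copy of the site covers that case.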

Feel free to get in touch with us, in case of any queries or doubts.

Related post: http://www.webhostingtalk.com/showpost.php?p=6374202&postcount=6
