Curious if anyone else has had their site hacked lately with the following spam script injection. If so, please post your site info here so I can report it as a group of totally unrelated users.
The spam script is injected immediately following the tag on any file that contains the body tag. It is an image tag with id=frmchkldver and the src points to a Russian domain firewallmakeover [dot] ru that has some variables referring to the respective domain that was hacked.
I already do pretty much everything that Dreamhost refers to in their how to prevent hacking wiki and the canned response one gets when you report an instance of hacking. I have had sites hacked before and usually due to a vulnerability in an open source script that allowed the user to upload some sort of shell script. This time is different.
In the past few days I have had two sites hacked in exactly the same way that were on two different Dreamhost accounts (I work for various clients that I have referred to use Dreamhost). Here’s the conundrum: I am 110% sure that my local machine is secure (it has been scanned and re-scanned) and I generally do not use it other than to maintain these sites, I use SFTP, I am not using open source scripts on these sites, I could go on but let's just say I am security aware and as such every security hole I can think of has been plugged. Further, I cannot find any sort of shell script that would have given them access to upload stuff.
I think there must be some sort of server vulnerability. Dreamhost has told me they have not had any other reports of sites hacked like this that would suggest a server vulnerability. I just get the standard reply that there is nothing we can do because there are a zillion ways a site can be hacked and it is usually due to some vulnerability you left open, oh and have a nice day. I get it but I am at a loss for plugging the hole these hackers crawled through.
I have probably 15-20 clients using Dreamhost because of my recommendation and now two have been hacked in the same way within 3 days. Is it time to move them all to another hosting company that answers a phone?
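
Added example, not part of the original post: a Python scan of a site tree for the injected image tag described above, matching on the two indicators the post gives (the id `frmchkldver` and the host in the `src`), reporting each affected file's modification time and offering a byte-exact removal of the tag. The extension list, function names and sample page are assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the post: the injected tag's id and the host in its src.
MARKER_ID = b"frmchkldver"
MARKER_HOST = b"firewallmakeover.ru"
WEB_EXTS = {".php", ".html", ".htm", ".tpl", ".inc"}  # assumed list of page types
IMG_TAG = re.compile(rb"<img\b[^>]*>", re.IGNORECASE)

def is_injected(tag: bytes) -> bool:
    low = tag.lower()
    return MARKER_ID in low or MARKER_HOST in low

def find_injections(data: bytes):
    """Return (byte offset, tag text) for every <img> carrying either indicator."""
    return [(m.start(), m.group(0).decode("latin-1"))
            for m in IMG_TAG.finditer(data) if is_injected(m.group(0))]

def strip_injections(data: bytes) -> bytes:
    """Remove only the flagged tags; every other byte is left as it was."""
    return IMG_TAG.sub(lambda m: b"" if is_injected(m.group(0)) else m.group(0), data)

def scan_tree(root):
    """Map each affected file under root to its hits and modification time."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXTS:
            hits = find_injections(path.read_bytes())
            if hits:
                report[str(path)] = {"mtime": path.stat().st_mtime, "hits": hits}
    return report

# Constructed sample page; the query string is made up for this example.
SAMPLE = (b'<html><body><img id="frmchkldver" width="1" height="1" '
          b'src="http://firewallmakeover.ru/?d=example.com">'
          b'<img src="/logo.png"><p>Hello</p></body></html>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.php").write_bytes(SAMPLE)
        Path(root, "clean.html").write_bytes(b"<body><img src='/a.png'></body>")
        for name, info in scan_tree(root).items():
            print(name, info["mtime"], info["hits"])
```

The modification times in the report give a window to compare against SFTP, FTP and HTTP access logs for the account, which is where the entry point is most likely to show up when no uploaded shell can be found.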