Site hacked -- iframes inserted


#1

All of my domains had an iframe injected into the code for each page. I’m trying to use ssh and the sed command to replace all occurrences of the iframe, but it appears that I need to do this one directory at a time. Right now I’m using:

sed -i 's/<iframe.*iframe>//' *.html

Is there a way to make this happen recursively for the entire domain and all sub-directories?

This is the second time this has happened in the last few months, and it’s getting real old.

Thanks, Tim


#2

find . -name '[filepattern]' -exec sed -i '[replace_string]' {} \;



#3

I ended up using:

perl -pi -e 's/<iframe.*iframe>//' $(find . | grep .html)

where:

perl -pi -e 's/[text to search for]/[replace with]/' $(find . | grep .html)

I did need to search and replace in html, shtml, and php by replacing the last bit as appropriate. Seemed to work great.


#4

Same has happened to me today, although I actually used the restore function from the “Manage Domains” area to fix. Your command could be improved though by using find . -name "*.html" … With mine, actually only index.html and index.php scripts were affected, and as I caught it quite quickly I could find the files that had been modified in the last 24 hours by using find . -ctime 0

I’m a bit worried if this seems to be a regular thing though. The worst thing is that my main site is now flagged by Google as an attack site and Firefox users get a massive warning with every page hit. That’s how I found out I had been hacked :(
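
A recursive version of the cleanup discussed in this thread, as an added example that is not from any of the posters: it lists recently changed files, finds the html, shtml and php files containing an iframe, copies each one to a backup directory, and strips the markup. The function names, the backup directory argument, and the assumption that the injected iframe is lowercase, sits on one line and contains no nested tags are all assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread.
# Assumption: the injected markup is a lowercase, single-line
# <iframe ...>...</iframe> with no tags nested inside it.

# [^>]* and [^<]* cannot run past the first closing tag, so content that
# sits between two iframes on the same line is kept. The thread's
# <iframe.*iframe> is greedy and would delete that content too.
IFRAME_RE='<iframe[^>]*>[^<]*</iframe>'

# Triage: files under $1 whose status changed in the last 24 hours
# (the -ctime 0 check from post #4).
recently_changed() {
  find "$1" -type f -ctime 0
}

# List every .html/.shtml/.php file under $1 that contains an iframe.
list_iframe_files() {
  find "$1" -type f \( -name '*.html' -o -name '*.shtml' -o -name '*.php' \) \
    -exec grep -lE "$IFRAME_RE" {} +
}

# Strip iframes from every listed file under $1. A copy of each infected
# file is first saved under $2 (same path below it) as evidence and as a
# way to undo. $2 must lie outside $1. Prints the number of files cleaned.
# File names containing newlines are not supported.
clean_iframes() {
  list_iframe_files "$1" | {
    count=0
    while IFS= read -r f; do
      mkdir -p "$2/$(dirname "$f")"
      cp -p "$f" "$2/$f"
      # Rewrite the original from the saved copy; redirecting into the
      # existing file keeps its owner and permissions.
      sed -E "s#${IFRAME_RE}##g" "$2/$f" > "$f"
      count=$((count + 1))
    done
    echo "$count"
  }
}
```

Keep the backup directory outside the web root so the saved copies of `.php` files are never served as plain text.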