iframe injection
 

Hello,

this is the follow-up question to this thread. My webserver became a shameful victim of an iframe injection. Now - what to do? Does anyone know?

First find out and list the files the i-frame problem is located in. Then you can clean up the i-frames (depending on what's used a 'sed' one-liner may do) but note these redirections are the symptom, not the cause, so "cleaning up" without addressing the core problem may see them return soon after.

The real problem is PHPKIT (or plugins or bad configuration or it being hosted on a shared host and then some). When you look at the page source you'll see "PHPKIT WCMS - Web Content Managment System - mxbyte GbR copyright 2002-2009". Unless that's an oversight on the developers part that means it's running an old version. PHPKIT seems to have (had?) somewhat of a history of vulnerabilities (CVE oddly enough doesn't show any entries after 2008 while I definitely can find them) so the first thing would be to decide if the owner still wants to run PHPKIT. If so then upgrading to 1.6.6 (also see this) is a given. Else you simply have to find another capable CMS (real soon now).

I am not known to the world of CMS's, can you recommend a good and safe one? Also, I am not confident with the support results I became from the provider, which is www.artatis.de - can you recommend a good filehoster too?

I think your post just explained all my problems better than I was able to find out before. Thank you so much!

Me neither. My first question would be: does the site really need a CMS? Put differently: if there's only a small part of the site that actually needs to be updated dynamically then focus on getting a solution for that. Anything that can be rendered statically once may become less of a target for this type of i-frame tricks. If you're going to want another CMS you'll have to do some research but I'd say basically any CMS that has shown they fix vulnerabilities fast, has a large user base and has a current, maintained version, in short: "the major brands". From that shortlist pare down those with features you don't want or need and those that have requirements you can't fulfill.


While I haven't researched it too exhaustively I see Artatis resides inside the Hetzner network and anyone who watches attack and traffic reports knows Hetzner doesn't spell much good: see for example this or this report (they'll load slowly due to the amount of entries). Note this in no way implies "big names" like 1&1, Godaddy or Rackspace are free from sins.


I can't. Ultimately it's a cash question. Well-known consumer organizations, local (as in language) fora or your local LUG (Linux User Group) should provide you with a good starting point asking for experiences.


You're welcome.