This year, websitefiles were modified by making a FTP connection towards the hosting or server and adding malicious code within the webserver’s default documents (index.html, index.php, index.asp, default.html,…). As a hosting provider we were very annoyed with this situation because we couldn’t figure out the cause of these hacks at first.
Within normal circumstances we check the logfiles of the webserver (if present) and in 95% of the cases we are able to find the specific cause but now we weren’t able to find any information. We could only notice that every website that was hacked had iFrames which contained redirects towards websites ending with the .cn extension.

Until we stumbeled upon the website www.unmaskparasites.com… this website has detailed information about this specific issue and we gained more information on the cause of this new trend. Apparently a virus, present on your computer, makes use of a known vulnerability in adobe acrobat reader to retrieve the FTP credentials of your hosting or server and this virus uses these credentials to connect, without you knowing, and modify your default website files.

The injection of iFrames was just one way to hack websites because a few weeks ago another method gained popularity: Meta Redirects. The same virus that abuses the adobe acrobat reader vulnerability gains access to the hosting or server and uploads a PHP script. This script is then used to abuse security flaws of the system-software (PHP, Apache, Linux,…) so that visitors of a website are ridirected towards webistes such as goscanpark.com, goscansome.com, and many others that look like correct antivirus websites.

If you notice one of these kinds of abuse on your website(s) you should follow the next steps to prevent this issue from escalating:

• Scan your computer with anti-virus and anti-spyware tools.
• Once these scans have cleaned your computer you should modify the FTP-password(s) of your website(s).
• Remove the malicious code (iFrames) and malicious scrpts. You can erase the current files and replace them with a recent clean backup.
• Contact your hostingprovider or server administrator so they can do a double-check of your hosting or server. This suggestion is very important because some cases are known where scripts are running under a “crontab” (or other) user and these can be identified by the hosting provider.

You can find more information about these kind of issues on the pages:

• http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/
• http://blog.unmaskparasites.com/2009/07/23/goscanpark-13-facts-about-malicious-server-wide-meta-redirects/

I hope this information was helpfull.