iFrame Injection Attack - Site hacked

iFrame injection attacks are not quite as common as they once were on the web, however, from time to time, they do still happen.  We were recently alerted to an iFrame injection by one of our users and in hunting down the cause for the attack, we found an article posted at http://forums.cpanel.net/showthread.php?t=78595

Due to how cPanel forums are configured, you would need to have an account with them in order to read the article, so I have trimmed down the fat and posted a summary of the post. 

All copyrights belong to the original poster and can be found in its original form at http://forums.cpanel.net/showthread.php?t=78595

""""" QUOTE """"" 
How does this hacking takes place:

This hacking does not takes place by any PHP application vulnerability nor any kernel bug nor apache bug nor cpanel or Plesk bug.

How it's done
The hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers infection site, where the person's computer will be injected and infected.  And so the cycle continues

Solution:

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

For individual person owning just a domain and not server:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will usually stop.  The only reason it wouldn't is if a keylogger is on your personal computer and sicne you change the password using the same computer, you just gave the passwords back to the hackers again.

Just changing password is not complete solution but is the first step.
Whats next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.

""""" END QUOTE """""

If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.

So there you have it - the shortened version of the post.  MOST iFrame injections happen due to keyloggers being loaded on computers and the owners of those computers not knowing there's one on there.  In almost every case that we have seen with regards to an exploited site the exploit has been linked to "live-counter.net".  If you notice this site on your HTML tags, you may have been compromised.

Anyone who has FTP access to the site, can you please verify that your computer is not infected with any sort of trojan or keylogger that might be sniffing passwords and sending them back to the attackers. Spyware Doctor is the only program that we've found out there that both looks for the virus, remove the virus and is FREE.  It is also handy for scanning for keyloggers. You can get the FREE Starter edition by going here:http://www.pctools.com/spyware-doctor/google_pack/

This will at least let you know if your computer is infected and will also allow you to scan and remove the code. It does not do constant monitoring (that's a paid version) but you can use this one to at least make sure you're running a clean site.

If you should find HTML code in your pages with the words "iframe" and you don't recognize it, please contact our support team at http://support.eicra.com for further help and allow us to research your site with you.