  1. #586
    Member
    Join Date
    Mar 2002
    Posts
    297

    Default

    Quote Originally Posted by EEKdood View Post
    I just wanted to jump in and add my statistics to the thread. I run 8 cpanel/whm servers located in three datacenters in the US. Instances of this hack were applied to 6 of my servers on the mornings of July 2 and 3.

    After discovering the initial hacked site on the 4th, I was able to locate infected files using the following command:

    Code:
    # grep -rl "<script>check_content()</script>" /home/*
    That snippet was the only consistent code I could find in the hacked files (located at the end of the modified line).

    After I gathered the list of files across the 6 servers, the only consistent finding was that it only infected .htm, .html, and .php files. Sometimes every file inside that user's directory, sometimes only a few, and always at least a couple of files from the webalizer and webalizerftp folders. The code was found on the last line of the file and the attacker did not seem to be creating new lines, just appending to what was there.

    The attack was made through FTP, one account at a time, using the account's password. No brute force was detected.

    We have since modified passwords and sanitized the files. I've been running the grep daily and no more infected files have been found.

    My theory: Trojan/rootkit/keylogger-type virus on a user's PC simply gathering ftp credentials. I did have a few clients call in the few weeks prior asking why their anti-virus software said they had a Trojan-horse.
    Don't want to be a ____, but have you thought about the common thread among all 6 of the servers?
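    As an added example (not code posted by anyone in this thread), a small POSIX sh scanner for the two traces described above: the check_content() marker EEKdood grepped for, and an iframe appended to the final line of .htm/.html/.php files. The web root, hostnames and sample files are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread: scan a web root for the
# two traces described above.  All paths and sample files below are constructed.
#
#   1. the literal "<script>check_content()</script>" marker EEKdood grepped for
#   2. an <iframe ...> tag sitting on the LAST line of an .htm/.html/.php file,
#      the placement the posts report for the FTP-delivered modifications
#
# Output: one line per suspect file, "<reason><TAB><path>", sorted.

scan_webroot() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.htm' -o -name '*.html' -o -name '*.php' \) |
    while IFS= read -r f; do
        # Reason 1: the fixed marker anywhere in the file (-F literal, -i any case)
        if grep -qiF '<script>check_content()</script>' "$f"; then
            printf 'check_content\t%s\n' "$f"
            continue
        fi
        # Reason 2: only the final line is checked, so a legitimate iframe
        # embedded in the body of a page is not reported
        if tail -n 1 "$f" | grep -qi '<iframe[^>]*>'; then
            printf 'iframe-lastline\t%s\n' "$f"
        fi
    done | sort
}

# Number of suspect files under a web root (handy for a daily cron mail).
count_suspects() {
    scan_webroot "$1" | wc -l | tr -d ' '
}

# Build a small constructed web root that exercises both reasons plus two
# files that must NOT be reported.
make_sample_webroot() {
    d="$(mktemp -d)"
    mkdir -p "$d/public_html/webalizer"
    # clean page
    printf '<html><body>clean page</body></html>\n' > "$d/public_html/index.html"
    # legitimate iframe in the middle of the page: not flagged
    printf '<html>\n<iframe src="/player"></iframe>\n<p>footer</p>\n</html>\n' \
        > "$d/public_html/embed.html"
    # marker appended to the last line, no trailing newline (as the thread describes)
    printf '<?php include "site.php"; ?><script>check_content()</script>' \
        > "$d/public_html/index.php"
    # hidden iframe appended to a webalizer report (bad.example is a constructed host)
    printf '<html><body>usage stats</body></html><iframe src="http://bad.example/x" width=0 height=0></iframe>\n' \
        > "$d/public_html/webalizer/usage.html"
    # wrong extension: skipped by the find filter
    printf 'note: <iframe> appears here\n' > "$d/public_html/notes.txt"
    echo "$d"
}

# Stand-alone run: build the sample tree, report, clean up.
sample="$(make_sample_webroot)"
scan_webroot "$sample"
echo "suspect files: $(count_suspects "$sample")"
rm -rf "$sample"
```

    Point scan_webroot at a real account directory (for example /home/user/public_html) to get the same report for live data.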

  2. #587
    Member
    Join Date
    Jan 2007
    Posts
    8

    Default

    haha yes, forgot to mention that. Most of my accounts are referrals from a couple of web development companies. It's quite apparent that a good majority of the compromised accounts came from one of those companies. A few others were from the individual account owner. That's just deductive reasoning on my part, but it makes sense.

    My original intent was to add to the statistics to help anyone else suffering, not to expose the vulnerabilities in my business.

  3. #588
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Lightbulb

    It is clear from the still speculative comments on the recent <IFRAME> attacks that I need to bring everyone up to speed ...

    I am shocked looking at recent posts in this thread to see comments of FTP and server compromise talk and other speculative ideas still being posted with many administrators out there clearly still not knowing what is really going on!

    I have posted a great deal of information over the past several weeks but to give a somewhat abbreviated recap for those who may have missed it from the security advisories and articles I've published previously here and elsewhere:

    A hacking group operating out of China developed a virus in combination with a keylogging trojan that captures account logins and passwords on users' own home computers, also sniffs through files looking for certificates, and monitors how a user accesses their accounts (i.e. ftp, sftp, ssh, etc.), then reports all that information back indirectly via a proxy network and uses the captured hosting logins to update the victim's web files at their hosting account on their hosting provider's server.

    The captured information is then used by the hacking group to access the infected user's hosting accounts (and, if captured, bank accounts), and generally comes in 3 waves ...

    The first is an automated process which is actually part of the virus and makes its own connection to the victim's hosting account just to update the index files, adding the well-observed <IFRAME> links. This first access will generally originate from the client's own IP, as it is the virus infection on their own computer that initiated the login.

    The second wave will come from the Chinese hacking group, sometimes relayed through Russian or South American proxies to try to hide the original source location in China, using the recorded information from the victim's computer to log in. It will again update their web files but also drop scripts into the account, mainly to test and report possible vulnerabilities in the host's server for a later hacking attempt. Incidentally, the virus on the victim's computer can also act as a proxy relay and the hackers can also connect through the victim's own IP address, so blocking all IPs to the account except the client's own IP won't do any good while they are still infected, since the hackers can just use this connection.

    The third wave will come later as another connection trying to exploit what they learned and try to compromise the server via the user's account, which, as you now know, they have access to due to the account owner's home computer being infected with their information-gathering trojan.

    Some items to note:
    --------------------
    This attack does NOT involve the FTP server or any exploits on the server, and disabling your FTP service, changing to secure FTP only, or any of the other ideas I've seen posted around here will do **NOTHING** to help, because this is not how the hackers are gaining their information! In addition, I have witnessed this group using certificates to log in to SSH on servers where password authentication is turned off, so don't think that will help either.

    Even though there is no compromise to the server in regard to how the hackers are gaining access, and you can feel better about that much, you do need to be concerned, because if your server is not properly secured the hackers could try to compromise your server via security vulnerabilities that might be exploitable from within the infected client's hosting account, and it is a lot easier for a hacker to hack a server once already in the server than trying to gain access completely from the outside. Make sure your security is tight and no regular user has access to run system calls or do things that might otherwise harm the server.

    The first thing you should do when detecting a compromised account is either suspend the account or change the password on the account so that the account holder DOES NOT KNOW THEIR OWN PASSWORD! You should then contact the account holder and tell them that they are infected and have them run full scans with a good antivirus program **AND** a good trojan / spyware scanner with the latest updates. This should be done before handing over the new password to the user because as soon as they try to login, the hackers will immediately know their new password if their home computer is still infected!

    Right now the best trojan scanner I have seen and the only one that reliably detects the polymorphic trojan part of this would seem to be Spyware Doctor by PCtools but the latest updates to 'Spybot: Search and Destroy' look like they pick up some of the variants at least.

    I myself use a published replacement hosts file that may help limit exposure to infections by limiting connections to known infection source sites, other trojan sites, and advertising sites. If anyone is interested:

    http://forums.toadsociety.com/files/hosts.zip

    (The "hosts.txt" file should be renamed to "hosts" and placed at C:\windows\system32\drivers\etc\hosts, and the instructions say that if you use this file it would be a good idea to run "services.msc" and disable your "DNS Client" service, else you could slow down your computer.)

    Just a side mention to those blocking IPs, and to the nut job here who was talking about blocking darn near half the internet: you should know that country IPs are not necessarily sequential and you would block a whole lot of IPs from regular countries like the United States, for example! Blocking by IP address is stupid for this sort of thing, except for maybe the few you may have directly witnessed. If you want to block full countries then I recommend that you DO NOT block by IP address but rather use country matching technology like GEOIP from Maxmind!

    If you don't have GeoIP, it is fairly easy to add to your server and the following script will help:
    Code:
    #!/bin/bash
    IFS="$"
    
    cd /usr/local/src
    #######################################################
    #  Install the GeoIP C Library for the server         #
    #######################################################
    wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
    tar zxvf ./GeoIP-1.4.6.tar.gz
    
    if [ -e GeoIP-1.4.6 ]; then
       rm -f ./GeoIP-1.4.6.tar.gz
       cd GeoIP-1.4.6
       ./configure --prefix=/usr/local
       make
       make check
       make install
    fi
    
    cd /usr/local/src
    #######################################################
    #  Install the GeoIP module for Apache2               #
    #######################################################
    wget http://geolite.maxmind.com/download/geoip/api/mod_geoip/mod_geoip2_1.2.5.tar.gz
    tar zxvf ./mod_geoip2_1.2.5.tar.gz
    
    if [ -e mod_geoip2_1.2.5 ]; then
       rm -f ./mod_geoip2_1.2.5.tar.gz
       cd mod_geoip2_1.2.5
       /usr/local/apache/bin/apxs -i -a -L/usr/local/lib -I/usr/local/include -lGeoIP -c mod_geoip.c
    fi
    
    #######################################################
    #  Update the GeoIP database with the latest version  #
    #######################################################
    if [ -e /usr/local/share/GeoIP ]; then
      cd /usr/local/share/GeoIP
      rm -f ./GeoIP.dat
      wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
      gunzip ./GeoIP.dat.gz
    fi
    
    #End of Script
    Save the script on your server and set the permissions (chmod) to 700 and run the script and it should do most of the work of downloading GeoIP and installing it for you.

    You will then need to add the following to your Apache Configuration:
    (File location: /usr/local/apache/conf/httpd.conf)

    Add to the LoadModule section if it isn't already there:
    Code:
    LoadModule geoip_module modules/mod_geoip.so
    Add the following just before the <Directory "/"> line:
    Code:
    <IfModule mod_geoip.c>
        GeoIPEnable  On
        GeoIPDBFile  /usr/local/share/GeoIP/GeoIP.dat
    </IfModule>
    Save your httpd.conf file and then run the distiller script and restart Apache:
    Code:
    # /usr/local/cpanel/bin/apache_conf_distiller --update
    # service httpd restart
    You should now have GeoIP functioning on your server and, if all is well, you should now see new variables showing up in the phpinfo() screen on any site you host, including GEOIP_COUNTRY_CODE, which tells you the country of origin for any visitor to your server.

    You can use these new variables in any script, and you can actually set up .htaccess access commands using GeoIP instead of IP address ranges.

    For example, to block all connections from China, Russia, and Korea to a site:
    Code:
    <IfModule mod_geoip.c>
        SetEnvIf GEOIP_COUNTRY_CODE (CN|HK|RU|KR) BadCountry
    </IfModule>
    
    <Files *>
    Order Allow,Deny
    # With Order Allow,Deny at least one Allow must match or every request is
    # refused, so allow everyone first and then deny the flagged countries.
    Allow from all
    Deny from env=BadCountry
    </Files>
    This is extremely powerful and far better than trying to block by IP.

    There are 3rd party scripts and modules available (I have a few of them) that you can get to connect iptables and most firewall and security applications with GeoIP and have a complete solution managing TCP packets by Country as well without having to blindly target massive IP ranges which may or may not block what you are wanting to block specifically without unforeseen IP blocking collateral damage.

    Hopefully this post gives you a little better insight into what is happening and some ideas for protecting yourself.
    Last edited by Spiral; 07-22-2009 at 10:14 PM.

  4. #589
    Member
    Join Date
    Mar 2002
    Posts
    297

    Default

    Spiral

    How do you explain the servers where every account has been compromised? Even accounts that haven't been accessed in months, so no keylogger could have captured passwords that haven't been typed.

    The Filezilla admins deny that the plain text storage of account passwords in their application has played any role in these exploits, and they claim there is nothing wrong with plain text storage of passwords in an xml - they say the right security solution is to implement file level encryption. IMO a virus or malware harvesting passwords from applications like this would be one way to explain how entire servers get exploited.

    This kind of exploit has been going on for years. It appears that you are confident that it only happens one way. There may be one way that is common now, but having been casually watching this for years I doubt that there is one attack vector for these attacks.

  5. #590
    Member
    Join Date
    Feb 2003
    Posts
    191

    Default

    Quote Originally Posted by Silver_2000 View Post
    This kind of exploit has been going on for years. It appears that you are confident that it only happens one way. There may be one way that is common now but having been causally watching this for years I doubt that there is one attack vector for these attacks.
    What you are explaining is a different issue altogether and has nothing to do with the most recent events.

    What has happened recently - the "Gumblar" virus and related strains, is exactly as Spiral, myself, and others in this thread have explained it. I, and many other admins, have seen with our own eyes the same pattern. Customer logs in via FTP (for example), site files are then defaced via authenticated FTP login (for example), follow-up shows customer PC had been infected. Totally isolated to individual accounts, no evidence of server-wide exploitation. Clean-up customer PC, account and passwords... problem eliminated.

    There have certainly been other javascript/iframe exploits over the years, but that's not what has been discussed in this thread most recently.

  6. #591
    Member
    Join Date
    Mar 2004
    Posts
    859

    Default

    I concur. We have seen roughly a half dozen of these exact same issues since early June. On every occasion it (the iframe insert) was isolated to just a single account on the server. Plus the hosted member, and/or their webmaster had an infected PC.

    My thanks to Spiral for posting such an eloquent summary of this particular issue.

  7. #592
    Member
    Join Date
    Mar 2002
    Posts
    297

    Default

    Quote Originally Posted by HostIt View Post
    What you are explaining is a different issue altogether and has nothing to do with the most recent events.

    SNIP

    There have certainly been other javascript/iframe exploits over the years, but that's not what has been discussed in this thread most recently.
    Since the problem is old - the thread is 40 pages plus long - it makes sense to put comments in context.

    To be honest, the tone of some of the replies here makes me laugh inside.
    The "I'm the expert, my answer is the ONLY solution, everyone who thinks differently is an 'idiot'" tone is amusing.

    I'm not disagreeing that the details recently shared MAY be accurate for THOSE few incidents that have been seen directly. But the length of this thread is evidence that it's a bigger issue than one particular virus using one attack vector.

  8. #593
    Registered User
    Join Date
    Jul 2009
    Posts
    1

    Default

    Spiral's story could make sense.

    In our case, we got infected last Friday. We know the exact date because we visit our sites every day to ensure everything is OK. Unfortunately Media Temple (gs) provides no FTP log whatsoever.

    I thus searched a bit on the issue and what arose as the biggest problem was passwords. Incidentally, we changed the password while at work and we never got any problems after that. We also made sure to use an especially strong password, kind of like that: f72/$xSS"@^x0 instead of this: Gakyu738!
    Don't worry, those aren't real passwords.

    ALL of the infected sites had only their index.php edited. However, one site, which does have an index.php, wasn't infected. All other sites had WordPress, MODx and nothing at all, just a PHP redirect which got infected.

    Although I usually do editing on the Mac, I could have edited the site on my Windows computer Thursday, although I don't remember doing so, and I use Microsoft ForeFront, which is pretty solid. At work, we use Symantec Endpoint Protection, so there too, it's highly doubtful that we could have been infected without knowing. Besides, I don't go on bad sites, especially at work, so I'm really pondering where I could have got the virus.

    However, my other friend editing the site has a very dangerous computer because she uses MSN plus, that Windows Live Messenger add-on full of security holes. What's more, she almost never updates her computer and uses Internet Explorer, which means even her Windows is full of well exploited security holes just waiting to be updated. Yes, I've seen repeated attacks on her computer, it's almost constant, so it wouldn't be surprising if it came from there, despite the computer being protected by SEP11 (she never scans too, so that doesn't help).

    So yes, although Spiral's story wouldn't make sense if it was only my computers (which are kept up to date every day, protected by enterprise security suites (ForeFront) and completely manual firewalls (the only way to access is if a human confirms), and don't visit malicious sites or use dangerous software), it would absolutely do so on my friend's computer.

    Maybe you should check the computers of your site's other editors.

    Note: We consider the issue resolved, and are in the process of enforcing stronger security policy and banning products like MSN plus from our employees' computers at home.

    Other Note: We just switched from Media Temple to WebFaction shortly after the attack, in part because Media Temple's (gs) does not provide FTP logs, a major security issue.

    Edit: A very basic index.html also got infected.
    Last edited by Pacoup; 07-22-2009 at 04:37 PM. Reason: Edit, missed something

  9. #594
    BANNED
    Join Date
    Jun 2005
    Location
    Wild Wild West
    Posts
    2,025

    Post

    To Silver 2000:

    HostIt said it best above, explaining to you that what I and everyone else are discussing is specifically the most recent attacks happening right now, and contrary to your comments this has most certainly NOT been going on for years. Yes, there have been many <IFRAME> type attacks over the years, but none being done in the manner that is happening right now, and this is not only very unique and ingenious on the part of the hackers involved but shows a totally new type of threat emerging, which is the real topic of discussion; and once on a server, hackers can further try to exploit existing security vulnerabilities to compromise other accounts and / or gain root access.

    To Pacoup:

    Quote Originally Posted by Pacoup View Post
    Incidentally, we changed the password while at work and we never got any problems after that. We also made sure to use an especially strong password, kind of like that: f72/$xSS"@^x0 instead of this: Gakyu738!
    I am gathering from your post that you are on the home victim side of things versus being the hosting provider with the server?

    Yes, the first thing I would do, aside from scanning your system thoroughly using both virus and trojan / spyware scanners, would be to change your passwords with a strong password, so you did a good job there. I would recommend you also don't type your new password but rather use a screen keyboard to enter your password, such as what is optionally available on Windows for disabled users or from 3rd party sources. No guarantees, but that should make it a little bit more difficult for straight keyloggers to capture your new password.

    Quote Originally Posted by Pacoup
    ALL of the infected sites had only their index.php edited. However, one site, which does have an index.php, wasn't infected. All other sites had WordPress, MODx and nothing at all, just a PHP redirect which got infected.
    Sounds like you got hit by the stage I attack, which is actually performed directly by the virus on your home computer and targets only the "index" files on your account, most likely because the additional logic coding required to seek out other files would substantially increase the size of the virus core, so the first attack is automated and only targets your index files.

    However, your password information is also transmitted elsewhere so that the original hackers can take more action later if your password wasn't changed between the first and second attacks.

    Quote Originally Posted by Pacoup
    Although I usually do editing on the Mac, I could have edited the site on my Windows computer Thursday, although I don't remember doing so, and I use Microsoft ForeFront, which is pretty solid. At work, we use Symantec Endpoint Protection, so there too, it's highly doubtful that we could have been infected without knowing. Besides, I don't go on bad sites, especially at work, so I'm really pondering where I could have got the virus.
    There is a Java based component to how the infection is performed but I do not have enough specific reverse engineer information yet as to say whether this virus would be viable or effective on a Mac or not. I do know for certain however that you are safe if you are running Unix or Linux presently.

    As for "how" you got infected, it is NOT NECESSARY to go to "bad" sites per se, as the victims are turned into source points of infection. The primary reason they are actually putting IFRAME modifications into your site is to create more places to get people's computers infected, turning them into infected source distribution points. Sites that would normally be safe are suddenly made questionable if the owner gets infected.

    The implementation is actually quite ingenious because, from what we have determined, you don't need to download or execute any program like you would with most, and it's delivered to your computer in several pieces that each seem harmless by themselves as far as we can tell, but together set up the core for the keylogging trojan hacking virus, whatever you want to call it. Actually I would probably put it into its own new classification.

    A few of us have managed to get hold of a couple of pieces, ripped them apart for study and tried to reverse engineer as much as possible, but from there there seems to be enough, with its polymorphic engine and the way it is implemented, to suggest more if not many more variants out there with different signatures, so I am not certain whether or not the current methods of detecting will be sufficient. I personally am working on trying to develop scripts and programs to help server administrators watch out for and lock down accounts that might be infected, and the rest of the security industry is of course focused on removing the infections from home computers, so hopefully with all that going on this form of attack will have a very short life and have a stop put to it very quickly.

    Quote Originally Posted by Pacoup
    However, my other friend editing the site has a very dangerous computer because she uses MSN plus, that Windows Live Messenger add-on full of security holes. What's more, she almost never updates her computer and uses Internet Explorer, which means even her Windows is full of well exploited security holes just waiting to be updated. Yes, I've seen repeated attacks on her computer, it's almost constant, so it wouldn't be surprising if it came from there, despite the computer being protected by SEP11 (she never scans too, so that doesn't help).
    That is just asking for very serious trouble!

    However, I fully understand her position, and yours, as I am well aware that not everyone out there is all that much into computers or understand security aspects all that well but that doesn't mean the problem can be ignored either.

    I would avoid doing any website work from your friend's computer as this seems to be the primary interest of this particular group of hackers.

    I would install updated virus protection, a good trojan scanner, and a good firewall. In your friend's case, I would recommend "Norton 360" because it is designed to stand more in the background, aimed more at users who don't understand what is going on, but deals with many issues on its own. It is not as configurable or robust as some, but then doesn't give all the alerts and warnings or complicated setup that may just serve to confuse people like your friend, such that they might otherwise become frustrated and ignore having security altogether, which is something you would want to avoid.

    Setup "automatic updates" for your friend's computer so at least they'll get high priority updates regularly and don't have to remember or know how to do it on their own themselves.

    If you or your friend need any help, the company listed in my signature will give you a hand and if I am available, I can try to give you a few pointers as well to help you secure your friend's computer a little bit better.

    Quote Originally Posted by Pacoup
    So yes, although Spiral's story wouldn't make sense if it was only of my computers (which are kept up to date every day, protected by enterprise security suites (ForeFront), completely manual firewalls (the only way to access is if a human confirms) and don't visit malicious sites or use dangerous software), it would absolutely do so on my friend's computer.
    Something you should also consider is that you are likely more active on the internet than your friend and thus more prone to infection. Even though you may have better overall security, that does not make you immune. Another consideration is that most viruses out there now specifically target popular virus and firewall programs and modify those programs so as not to let them detect the virus on the system. Running your firewall manually is indeed a good idea, and I would also password protect the menus as well (a common feature in most current security applications), but even doing these things cannot guarantee those applications won't be circumvented; it is definitely a big step in the right direction though.

    A common misconception is that you have to visit known hacker, porn, or spammer type sites or other "bad" sites to get infected but that is simply not the case and you are more likely to get infected from some old grandma's blog out there or even major popular commercial sites you might trust and use everyday as each of these might be compromised and in turn be used as tools to spread infection. The point is that you don't need to get to a "bad" site to get infected with anything.

    There is also the factor that just about everything these days has a spyware component in it and even if you yourself avoid certain types of sites, that doesn't mean your computer isn't visiting those sites without your knowledge in the background and that is something to consider as well.

    Running "netstat" on your computer occasionally might surprise you!

    Maybe you should check the computers of your site's other editors.
    You make an excellent point here that is often forgotten: ANYONE with access to a site could be the source of compromise. If you have more than one person using an account, any one of them could be infected. The old but very true adage in security is you are only as strong as your weakest link!

    Note: We consider the issue resolved, and are in the process of enforcing stronger security policy and banning products like MSN plus from our employees' computers at home.
    The effectiveness of that from a security perspective is debatable at best although you may have some legal ramifications unless you happen to own the computers they are using at home so you may want to check with legal counsel regarding that particular matter.

    Edit: A very basic index.html also got infected.
    Like I said in the earlier post and also above -- first wave attack is INDEX files.

    The program is basically designed to hit any index files it finds in the account regardless of whether it is HTML, PHP, or CGI.
    Last edited by Spiral; 07-22-2009 at 10:16 PM.

  10. #595
    Member
    Join Date
    Jan 2003
    Posts
    169

    Default

    Does anyone know how effective ClamAV is against this gumblar worm? Does it detect any/all of the variants? If it CAN detect infected files, that'd be great and at least stop/slow down reinfection rates.

    I'm asking because clamav is common on most cpanel servers and can be easily set to scan ftp uploads too (if using pure-ftpd) as per Integrate pure-ftpd with clamav - CPanelDirect

  11. #596
    Member
    Join Date
    Nov 2004
    Location
    Earth
    Posts
    151

    Default

    No idea, but I went ahead and set this up anyway. ClamAV now scans everything uploaded via FTP. I have not noticed any problems from this.

    Quote Originally Posted by qwerty View Post
    Does anyone know how effective ClamAV is against this gumblar worm? Does it detect any/all of the variants? If it CAN detect infected files, that'd be great and at least stop/slow down reinfection rates.

    I'm asking because clamav is common on most cpanel servers and can be easily set to scan ftp uploads too (if using pure-ftpd) as per Integrate pure-ftpd with clamav - CPanelDirect

  12. #597
    Member
    Join Date
    Apr 2005
    Location
    Istanbul / Turkey
    Posts
    57

  13. #598
    Registered User
    Join Date
    Jul 2009
    Posts
    2

    Default

    Quote Originally Posted by hidonet View Post
    Your solution relies on ClamAV to detect changed files. I don't think ClamAV can detect injected iframes.
    Earlier today I wrote a simple shell script that scans uploaded files for iframes and then notifies you by mail if there was a file containing an iframe (with a code snippet, similar to the cpanel php mail script notifier).
    It is similarly based on the pure-ftpd upload script.

    Here is the script:
    Code:
    #!/bin/sh
    # iframe upload scan script
    # pure-ftpd upload hook: the path of the file just uploaded is passed as $1
    
    if [ -z "$1" ]; then
            echo 'Variable is blank'
            exit 1
    fi
    if [ ! -f "$1" ]; then
            echo "$1 file not found"
            exit 1
    fi
    
    # -i: injected tags appear as iframe or IFRAME; -C 1: one line of context each side
    grep_output="$(grep -i -C 1 iframe "$1")"
    
    if [ -n "$grep_output" ]; then
            SUBJECT="Recently Uploaded file that contains IFRAME on your.server"
            EMAIL="your-mail@your-domain.hr"
            # private temp file instead of a fixed, predictable /tmp name
            EMAILMESSAGE="$(mktemp /tmp/iframe-notify.XXXXXX)" || exit 1
            {
                    echo "File containing iframe is: $1"
                    echo
                    echo "Sample code:"
                    echo "----"
                    echo "$grep_output"
                    echo "----"
                    echo
                    date
            } > "$EMAILMESSAGE"
            /bin/mail -s "$SUBJECT" "$EMAIL" < "$EMAILMESSAGE"
            rm -f "$EMAILMESSAGE"
    fi
    Just change your-mail@your-domain.hr to your server notification email (or any email you want)
    and your.server to the name of your server.

    If you have the ClamAV upload script setup done by this method: Integrate pure-ftpd with clamav - CPanelDirect, then just add
    Code:
    /path/to/the/script/script.sh "$1" &
    at the end of your ClamAV upload script.

    If you don't have the ClamAV upload script for pure-ftpd and don't want to have it, just follow the procedure here: Integrate pure-ftpd with clamav - CPanelDirect, but instead of the script given on the page (/var/run/pure-ftpd/clamscan.sh) use the script I posted.

  14. #599
    d_t
    Member
    Join Date
    Sep 2003
    Location
    Bucharest
    Posts
    239

    Default

    ClamAV is a good anti-virus, but cannot detect all injected iframes, so scanning files is not an option (or it may be, if you use a better anti-virus with a heuristic engine).

    My solution is similar to what @Spiral said: limit ftp access to some countries, based on ip2cc, while whitelisting some IPs and ignoring other accounts. Works almost ok (with some complaints from users travelling to other countries). The only problem is that some of the attacks are from US IPs (zombie PCs), so you have the option to block the entire US... (not a problem for me ) I will publish it soon.
    Joomla & Magento cPAddons
    Joomla 2.x added as cPanel Addon (free)

  15. #600
    Member
    Join Date
    Mar 2002
    Posts
    297

    Default

    pardon my ignorance but is clamav even capable of scanning uploaded files ?

    I know it scans emails - but does it even have the ability to scan every ftp or ssh uploaded file ?
