
Thread: Solution For Iframe Java Script Hack

  1. #1
    Registered Member apscinsspl's Avatar
    Join Date
    Mar 2008
    Posts
    112

    Default Solution For Iframe Java Script Hack

    How does this hacking take place:

    This hacking does not take place through any PHP application vulnerability, nor any kernel bug, Apache bug, or cPanel or Plesk bug. The files affected are those of accounts whose FTP logins are leaked.

    Believe me, I have been researching this iframe and JavaScript hack for the last 10 months.

    ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

    How it's done
    This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s) and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account FTP password, whatever permissions your folders and files are set to makes no difference.

    After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000, the Russian hacking bulletin boards are offering Mpack with 1 year of support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


    This way this hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root login details in Google.

    ===============================================
    Solution:
    ===============================================


    For Server Administrators:

    If you are having this problem server-wide then the only possibility is that your root password is being used for this. Just change the password and this HACK WILL STOP.

    For individual person owning just a domain and not server:

    If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.

    You must have removed the code many times and it comes again. Why???
    Because you don't change the FTP password. So change that first.

    Just changing the password is not a complete solution, but it is the first step.
    What's next: your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or anti-spyware software which you think could block it. But the best solution is to clean format the computer.

    Just do the two things:

    1) Change the FTP or root password of server
    2) Clean format the PC

    and take care in future that you don't visit any of the virus links made by this hack.
    Also, to keep your password secure, I would suggest you use password manager software like:

    http://keepass.info/

    This is FREE open-source software.


    I can assure you this is a confirmed solution and will definitely help you all.
    Please try it, and once you have confirmed it, please spread this message in as many forums as you can so that others also come to know how to stop it.

    Comments can be sent to: tech.cpanel@gmail.com
    Last edited by apscinsspl; 05-12-2008 at 04:03 PM.

  3. #3
    Registered Member
    Join Date
    Jan 2005
    Posts
    159

    Default

    thank you for the great info

  4. #4
    Registered Member apscinsspl's Avatar
    Join Date
    Mar 2008
    Posts
    112

    Default

    Thanks, I request all of you to post this solution in any forum where you find questions on this hack, you can post the exact content of this post.

    Please help to spread this post in the same way as these hackers are trying to spread the virus so that others protect their valuable data from the virus.

    This is a start of big cyber attack which has to be stopped.

  5. #5
    Registered Member apscinsspl's Avatar
    Join Date
    Mar 2008
    Posts
    112

    Default

    Interview

    In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious websites.

    A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal personal information.

    The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it's malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.

    In late June, SecurityFocus answered an online advertisement for the MPack infection kit, sending an ICQ message to the identifier listed in the ad. A few days later, a person contacted SecurityFocus through ICQ and identified themselves as "DCT," one of the developers of the MPack infection kit. What follows is the result of two weeks of interviews that took place in late June and early July.

    (Editor's note: The following interview is an edited version of the two weeks of chats that took place over instant messenger with DCT. The answers have been edited for grammar and spelling, and some answers have been reordered or combined for clarity.)

    SecurityFocus: How did MPack start?

    DCT: In the beginning, the first version was only for internal testing purposes. That was around June 2006. My friend - Hello to Fuzka - was helping to analyze different exploits and make a pack for them. Around August/September 2006, it became a commercial project.

    The project was started for the Russian-speaking "market", but nowadays, more and more guys from other countries get in touch because they are interested in buying the pack. It's all because of the AVers' (antivirus companies') articles about the pack.

    How many developers are there? What is the Dream Coders Team?

    We are all online friends. Some are real-life friends. We are mainly self-taught.

    Altogether, Dream Coders consists of three people on a constant basis and some others that are periodically recruited for a one-time job. (Another person identified as a member of DCT and called $aSH by security firms is not one of the three coders but referred to by DCT as a "marketing director.") Developers are Russian, while helpers and testers are from other countries.

    How do you get the exploits for MPack? Do you buy them?

    For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).

    We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is $10,000 in case of good exploitation.

    Is the project profitable?

    The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live.

    Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project.

    What are your goals for the project?

    Our main aim is to make the pack work better - boost the number of infections, in other words. Everything else is not so important.

    We have got some other projects running and more to be realized.

    How widespread is MPack at this point?

    I really don't know about the number of [download] servers. I suppose it counts in the tens. But if you are talking about the pages containing the IFrame that refers to the server with the pack, that may be in the tens of thousands. [Some security firms' estimates of hundreds of thousands] sound a bit large but may be true. The clients don't give us any usage statistics.

    People have already started offering the MPack software for sale for a lesser amount. Are you worried about that?

    Well, anyone can of course try to do that, but will they be successful? The main thing about MPack is not the scripts, but when the support and the methods of exploit are combined together.

    Were you behind the development of WebAttacker? Some security firms have postulated a connection.

    I know the WebAttacker team. We are friends. I was talking to WebAttacker's manager recently and he told me that they are going to start the real WebAttacker 2 pack in the near future.

    Referring to MPack as WebAttacker 2 is a mistake. They are two different projects.

    Some security experts refer to you as a Russian cybergang. Are you?

    Cybergang is a funny word used by AVers (antivirus companies) and government officials. We are just a group of people working together, but doing some illegal business.

    This supposed link with real-life criminals - I think it's bulls**t. AVers want to make an image showing us like bad guys stealing something from a store, etc. But really, almost none of my friends have any contact with criminals about our work or anything else.

    Can you tell me anything about yourself?

    I prefer to keep it in secret in order to make any official's job identifying me much harder. [However,] I have a legitimate job and am able to combine it with other projects, like MPack.

    Are you worried about getting caught?

    Yes, a bit. And with all these stories about MPack on the Internet, we will have to shut down the project fairly soon. The AV attention is bad because the more people know about the pack, the more the officials want to catch us.

    In Russia, there is a law which forbids [malicious-software] creation tools like MPack, [but] we secure our systems to the best possible extent, so that even a police officer would not be able to get the PCs analyzed.

    Do you feel sorry for the people whose machines are infected by an attack?

    Well, I feel that we are just a factory producing ammunition.

    Anything else you'd like to add?

    I would advise you to use the Opera browser with scripts and plug-ins disabled in order not to be caught by the MPack someday.

    SOURCE LINK: http://www.theregister.co.uk/2007/07...per_interview/

  6. #6
    Registered Member apscinsspl's Avatar
    Join Date
    Mar 2008
    Posts
    112

    Default

    YOUR SERVER CAN BE USED FOR DOING IFRAME HACKS

    Hackers can use your server to hack further sites by the IFRAME hack.
    If your server is infected by the iframe, check for the following files on your server:

    fout.php
    qt.phpo7.php
    urlworks.php

    These files are files of the MPACK tool, and if the tool is installed on your server you will find it by the above file names. If you find the tool, please delete it and disable the compromised account under which it is installed.

    For further complete information on how MPACK tool works you can check the following PDF file:

    http://blogs.pandasoftware.com/blogs...5/11/MPack.pdf

    IF ANYONE NEEDS ANY HELP TO CURE THEIR SERVER FROM THIS HACK, LET ME KNOW AT tech.cpanel@gmail.com
    Last edited by apscinsspl; 05-09-2008 at 07:28 PM. Reason: error

  7. #7
    Registered Member
    Join Date
    May 2007
    Posts
    78

    Default

    This is just a keylogger, so using https or ssh / WinSCP will not help?

    I'm fairly new to SSH, can you offer recommendation how to search for these files? I have no suspicion I was hit, but better safe than sorry.
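    The search that post #7 asks for, written out as a POSIX shell script. This is an added example, not code from the thread or from any of its posters. It walks the web roots given on the command line and reports three things: files whose names match the MPack file list from post #6 (names used exactly as listed there), index-type pages that contain an iframe meant to stay invisible (the zero-size / CSS-hidden heuristic is an assumption of this example, since the thread only says "hidden iframe"), and index pages whose owner-write bit is set, which is the 644-versus-444 point raised later in the thread. It assumes GNU or BSD find and grep.

```shell
#!/bin/sh
# Added example, not code from the thread. Walks one or more web roots and reports:
#   MPACK-FILE    files whose name matches the list given in post #6
#   HIDDEN-IFRAME index-type pages containing a zero-size or CSS-hidden <iframe>
#   WRITABLE      index-type pages whose owner-write bit is set (644-style modes)
# Assumed: GNU or BSD find/grep/sed; web roots passed as arguments.

MPACK_FILES="fout.php qt.phpo7.php urlworks.php"   # names exactly as listed in post #6

# Heuristic (an assumption of this example, not from the thread) for an iframe that is
# meant to stay invisible: CSS visibility:hidden / display:none, or a width or height of 0.
HIDDEN_IFRAME_RE="<iframe[^>]*(visibility: ?hidden|display: ?none|width=[\"']?0[^0-9]|height=[\"']?0[^0-9])"

# Print "MPACK-FILE <path>" for every file named like one of the MPack files.
find_mpack_files() {
    root="$1"
    for name in $MPACK_FILES; do
        find "$root" -type f -name "$name" 2>/dev/null
    done | sed 's/^/MPACK-FILE /'
}

# Print "HIDDEN-IFRAME <path>" for index-type pages matching the heuristic above.
find_hidden_iframes() {
    root="$1"
    find "$root" -type f \( -iname 'index.*' -o -iname 'default.*' -o -iname 'home.*' \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -qiE "$HIDDEN_IFRAME_RE" "$f" 2>/dev/null; then
            printf 'HIDDEN-IFRAME %s\n' "$f"
        fi
    done
}

# Print "WRITABLE <path>" for index-type pages the owner can write to (-perm -200 = u+w).
find_writable_index() {
    root="$1"
    find "$root" -type f -iname 'index.*' -perm -200 2>/dev/null | sed 's/^/WRITABLE /'
}

# Run all three checks against one web root.
scan_webroot() {
    find_mpack_files "$1"
    find_hidden_iframes "$1"
    find_writable_index "$1"
}

# Usage: sh scan_webroot.sh /home/*/public_html
for root in "$@"; do
    scan_webroot "$root"
done
```

Run it over every account's document root after a password change; a HIDDEN-IFRAME hit that reappears after cleaning means the credential used to write it has not actually been rotated, which is the point post #1 makes.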

  8. #8
    Registered Member apscinsspl's Avatar
    Join Date
    Mar 2008
    Posts
    112

    Default

    If you own any server or domain, I would suggest you format the computer first, then change the password of the server or domain and then install the following free software:

    http://keepass.info/

    It's password manager software.

    You have to create a database of your passwords by adding the link, username and password to the software. The software keeps it encrypted with various encryption algorithms.

    This database will have a password and a key.
    The database can be opened only if the password and key are supplied to the database via software simultaneously.

    The most important thing in this is the key.
    Never keep this key on the computer; keep it on a pen drive.

    When you want to log in to the software, supply the key from the pen drive and log in; once logged in, remove the pen drive.

    NOTE: if your key is not there, no hacker can read your encrypted passwords even though he has the password database and the password.

    So all your passwords will be secured. It's handy software and I use the same on my machine.


    Better versions of this hack are released in Russian forums weekly, and you are charged +$150 if you want a version which is not detected by any antivirus software or spyware detector. So the better way is to keep the passwords in encrypted format and don't worry even if your PC is infected, as your passwords are of no use to hackers as they are encrypted and IF they don't have the key.

    Never keep the key on any computer to have maximum security on your passwords.

    Hope this will help, if you need more help let me know.

    Mail: tech.cpanel@gmail.com
    Last edited by apscinsspl; 05-10-2008 at 04:04 AM. Reason: error

  9. #9
    Registered Member rootuser's Avatar
    Join Date
    Jan 2005
    Location
    ***INDIA***
    Posts
    124

    Default

    apscinsspl,

    This is great info, thanks!

  10. #10
    Registered Member
    Join Date
    May 2007
    Posts
    78

    Default

    Quote Originally Posted by apscinsspl View Post
    If you own any server or domain, I would suggest you format the computer first, then change the password of the server or domain and then install the following free software:
    Even if one hasn't been hacked? Seems a little extreme to me.

  11. #11
    Registered Member
    Join Date
    Apr 2005
    Posts
    105

    Default

    Quote Originally Posted by apscinsspl View Post
    ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!


    ===============================================
    Solution:
    ===============================================


    For Server Administrators:

    If you are having this problem server-wide then the only possibility is that your root password is being used for this. Just change the password and this HACK WILL STOP.

    For individual person owning just a domain and not server:

    It won't stop.. chances are somewhere there is a keylogger.. whether it is on the user's PC or on the server tech's PC or somewhere in between.. it won't stop till the keylogger is found and successfully removed

    The first thing that should be done is to change the password from a DIFFERENT computer.. BUT only if you know that when you visit the site to change the password it is at that point clean.. otherwise THAT PC will get a present of a drive-by keylogger download

  12. #12
    Registered Member
    Join Date
    Jun 2005
    Posts
    72

    Default

    The iframe hack is done via a SQL injection which inserts malicious code into index.php files, even those whose permissions are 644. Changing FTP passwords has nothing to do with it. We had done everything to try and stop it until we changed index.php permissions to 444. So far it seems all is OK, but I don't know for how long.

  13. #13
    Registered Member
    Join Date
    Dec 2008
    Posts
    85

    Default

    644 = Write (User), Read (Group), Read (World)
    444 = Read (User), Read (Group), Read (World)

    So, all you've demonstrated to me is that they have to have the user's access credentials to do this hack.


    At the end of the day, the user is getting compromised on their machines, leaking the password, which in turn leads to the account getting compromised. It's a cycle which is hard to break. Phone the user, explain the problem, request they get their machine cleaned.
    Last edited by britsenigma; 02-26-2009 at 08:43 AM.

  14. #14
    Registered Member
    Join Date
    Jun 2005
    Posts
    72

    Default

    Quote Originally Posted by britsenigma View Post
    644 = Write (User), Read (Group), Read (World)
    444 = Read (User), Read (Group), Read (World)

    So, all you've demonstrated to me is that they have to have the user's access credentials to do this hack.


    At the end of the day, the user is getting compromised on their machines, leaking the password, which in turn leads to the account getting compromised. It's a cycle which is hard to break. Phone the user, explain the problem, request they get their machine cleaned.
    I'm just sharing what I've found and what has worked, at least until now, considering these folks were getting hacked in hours and nothing has happened over the course of a day.

    Of course you're free to pick up the phone and choose an alternate way to resolve the hack.

    Also, when you say "user is getting compromised on their machine" + "request they get their machine cleaned.", you must understand that this hack (which I will admit I don't understand entirely in detail) is using a combination of things to gain entry. It's not meant to steal passwords; its sole intention is to redirect visitors of forums (and other sites) to infected servers where it tries to load virus-laden PDFs/malware. In some cases, the redirect also leads to pr0n sites.

    And phoning a client and cleaning the machine is useless because no passwords are compromised. The script breaks into a website by using a SQL injection of sorts and dumps the iFrame code into the index (or other main) page of the users' sites. Nearly all are some sort of PHP-based application. So where does this weakness lie?

    In PHP? In MySQL? In Apache? In a function embedded natively in the website's software? Your guess is as good as mine.

    What's making matters worse is that the code injected is in HEX, so it's even tougher to decode it off the bat.

    What is clear is that the hack is performed by a script which targets the main page of vBulletin, phpBB, Drupal, and other PHP-based software and then attempts to exploit it. Once it is able to successfully inject the iFrame code into the main page, it then remembers the URL of the site, and a secondary script tries once every few hours to re-insert the code into the main page, to ensure the site stays infected.

    As a result, going 24 hours without a break-in is pretty good imo and is working as of now.
    Last edited by encryption; 02-26-2009 at 11:47 AM.

  15. #15
    Registered Member
    Join Date
    Dec 2008
    Posts
    85

    Default

    My apologies, I didn't realise how my post came across earlier; it wasn't really helpful input, I was making a snap judgement about file permissions. Grumpy mood, bad morning. Sorry.

    I'd install and tweak mod_security. Here's a typical block on an unpatched Joomla install.

    Access denied with code 403 (phase 2). Pattern match "(?gg|gopher|zlib|(?:ht|f)tps?)\:/" at ARGS:sIncPath. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "199"] [id "340026"] [rev "19"] [msg "PHP Injection attempt in URI"] [severity "CRITICAL"]

    http://www.gotroot.com/

    Give it a go, I'd love to know if it helps.
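    A small POSIX shell parser for ModSecurity "Access denied" lines in the bracketed [key "value"] layout that post #15 quotes, added here as an example; it is not code from the thread or from the gotroot rule set. It pulls out the rule id, severity, message and the request argument the rule fired on, and summarises denials per rule id so an admin can see which rules are doing the blocking. The sample log is constructed: the first line is the one quoted in the post, the second is a constructed hit on the same rule with a placeholder argument name, and the third is a benign line with no rule fields. It assumes POSIX sed, awk and grep.

```shell
#!/bin/sh
# Added example, not code from the thread. Pulls the useful fields out of
# ModSecurity "Access denied" lines in the bracketed [key "value"] layout quoted
# in post #15 and summarises hits per rule id. Assumed: POSIX sed/awk/grep.

# Constructed sample log: the line quoted in post #15, a second constructed hit on the
# same rule (the argument name is a placeholder), and a benign line with no rule fields.
SAMPLE_LOG='Access denied with code 403 (phase 2). Pattern match "(?gg|gopher|zlib|(?:ht|f)tps?)\:/" at ARGS:sIncPath. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "199"] [id "340026"] [rev "19"] [msg "PHP Injection attempt in URI"] [severity "CRITICAL"]
Access denied with code 403 (phase 2). Pattern match "(?gg|gopher|zlib|(?:ht|f)tps?)\:/" at ARGS:constructed_param. [file "/usr/local/apache/conf/modsec_rules/10_asl_rules.conf"] [line "199"] [id "340026"] [rev "19"] [msg "PHP Injection attempt in URI"] [severity "CRITICAL"]
Warning. Constructed benign line with no rule fields.'

# modsec_field NAME LINE -> value of the bracketed field [NAME "value"], empty if absent.
modsec_field() {
    printf '%s\n' "$2" | sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# modsec_arg LINE -> the request argument named after "at ARGS:", empty if absent.
modsec_arg() {
    printf '%s\n' "$1" | sed -n 's/.* at ARGS:\([^ .]*\)\..*/\1/p'
}

# modsec_records LOG -> one tab-separated record per denied request: id, severity, arg, msg.
modsec_records() {
    printf '%s\n' "$1" | grep '^Access denied' | while IFS= read -r line; do
        printf '%s\t%s\t%s\t%s\n' \
            "$(modsec_field id "$line")" "$(modsec_field severity "$line")" \
            "$(modsec_arg "$line")" "$(modsec_field msg "$line")"
    done
}

# modsec_summary LOG -> "count id msg" per rule id, most frequent first.
modsec_summary() {
    modsec_records "$1" |
    awk -F'\t' '{ n[$1]++; m[$1] = $4 } END { for (k in n) printf "%d %s %s\n", n[k], k, m[k] }' |
    sort -rn
}

# Usage on a live box: modsec_summary "$(grep 'Access denied' /usr/local/apache/logs/error_log)"
modsec_summary "$SAMPLE_LOG"
```

The per-argument column is the useful one when tuning: a rule that fires constantly on one legitimate parameter of your own application is a candidate for a targeted exception, whereas a rule that fires on parameters your application does not even have is the probing post #15 describes.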

