  1. #1

    severe <iframe> injection problem please help

    I am having a major problem with someone injecting iframes into every header.php, footer.php, index.php, login.php and vars.php file on the entire server. It seems he is exploiting something in PHP to do this, as he seems to be doing it all at one time and not hacking each account. I have read around, and everything I found said turning enable_dl off would prevent this. Well, I did that and it happened again last night. Any help would be greatly appreciated.


    thanks,

    jj

  2. #2
    Join Date: Sep 2005 | Location: Southern California | Posts: 179
    Do you mean that they are physically editing your files and adding additional iframes to them? If that is the case, your host might have some larger problems that need addressing.

  3. #3
    What version of Apache are you running?
    *AlphaOmegaHosting.Com* - Hosting since 1998
    Managed Dedicated Servers and VPS
    Hosted Exchange 2010 Email Service

  4. #4
    I am the host. It is happening to a lot of hosts I have talked to. Somehow the hacker has found a way to add iframes to the files on the server. Whatever he is doing is allowing him to put them in every file called header.php, footer.php, index.php, login.php or vars.php, or any file he chooses; I guess those are just the ones he has done. It's not one particular script either; it's every account on the server.

    Here is the Apache version etc.

    Operating system: Linux
    Kernel version: 2.6.9-1.667smp
    Machine type: i686
    Apache version: 1.3.37 (Unix)
    Perl version: 5.8.7
    Path to Perl: /usr/bin/perl
    Path to sendmail: /usr/sbin/sendmail
    PHP version: 4.4.4
    MySQL version: 4.1.21-standard
    cPanel build: 10.9.0-RELEASE 57


    Here is phpinfo on one of the servers. This server has register_globals on for one script, but I have another server with the same iframe problem with register_globals off. One server runs PHP with the Apache API and one with the CGI API, so it's not that either.

    www miyisurf . com / phpinfo . php

    (remove the spaces; the forum would not let me post the link)


    My server techs have scanned the entire server and there are no hack files etc. on the server, so he has to be using a hole in Apache or PHP or something.

    thanks,

    jj

  5. #5
    Join Date: Sep 2005 | Location: Southern California | Posts: 179
    Well, if it was an exploit then it would depend on the scripts you are running.

    Check your permissions, and try setting them so that the user Apache runs as (usually httpd, apache, or nobody) does not have write access to those files.

  6. #6
    Join Date: Sep 2002 | Location: Top Secret | Posts: 11,687
    Quote Originally Posted by jj
    My server techs have scanned the entire server and there are no hack files etc. on the server, so he has to be using a hole in Apache or PHP or something.

    This is very common actually, and I highly doubt that your server techs have scanned the "entire" server. That would take days, going through every minuscule file on the server to verify things. Not by script, but by hand.

    Start with recompiling Apache/PHP, and make SURE you know exactly what the modules you load in there are doing.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  7. #7
    Quote Originally Posted by localhost127
    Well, if it was an exploit then it would depend on the scripts you are running.

    Check your permissions, and try setting them so that the user Apache runs as (usually httpd, apache, or nobody) does not have write access to those files.

    They are not exploiting any one script, as servers with different scripts are being attacked the same way. It's not any one script that's being attacked, it's all of them. As for permissions, the files that are being edited are currently all set to 644.


    jj
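The posts above turn on one question: could the user Apache runs as have written those 644 files at all? The script below is an added example, not code from anyone in this thread. It walks a web root for the five file names the original poster lists, reports every copy that contains an <iframe> tag with its mode and owner, and says whether the group/other write bits would have let the web-server user write it. A 644 file owned by the account that was rewritten anyway means the writer ran as that account or as root, not as nobody/apache. The sample tree, account names and iframe URLs are constructed for the demo; `TARGETS` is an assumed list you would extend.

```shell
#!/bin/sh
# Added example, not code from the thread. Find the poster's target files that carry an
# <iframe> tag and show whether their permissions would have let the web user write them.

TARGETS='header.php footer.php index.php login.php vars.php'   # assumed list from the thread

# Build a constructed sample tree (two accounts, two injected files, all 644) in a temp dir.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/acct1/public_html" "$root/acct2/public_html"
  printf '<?php\n// clean\n?>\n<html><body>hello</body></html>\n' \
    > "$root/acct1/public_html/index.php"
  printf '<?php\n$x = 1;\n?>\n<iframe src="http://example.invalid/a" width=1 height=1></iframe>\n' \
    > "$root/acct1/public_html/header.php"
  printf '<?php $v = 1; ?>\n<IFRAME src="http://example.invalid/b"></IFRAME>\n' \
    > "$root/acct2/public_html/footer.php"
  printf '<?php echo 1; ?>\n' > "$root/acct2/public_html/login.php"
  chmod 644 "$root"/*/public_html/*.php
  printf '%s' "$root"
}

# Emit the find(1) name filter for TARGETS: -name a -o -name b ...
name_filter() {
  first=1
  for t in $TARGETS; do
    if [ $first -eq 1 ]; then first=0; else printf '%s ' '-o'; fi
    printf '%s %s ' '-name' "$t"
  done
}

# One line per hit: "<mode> <owner> <web-user-writable|owner-or-root-only> <path>".
# Case-insensitive match, because injected tags show up as <iframe> and <IFRAME>.
find_injected() {
  find "$1" -type f \( $(name_filter) \) -print | while read -r f; do
    grep -qi '<iframe' "$f" || continue
    set -- $(ls -ld "$f")                 # $1 = mode string, $3 = owner (ls -l layout)
    case "$1" in
      ?????w*|????????w*) who=web-user-writable ;;   # group (pos 6) or other (pos 9) write bit
      *)                  who=owner-or-root-only ;;
    esac
    printf '%s %s %s %s\n' "$1" "$3" "$who" "$f"
  done
}

count_injected() { find_injected "$1" | wc -l | tr -d ' '; }

# Demo against the constructed tree:  sh scan_iframes.sh --demo
if [ "${1:-}" = "--demo" ]; then
  find_injected "$(make_sample_tree)"
fi
```

On a real box run `find_injected /home` (or wherever cPanel keeps public_html) and compare the mode column against who the files belong to: every hit reading `-rw-r--r-- <account> owner-or-root-only` is a file the Apache user could not have touched, which is exactly the observation later posts in this thread build on.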

  8. #8
    I was faced with the same thing. I had many admins in and out of a single server that showed similar symptoms and more. To help you out a bit, I will give you a list of who helped, who refused, and who did something...

    Linux-Tech: was a monthly subscriber; not much they could do.

    Serversupportguys: was a monthly subscriber. They did give me some valuable information and insight into how they made the changes, but no insight into how to stop or prevent it. Nothing more they could do.

    PSM: they removed 99% of the edited files with scripts, searches and what-not.

    Rack911: I do not have a monthly service with them, but I have had one-time jobs. They have located many things and implemented a few tools to search, log, and assist with the mentioned problems. Most were hand-written scripts tailored to this specific server. So far they have been in and out of the server, whereas most I have dealt with refused even when I mentioned cost was no factor. While I can't say the problem is over, the temporary tools and settings that they have made have stopped the attacks stone cold.

    As you can see, moving through my list, Rack911 is the only one so far that has a clue. Give them a shout, I am sure they will assist.


    BTW, give me a shout, I would like to compare a few things if you don't mind.
    Last edited by hbidad; 11-30-2006 at 06:31 PM.

  9. #9
    Quote Originally Posted by hbidad
    <<snipped>>

    Hi, I tried to PM you but it would not let me. Is PSM above platinumservermanagement? If so, that is who I use, and they do not seem to have a clue as to how the guy is getting in to do it. I do not believe it could be some hidden file somewhere, as one server that it's happening to has only been active for 2 weeks, so I know the root on it has not been hacked.

    I reinstalled Apache and PHP as suggested above and they are already back again. I had several of the files set to different permissions as a test, and all files, no matter what permission, were written to.

    jj

  10. #10
    Join Date: Feb 2005 | Location: Australia | Posts: 5,842
    Your phpinfo shows Apache has the mod_rootme module loaded. I would shut down Apache, change your root password and get professional help.

    Edit: http://www.webhostingtalk.com/showthread.php?t=554463
    Last edited by foobic; 11-30-2006 at 06:58 PM.
    Chris

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter

  11. #11
    Join Date: Mar 2003 | Location: California USA | Posts: 13,294
    Quote Originally Posted by Ramprage
    <<snipped>>

    Ramprage, that's a terrible solution. You should look for why it happened before even thinking about cleaning it up.


    To the original poster:

    Linux server8.miyi-hosting.com 2.6.12-1.1381_FC3smp #1 SMP Fri Oct 21 04:03:26 EDT 2005 i686

    I do not doubt that you could be root compromised. That kernel is very, very old and has exploits. If you have run rkhunter and chkrootkit and they came back clean, that does not mean you are not root compromised. You have mod_rootme; I would definitely get an OS reload and secure the server BEFORE adding any clients to it.
    Last edited by anon-e-mouse; 12-01-2006 at 01:29 AM.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
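Posts #6, #10 and #11 all come down to the same check: know exactly which modules your Apache loads, because one of them here was mod_rootme, a backdoor module that hands a remote requester a shell running as root, and no amount of file permissions or PHP settings matters once that is in. The script below is an added example, not code from anyone in this thread. It pulls every LoadModule and AddModule directive out of an Apache 1.3 httpd.conf, compares the tokens against an allowlist, and prints anything unexpected, which is a quicker and more repeatable check than eyeballing the "Loaded Modules" line in phpinfo(). The sample config, the `rootme_module` identifier and the `ALLOWED` list are constructed for the demo; build your own allowlist from the packages you actually installed. (Apache 1.3 has no `httpd -M`; `httpd -l` lists only compiled-in modules, so the config file is the place to look for dynamically loaded ones.)

```shell
#!/bin/sh
# Added example, not code from the thread. Audit the modules an Apache 1.3 config loads
# against an allowlist so a planted module (e.g. mod_rootme) stands out.

# Assumed allowlist for the example; a real one comes from your own build/package list.
ALLOWED='php4_module mod_php4.c rewrite_module mod_rewrite.c ssl_module mod_ssl.c'

# Constructed sample httpd.conf fragment in the 1.3 style (not a real server's config).
write_sample_conf() {
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
# constructed sample httpd.conf fragment
LoadModule php4_module    libexec/libphp4.so
LoadModule rewrite_module libexec/mod_rewrite.so
  LoadModule rootme_module  libexec/mod_rootme.so
LoadModule ssl_module     libexec/libssl.so
ClearModuleList
AddModule mod_php4.c
AddModule mod_rewrite.c
AddModule mod_rootme.c
AddModule mod_ssl.c
EOF
  printf '%s' "$conf"
}

# Second field of every LoadModule/AddModule directive (leading whitespace tolerated), deduplicated.
loaded_modules() {
  awk '/^[ \t]*(LoadModule|AddModule)[ \t]+/ { print $2 }' "$1" | sort -u
}

# Loaded tokens that are not in ALLOWED, one per line.
unexpected_modules() {
  loaded_modules "$1" | while read -r m; do
    case " $ALLOWED " in
      *" $m "*) ;;                      # expected module
      *) printf '%s\n' "$m" ;;          # not on the allowlist: flag it
    esac
  done
}

# Exit status 0 only if nothing unexpected is loaded (suitable for a cron job that mails on failure).
audit_conf() {
  n=$(unexpected_modules "$1" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ]
}

# Demo against the constructed config:  sh audit_modules.sh --demo
if [ "${1:-}" = "--demo" ]; then
  unexpected_modules "$(write_sample_conf)"
fi
```

Against the sample config the audit prints `mod_rootme.c` and `rootme_module` and nothing else. Run it as `audit_conf /usr/local/apache/conf/httpd.conf` (or wherever cPanel's Apache keeps it) after any rebuild, and remember the warning in #11: finding the module tells you the box is root compromised, it does not tell you how it got there, so an OS reload is still the answer.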

  12. #12
    Join Date: Apr 2006 | Location: Dallas, Texas USA | Posts: 71
    Just to clarify this point:

    You went through multiple providers before finding us (you actually planned to have us lock out your previous provider so they could not remove their tools and optimizations). We found the cause and advised a solution to the problem. You promptly cancelled our service and received a refund after we provided you this information.



    Quote Originally Posted by hbidad

    Serversupportguys, was a monthly subscriber. They did give me some valuable information and insight of how they made the changes, but no insight to how to stop or prevent it. Nothing more they could do.
    - Comprehensive Server Management & End User Support
    - Now 100% U.S. Owned & Operated
    - Now offering instantly ready end-user support. 30secondsupport.com

  13. #13
    While I refuse to hijack this post, I feel I need to defend myself. SSG never once gave me any options to remedy the situation. I will be digging through my emails for word-for-word responses. Nonetheless, if you could have assisted with removal of this, I guarantee we would still be monthly subscribers. Why would we get information to solve this ongoing issue, but not implement it? See my termination ticket for a full response, as you are severely mistaken.

    Someone lit the match... to be continued.

    To the OP: they do indeed have a money-back guarantee. It took a few ticket replies to obtain it, but I did indeed receive it. Many things happened with this admin company that I will not mention in this thread, but you can choose your own path with a little reference.
