Comments on: Hidden CN Iframes Are Still Prevalent

By: gifimg.php Malicious Scripts Removal Instructions | PHP Proficient

gifimg.php Malicious Scripts Removal Instructions | PHP Proficient — Fri, 25 Dec 2009 18:57:09 +0000

[...] also noticed that Gumblar (and this new attack) infects sites that were previously infected with hidden malicious iframes. That iframe injection attack steals FTP credentials from configuration files of 10 popular FTP [...]

By: Kathryn A.

Kathryn A. — Sat, 07 Nov 2009 03:17:09 +0000

I don’t know if the problem attacking one of the servers that I visit is this particular problem but the when my browser popped up w/ a warning and a Google SafeBrowsing report, one of the links that was apparently hosting malware was visaforchina .co .uk

By: Denis

Denis — Thu, 01 Oct 2009 08:56:53 +0000

To prevent reinfections you should remove malware from your computer, change FTP passwords and keep them secure. You might want to read this post about how the malware works and why you shouldn't save passwords in FTP clients.

By: dude harris

dude harris — Wed, 30 Sep 2009 02:26:01 +0000

oh, no im being attacked again, help.

By: dude harris

dude harris — Wed, 30 Sep 2009 02:22:09 +0000

i got infected with http ://some-other-life .ru:8080/index.php- good thing i have a back up of the files on my wordpress blog and able to restore it. The problem is that the attack me reoccur. damn.

By: Noxwizard

Noxwizard — Thu, 13 Aug 2009 01:40:52 +0000

Found another on one of my clients’ sites:
http ://b9g .at:8080/index.php

By: Shaun

Shaun — Mon, 27 Jul 2009 02:01:52 +0000

A few more URLs for you:
http ://q3c .ru:8080/index.php
http ://q1e .ru:8080/index.php
http ://x8o .ru:8080/ts/in.cgi?pepsi114

We had almost every index.html, index.php and several other files infected with these iframes on our server.

By: Yo P

Yo P — Sun, 26 Jul 2009 06:23:47 +0000

Dear Denis,

could you explain how could this spyware injure our computer? Where should(n’t) we click to (avoid) the injuries?

Thanks!

By: Steef

Steef — Fri, 24 Jul 2009 12:24:14 +0000

My client is on a holiday, so i can’t change the FTP pass. Because I have to clean the site every other day, I wrote a script that does that for me. By calling the script every hour with a dronjob, the site keeps clean until she comes back.

Here’s the script. I hope it’s useful for other people.
(make sure to backup your site befor using this one)

$path = ".";//define the path as relative

// filenames infected in Joomla sites:
list_dir($dir_handle,$path,'index.php');
list_dir($dir_handle,$path,'index2.php');
list_dir($dir_handle,$path,'index3.php');
list_dir($dir_handle,$path,'mainbody.php');
list_dir($dir_handle,$path,'index.html');

function list_dir($dir_handle,$path,$filename)
{
$dir_handle = @opendir($path) or die("unable to open $path");
while (false !== ($file = readdir($dir_handle))) {
$dir =$path.'/'.$file;
if(is_dir($dir) && $file != '.' && $file !='..' )
{
$handle = @opendir($dir) or die("unable to open file $file");
list_dir($handle, $dir, $filename);
}
elseif($file != '.' && $file !='..')
{
if(strcmp("$file", "$filename")==0)
{
$handle = file_get_contents($dir);
if ($handle)
{
preg_match('/]*>(.*)/s’, $handle, $iframe); // find iframes
$hacked = str_replace(“<", ">", (str_replace("<", "<", $iframe[0]))); // sanitize HTML for viewing
if ($hacked)
{
echo "\n$dir $hacked”;
$cleaned = preg_replace(“#$iframe[0]#”, ”, $handle);
$thisfile = fopen($dir, w) or die(“unable to open file $file”);
fwrite($thisfile, $cleaned);
fclose($thisfile);
echo ‘(cleaned)‘;
}
}
}
}
else {
//do nothing
}
}
closedir($dir_handle);
}
?>

By: Steef

Steef — Fri, 24 Jul 2009 12:14:09 +0000

A client of mine was also targeted. Addresses used:
06-07-2009 >> u1w .ru
08/07/2009 >> u8r .ru
10-07-2009 >> update .cn
12-07-2009 >> u9j .ru
24-07-2009 >> xe5 .in