Linux System Admins Blog

55 responses so far ↓

• 1 brian hugh // Mar 22, 2009 at 5:45 pm

  I am having this problem on my website, everytime i remove it, it comes back the next day.

  what i have done so far is to take of write permissions of my main html & php files, so far that seems to work past 2 days, but i need a more permanent fix and i can’t find out how they are getting to add that code to my pages.

• 2 gerold // Mar 22, 2009 at 7:21 pm

  @brian – have you changed all your FTP passwords? That’s the first thing i did before removing the codes.

• 3 Joe // Mar 22, 2009 at 9:06 pm

  I have seen this on several Linux Sites, some sites had techtite formmailer installed others did not. We need to know what is causing this and why siplank.com is still up and running.

• 4 gerold // Mar 22, 2009 at 9:58 pm

  @Joe – I have no idea where and how to report this issue. We can’t be sure if he is the actual attacker or someone just put it on his site. As you can see on Whois of siplank the domain name/owner, his address, and contact email are present – which normally attackers would not do that (unless this one is a newbie).

  On our infected files i saw two versions of the codes and they differ in number sequence but both resulted to the same code. I’m not sure if we have the same case, like if the virus code on your site goes to siplank or other website. You can decode it by craeting a blank html file and put the virus code this way:
  
<html>
<head></head>
<body>
<script type="text/javascript">
document.write(String.fromCharCode(REPLACE THIS WITH YOUR NUMBER SEQUENCE));
</script>
</body>
</html>


• 5 Joe // Mar 23, 2009 at 7:25 am

  I have seen two so far as well, I also did a whois and noticed that the domain was just registered.

  Here is one of examples of the code:

  eval(String.fromCharCode(118,97,…49,50))

• 6 Jonathan // Mar 23, 2009 at 1:26 pm

  IX Webhosting is also vulnerable. What can a shared hosting account holder do to combat this? Nothing, it is up to the host to prevent unauthorized server code changes. No FTP password was leaked. So that means that someone is sitting high a top the heirchal chain looking down at everyone’s root accounts and able to access this way. You cannot hack thousands of sites by hand this way so there is a stray script in IX’s root higher than we have access to. I ask again what we can do. We can leave this shared hosting provider and move to one who does not blame US! IT IS NOT OUR ISSUE IX… FIX YOUR SH@T!

• 7 Noni // Mar 23, 2009 at 6:50 pm

  Guys,

  I have the same issue but its on GoDaddy and they are also not taking responsibility. I explained them that if its a ftp issue and someone would have hacked it they can simple delete the files but why it is only html file and some asp pages with home/default are getting affected.

  Important thing is that it is happened on three different share hosting sites I have with them.

  I am also frustrated and want to move to another host but seems like its all over.

• 8 I think my site has been hacked // Mar 24, 2009 at 1:47 am

  [...] plagued with MalWare – Bill McIntosh’s Business Inner Circle That page linked to this blog page: HEUR:Trojan.Script.Iframe | Linux System Admins Blog I noticed that at the bottom of your site, below the </html> tag, you have the malicious [...]

• 9 gerold // Mar 24, 2009 at 3:15 am

  My friend’s account is hosted by Hostmonster (shared server).

• 10 Kyle // Mar 24, 2009 at 3:41 am

  This isn’t the hosting company’s fault. Instead of blaming them, look at your own computer first.

  Go ahead, open up your FTP logs and look at them.

  You’ll eventually find connections to your account that are downloading index.html and index.php files, modifying them, and then uploading them again.

  Scan your system carefully, and then stop using FTP. Download WinSCP and stop storing your passwords locally.

• 11 TRaef06 // Mar 24, 2009 at 6:55 am

  We can scan your site to find any vulnerabilities. Post your site name or send me an email directly and we’ll scan it for free and provide you with a full report.

• 12 Joe // Mar 24, 2009 at 7:38 am

  I have seen this on two seperate GoDaddy Hosting Accounts I have. I was using FlashFXP not the browser, I swithched to CuteFTP and changes all the passwords, the code is still getting inserted in the html files. The trojan is still being downloaded from siplank.com and my system is detecting it just fine.

• 13 BobP // Mar 24, 2009 at 8:32 am

  I wonder if GoDaddy would provide you with FTP Log information?

• 14 Luke // Mar 24, 2009 at 10:20 am

  Can someone help me? The fix I just read above reads like Chinese to me for the most part – I’m no web expert. However, I am having the same exact thing happen to my site and I want to get rid of it.

• 15 Kevin // Mar 24, 2009 at 3:43 pm

  My site was recently switched to Godaddy hosting and I have had this recurrent problem ever since. I did not have this problem before using Godaddy.

  Simply that javascript code gets attached to the bottom of all your html files and it supposedly infects other computers although I have seen no evidence of that in my local computer virus scans.

• 16 Michael // Mar 25, 2009 at 11:38 am

  I have a Windows 2003 server running IIS6. I have several websites, 4 of which run PHP. Those 4 (plus one HTML site) were the only ones affected. I do not have any FTP accounts that have access to all 4 of those sites, so I’m a bit confused how this is possible. One of those sites is just a coming soon page with the actual PHP under a random folder for development. All of my coldfusion sites are just fine. So weird….

• 17 someday // Mar 25, 2009 at 1:09 pm

  My site is w/GoDaddy & I am using wordpress. If anyone else is using wordpress & themes, please let me know what themes you are using.

• 18 Jake // Mar 25, 2009 at 2:06 pm

  This hit us too. The attack came in via FTP as mentioned above. However, we do not using a hosting facility and run our own web servers. The question I have is how did they obtain the ftp password of the account that they used? The password used was very secure and not stored online. I’d be curious to hear what others find out.

• 19 birdtree // Mar 25, 2009 at 8:35 pm

  My site was also hit. The site also runs wordpress and themes. The attackers hit the site at least twice.

• 20 Brian // Mar 25, 2009 at 8:44 pm

  All my wordpress sites were hit and also my vbulletin forum.

  I also found a virus on my pc called vonuseo

• 21 jeff // Mar 25, 2009 at 9:10 pm

  We have been hit on a temp e-commerce server, we were the only ones on a shared server, or we were the only one to report it.
  Also our index.html file disapeared on another site we have, twice! All passwords have been changed to be very secure, and still the hacking persists! what is going on these days?

• 22 Brian // Mar 26, 2009 at 4:25 pm

  It is a virus on your PC. make all index files read only and reformat your hard drive

• 23 Celli // Mar 26, 2009 at 9:57 pm

  Yup – GoDaddy claimed it was via FTP they gave me some log info – no IP Addresses though, I put in a request for that information. The odd thing is the siplank.com site still has a virus in its qqp directory called pdf.php I know there has been an abuse case against them.

• 24 Debbi // Mar 26, 2009 at 10:16 pm

  Our site was hit as well. Some are saying it is connected to Google Crome. If you use Google Analytics it is associated with it. It could be assoc. with several stat sites. According to some other forums, the Trojan has found a way to piggyback onto the site from Crome.
  Just putting this out here for discussion and possible help to solve this problem on our sites.

• 25 Celli // Mar 27, 2009 at 8:14 am

  We were using Goolgle Analytics as well. I removed all the GA Code for the time being. Also for those with GoDaddy Accounts, make sure you change your Account Password as well as FTP Passwords.

• 26 Michael // Mar 27, 2009 at 9:51 am

  My sites are not using Google Analytics or any other stat trackers. The code got inserted again. I use FileZilla for a FTP server (just updated) and I updated PHP to be safe. I’m going to change the FTP password now to see if that helps.

• 27 Michael // Mar 27, 2009 at 10:06 am

  Okay, luckily I did enable FTP logging via FileZilla. Someone got a user account and logged in from the ip 212.150.184.141. That account is now disabled.

• 28 Brian // Mar 28, 2009 at 9:51 am

  The virus is on your PC. Even if you change passwords it will still download the index file then upload it back up from your server, because your ftp password is stored on your pc . The only way to combat it is to make your index file read only

• 29 Lenny // Mar 29, 2009 at 10:04 pm

  Same problem here: index files are infected and being uploaded to the site. I changed my ftp password and this seems to help, but there is still a directory called “logs” among my files that I cannot remove. It has files in it called marchxx.tar.gz. Every day a new file is added. Today’s file says stuff like:

  62.167.86.169 – - [28/Mar/2009:17:43:05 +0100] “GET /?p=257 HTTP/1.0″ 200 21334 “http://lentheman.com/?p=257″ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)”
  62.167.86.169 – - [28/Mar/2009:17:43:07 +0100] “POST /wp-comments-post.php HTTP/1.0″ 302 0 “http://lentheman.com/?p=257″ “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)”
  65.60.145.171 – - [28/Mar/2009:18:00:16 +0100] “GET / HTTP/1.1″ 301 5 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7″
  65.60.145.171 – - [28/Mar/2009:18:00:19 +0100] “GET / HTTP/1.1″ 200 53903 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7″
  65.60.145.171 – - [28/Mar/2009:18:00:27 +0100] “GET /wp-login.php HTTP/1.1″ 200 1896 “http://lentheman.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.9.0.7) Gecko/2009021910 Firefox/3.0.7″

  My scanner and malwarebytes’ anti-malware can’t find a virus or spyware… Any help is much appreciated. Thanks.

• 30 gerold // Apr 3, 2009 at 7:11 am

  @Lenny – those logs you mentioned are probably access logs of your site based on the given samples. If you’re doubt about them you can verify it with your hosting provider.

• 31 Daniel // Apr 3, 2009 at 10:23 am

  I’ve been dealing with this issue for a while now, on over 1000 sites. It is NOT an FTP password issue — I really wish people would stop reporting misinformation on the problem. The problem is directly related to insecure host servers, and none of the hosting companies are willing to take responsibility or lock-down their security holes.

  There is no way around this other than to transfer hosting to another host provider, or run a dedicated box that’s completely locked down.

• 32 Peter // Apr 13, 2009 at 5:09 pm

  Daniel,

  unless you can document a proof of concept or provide some logs that show it is a breach of insecure shared hosting sites, I don’t know what the usefulness or relevance of your comments are. Not everyone can get a dedicated box.

• 33 Sean Owens // Apr 15, 2009 at 2:11 pm

  this is a trojan that sniffs the user passes from the ftp client you are using. free ware ftp and opensource ftp should be avoided like the plague. sftp is the only safe and slow way to ftp and keep those ftp passes refreshed regularly.

• 34 John // Apr 16, 2009 at 2:52 pm

  How many of you use filezilla. I just had this happen on 3 different hosting companies!!! Filezilla stores all passwords locally with no encryption. Ran several different antivirus / malware tools and nothing detected

• 35 LordInfidel // Apr 16, 2009 at 10:07 pm

  I’m a professional PenTester/Security Analyst (aka a ethical hacker) and was just called in tonight to look at this issue for a firm that thought they were hacked because of their hosting company.

  After an quick hour of analysis here was my advice to them:

  DO NOT CALL YOUR HOSTING Company! It is not their issue, they are not at fault.

  Next, CHANGE your FTP password. The problem lies with an infected machine that has been used to ftp files into your web site. Meaning they have to have the creditionals…..

  Most likely this machine is your own, unless you have multiple people ftp’ng files. Yes , YOU , most likely, have a virus! And since the connections to sites are NOT RANDOM, the likely hood of someone bruteforcing your site is highly unlikely; unless of course you have an extremely easy u/p combination.

  This may sound like I am venting, but this is the 20th site I have come across that is blaming their Hosting Company. And this one is a supposed “linux sysadmin blog” , so my wrath will be a little harsher on here.

  The best explanation of what this virus does, which is in line with what I have found, is explained here: http://helpdesk.technodg.com/announcements_view.php?id=69

  Another helpful gem is http://vil.nai.com/vil/content/v_144460.htm

  (disclaimer- I do not work for technodg.com or nai; i can just plain ol read)

  so stop your whining and take responsibility for your own actions.

  As for the filezilla comment; I am not sure why you thought that the passwords were “encrypted” to the point that they could not be “de-crypted”, they are merely obsfucated using an XOR operation. I could explain it in depth, but you should probably read it for yourself… http://forum.filezilla-project.org/viewtopic.php?f=4&t=1328

  Now if my sage words have fallen on deaf ears and your still reading my diatribe;

  If you are REALLY honestly curious as to how it happened when you got “Hacked”, look at the date time stamp on the index files in all your directories; then pull the ftp logs from your server and see what the source IP was during that time. Most likely, it was your own.

  Cheers, and Safe Computing

• 36 Luke // Apr 23, 2009 at 8:16 pm

  This is a common problem these days. We have had many customers affected, and even some developers. The problem is caused by malware that is installed from infected websites. It takes advantage of out dated versions of Adobe Reader, Adobe Flash Player, Internet Explorer and others.

  Once on the machine, this malware can steal passwords from well know ftp clients (open source and closed source). It also scans all network traffic to sniff ftp passwords. If you use ftp at all, it will get your password. The only remedy is to get rid of the malware and use only sftp.

• 37 gerold // Apr 23, 2009 at 9:53 pm

  @Luke: I agree, i noticed this on several sites mostly forums and blogs. Thanks for additional info on the problem.

• 38 6 virusi frumosi [a must read!] - Securitatea online | Jurnal de Oradea - Mintea Ardealului // May 11, 2009 at 9:25 am

  [...] Mai multe informatii despre unul din virusi: Heur Trojan Iframe [...]

• 39 Remko // May 11, 2009 at 2:29 pm

  Thanks guys for these tips.
  I have been struggling with the same issues myself.
  My site got hacked everytime as described above.
  Restored a backup, and the site got hacked again.
  At first I thought this was due to some SQL injection. A bad protected guestbook, extension, etc.

  So I got rid of them all. However, still my site got hacked. As much as 5 times a week.
  I decided after reading your tips and to access the logs.
  I could not find anything strange though. My site even got hacked without my site being visisted. (according to the logs)
  I decided to take a closer look at my CPANEL menus and discovered an extra FTP log.
  I looked at the data/time stamp of the altered file. Then search the log for this date/time and voila, I found my hacker.
  Indeed the hack was done via FTP.
  As a thank-you I gave him an IP-ban and changed my FTP password to an even more secure one.
  Then I got rid of Filezilla and started using WinSCP (http://winscp.net/eng/download.php) from which I understand is a much more secure client.
  Also, I am not storing any passwords in the FTP application.
  Hopefully these actions will help. Time will tell.
  I wish everyone good luck with fighting these guys.

  Take care,

  Remko

• 40 gerold // May 11, 2009 at 5:44 pm

  @Remko – it’s good to hear that this discussion helped you on the same problem and thanks for pointing out your situation. This should give the readers a clear details on the cause of problem and on how to prevent further attacks.

  For the file transfer protocol, it is clear that we need to use sftp instead of ftp whenever possible. For the ftp client, you can still use Filezilla but you need to select sftp as its protocol (default is ftp only). WinSCP also supports plain ftp and the default is sftp.

• 41 webmaster // May 17, 2009 at 9:59 pm

  This is an issue which affected us, we discovered a trojan on a cient pc that infected their site whcih then infected one of our sites.

  AVG does not find the trojan nor did Norton, however Mcaaffee did find the trojan on the sites.

  You may find if you infected that you can not even load the mcaffee website and your only way to unifect your pc is to rebuild as we chose to do rather than there be any risk.

  After making sure that none of our pc’s were infected we cleand any sites that had the code in the html / shtml/ php and js files and then changd every single ftp password username we had ever had access to.

  It was a huge job, but better safe than sorry.

• 42 Watt // May 18, 2009 at 11:00 am

  Does anyone knows how to search and remove the javascript code from all the pages? I don’t understand what grep is doing and what is the pearl script that is supposed to do this and how it works.
  A step by step tutorial for noobs would be apreciated
  Thanks!

• 43 gerold // May 18, 2009 at 4:58 pm

  @Watt – grep and perl commands were used to search and replace the injected codes, and you can use them if you have ssh/shell access to your site. If you are familiar with php you can create your php script to search for those strings.

  The virus are just plain html or php codes inserted to your files so you can easily search and delete those lines. If you’re not familiar with the above procedures you can do it this way:

  • Download all your source codes via FTP, SFTP (recommended if available), or a tarball/compressed format or backup.
  • Search or use “find in files” for the virus codes using your editor. Usually it is on the following format(below), but the number sequence may vary as the results point to different domains, not just the siplank.com.
    HTML/Javascript Files: <script type=”text/javascript”>eval(String.fromCharCode(118,97,114…
    PHP Files: <?php echo ”; ?><?php echo ”; ?><?php echo ‘eval(String.fromCharCode(118,97,114…

  Note: Before performing the clean up be sure to change your all your FTP passwords and try to use SFTP if it is available.

• 44 Mike // May 19, 2009 at 10:02 pm

  I have faced the same problem. i made format to my pc 5 times, i bought a new laptop to try and see if the problem from my pc, and i have uploaded empty html page with filezilla, few mins later i saw that i have addidional this iframe malaware, what pissed me is that i saw my site on google saying that my site is malaware.

  hell this is giving me headaches

• 45 Watt // May 21, 2009 at 11:53 am

  This is hard for a noob. Can someone create this perl script to scan an entire folder and also explain how it works (runs)?

• 46 IFrame Malware Script « Michael Jay Cantrell // May 29, 2009 at 9:02 pm

  [...] This is used to write an iFrame to your site that links to malware. It seems the internet has been abuzz lately over this. The most useful link I’ve found is this one. [...]

• 47 Andrew Benitez // Jun 2, 2009 at 5:39 pm

  I also removed write permission for Admin. I’m hoping this will fix the issue.

  It’s so annoying to have this issue with ALL of my PHP sites.

• 48 kerwin // Jun 3, 2009 at 3:05 am

  im having same problem as well and it’s annoying..

  avira didnt detected the virus kaspersky did..

• 49 Eric DB // Jun 6, 2009 at 4:15 pm

  Wow! This is what I was looking for, thanks so much for posting these helpful scripts.

  I had to change the regex to get it to work with my particular situation. Posting here in case someone else might enjoy:

  #!/bin/bash
  grep -Z -R “eval(String.fromCharCode(118,97″ /path/to/site/* >> affected_file_list.txt

  while read line
  do
  echo “Cleaning: ” $line
  perl -pi -e ’s/\eval\(String\.fromCharCode\(.+\//g’ $line
  perl -pi -e “s/\//g” $line
  done < affected_file_list.txt
  echo “Done”

• 50 MK // Jun 8, 2009 at 5:15 am

  I have faced the same issue of accessing the site and getting a warning message instead of the original page. Most probably the issue will be with iframe . In my case also there were iframe entries but they were valid entries.

  After checking further only i realised that some of the files of the site was using another Urls in the code. These other Urls are infected (which are not hosted on our server ) and thus our site is infected :/

  Removing those Urls resolved the issue

• 51 Murat Demirten // Jun 13, 2009 at 11:15 am

  I’ve just a simple ruby script, it uses nokogiri gem and parse files as xml, so alternative-multiline writings of script or iframe codes can be catched and corrected, maybe it can helps for someone too:
  http://linux-tips.org/article/97/multi-conditional-search-and-replace-clearing-a-ftp-trojan-script-example

• 52 ArKu Studio // Jun 19, 2009 at 2:58 am

  Well, first of all, sorry for my bad english.

  I work on a company which is based on web technology, and we was working on 5 sites on Monday, and all those 5 sites was infected what which not can say for other clients ( they are not infected ). We have scanned our PC-s with Kaspersky, BitDeffender, Norton Internet Security and Norton Antivirus, AVG, Avista, Mcaffe and Nod and non of them find a virus on our PC-s.

  Can anyone tell me CLEARLY is the problem in our PC-s or where is this problem.

  ps. also we have changed the FTP passwords but no susses yet

• 53 gerold // Jun 21, 2009 at 11:43 pm

  @ArKUStudio – based on discussions and comments above, I think it’s better if you cleanup your sites/codes, change ftp passwords, and scan pc’s of those who have access to ftp. Then after that monitor your site if the virus return then check the ftp logs. Also, review file/directory permissions if they world-writable.

• 54 Chris // Jul 6, 2009 at 8:25 am

  Hello ,

  It seems kaspersky is blocking my companys website due to a trojan.

  Can anyone tell me if it actualy is infected ? We will need to fix it asap if so.

• 55 gerold // Jul 7, 2009 at 7:49 pm

  @ Chris – if you receive an Trojan alert on Kaspersky when you visit your site, it’s infected – you need to check your codes for new lines added or replaced.

Leave a Comment