Script Injection:

carvedhearts
New Member
Posts: 9
Joined: Sun Dec 02, 2007 5:19 pm

Script Injection:

Post by carvedhearts »

Hello,

I have a web site that appears to have a malicious script being injected which is setting off virus scanners. The following code is being included in the output of my site, which is not in my templates:


xxxxxxxxxxxxxxx
The site is at: http://www.yodarkroom.com

I am running ver 1.2
Last edited by Rolf on Mon Apr 02, 2012 7:17 am, edited 4 times in total.
Reason: removed hacked code
Nullig
Power Poster
Posts: 2380
Joined: Fri Feb 02, 2007 4:31 pm

Re: Script Injection: "Yahoo Counter"

Post by Nullig »

Upgrade to the latest version.

Nullig
SandyFranklyn

Re: Script Injection:

Post by SandyFranklyn »

This is starting to go around. It's coming from Latvia and it's on the server side. It attacks sites that use php, cms, forums, and blogs - and probably more but I don't know yet. It is rerouting your site to xxxxxxx. It will eventually extract your username and password from CMS. It will route everyone using a search engine to find your site to their site and infect their computer. Next, you'll see pop-unders for places like xxxxxxxxxxxx and others. I don't remember the exact URLs. Not that it matters. Make sure your Malware is up to date. Some antivirus software isn't even picking it up.

I'm telling you this because our company just went through it and we're not out of the woods yet.

You'll notice that if you strip out the fake Yahoo Counter and reload your page, it will magically reappear on your page. In fact, on ALL your pages.

It’s a virus (or something of a malicious nature).

It’s a JavaScript that has a very complex code that appears to be referencing an ip address or multiple ip addresses. I believe a site is vulnerable to this new attack through improperly set permissions on files. Yahoo clearly doesn’t make a counter script like this in any way. Also, the script shows up in many different locations (in the code) throughout various sites, which also points to the fact that it’s an automatically generated script.

My suggestion would be to get rid of the script and check the file and folder permissions on that site.
Last edited by Rolf on Fri Sep 21, 2012 12:55 pm, edited 1 time in total.
Reason: removed links
Pierre M.

Re: Script Injection: "Yahoo Counter"

Post by Pierre M. »

Hello,

for the record :
security small guide
recovering from an exploit

Pierre M.
DrDoom

Re: Script Injection:

Post by DrDoom »

Wow, this is unbelievable

I have been searching the net for Yahoo Counter problems and solutions for the past couple of days since my site has also been infected and have run across several other users with the same issues and have discovered that we all have the same web hosting company, IXwebhosting.com (I looked up your domain name, Carvedhearts)

After much discussion with other users, we feel that the hoster has some type of security problem or infected server hoster that has allowed Yahoo Counter to spread to our websites here recently

I don't want to come off as bashing this company, but a lot of us are having difficulty motivating IXwebhosting to acknowledge they have a problem.

Here are some of the other threads I have run across from other IXwebhosting customers with this issue:
xxxxxxxxxx

xxxxxxxxxx
Last edited by Rolf on Mon Apr 02, 2012 7:18 am, edited 2 times in total.
Reason: removed hacked code/links
carvedhearts
New Member
Posts: 9
Joined: Sun Dec 02, 2007 5:19 pm

Re: Script Injection: "Yahoo Counter"

Post by carvedhearts »

I received a message from the hosting company today, which, as Dr. Doom pointed out, is having problems with this attack across the board. I am not sure of the accuracy of their claims, but it is something to be aware of. If it is true, be careful of your clients saving their FTP credentials, etc.

Here is the message from the hosting company:
In our ongoing commitment to the security of our customers, we have
discovered a vulnerability located within many of our client's websites,
including yours. This is a self replicating virus which is found by visiting
well-known search engines. When you click on any link it may redirect you to
a fake Anti-Virus 2009 website which appears to scan your system and then
asks you to download the software. Once downloaded and installed it begins
displaying pop ups on your desktop. At this time it collects your FTP user
name and password from your own computer and uses that information to upload
an exploited file named ".htaccess" to your website. Any visitors to your
website will then be redirected to the fake anti-virus website.

We have dedicated our systems administration team to finding a solution to
this and are happy to say that as one of the first hosting companies we have
successfully cleaned all instances of this virus from our servers more than
a week ago, and are continually scanning them to ensure your site does not
become re-infected.

While your website is now secure, your computer may still be at risk. Here
are two easy steps that will detect and remove this malicious software from
your computer and make sure your website will not spread the virus again:

1. Uninstall the fake Anti-Virus software by following the instructions at
this link:
http://www.bleepingcomputer.com/malware ... virus-2009

2. Once removed, change your FTP password from within your web hosting
control panel. Once logged in, click on the FTP Manager icon and then on the
icon next to the password to change it.

To illustrate the severity of the issue I would like to share some facts
with you:

  * 26,991 of our customers have been infected with fake Anti-Virus 2009
  * 79,469 websites have been spreading the Anti-Virus 2009 infection
  * 120,923 malicious files have been removed from our system
danthemanjones

Re: Script Injection: "Yahoo Counter"

Post by danthemanjones »

There are several variants of this virus. It is the most complex virus and code I have ever seen. I had ten of my sites infected with it at one point. Finally got it resolved though.

Changing your password will do nothing to stop the virus. There are already .php files,.htaccess files and malicious javascript ALL over your site all working together. The virus has a backup plan. If you don't delete all the injected javascript, and foreign .php files and the .htaccess files it will just come back. Oh yeah, the .php files on your server that you probably don't know about are able to change a file or folder to whatever permission it wants.

Luckily for me, my hosting company had a script that went through all my files on the server and removed the javascript. They also used another script to check for file and folder permissions that were set to 777 by the virus.
UDPride
New Member
Posts: 5
Joined: Fri Dec 19, 2008 4:36 pm

Re: Script Injection: "Yahoo Counter"

Post by UDPride »

I am hosted by IXWeb Hosting as well and run VBulletin and VB Advanced. Can all of us who are suffering this issue and use IXWeb band together to help solve one another's problems?

I've noticed when I deactivate VB Advanced the problem goes away and the code is not there. Likewise with everything running, the malicious code is not in my VB templates.

I did notice a few of my folders were 777 permissions including the modules and cache folder.

I really need help with this. I did get that aforementioned email response listed above from IX, but when I got a hold of them, they indicated this Yahoo issue was a different issue and was on MY end.

I'm not convinced it's on my end. I never had any hack or trojan issues until this and if a lot of IXWeb people are running into the problem, it sounds like it could be a vulnerability the hosts have they encouraged this.

First and foremost however, what files and folders and bad code do I need to look for and delete???? I've heard suggestions on how to prevent hacks AFTER the fact on other web sites, but nothing seems to be focusing on how I resolve this issue right now.

Is it safe to say any VB and VBA files/folders should be 777 folder and 644 file? Would there be any exceptions to this?

I'd really like some help on locating/removing the bad files and tag teaming the problem with others affected. Others can email me at chris@udpride.com if you wish. Thanks.
UDPride
New Member
Posts: 5
Joined: Fri Dec 19, 2008 4:36 pm

Re: Script Injection: "Yahoo Counter"

Post by UDPride »

More info for those affected...

IX Web doesn't have a script I know of, or won't tell us about it if they do. Just more info on the virus itself:

Look for an .htaccess file somewhere. May take some looking. Likely in that same folder is an index.htm file with a hacked message about George Bush's militarism and other gibberish. I can supply a TXT of the htm if you like. You obviously need to delete these files.

Also, you are going to have to look through most of your major PHP files in VBulletin (or whatever other forum you use). It likes to pick on the config files, admin files, and cache files (in all of your cache folders no matter where they reside -- I had several).

The script dumps a bazillion lines of code at the end of these PHP files as another PHP script to execute. I must have deleted it from 85-100 or so. Download file, delete the gibberish, upload file. Not knowing exactly if this was malicious code or VB PHP code I couldn't decipher, I renamed a file to _hold, downloaded and removed the gibberish and re-uploaded and the forum was fine. So I deleted the file on hold. Painstaking process.

I also went through and changed some permissions on folders to 755. I had a couple that were 777 and I'm not sure I ever remember setting them to that. Also checked VB files and changed a few back to 644. Again, I'm not convinced they were wrong from the beginning. I usually keep good oversight on this stuff.

Right now, the Yahoo Counter code seems to be removed from my footer, however it's still located on most pages in my META DESCRIPTION tag as a script at the very end of my own words. I'm hoping since it's here and not in the body tag, it's not executable and just a nuisance search engine issue at this point. VBulletin doesn't have a META DESCRIPTION field as far as I know -- at least not when I looked. Only META KEYWORDS.

So right now I'm working on trying to remove it here.

I've since changed all the passwords on my VB Control Panel who have admin access and changed my FTP password again. I will also be changing my database password in the a.m. Maybe these will have no effect but certainly can't hurt.

If anyone has more info on this or can speak up about IX Webs action, please tell us all.
scatrbrain

Re: Script Injection: "Yahoo Counter"

Post by scatrbrain »

After running into these forum posts during research for a friend whose computer is infected with this, I have also found this code in the bottom of my IX hosted phpbb3 forum pages. I'm getting ready to contact IXwebhosting


*update 12-21-08*
IX webhosting was no help. I'll paste their response at the bottom of this modified post.

I discovered that my php chat room (x7chat2_0_5_1) also had the Yahoo Counter code in it as well. My folder permissions were set to the letter from the phpbb3 docs, I have the latest version of phpbb3 (I'm sorry, I know that this site has nothing to do with phpbb but I thought this info might help someone because it has to do with my database and prefix extensions as well.)

>>>I deleted all my phpbb3 files, reinstalled it fresh and everything was clean. As soon as I edited the config.php to point back to the old table prefix, the code was back again.<<<

Last night I changed all my passwords per IX suggestion (even though I'm pretty sure it's got nothing to do with that) and fortunately my forum was brand new, so I deleted the entire database and started with a new one, reinstalled phpbb3 again last night, this morning it's still clean, but I have a clean back up of the forum and database. We'll see what happens now.

So in my case.. and even though IX support told me that it's impossible for this to come from the mysql database, it appears to have been re-infected by the database somehow.


Here was the response i got from IX trouble ticket:

Dear Robert.
Thanks for using our services.

Let me express the most sincere apologies according to the inconveniences you have faced. But, please, note that most of hackers' attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc..) we are keeping up-to-date and protected. Anyway, it is strongly recommended to review everything that you have in website folder and check web server logs to determine the way you may protect your application against further intrusions. If you have any widely-used software installed, check the vendor site for recent updates or security fixes.

The attack that happened to your sites could be made via an FTP access to your account. Unfortunately, we don't suggest secure FTP connection, for the reason of shared hosting. Please, could you change the FTP passwords under FTP MANAGER icon -> opposite to password field click on Edit. Please, take all of the appropriate measures to prevent other people access your FTP account and use your FTP login information.

Well, what could be done to prevent it from happening again? Please note that most of hackers' attacks are usually done through vulnerabilities of website software which you are using (like forums, blogs, CMS, any other php-based applications). We cannot keep them secured as we are not the developers of such kind of software. From our side, all server-side software (web services, FTP services, etc..) we are keeping up-to-date and protected.

So, It is strongly recommended to review everything that you have in website folder and try to determine the way you may protect your applications. For example, If you have any widely-used software installed (forum, blog, etc.etc.), check the vendor site for recent updates or security fixes.

Please also note that your files are located on the Linux-based server and you are able to change file/folder permissions so make sure you do not have any "open" files/folders with write permissions set for all.
So please check if any folders have full granted permissions 777 set, which means that it's world-writable for anyone from the Web. Recommended permissions are 755 or 644.
For solving this issue we can try to restore your site from our backups. Also please change your FTP password. This will also help you in solving such problem.
Kind regards,
Dmitry Pavlov
Technical Support
24/7 Live Chat
Last edited by scatrbrain on Sun Dec 21, 2008 7:10 pm, edited 1 time in total.
UDPride
New Member
Posts: 5
Joined: Fri Dec 19, 2008 4:36 pm

Re: Script Injection: "Yahoo Counter"

Post by UDPride »

Yep it's at the bottom near your footer. Also perhaps in the Meta Description (which from some reports is buried in the actual database and not in the PHP files).

I think the fact that this intrusion happened across platforms (VB, VBA, phpBB, Wordpress, others) and happened mostly on the same ISP tells me it was an ISP vulnerability. I actually live in Dayton which is 50 miles from IX's Columbus hosting center (I think they moved from KY last year). After a stern note advising they need to accept responsibility for this and that I was only 50 miles away and may need to make a personal visit, they gave me the canned response that "they were working on it and it would be resolved ASAP."

So who knows. My issue isn't so much the fact that IX Web got compromised. Nobody is perfect. In two years, I've been a fairly happy customer. Sometimes the database takes a short nap on me, but other than that I've had far worse (I have some nightmare ISP stories that would make you rethink doing ANY web work). My issue is IX has not come straight out and accepted responsibility for it and owned the problem. To me, that's worth MORE than had there never been a mistake to begin with. Anybody can be a good ISP when things are all sunny, but how do they handle adversity? Playing it off on customers when pretty much a consensus is made that it was not the customers being careless is not a solid business approach.
JeremyBASS

Re: Script Injection: "Yahoo Counter"

Post by JeremyBASS »

just out of concern... are all of you up to 1.5.1... seems from reading that all have been affected on the same server but not running the version with the latest fixes.. just wondering....
UDPride
New Member
Posts: 5
Joined: Fri Dec 19, 2008 4:36 pm

Re: Script Injection: "Yahoo Counter"

Post by UDPride »

V 1.5.1 of what?

This hack was a nasty one. Michael at VBPlusMe.com helped me get out of a jam and clean things up. I couldn't have asked for better assistance. If you continue to run into trouble or get ISP runaround, see if he can give you a hand. I posted pretty much the same thing on that forum I posted here. Whatever info I can also offer, I'm happy to. I want these scumbag hackers to die a slow painful death (and I want IX to get their act straight).

There is probably also an .htaccess file on your site somewhere and in that same folder you will find an index.htm attributable to these scumbags who dumped the code on you as their calling card. You'll need to remove those as well.

The PHP gibberish is at the tail end of dozens if not hundreds of your PHP files and TMPL files. Start with PHP files that relate to configurations.

Also, if you run VB Advanced, check your module PHP files. Most of those will probably have the gibberish as well.

Check your file and folder permissions. The hack may have changed them or exploited incorrect ones. 755 the folders and 644 the files. Michael indicates VB does not need any 777 folders to run (though add-ons might).

It's a painstaking process. The hacked code slows the sites down, sets off all kinds of bells and whistles with users' antivirus etc.

Also run MalWareByte (download free at Download.com) to scan your hard drive for any bad guys that may have jumped into your own machine.

Last thing is change your passwords. All of them.

Onward and upward.
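The two UDPride posts above (the "more info" one and this checklist) describe the same manual hunt: world-writable folders, a planted .htaccess with a calling-card index.htm beside it, and PHP/TMPL files with an eval(base64_decode(...)) blob appended. The script below is an added example written for this thread, not code from the thread, from vBulletin or from IX; it is a read-only triage pass you would run over a copy of the web root (or on the server via SSH) before deleting anything. The fixture it builds when run without arguments is constructed, and its base64 payload decodes to the harmless statement `echo 1;` so the decode step can be shown without running attacker code.

```shell
#!/bin/sh
# Added triage helper, not code from this thread or from any forum package.
# Usage: sh triage.sh /path/to/webroot
# With no argument it builds and scans a constructed fixture (see make_fixture).

# 1. World-writable directories and files (777 / o+w): the posts report the
#    intruder both exploiting and setting these.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 | sort
}

# 2. Every .htaccess plus the "calling card" index.htm / index1.html pages,
#    so unexpected copies in cache/ or modules/ directories get reviewed.
find_htaccess_and_stray_index() {
    find "$1" -type f \( -name '.htaccess' -o -name 'index.htm' -o -name 'index1.html' \) | sort
}

# 3. PHP and template files containing eval() over an encoded payload,
#    i.e. the appended "gibberish" described in the posts.
find_tainted_php() {
    find "$1" -type f \( -name '*.php' -o -name '*.tmpl' \) \
        -exec grep -lE 'eval *\( *(base64_decode|gzinflate|str_rot13) *\(' {} + | sort
}

# 4. Decode (never execute) the base64 argument so you can read what the
#    appended payload does before deleting it.
show_payload() {
    grep -oE "base64_decode\\([\"'][A-Za-z0-9+/=]+[\"']" "$1" \
        | sed -E 's/^base64_decode\(.//; s/.$//' | base64 -d
}

# Constructed fixture standing in for a compromised forum web root.
# The payload "ZWNobyAxOw==" decodes to the harmless PHP statement: echo 1;
make_fixture() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/includes" "$root/cache"
    printf '<?php\n$dbname = "forum";\n' > "$root/includes/config.php"
    printf '\n<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n' >> "$root/includes/config.php"
    printf '<?php\n// untouched file\n' > "$root/index.php"
    printf 'RewriteEngine On\nRewriteRule .* http://redirect.example/ [R,L]\n' > "$root/cache/.htaccess"
    printf '<html>hacked</html>\n' > "$root/cache/index.htm"
    chmod 777 "$root/cache"
    printf '%s\n' "$root"
}

if [ "$#" -gt 0 ]; then
    WEBROOT=$1
else
    WEBROOT=$(make_fixture)
fi
echo "== world-writable entries"; find_world_writable "$WEBROOT"
echo "== .htaccess and stray index pages"; find_htaccess_and_stray_index "$WEBROOT"
echo "== files carrying eval(base64_decode(...))"; find_tainted_php "$WEBROOT"
for f in $(find_tainted_php "$WEBROOT"); do
    echo "== decoded payload in $f"; show_payload "$f"; echo
done
[ "$#" -gt 0 ] || rm -rf "$WEBROOT"
```

Nothing here modifies the site: the listings are what you compare against a clean copy of the application before you start chmod-ing to 755/644 and trimming files. Decoding the payload with `base64 -d` rather than loading the page shows what it redirects to or writes without executing it, and any legitimate .htaccess the application ships will also appear in the second listing, so check each hit against the vendor package.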
rogerm
New Member
Posts: 5
Joined: Mon Sep 18, 2006 2:52 pm

Re: Script Injection: "Yahoo Counter"

Post by rogerm »

I have the same issue with a CMSMS (older version - 1.0.2) site hosted at hostexcellence.com in Columbus OH. Cleared out phony .htaccess file and deleted a file called "index1.html" in the modules directory and things cleared up - for awhile. Now the "yahoo" script is back. Also a nasty PDF thing where acrobat reader opens up and gets exploited (http://www.adobe.com/support/security/b ... 08-19.html ) Ouch, indeed.

I suspect the database at this point because I've deleted all the files and re-uploaded from a fresh copy of the original install files, but the "yahoo" script is back, though the PDF thing is gone for the time being.

-------------
Update:

Just cleared the database and re-populated it with earlier backup. Everything has cleared up for now - even with the site files restored (from back up on my hard drive). Am looking through the dump of the likely infected database to see if I can find what is being injected.

Meanwhile I have changed passwords for FTP, database, users etc and will check to see if they get back in. There are warning popups when going to the filemanager and PhpMyadmin via the hosting company control panel that say that some of the connection is not secure, so I wonder if the f**king hackers get in that way...
Last edited by rogerm on Mon Dec 22, 2008 10:03 am, edited 1 time in total.
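scatrbrain's reinstall (clean files, old table prefix, script back again), UDPride's note about the META DESCRIPTION living in the database, and rogerm's observation above all point the same way: the payload can sit in rows, not only in files. An added example, not from this thread or from phpBB/CMSMS, that scans a mysqldump offline for script and eval payloads and reports which tables need cleaning before the dump is reused; the dump it builds when run without an argument is constructed, with table names and a redirect host made up for the example.

```shell
#!/bin/sh
# Added database-side check, not code from this thread or from any forum package.
# Usage: mysqldump -u user -p forumdb > dump.sql; sh dbscan.sh dump.sql
# Work on the dump file, never by pasting queries into a web form.

# Report each table whose row data carries an injected script/eval payload.
find_injected_tables() {
    grep -iE '<script|<iframe|document\.write|eval\(base64_decode' "$1" \
        | grep -E '^INSERT INTO' \
        | sed -E 's/^INSERT INTO `?([A-Za-z0-9_]+)`?.*$/\1/' \
        | sort -u
}

# Show the matching lines (numbered, truncated) for manual review.
show_injected_snippets() {
    grep -niE '<script|<iframe|document\.write|eval\(base64_decode' "$1" \
        | cut -c1-160
}

# Constructed dump: a clean post row, a config row carrying the fake counter
# script (the site-description / META DESCRIPTION case) and a module row
# carrying a base64 eval. "ZWNobyAxOw==" decodes to the harmless: echo 1;
make_dump() {
    umask 022
    f=$(mktemp)
    cat > "$f" <<'EOF'
INSERT INTO `phpbb_config` (`config_name`, `config_value`) VALUES ('sitename','My Forum');
INSERT INTO `phpbb_config` (`config_name`, `config_value`) VALUES ('site_desc','Talk about film <script src="http://counter.example/yahoo.js"></script>');
INSERT INTO `phpbb_posts` (`post_id`, `post_text`) VALUES (1,'Welcome to the forum');
INSERT INTO `vba_modules` (`modid`, `template`) VALUES (3,'<?php eval(base64_decode("ZWNobyAxOw==")); ?>');
EOF
    printf '%s\n' "$f"
}

if [ "$#" -gt 0 ]; then
    DUMP=$1
else
    DUMP=$(make_dump)
fi
echo "== tables with injected rows"; find_injected_tables "$DUMP"
echo "== matching lines"; show_injected_snippets "$DUMP"
[ "$#" -gt 0 ] || rm -f "$DUMP"
```

Run it against the dump of the old database before pointing a fresh install at the old table prefix; a table that shows up here (typically the config/settings table or a module template table) is why a file-only cleanup keeps "magically" reinfecting the pages. Restoring from a backup taken before the first appearance of the counter, as rogerm did, is the simplest fix when one exists.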
UDPride
New Member
Posts: 5
Joined: Fri Dec 19, 2008 4:36 pm

Re: Script Injection: "Yahoo Counter"

Post by UDPride »

roger-

I experienced those Acrobat issues as well. Wasn't sure what they were from or if they were related. Sometimes browsers just kind of barf for no reason. So it sounds like that was a symptom too.

Don't hold me to this, but I ***think*** Host Excellence may be under the same umbrella as IX Web. I say this because IX Web moved their hosting facility from Hopkinsville, KY to Columbus last year. A bunch of fiber intersects in Columbus and Host Excellence somehow rings a bell with IX to me.

And, to corroborate one more thing you said, I'M ALSO getting the "some data in this connection is not secure" issue when going into my IXWeb control panel. To me, further evidence we may be talking under the same umbrella.

With some help I've determined the gibberish at the bottom of all those files (for me, it was PHP and TMPL files) was base64 code in a PHP script. Apparently to replicate itself. I don't even know what base64 is, I just know it's probably evil.

Do some searches to see if IX and H.E. are one and the same. Many ISPs relabel the same product. If so, we need to start gathering names and banding together to get them to plug this hole. I really believe they aren't going to do much if we just go after them one at a time. There's strength in numbers. My concern is they do nothing and the problem just returns. From everything I've read, folks believe it was a server level attack that then propagated to the accounts on that server running forums and CMS.

I want to also IP address restrict my FTP on my site, but I don't see that as an option in my control panel. I have a static IP where I live and there's no reason anybody else should warrant the ability to brute force it.