Atomic Secure Linux
All times are UTC - 5 hours [ DST ]

Post subject: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Tue Feb 17, 2009 8:54 pm
Forum User

Joined: Tue Jan 15, 2008 9:01 am
Posts: 26
Hello,

I'm running a server with Plesk 8.3, CentOS 5.2, ASL (kernel 2.6.26.6-1.art.i686, mod_security-2.5.7-1, etc.) and PHP 5.2.6.

I have one site hacked, and I can't find out how it was done.

All index.* files now have an iframe injected after the body tag.

The files are not world writeable, and the owner is the site user (plesk default)

The iframe contains this src: "http://bestlotron.cn/in.cgi?cocacola60"

I have looked at every log file I could remember, but I didn't find any clue (no FTP, no file injection in PHP pages, etc).

There are no mod_security log entries that could possibly be related to this issue either.

I'm wondering if the problem is related to the PHP version, or to some PHP setting, plus some flaw in the pages' PHP code.

Any help will be welcome.

Thank you.
Alexandre


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Tue Feb 17, 2009 9:25 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
The first thing to do is to look at the time stamps on the files and then look at who logged in at those times. Every iframe case we have dealt with was a straight login to the system through FTP or SSH, where the attacker simply stole a password via a keylogger on a desktop.

Let us know what you found, and if you need our team to log in to your box, please let us know. If you prefer to do this via email, please send an email to support@atomicorp.com.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Sat Feb 21, 2009 5:28 am
Forum User

Joined: Fri Feb 06, 2009 9:19 am
Posts: 38
Which site is it? And what do you have on it?


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Sat Feb 21, 2009 10:45 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
As an aside, so far 100% of the cases we've seen with this happening have been straight logins by the bad guys. If you find an iframe at the bottom of a file, that's the MO for that kind of login: they steal a username/password from a user's desktop with a keylogger, then hit the user's sites (because, again, the keylogger told them what they logged into), and they just feed all these site + username/password combos into a script and put their junk on the bottom of all the index.php and index.html files. In short, it's not really a hack, that is to say it's not a vulnerability in the technical sense; it's a very simple attack on the user's site by just logging in with the user's legitimate account. Not much you can do about that without getting into setting up rules to limit what IPs that user can come from, rules on the time they log in, etc.

We're working on a one-time password add-on for ASL that can help to protect your users from password theft. No timeline on when that will be available; we'll post more when we have something to share.

In the meantime, if you see this for only ONE of your vhost sites, you can be pretty sure it's that someone just logged into that site and changed its files, and not that the box was hacked or otherwise broken into.

_________________
Michael Shinn
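Putting the two staff posts above together, the "timestamps first, then who logged in at those times" check and the MO of an iframe appended to the bottom of index.* files, here is an added triage example. It is not code from this thread or from Atomicorp. It assumes the FTP log is in the wu-ftpd xferlog format that ProFTPD writes by default, that SSH logins are OpenSSH "Accepted ..." lines from /var/log/secure (syslog drops the year, so it is passed in), and that the vhost layout is Plesk's /var/www/vhosts/<domain>/; every path, user name, IP address and log line in it is constructed. It flags files whose iframe src points off-site (relative and own-host iframes are ignored), records whether the tag sits after </html>, lists the uploads and logins within a window of those files' mtimes, and groups the affected files by vhost so the "only one vhost hit" rule of thumb can be applied.

```python
"""Added example: triage an appended-iframe defacement by correlating the
modified files' timestamps with FTP uploads and SSH logins around that time.
Not from the thread or from Atomicorp; all sample data below is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# OpenSSH "Accepted" lines as syslog writes them to /var/log/secure (no year).
SSHD_ACCEPT = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

# Constructed sample: path -> (mtime, contents); both index files carry the iframe.
SITE_FILES = {
    "/var/www/vhosts/example.com/httpdocs/index.php": (
        datetime(2009, 2, 17, 20, 40, 11),
        '<html><body><p>Welcome</p></body></html>\n'
        '<iframe src="http://bestlotron.cn/in.cgi?cocacola60" width=1 height=1></iframe>\n'),
    "/var/www/vhosts/example.com/httpdocs/news/index.html": (
        datetime(2009, 2, 17, 20, 40, 13),
        '<html><body><iframe src="http://bestlotron.cn/in.cgi?cocacola60"></iframe>News</body></html>\n'),
}
# Constructed wu-ftpd style xferlog (the format ProFTPD writes by default) and secure log.
XFERLOG = """\
Tue Feb 17 20:40:11 2009 1 203.0.113.7 1534 /var/www/vhosts/example.com/httpdocs/index.php a _ i r examplecom ftp 0 * c
Tue Feb 17 20:40:13 2009 1 203.0.113.7 2210 /var/www/vhosts/example.com/httpdocs/news/index.html a _ i r examplecom ftp 0 * c
Mon Feb 16 09:12:44 2009 2 198.51.100.20 44021 /var/www/vhosts/example.com/httpdocs/photos.zip b _ i r examplecom ftp 0 * c
"""
SECURE = """\
Feb 17 03:15:01 web1 sshd[3901]: Accepted publickey for root from 192.0.2.5 port 40000 ssh2
Feb 17 20:39:58 web1 sshd[4120]: Accepted password for examplecom from 203.0.113.7 port 51022 ssh2
"""

@dataclass
class Event:
    time: datetime
    kind: str    # "ftp-upload" or "ssh-login"
    user: str
    ip: str
    detail: str  # uploaded path, or the SSH auth method

def find_injected_iframes(html, own_hosts):
    """(src, placement) for each iframe pointing off-site; relative and own-host srcs are skipped."""
    end_html = html.lower().rfind("</html>")
    hits = []
    for m in IFRAME_SRC.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname
        if host is None or host in own_hosts:
            continue
        placement = "after </html>" if end_html != -1 and m.start() > end_html else "inside document"
        hits.append((src, placement))
    return hits

def parse_xferlog(text):
    """Completed uploads (direction 'i', status 'c') from xferlog; filenames there never contain spaces."""
    events = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 18 and f[11] == "i" and f[17] == "c":
            ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            events.append(Event(ts, "ftp-upload", f[13], f[6], f[8]))
    return events

def parse_secure(text, year):
    """Successful sshd logins; the year is supplied because syslog omits it."""
    events = []
    for line in text.splitlines():
        m = SSHD_ACCEPT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, "ssh-login", m.group(3), m.group(4), m.group(2)))
    return events

def vhost_of(path):
    m = re.search(r"/vhosts/([^/]+)/", path)  # Plesk layout: /var/www/vhosts/<domain>/...
    return m.group(1) if m else None

def triage(files, xferlog, secure, year, own_hosts, window=timedelta(minutes=15)):
    """Flag files with off-site iframes, then list uploads/logins within `window` of their mtimes."""
    affected = {}
    for path, (mtime, html) in files.items():
        hits = find_injected_iframes(html, own_hosts)
        if hits:
            affected[path] = (mtime, hits)
    mtimes = [mt for mt, _ in affected.values()]
    events = parse_xferlog(xferlog) + parse_secure(secure, year)
    related = [e for e in events if any(abs(e.time - mt) <= window for mt in mtimes)]
    related.sort(key=lambda e: e.time)
    return {"affected": affected, "related": related, "vhosts": {vhost_of(p) for p in affected}}

if __name__ == "__main__":
    r = triage(SITE_FILES, XFERLOG, SECURE, 2009, {"example.com", "www.example.com"})
    print("affected vhosts:", r["vhosts"])
    for e in r["related"]:
        print(e.time, e.kind, e.user, "from", e.ip, e.detail)
```

On the constructed data the only events in the window are an SSH login and two uploads for that one vhost's own account from a single address, which is exactly the stolen-password pattern described in this thread; the natural next check is whether that same address shows up for other accounts on the box.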


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Sun Feb 22, 2009 10:30 am
Forum User

Joined: Tue Jan 15, 2008 9:01 am
Posts: 26
Hello,

Thank you all for your updates.

In fact I already had another case a couple of months ago.

At that time I made a similar search and didn't find anything either.

I assumed that the problem was related to the user's computer (files changed locally on that computer) or to a compromised password.

I asked the client to change his password and check his computer for viruses.

But now I have another case with the same pattern (but with a different "virus"): some pages within a site with some added content that shows a virus warning on my computer every time it is loaded (I'm using Avast AV).

That's why I'm concerned about this issue, since I couldn't determine for sure what really happened in both cases.

Thank you.
Alexandre


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Mon Mar 02, 2009 7:48 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Would you like us to take a look at your logs?

_________________
Michael Shinn


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Tue Mar 03, 2009 9:56 am
Forum User

Joined: Tue Jan 15, 2008 9:01 am
Posts: 26
Hello Michael,

Yes, it would be very nice.

I have already granted access (installed your ssh keys) and sent the server information to our support email a couple of weeks ago.

If you don't have this information anymore I can send it again.

Thank you.
Alexandre


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60
Posted: Tue Mar 03, 2009 7:31 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Yes, please send a heads up to support@atomicorp.com and we can take a look at it tomorrow.

_________________
Michael Shinn


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Thu Mar 05, 2009 10:29 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
As a follow-up for anyone else interested in this one: it was a simple case of the user's password having been stolen, and the bad guys just logged into the account and added the iframes to the end of the PHP files. No vulnerability in the system.

_________________
Michael Shinn


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Thu Mar 05, 2009 11:35 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Thanks, that's good to know.

I'm sure zooming is relieved about that too!

Faris.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Thu Mar 05, 2009 12:40 pm
Atomicorp Staff - Site Admin

Posts: 7425
Location: earth
Another follow-up on this: some of my counterparts in the cPanel community told me that there is a botnet that is automating this. They've had over 1000 separate domains get caught by this same exact attack. Looks to me like malware is owning desktops and looking for people who store FTP credentials for hosting environments specifically.


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Thu Mar 05, 2009 1:09 pm
Forum Regular

Joined: Mon Apr 10, 2006 12:55 pm
Posts: 656
scott wrote:
Another follow-up on this: some of my counterparts in the cPanel community told me that there is a botnet that is automating this. They've had over 1000 separate domains get caught by this same exact attack. Looks to me like malware is owning desktops and looking for people who store FTP credentials for hosting environments specifically.


Sounds very similar to what happened to auctiva.com a couple of weeks ago. The Chinese are getting some nasty hacks in.


Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Fri Mar 06, 2009 9:20 am
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Yeah. A large proportion of the attacks that I look into (as opposed to the ordinary ones that happen every few minutes) are from China at the moment. We are considering blocking China completely, having already done so for certain other hotspots (though those are mostly skiddie hotspots rather than the real blackhat crowd).

Faris.



Post subject: Re: Site Hacked - PHP Iframe Exploit - cocacola60 [SOLVED]
Posted: Fri Apr 03, 2009 1:27 pm
Forum User

Joined: Tue Jan 15, 2008 9:01 am
Posts: 26
Just for the record, the client has changed his password and I haven't had any other incident since.

Thank you!
Alexandre

