
iframe injection attack that changes the permissions of files

Posted by romanfed, 04-03-2010, 11:00 AM
Hi! My sites are under an iframe injection attack. I can't understand what hole in the server/apps they use to insert their own code. I have tried changing the owner to the root user and removing write permission from group and other for some web files, but the permissions were changed and the code was inserted again and again. It gets inserted every few hours. The only temporary solution I have found is to remove the injections with a shell script which is run automatically by crond every 5 minutes.

It injects different codes that refer to the following sites: ratingyahoo.org, top100mail.org, averzameling.com

I have not found any rootkits, php shells or other strange files. All passwords were changed. mod_security is installed. No file changes were recorded via ftp. The only idea left is that the server itself runs some native Linux virus code that makes the injection. How can that be possible? Does anybody know / have experience with similar issues? How do I clean it up to stop new injections?

bash-3.2# cat /etc/redhat-release
CentOS release 5.4 (Final)
bash-3.2# uname -a
Linux 2.6.18-prep028stab062.3 #3 SMP Fri Jun 12 04:26:45 MSD 2009 i6x
bash-3.2# apachectl -version
Server version: Apache/2.2.3
Server built: Mar 27 2010 13:52:45

Posted by klikli, 04-03-2010, 01:13 PM
Maybe holes in your PHP scripts. What are those PHP scripts?

Posted by Dustin B Cisneros, 04-03-2010, 01:22 PM
That sure seems like the Gumblar exploit. You could have downloaded/installed a dirty script. Someone else on the server could have done the same and it overwrote several files on the server. Most things like this have back doors, so you should make sure you found them all. The best way to fix this is to upload a backup! Make sure you remove all those iframes as well.

Posted by romanfed, 04-03-2010, 01:46 PM
Yes, maybe, but how can PHP scripts running under the apache user change the permissions of files owned by root with permissions 640? I specifically changed the owner and permissions to protect the files from being updated by anything running under apache/php.

Posted by klikli, 04-03-2010, 01:47 PM
Sorry, I haven't read all your words.

Posted by Sileep Kumar M S, 04-05-2010, 02:54 AM
I guess those sites are CMS like WordPress/Joomla! Please secure your CMS installations first. Google will guide you to secure your CMS, just search!

Posted by romanfed, 04-05-2010, 03:15 AM
No, the sites do not use WordPress/Joomla. The main question is how it modifies the permissions of a file which apache/php does not own.

Posted by Sileep Kumar M S, 04-05-2010, 03:42 AM
Maybe some malicious scripts are running on your server. Check the cron jobs for all users. Check all user-owned files in /tmp.

Posted by madaboutlinux, 04-05-2010, 04:44 AM
The malicious files are mostly uploaded under the home directory of the websites themselves OR under /tmp, and these files are executed regularly to inject the website files. I would remove everything from the website's home directory and upload the website files again. Also check /tmp and /dev/shm/ to see if any malicious files reside there. Also make sure to disable the PHP functions which are used to execute server-side commands. Check the current processes on the server to see if any malicious process is running.
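The checks the replies suggest (cron jobs for every user, /tmp and /dev/shm, the process list) and the poster's own question (root-owned 640 files that still change) can be put into one script. The script below is an added example, not the poster's cron job and not anything from this thread. It assumes the web root is given on the command line, uses the three domains the poster listed, and relies on GNU coreutils (stat -c, sha1sum) as shipped with CentOS 5; the file names in the usage are constructed.

```bash
#!/bin/bash
# Added example, not the poster's cron script. Assumed (not stated in the
# thread): the web root is given on the command line, the three domains are
# the ones the poster listed, and GNU coreutils (stat -c, sha1sum) are
# present, as on CentOS 5.

# Domains the poster saw the injected iframes pointing at.
INJECT_DOMAINS='ratingyahoo\.org|top100mail\.org|averzameling\.com'

# An iframe whose src refers to one of those domains, plus its closing tag.
IFRAME_RE="<iframe[^>]*src=[^>]*($INJECT_DOMAINS)[^>]*>[[:space:]]*(</iframe>)?"

# find_injected WEBROOT : print every web file containing such an iframe.
find_injected() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' -o -name '*.js' \) \
        -exec grep -lE "$IFRAME_RE" {} + 2>/dev/null
}

# count_injected WEBROOT : how many files are currently injected.
count_injected() {
    find_injected "$1" | wc -l | tr -d ' '
}

# clean_file FILE : strip the injected iframe(s), keeping a copy for analysis.
# The cleaned content is written back through the existing inode (cat > file),
# not mv'd over it, so the root ownership and 640 mode the poster set survive.
clean_file() {
    local f=$1 tmp
    tmp=$(mktemp) || return 1
    cp -p "$f" "$f.injected.bak"
    sed -E "s#$IFRAME_RE##g" "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# snapshot WEBROOT : one line per file, "owner:group:mode sha1 path", sorted.
# Store the result where the apache user cannot write. Owner and mode are
# recorded next to the hash because the thread's symptom is that root-owned
# 640 files change permission, not only content.
snapshot() {
    find "$1" -type f -exec sh -c '
        for f; do
            printf "%s %s %s\n" "$(stat -c %U:%G:%a "$f")" "$(sha1sum "$f" | cut -d" " -f1)" "$f"
        done' sh {} + | sort
}

# changed_since BASELINE WEBROOT : print paths whose owner, mode or content
# differ from the baseline file (new and deleted files included);
# exit status 1 if anything differs, 0 if the tree is untouched.
changed_since() {
    local base_s now_s rc=0
    base_s=$(mktemp) && now_s=$(mktemp) || return 1
    sort "$1" > "$base_s"
    snapshot "$2" > "$now_s"
    if ! cmp -s "$base_s" "$now_s"; then
        comm -3 "$base_s" "$now_s" | awk '{print $NF}' | sort -u
        rc=1
    fi
    rm -f "$base_s" "$now_s"
    return $rc
}

# audit_host : the host-level checks suggested in the replies, in one place
# (run as root): every user's crontab, the system cron directories, files in
# /tmp and /dev/shm, and the process list for anything unexpected.
audit_host() {
    cut -d: -f1 /etc/passwd | while read -r u; do
        crontab -l -u "$u" 2>/dev/null | sed "s/^/cron[$u]: /"
    done
    ls -la /etc/cron.d /var/spool/cron 2>/dev/null
    find /tmp /dev/shm -type f -ls 2>/dev/null
    ps -eo user,pid,ppid,etime,cmd
}

# Usage: injection_check.sh WEBROOT [BASELINE]
# With no arguments the script only defines the functions above.
if [ $# -ge 1 ]; then
    find_injected "$1"
    if [ $# -ge 2 ]; then
        changed_since "$2" "$1"
    fi
fi
```

Take the baseline with snapshot right after a clean restore, keep it outside the web root and readable only by root, and run changed_since from the same 5-minute cron the poster already has. The point of recording owner and mode is the poster's question: if a file that apache cannot write to still shows up as changed, the writer is not PHP under the apache user, so the search moves to whatever runs as root (cron, a daemon, a rootkit). The kernel string in the first post (2.6.18-...stab...) follows the OpenVZ/Virtuozzo naming scheme, so the server may be a container whose host node can modify its files from outside; that is an observation about the kernel name, not something the thread established, and it is worth ruling out with the hosting provider.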


