[consulting] Iframe tags placed on index.php files attack possible solution

rajasekharan websweetweb at gmail.com
Tue Aug 11 06:10:24 UTC 2009

Hello Drupalers,

You may have heard or even experienced the attack where some mysterious 
iframe tags are placed right after the
<body> and before the </body> tag in you index.php file, header.php, 
login.php and footer.php.
This even causes the php files to break as the iframe tags are placed 
randomly within the index.php file (failing to find the <body> tag) 
resulting in
php errors.

The attack causes your website to be blacklisted and marked as an attack 
site in the search engines. Even the web browsers
scare people away from visiting the site with nice blood red alert signs 
(not that I blame them).

This problem exists for users of all content management systems such as 
wordpress, phpbb, joomla, fauxBB and so on. I might have the solution to 
this problem.

The problem starts at the website owner's computer being infected with 
some virus. The virus listens to the FTP transactions and relays the
FTP information to someone else. Most attack victims have reported 
having used FileZilla so the virus may even be finding and reading
FileZilla's xml/registry database (or may simply be a conincidence).

The attacker uploads a PHP file to the server and starts executing it 
and immediately removes it. I was unable to find any offending script in 
one of my clients'
websites where the attack had taken place. The malicious script is 
(probably) running as a background process (may be using 
ignore_user_abort or similar) while the script file has been deleted 
(which is possible in linux). This is why sometimes the offending code 
return to the pages inspite of the FTP password being changed. But the 
attack always stops after the server has been restarted. I am
still not certain if the background process theory is correct as I have 
not been able to verify it yet.

The only solution I can think of is to change the password and restart 
the server. If the server is in a shared host, it may be possible to 
kill the
offending script's process. You can find out if there are any php 
threads running for a long time via SSH using the ps -aux command and
kill it using kill [procid].

Please let the list know if you face the same problem.

Raj Sekharan

More information about the consulting mailing list