[consulting] Iframe tags placed on index.php files attack possible solution
rajasekharan
websweetweb at gmail.com
Tue Aug 11 06:10:24 UTC 2009
Hello Drupalers,
You may have heard or even experienced the attack where some mysterious
iframe tags are placed right after the
<body> and before the </body> tag in you index.php file, header.php,
login.php and footer.php.
This even causes the php files to break as the iframe tags are placed
randomly within the index.php file (failing to find the <body> tag)
resulting in
php errors.
The attack causes your website to be blacklisted and marked as an attack
site in the search engines. Even the web browsers
scare people away from visiting the site with nice blood red alert signs
(not that I blame them).
This problem exists for users of all content management systems such as
wordpress, phpbb, joomla, fauxBB and so on. I might have the solution to
this problem.
The problem starts at the website owner's computer being infected with
some virus. The virus listens to the FTP transactions and relays the
FTP information to someone else. Most attack victims have reported
having used FileZilla so the virus may even be finding and reading
FileZilla's xml/registry database (or may simply be a conincidence).
The attacker uploads a PHP file to the server and starts executing it
and immediately removes it. I was unable to find any offending script in
one of my clients'
websites where the attack had taken place. The malicious script is
(probably) running as a background process (may be using
ignore_user_abort or similar) while the script file has been deleted
(which is possible in linux). This is why sometimes the offending code
return to the pages inspite of the FTP password being changed. But the
attack always stops after the server has been restarted. I am
still not certain if the background process theory is correct as I have
not been able to verify it yet.
The only solution I can think of is to change the password and restart
the server. If the server is in a shared host, it may be possible to
kill the
offending script's process. You can find out if there are any php
threads running for a long time via SSH using the ps -aux command and
kill it using kill [procid].
Please let the list know if you face the same problem.
Raj Sekharan
http://www.expeditionpost.com
More information about the consulting
mailing list