Web Site hacked, iframe inserted, where to start?

Date: 10 August 2009
Source: GraFX

Each day I read on forums, job posts that a site was hacked, inserted some iframes, strange javascript code into index.html or index.php. I think these situations are now common, so I will try to cover some solutions. I will try to offer an explanation and also a workaround.
The security is in FTP credentials. I have found 2 ways of hacking, one is administrator fault of the server and one domain user fault.

FTP user with no password

One of the issues is administrator fault (or if we can call like this, cause it was an error in proftpd). We have found (thanks to Scott from ART), that in one version of proftp users can login with the correct username and any password. The problem was in /etc/pam.d/proftpd. The problem is if you do not discover it, later upgrade will not fix the issue. So I suggest to check this issue and if you can reproduce (login with a user but any password) then check the PAM settings.
Go find out what /etc/pam.d/proftpd say? If it is like shown below, then is not OK.

auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_shells.so
account    include      system-auth
session    include      system-auth
session    optional     pam_keyinit.so    force revoke
session    required     pam_loginuid.so 

Change into this (comment out old lines for backup)

auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

service xinetd restart

Then try again to login and it should not work. But of course you should try to login also with a correct user/pass to see if it works as expected.

Keylogger - user/password are stolen

There are a few keyloggers out on the market, which will allow some bad people to gain access to some of the PC desktop, install a keylogger (could be trojan or anything) and that send FTP user/pass to hacker. I have actually found on a forum the next explanation, very interesting...

"I have found a version of this in action and have examined it. Here are the first steps, make sure that you have updated your Adobe Reader and Shockwave/Flash plugins, and make sure you have a good antivirus/antimalware application running on your system. The instance of this, that I found spreads through people's sites for which they have the FTP login information. They modify a ton of different pages in many different ways, to direct people without them knowing it, to their server, which runs a cgi script and java script to determine what plugins your browser is using, and then it will attempt to feed your browser the appropriate .pdf and/or .swf with exploit code in it, which infects the person's computer who is browsing the site. The infected computer then has a trojan, which in this instance listens and searches for FTP and perhaps other login information to sites, which reports back to a central server, which then periodically processes the sites, downloading, modifying, and then re-uploading the new infected site files. The site's files are infected in specific ways depending on how they are named and what kind of file they are. For example, all files that contain the word home, default, index, etc, are modified as if they are the main index pages. Depending on the extension, it will insert the appropriate code, so it differs when modifying a .php, .html, .js, .shtml, and so on. They do it this way so that it can work as cleanly as possible without detection so the site can be infecting as many people as possible for as long as possible. Many of the codes inserted will be encoded in various different ways so that it is not plain readable, so they can hide exactly what they are doing to a certain extent. In plain html files, they often use hidden iframe tags to get their payload to the end browser and its plugins. The rest deal in PHP code, include and encode java script, with a few exceptions. One last thing, it seems that at least in this instance I saw, .cn domains involved where it loaded the exploits."

After this, all is easy, they connect via a script (usually CGI) to FTP and run that script which will install on index*, homepage* files that iframe.

How to get rid off?

  • Change FTP password, but if the keylogger still can steal pass, then it is not very useful.
  • Use SFTP, in this way the password for FTP is not sent clean, is encrypted and keylogger cannot steal it.
  • Ask your host to disable CGI/PERL support, for the moment. As far as I know is mostly CGI hack outside to do the iframe trick. I’ve said mostly ...
  • In ASL module from ART in new version (for PLESK) there is a module which will scan these attempts via FTP.

It is actually quite neat to see something like this in action, not that it is good, but wow, quite an operation. Not that it is without its flaws, it can tend to eat the end of files sometimes, and it has a tendency of generating replacement files that do not have a correct end of line. They are probably use sed to process the files with a search and replace string.

From the same forum, mentioned, we get some good examples of how can be inserted into some files the code. Check this URL - http://www.sitepoint.com/forums/showpost.php?p=4292911&postcount=10

Just see that used perl, cgi to do a fast insert, so if it is disabled, should not work. Also can be disabled by admin some functions for linux users, like sed, grep, but only for regular users, not for root, a lot of script use it.

Articles to read:

Other faq items