
Hacking: iFrames containing .cn domains / meta redirects

by Dimi on September 19th, 2009

Because of my job as a support engineer at a hosting provider I often come across websites and servers that have been hacked. These hacks can be grouped into trends: most of the sites hacked in 2008 were compromised through flaws in the scripts placed on the hosting accounts and servers. The year 2009, however, brought along a new trend of hacking.

This year, website files were modified by making an FTP connection to the hosting account or server and adding malicious code to the web server's default documents (index.html, index.php, index.asp, default.html, …). As a hosting provider we found this situation very annoying because at first we couldn't figure out the cause of these hacks.
Under normal circumstances we check the web server's log files (if present) and in 95% of the cases we are able to find the specific cause, but this time we couldn't find any useful information there. The only thing we could see was that every hacked website contained iFrames that redirected to websites ending with the .cn extension.

Then we stumbled upon the website www.unmaskparasites.com, which has detailed information about this specific issue and gave us more insight into the cause of this new trend. Apparently a virus present on your own computer makes use of a known vulnerability in Adobe Acrobat Reader to retrieve the FTP credentials of your hosting account or server; the virus then uses these credentials to connect, without your knowledge, and modify your default website files.

The injection of iFrames was just one way to hack websites; a few weeks ago another method gained popularity: meta redirects. The same virus that abuses the Adobe Acrobat Reader vulnerability gains access to the hosting account or server and uploads a PHP script. This script is then used to abuse security flaws in the system software (PHP, Apache, Linux, …) so that visitors of a website are redirected to websites such as goscanpark.com, goscansome.com and many others that look like legitimate antivirus websites.
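To find the two kinds of injection described above in a site's default documents, here is a small scanner I would use as a defender. It is an added example, not code from the original post or from unmaskparasites.com; it uses only the Python standard library, the sample "hacked" index.html is constructed for the example, and the .cn host name in it is a placeholder, not a real indicator.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class InjectionScanner(HTMLParser):
    """Records iframes and meta refreshes whose target is not our own host."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def _foreign_host(self, url):
        # Relative URLs and links back to our own host are not findings.
        host = urlparse(url.strip()).hostname
        return None if host is None or host.lower() == self.own_host else host.lower()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]  # line in the document where the tag starts
        if tag == "iframe":
            host = self._foreign_host(a.get("src", ""))
            if host:
                style = a.get("style", "").replace(" ", "").lower()
                hidden = (a.get("width") == "0" or a.get("height") == "0"
                          or "display:none" in style or "visibility:hidden" in style)
                self.findings.append({"kind": "iframe", "host": host,
                                      "hidden": hidden, "line": line})
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";\s]+)", a.get("content", ""), re.I)
            host = self._foreign_host(m.group(1)) if m else None
            if host:
                self.findings.append({"kind": "meta-refresh", "host": host,
                                      "hidden": False, "line": line})

def scan_html(html, own_host):
    """Return the suspicious iframe / meta-refresh findings for one document."""
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample of a hacked index.html: a hidden iframe to a placeholder .cn
# host and a meta refresh to goscanpark.com (a fake-AV site named in the post).
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://goscanpark.com/scan/">
</head><body><h1>Welcome</h1>
<iframe src="http://placeholder-bad-host.cn/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/videos/embed.html" width="400" height="300"></iframe>
</body></html>"""
```

Run `scan_html(open("index.html").read(), "www.yoursite.example")` over each default document of a site; a hidden iframe to a foreign host or a meta refresh to a foreign host is exactly what the hacked files looked like.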

If you notice one of these kinds of abuse on your website(s), follow these steps to prevent the issue from escalating:

  • Scan your computer with anti-virus and anti-spyware tools.
  • Once these scans have cleaned your computer you should modify the FTP-password(s) of your website(s).
  • Remove the malicious code (iFrames) and malicious scripts. You can erase the current files and replace them with a recent clean backup.
  • Contact your hosting provider or server administrator so they can double-check your hosting account or server. This step is very important because there are known cases where scripts keep running under a "crontab" (or other) user, and these can only be identified by the hosting provider.

You can find more information about these kinds of issues on the following pages:

I hope this information was helpful.


One Comment
  1. Bart Nelis

    Ha, very interesting... this is what an acquaintance of mine ran into... he installed a version of some web editing software (I think it was webuilder). Apparently it was hacked, and all the sites he stored in the editor were compromised. I guess it's better not to use versions of software you find on P2P networks, even if it's 'for educational purposes only'; better use an official demo!
