Author Topic: HTML:IFrame-EJ [Trj] Found on my website( It's back!)  (Read 36134 times)


Offline avuser007

  • Newbie
  • *
  • Posts: 16
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #15 on: May 12, 2009, 11:37:31 PM »
Thanks for the thread here guys.  Others (like me) have also experienced this exploit.

For your interest, a discussion is currently underway at my host (who is always very helpful) here:
http://support.jodohost.com/showthread.php?t=16472

If you use webalizer, check that too, as I found the exploit script also appeared in /webalizer/default.html.

It also seems to add a hacked .htaccess file to your root folder and your /webalizer folder.

HTH

Offline MarkW

  • Newbie
  • *
  • Posts: 1
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #16 on: May 14, 2009, 04:25:58 AM »
I'm having a very similar problem but avast is detecting HTML:IFrame-EE [trj] on 2 websites I need to work on made with cpanel. Some offending code has been found in the index pages and removed and the problem goes away but within a matter of hours this code has written itself back in. Can anyone tell me how to permanently remove this code?

Offline avuser007

  • Newbie
  • *
  • Posts: 16
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #17 on: May 14, 2009, 04:53:51 AM »
^ That's interesting.. we can work out where the vulnerability is.

Firstly, do you have Frontpage extensions enabled on those sites? If so, turn it off and see how that goes.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84909
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #18 on: May 14, 2009, 04:31:43 PM »
I'm having a very similar problem but avast is detecting HTML:IFrame-EE [trj] on 2 websites I need to work on made with cpanel. Some offending code has been found in the index pages and removed and the problem goes away but within a matter of hours this code has written itself back in. Can anyone tell me how to permanently remove this code?

What comes after the iframe- is just a slightly different variant on the same hack, so that isn't really the issue; the issue is to resolve why you were hacked, so I suggest you check out the quoted text in Reply #7 on page 1 of this topic. This is from his host on measures they have taken and measures he should take.

If you haven't already, contact your Host to report this (asking advice about how they/you can prevent a recurrence), as it is likely to be affecting other sites hosted by them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.3.2459 (build 21.3.6164.561) UI 1.0.609/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline markooff

  • Newbie
  • *
  • Posts: 1
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #19 on: May 18, 2009, 01:34:55 PM »
Hi

I've just spotted this problem on one of my web forums (based on phpBB). I've found a JavaScript added after the closing PHP tag "?>" in several PHP files like index.php, login.php etc. These files all had the same modification dates. The result was a PHP error on the front page which said "Cannot modify header information - headers already sent ..."
Of course I got rid of these scripts, but I have one question: did somebody copy the content of this JavaScript?
Could you copy and paste it here? (Because I have archived the content of "my" scripts to compare them.)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 84909
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #20 on: May 18, 2009, 04:49:18 PM »
First ensure the forum PHP software is up to date, as this looks like an exploit of the PHP software; old versions are vulnerable to attack/exploit.

I'm not sure what you mean by "did somebody copied the content of this java script" ?

The inserted code 'Script tags'

You should NOT post the code here as that could have avast alert on the forums, you could post an image of the code. I really don't believe that will help much as it would probably follow the same pattern of the other images I posted in the first page of this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33125
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #21 on: May 18, 2009, 05:44:36 PM »
Hi markooff,

Maybe you have an interesting read here, as there is PHP involved in the code injection from within:
http://blog.fortinet.com/code-injection-from-within/
JQuery ( http://jquery.com/ ) is a respectable and popular JavaScript library by John Resig (who's also a Mozilla employee).
The problem is that most sites embed it in its minified version (for bandwidth reasons), which makes differential fingerprinting from malicious obfuscated code OMG :shock: quite difficult.
Furthermore jquery-1.3.2.min.js can contain a recognition pattern of the JS/Dldr.Agent.Agr.1 JavaScript virus.
Index.js see: htxp://www.wolframalpha.com//common/jav ... 3.2.min.js is not something to show to the world and malcoders..
If the software code you have there is not fully updated and patched, or there is some old usable crap-code still lying around on that site, the hacker just needs a little maneuverability to perform these inline injection attacks outside HTML. You can check your whole site here: http://www.blacklistdoctor.com/bld/diagnose.php

Possible attack scenario, not your example necessarily...
1) The attacker finds a hole in your user's local PHP script
2) They inject their own PHP code from a remote file, making it run as if they were uploading the page through regular FTP.
3) There are various ways to collect the usernames of accounts, extremely easily performed.
4) You can then start brute-force attacks on passwords of user accounts
5) You can then start scouring the server for local exploits and use them to your advantage. e.g.: the script you mentioned in that include checks to see if wget, gcc and other system binaries are on the system and accessible for the attacker to use.
6) With a list of what's installed and what they can use, they can now download hacks and start trying to crack your machine and compiling code attempting to gain root, etc.
7) They can search any and all 777 permission files/directories and inject whatever they feel like. Good times for them, crappy time for the site owners and server owners to clean up the mess after the site software was compromised.


Preventing this is a combination of things that I won't go into complete details about but I'll brief over so you get the idea.
1) Lock your system binaries, like wget, gcc, and others to stop anyone from using them.
2) Secure PHP by disabling functions used such as: proc_open, exec, system, passthru, etc..
3) Make sure PHP/Apache is up to date
4) Install mod_security and have CURRENT ruleset! Mod_security through cPanel install has NO rule-set! Use a rule-set that is handed out to all clients which was tried, tested and true.
5) Have a current kernel installed, there are many exploits that still work on a lot of providers.
There are tons of measures you can take to help lock your machine, so the hacker has less room to maneuver and turn you into a victim.

polonus
« Last Edit: May 18, 2009, 09:41:24 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
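To check two of the prevention points in polonus's list above (point 2, disabling PHP functions such as proc_open, exec, system and passthru, and point 7, the 777-permission files and directories a hacker looks for), here is an added audit script. It is not from this thread or from any product mentioned in it. The php.ini text and the temporary directory tree are constructed for the example, and the RISKY_FUNCTIONS list is a hypothetical baseline (the four functions the post names plus shell_exec and popen):

```python
"""Added example: audit php.ini's disable_functions and find world-writable
paths under a web root. All inputs are constructed for this example."""
import os
import stat
import tempfile

# Hypothetical baseline: functions an injected PHP script would use to reach
# the shell. Tune to what the application really needs.
RISKY_FUNCTIONS = ("exec", "system", "passthru", "shell_exec", "proc_open", "popen")


def disabled_functions(ini_text):
    """Set of names on the last active 'disable_functions' line of a php.ini."""
    disabled = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop php.ini comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "disable_functions":
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_enabled(ini_text, required=RISKY_FUNCTIONS):
    """Risky functions the given php.ini text does NOT disable."""
    disabled = disabled_functions(ini_text)
    return [f for f in required if f not in disabled]


def world_writable(root):
    """Relative paths of files and directories any local user can write to
    (the 'o+w' bit, i.e. chmod 777 / 666 style permissions)."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


# Constructed php.ini fragments: a weak one (empty list, as the post says a
# default control-panel install may leave it) and a hardened one.
WEAK_INI = "; nothing disabled\ndisable_functions =\n"
HARDENED_INI = ("disable_functions = exec,passthru,shell_exec,system,proc_open,popen\n"
                "expose_php = Off\n")


def demo():
    """Build a small constructed web root with one 777 directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "uploads")
        os.makedirs(uploads)
        os.chmod(uploads, 0o777)                      # the classic mistake
        index = os.path.join(root, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'hi';\n")
        os.chmod(index, 0o644)
        writable = world_writable(root)
    return still_enabled(WEAK_INI), still_enabled(HARDENED_INI), writable


if __name__ == "__main__":
    weak, hardened, writable = demo()
    print("weak php.ini leaves enabled:", weak)
    print("hardened php.ini leaves enabled:", hardened)
    print("world-writable paths:", writable)
```

Run it against a real server by passing the contents of the active php.ini (check `php --ini` for the path) to `still_enabled` and the document root to `world_writable`; anything it lists for the weak case is a function an injected script could call.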

Offline MonsterKat

  • Newbie
  • *
  • Posts: 14
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #22 on: May 28, 2009, 10:46:36 PM »
Hey everyone, me again..... unfortunately.

I'm quite upset with the happenings on my website. I got it all cleaned up at my end and now it's back. The Host has been no help at all and did not return my email when this happened before, nor have they cleaned up the control panel page. This is craziness. So because I was unable to change my password they did it all again.



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33125
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #23 on: May 28, 2009, 11:03:31 PM »
Hi MonsterKat,

Yep, the malcode is back there:
Code:
EDITED Heavily ^/head^^script type="text/j*v*script"v*r hdOruVsHnKBXZuvtsRmw = ^..........."z60z105z102z114z97z109z101z32z119z105z100z116z104z61z34z52z5 etc.....67z109z101z62";v*r kWiFaYwHrXtZBIQvdJDR = hdOruVsHnKBXZuvtsRmw.split("z");v*r TEptzkmsBZolwWqWunem = "";f*r (v*r KYLMhcILlLcFQRyPBlHD=1; ....KYLMhcILlLcFQRyPBlHD<kWiFaYwHrXtZBIQvdJDR.l*ngth; KYLMhcILlLcFQRyPBlHD++){TEptzkmsBZolwWqWunem+=Str*ng.fromCharCode(kWiFaYwHrXtZBIQvdJDR[KYLMhcILlLcFQRyPBlHD]);}document.write(TEptzkmsBZolwWqWunem)^/script^
Why the hoster or the webmaster there cannot clean up his act is beyond me; getting your security issues presented on a platter by users is just the security world upside down: "Sign of "HTML:IFrame-EJ [Trj]" has been found in ----304_frame.php\{gzip} file". Also present them with these issues with the PHP version they are using: http://secunia.com/advisories/product/3194/?task=advisories

polonus
« Last Edit: May 28, 2009, 11:07:31 PM by polonus »
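Detection logic for the two traits this thread describes, as an added example that is not code from the thread or from avast: markooff's case in Reply #19 (a script appended after the closing "?>" in phpBB's index.php, login.php etc., all with the same modification date, producing the "headers already sent" error) and the heavily edited malcode above, which splits a long "z60z105..." string on "z" and rebuilds an iframe with String.fromCharCode. The sample files and the blob are constructed; this blob decodes to a harmless iframe pointing at example.invalid, and the walk uses only the Python standard library:

```python
"""Added example: flag markup appended after a PHP file's closing "?>" and
decode split()/String.fromCharCode loaders. All file contents are constructed;
the blob below decodes to a harmless example.invalid iframe."""
import os
import re
import tempfile
from collections import defaultdict

TAG = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)


def decode_charcode_blob(js):
    """Undo split(sep) + String.fromCharCode: read the separator from the
    split() call, take the longest quoted run of sep-joined numbers, decode.
    The regex has no nested quantifiers, so it cannot backtrack explosively."""
    if "fromCharCode" not in js:
        return None
    sep_match = re.search(r'\.split\("([^"])"\)', js)
    if not sep_match:
        return None
    sep = re.escape(sep_match.group(1))
    blobs = re.findall(r'"(%s?\d+(?:%s\d+)*)"' % (sep, sep), js)
    if not blobs:
        return None
    codes = [int(c) for c in re.split(sep, max(blobs, key=len)) if c]
    return "".join(chr(c) for c in codes)


def trailing_after_close(php):
    """(pure_php, tail): tail is the text after the last "?>", pure_php is
    True when no HTML tag preceded it. Templates legitimately mix PHP and
    HTML, so only a pure PHP file with a trailing script is suspicious."""
    idx = php.rfind("?>")
    if idx == -1:
        return False, ""
    head, tail = php[:idx], php[idx + 2:].strip()
    return re.search(r"<[a-zA-Z!/]", head) is None, tail


def inspect(name, content):
    """Human-readable findings for one file (empty list if nothing found)."""
    findings = []
    if name.endswith(".php"):
        pure_php, tail = trailing_after_close(content)
        if pure_php and TAG.search(tail):
            findings.append("markup appended after the closing ?> tag")
    decoded = decode_charcode_blob(content)
    if decoded and TAG.search(decoded):
        findings.append("charcode-obfuscated script builds: " + decoded)
    return findings


def scan_tree(root):
    """Walk a web root; return {relpath: findings} plus hits grouped by
    modification time, since a mass injection stamps many files at once."""
    hits, by_mtime = {}, defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".php", ".html", ".htm", ".js")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = inspect(fn, fh.read())
            if found:
                rel = os.path.relpath(path, root)
                hits[rel] = found
                by_mtime[int(os.path.getmtime(path))].append(rel)
    return hits, dict(by_mtime)


# Constructed blob: <iframe src="http://example.invalid/"></iframe>
BLOB = ("z60z105z102z114z97z109z101z32z115z114z99z61z34z104z116z116z112z58z47z47"
        "z101z120z97z109z112z108z101z46z105z110z118z97z108z105z100z47z34z62"
        "z60z47z105z102z114z97z109z101z62")
# Constructed loader with the same shape as the edited one in the thread
INJECTED = ('<script type="text/javascript">var a = "' + BLOB + '";'
            'var b = a.split("z");var t = "";'
            'for (var i=1; i<b.length; i++){t+=String.fromCharCode(b[i]);}'
            'document.write(t)</script>')
SAMPLE_FILES = {  # constructed; index.php/login.php mimic the phpBB case
    "index.php": '<?php\n$x = 1;\nif ($x < 2) { echo "ok"; }\n?>\n' + INJECTED,
    "login.php": '<?php\necho "login";\n?>\n' + INJECTED,
    "template.php": '<?php include "hdr.php"; ?>\n<div>legit HTML after the close tag</div>\n',
    os.path.join("webalizer", "default.html"): "<html><body>stats</body></html>\n",
}


def demo():
    """Write the samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    hits, by_mtime = demo()
    for rel, found in sorted(hits.items()):
        print(rel, "->", "; ".join(found))
    for ts, files in sorted(by_mtime.items()):
        print("modified at", ts, ":", sorted(files))
```

Point `scan_tree` at a copy of the site pulled down from the host; the mtime grouping is what makes markooff's "same modification dates" clue visible across a whole tree, and the decoded text tells you what the loader would have written without ever running it in a browser.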

Offline MonsterKat

  • Newbie
  • *
  • Posts: 14
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #24 on: May 31, 2009, 11:29:20 PM »
I have yet to get any kind of reply from my host and I am in the process of shopping around for another host right now. BUT for the time being I cannot afford to lose any business that the website is bringing in.

Now, my question is this.

Is it a bad idea to very quickly turn off avast, sign into the user panel, delete the virus off of my website and then change my password, then log out of the control panel and turn avast back on, followed with a virus scan?

My host clearly doesn't give a rat's behind about this and their control panels and servers being infected. I just want my customers to be able to use my website and not get infected.

I can understand that this would be very risky for me to do, but I don't think I have any other option.

I don't use FTP, so that's not a route I can go.


Thanks a lot

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33125
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #25 on: May 31, 2009, 11:39:37 PM »
Hi MonsterKat,

This could be done as you propose, but I would still perform it from a Mozilla browser like Firefox with the NoScript extension and RequestPolicy installed and active. NoScript will protect you from evil scripts running; if you have to have JavaScript active, then prohibit requests to other domains than yours through using the RequestPolicy add-on.
RequestPolicy add-on can be found here: https://addons.mozilla.org/en-US/firefox/addon/9727/
NoScript here: https://addons.mozilla.org/nl/firefox/addon/722
Check your code from here: http://www.selfseo.com/html_source_view.php
Or do it through webbug from Amman software: http://www.cyberspyder.com/webbug.html
That program is made to do this and you can leave avast on, and perform your tasks as planned without further ado...

polonus
« Last Edit: May 31, 2009, 11:44:16 PM by polonus »

Offline MonsterKat

  • Newbie
  • *
  • Posts: 14
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #26 on: May 31, 2009, 11:46:18 PM »
This is great, I already use Firefox so getting those add-ons will be a quick job. I'll be doing this right now, thanks very much!

Now I know this is unrelated to a virus, but I have a quick question. Does anyone know if godaddy.com is reputable? How would I go about making sure they have the newest and safest versions of things so I know this doesn't happen again. Go Daddy is apparently one of the most popular for webhosting and I realize I'm just being paranoid. But I just want to make sure..... lol



That graphic of yours is pretty impressive lol. Reminds me of my cats haha.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33125
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #27 on: May 31, 2009, 11:55:41 PM »
Hi MonsterKat,

GoDaddy's reputation was not always stellar, but they recently acquired a better reputation.
Did you get the webbug tool as well? See attached what you get back there.

polonus
« Last Edit: June 01, 2009, 12:06:36 AM by polonus »

Offline avuser007

  • Newbie
  • *
  • Posts: 16
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #28 on: June 02, 2009, 11:38:42 AM »
MonsterKat, try looking at JodoHost, that's where I host my clients' sites.
Great support, very reliable and "mature" service.

I think what we've experienced here is the "Gumblar" exploit.
Code:
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
It seems to behave in a similar way and is currently doing the rounds quite effectively. It does indeed steal FTP and other site credentials on infected PCs. The exploit is based on a vulnerability in Adobe apps incl. Flash. Recommendations are to install the latest Adobe stuff, which has now patched the holes.

I'm pretty convinced this is how it happened for me. Can't think of another way my client's simple, HTML-only, non-DW, non-FP site could have been modified so extensively other than by FTP, via this exploit. Far more probable than a compromised hosting provider.

So check your PCs for Gumblar, update to the latest Adobe versions and see how it goes.

[ed] code'd the link, sorry.
« Last Edit: June 02, 2009, 10:30:43 PM by avuser007 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33125
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« Reply #29 on: June 02, 2009, 09:44:19 PM »
Oh avuser007,

Can't you make the link you put up there non-clickable by changing it to hXtp for instance etc.? The Unmask Parasites site has the script there unedited (which actually is stupid), so avast flags it. If we put malcode script here, for instance, we edit the code heavily (<> gets ^^ and with breaks ...... or j*vascript for instance) so it cannot run, or we publish only part of it, only so webmasters can trace it themselves; also a secure way is to publish it as a screendump image.

polonus