IFrame - Script injection attack - Help! :: Zikula Community

mderdem [15]

Rank: Registered User

Registered: Oct 31, 2003

Last visit: Oct 21, 2009

Posts: 39
[16] Posted: Mar 25, 2008 - 04:16 AM

Hello,

My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.

I have cleaned index.php but the page source still has this line!

Please Help

edited by: mderdem, Mar 25, 2008 - 05:37 PM
[17]

[18]
nestormateo [20]

Rank: Team Member

Registered: Sep 06, 2006

Last visit: May 09, 2010

Posts: 2411
[21] Posted: Mar 25, 2008 - 05:06 AM

Once time i saw that code in the final of the /index.php file
check and remove that code.

Also, download the error_logs to find the vulnerable section in your site.

--
- Mateo T. [22] -
Mis principios... son mis fines
[23]

[24]
espaan [26]

Rank: Developer

Registered: Aug 23, 2003

Last visit: May 31, 2010

Posts: 1401
[27] Posted: Mar 25, 2008 - 07:50 AM

Check out the forums as well. There have been a lot of topics on hacks lately. Make sure that all your modules are up to date etc.

--
campertoday.nl [28], Module development, Dutch Zikula Community
[29]

[30]
AmmoDump [32]

Rank: Team Member

Registered: Dec 07, 2003

Last visit: May 09, 2010

Posts: 2703
[33] Posted: Mar 25, 2008 - 01:26 PM

http://community.postnuke.com/module-Forum-viewtopic-topic-54176-highlight-iframe.htm [34]

You have to have both a secure/updated web server and patched modules... there are actually no known problems that are a result of both a reasonably secure/updated web server and updated modules.

--
David Pahl
Zikula Support Team
[35]

[36]
larsneo [38]

Rank: Software Foundation

Registered: Dec 31, 1969

Last visit: Oct 21, 2009

Posts: 3814
[39] Posted: Mar 26, 2008 - 12:06 AM

Quote
My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.
I have cleaned index.php but the page source still has this line!

as already mentioned one needs far more information to help you with the issue (server enviroment, installed third party modules) etc. - i've analyzed a couple of iframe injections that all had in common that the initial exploit was PNphpbb-related (SQL-injection to the footermessage from admin-settings)

- if pnphpbb is installed check with a diff-programm (e.g. winmerge) if you are using the latest build
- check the logfiles (both access and errorlog) for the exploit from the time of attack (mostly it's done via a remote code injection)
- check the enviroment via e.g. phpsecinfo [40] to optimize the security

--
regards from germany
..::[Zikula Application Framework [41]]::.. ..::[SEO-Blog [42]]::.. ..::[CMS Sicherheit [43]]::..
[44]

[45]
mderdem [47]

Rank: Registered User

Registered: Oct 31, 2003

Last visit: Oct 21, 2009

Posts: 39
[48] Posted: Mar 26, 2008 - 10:18 AM

Ok. I have place echo lines to figure out where this comes from. I have found that the news/index.php was infected. Later I realized each and every single index.html and index.php were infected.

1. Does anybody know a good tool to handle find/replace text on the server ?

2. You mentioned that modules need to be updated. I am running .764 as it is. I checked the download site and I don't see module updates there. Where can I find updated (I mean more secure) modules.

3. I don't use PNphpBB, if I disable the module and delete it from the modules dir, would that break anything ?

4. phpsecinfo [49] warns about register_globals [50]. Can this be a serious security hole ?

5. One hint. If you have the AVG free addition, it can find this malicious code if you download the index.htm/php files to your computer. Cool.

Thanks guys.

MDE

edited by: mderdem, Mar 26, 2008 - 10:21 PM
[51]

[52]
AmmoDump [54]

Rank: Team Member

Registered: Dec 07, 2003

Last visit: May 09, 2010

Posts: 2703
[55] Posted: Mar 26, 2008 - 11:25 AM

1. ...that really depends on your OS an server access level
2. Check for 'author' site for updated modules.
3. If you no longer use pnphpbb2, uninstall and delete it. Yup.
4. It is auto-linked for a reason... It is not a security enhancement, but it is recommended OFF.
5. You could, but the ones I have seen are in the Database. ... So you are looking at the output, not the source.

--
David Pahl
Zikula Support Team
[56]

[57]
larsneo [59]

Rank: Software Foundation

Registered: Dec 31, 1969

Last visit: Oct 21, 2009

Posts: 3814
[60] Posted: Mar 26, 2008 - 11:25 AM

2. if you are running .764 the core should be 'safe' - updates for third-party-modules should be checked individually
3. if you don't use pnphpbb (but you did before?) disable and remove the module in administration-modules and later on remove /modules/PNphpbb from the filesystem completly (the known exploits are done via a direct call to the filesystem)
4. yes - the baseline analyzer within the postnuke administration should print this important warning already for some time
a .htaccess file with

Code
php_flag register_globals off

or maybe an individual php.ini with

Code
php_admin_flag register_globals Off

should disable register_globals [61] (otherwise ask your provider)

if index.html and index.php files have been changed by the attacker i'd recommend to start from scratch with a fresh and clean download - otherwise you might forget some malicous content within the filesystem (remote console, spambot, phishing bot etc). although this means lot of work it's the only way to be safe for the future

--
regards from germany
..::[Zikula Application Framework [62]]::.. ..::[SEO-Blog [63]]::.. ..::[CMS Sicherheit [64]]::..
[65]

[66]

IFrame - Script injection attack - Help! [8]

Quote

Code

Code

Users on-line