IFrame - Script injection attack - Help!

  • Hello,

    My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.

    I have cleaned index.php but the page source still has this line!

    Please help!



    edited by: mderdem, Mar 25, 2008 - 05:37 PM
  • One time I saw that code at the end of the /index.php file.
    Check for and remove that code.

    Also, download the error logs to find the vulnerable section of your site.

    --
    - Mateo T. -
    My principles... are my ends
  • Check out the forums as well. There have been a lot of topics on hacks lately. Make sure that all your modules are up to date etc.

    --
    erikspaan.nl, avwijchen.nl

    BlankTheme, News module, zikula.nl
  • http://community.postnuke.com/module-Forum-viewtopic-topic-54176-highlight-iframe.htm

    You have to have both a secure/updated web server and patched modules... there are actually no known problems that result from the combination of a reasonably secure/updated web server and updated modules.


    --
    David Pahl
    Zikula Support Team
  • Quote:

        My 0.7.6.4 site's home page source includes a malicious script. After the body tag there is a script tag with a cryptic function.
        I have cleaned index.php but the page source still has this line!

    As already mentioned, one needs far more information to help you with the issue (server environment, installed third-party modules, etc.). I've analyzed a couple of iframe injections that all had in common that the initial exploit was PNphpBB-related (SQL injection into the footermessage from the admin settings).

    - If PNphpBB is installed, check with a diff program (e.g. WinMerge) whether you are using the latest build.
    - Check the log files (both access and error log) for the exploit from the time of the attack (mostly it's done via a remote code injection).
    - Check the environment via e.g. phpsecinfo to optimize the security.

    --
    Regards from Germany
    ..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
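The reply above suggests comparing the installed PNphpBB files against the latest build with a diff program. On a shell-only host the same check can be scripted; the block below is an added example, not code from this thread or from Zikula/PostNuke. It hashes every file under the installed module directory and under a clean download of the same build extracted next to it, then reports files that were added (dropped by the attacker), removed, or modified. The file names and the tampered contents built in demo() are constructed placeholders (conventional pnuser.php/pnadmin.php naming, not real module contents); point compare_trees() at /modules/PNphpBB and the unpacked clean archive to run it for real.

```python
"""Hash-compare an installed module tree against a clean reference download.

Added example: a scriptable replacement for the "diff program" check suggested
in the thread. Nothing here is PostNuke/Zikula code.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            digests[rel] = digest.hexdigest()
    return digests


def compare_trees(installed, reference):
    """Classify files as added (only on the server), missing (only in the
    reference) or modified (present in both but with different content)."""
    live = hash_tree(installed)
    clean = hash_tree(reference)
    both = set(live) & set(clean)
    return {
        "added": sorted(set(live) - set(clean)),
        "missing": sorted(set(clean) - set(live)),
        "modified": sorted(path for path in both if live[path] != clean[path]),
    }


def write_tree(root, files):
    """Materialise {relative_path: bytes} under root (only used to build the demo trees)."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    """Constructed example: a clean reference copy of a module and a server copy
    with one file appended to, one new file dropped in and one file deleted.
    The names follow the pnuser.php/pnadmin.php convention but are placeholders."""
    clean_files = {
        "pnuser.php": b"<?php\n// user-side functions\n",
        "pnadmin.php": b"<?php\n// admin functions\n",
        "pntables.php": b"<?php\n// table definitions\n",
    }
    server_files = dict(clean_files)
    server_files["pnuser.php"] += b"// constructed stand-in for an appended line\n"
    server_files["images/cache.php"] = b"<?php // constructed stand-in for a dropped file\n"
    del server_files["pnadmin.php"]
    with tempfile.TemporaryDirectory() as reference, tempfile.TemporaryDirectory() as installed:
        write_tree(reference, clean_files)
        write_tree(installed, server_files)
        return compare_trees(installed, reference)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing instead of a textual diff means a file that differs by a single appended byte is still flagged, and the "added" list is the one to read first: a dropped file under an images/ or cache/ directory is where a remote console usually hides.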
  • Ok. I have placed echo lines to figure out where this comes from. I have found that the news/index.php was infected. Later I realized that each and every single index.html and index.php was infected.

    1. Does anybody know a good tool to handle find/replace text on the server?

    2. You mentioned that modules need to be updated. I am running .764 as it is. I checked the download site and I don't see module updates there. Where can I find updated (I mean more secure) modules?

    3. I don't use PNphpBB; if I disable the module and delete it from the modules dir, would that break anything?

    4. phpsecinfo warns about register_globals. Can this be a serious security hole?

    5. One hint: if you have the AVG Free edition, it can find this malicious code if you download the index.htm/php files to your computer. Cool.

    Thanks guys.

    MDE



    edited by: mderdem, Mar 26, 2008 - 10:21 PM
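Question 1 above asks for a find/replace tool to strip the injected line from every index.html and index.php on the server. The block below is an added example, not code from this thread or from PostNuke/Zikula: it walks the web root, reports every index.* file that contains the payload, and optionally removes it while keeping the original beside it as a .bak for log correlation. The "cryptic function" itself is not on the page, so SAMPLE_PAYLOAD is a constructed stand-in; copy the exact injected line from your own page source and build the pattern from it with re.escape() as shown. Files are handled as bytes so nothing else in them is re-encoded. Note that this only covers the filesystem: a payload stored in the database (the footermessage case described earlier in the thread) appears in the rendered output but in no file, so an empty scan does not mean a clean site.

```python
"""Find and strip an attacker-injected line from every index.* file under a web root.

Added example, not PostNuke/Zikula code. SAMPLE_PAYLOAD is a constructed
placeholder for the injected script tag the poster describes.
"""
import os
import re
import shutil
import tempfile

TARGET_NAMES = frozenset({"index.php", "index.html", "index.htm"})

# Constructed stand-in for the injected script; replace with the exact line
# copied from your own page source before running against a real site.
SAMPLE_PAYLOAD = (
    b'<script type="text/javascript">'
    b"/* constructed stand-in for the injected cryptic function */"
    b"</script>\n"
)
SAMPLE_PATTERN = re.compile(re.escape(SAMPLE_PAYLOAD))


def scan_tree(root, pattern, names=TARGET_NAMES):
    """Return {relative_path: match_count} for every target file containing pattern."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() not in names:
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:  # bytes in, bytes out: never re-encode
                count = len(pattern.findall(fh.read()))
            if count:
                hits[os.path.relpath(full, root).replace(os.sep, "/")] = count
    return hits


def clean_tree(root, pattern, names=TARGET_NAMES, dry_run=True):
    """Remove every match of pattern from the files found by scan_tree.

    With dry_run=False the untouched original is kept as <name>.bak so the
    payload survives for comparison with the access/error logs.
    Returns [(relative_path, matches_removed)] in path order."""
    results = []
    for rel in sorted(scan_tree(root, pattern, names)):
        full = os.path.join(root, *rel.split("/"))
        with open(full, "rb") as fh:
            original = fh.read()
        cleaned, removed = pattern.subn(b"", original)
        if removed and not dry_run:
            shutil.copy2(full, full + ".bak")  # .bak is not an index.* name, so never rescanned
            with open(full, "wb") as fh:
                fh.write(cleaned)
        results.append((rel, removed))
    return results


def demo():
    """Constructed web root: two infected index files, one clean index file and
    one non-index file that is skipped by name. Returns what a run reports
    before and after cleaning, the restored index.php bytes, and the backups."""
    files = {
        "index.php": b"<?php\n// front controller\n" + SAMPLE_PAYLOAD,
        "modules/News/index.html": b"<html><body>\n" + SAMPLE_PAYLOAD + b"</body></html>\n",
        "themes/index.html": b"<html><body></body></html>\n",
        "modules/News/pnuser.php": b"<?php // not an index file, never touched\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        before = scan_tree(root, SAMPLE_PATTERN)
        clean_tree(root, SAMPLE_PATTERN, dry_run=False)
        after = scan_tree(root, SAMPLE_PATTERN)
        with open(os.path.join(root, "index.php"), "rb") as fh:
            restored = fh.read()
        backups = sorted(f for f in os.listdir(root) if f.endswith(".bak"))
    return before, after, restored, backups


if __name__ == "__main__":
    before, after, restored, backups = demo()
    print("infected before:", before)
    print("infected after:", after)
    print("backups kept:", backups)
```

Run scan_tree() first and keep dry_run=True until the hit list matches what you expect; cleaning in place only makes sense as a stop-gap, since the last reply in the thread is right that changed core files call for a fresh install rather than patching.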
  • 1. ...that really depends on your OS and server access level.
    2. Check the 'author' site for updated modules.
    3. If you no longer use PNphpBB2, uninstall and delete it. Yup.
    4. It is auto-linked for a reason... It is not a security enhancement, but it is recommended OFF.
    5. You could, but the ones I have seen are in the database... So you are looking at the output, not the source.

    --
    David Pahl
    Zikula Support Team
  • 2. If you are running .764 the core should be 'safe'; updates for third-party modules should be checked individually.
    3. If you don't use PNphpBB (but you did before?), disable and remove the module in Administration > Modules and later on remove /modules/PNphpbb from the filesystem completely (the known exploits are done via a direct call to the filesystem).
    4. Yes. The baseline analyzer within the PostNuke administration should have been printing this important warning for some time already.
    A .htaccess file with

    Code

    php_flag register_globals off

    or maybe an individual php.ini with

    Code

    php_admin_flag register_globals Off

    should disable register_globals (otherwise ask your provider)


    If index.html and index.php files have been changed by the attacker, I'd recommend starting from scratch with a fresh and clean download; otherwise you might miss some malicious content within the filesystem (remote console, spambot, phishing bot, etc.). Although this means a lot of work, it's the only way to be safe for the future.

    --
    Regards from Germany
    ..::[Zikula Application Framework]::.. ..::[SEO-Blog]::.. ..::[CMS Sicherheit]::..
