XFileSharing Pro - HELP! My site got hacked!!

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

HELP! My site got hacked!!

#1 Postby qq_bbq » Jul 27, 2010 11:08 am

Either hacked, virus, or injection of some kind.

When I move a file from:
server 1 to server 2 - iframe to spam site is loaded in api.cgi
server 2 to server 1 - iframe to spam site is loaded in api.cgi
server 1 to server 3 - iframe to spam site is loaded in api.cgi
server 2 to server 3 - iframe to spam site is loaded in api.cgi
server 3 to server 1 - no problem
server 3 to server 2 - no problem

Obviously server 1 and 2 are infected but I've replaced all the files and am still getting the iframe spam. Please advise what script files are accessed when you move a file from 1 server to another server.

I got these files so far:
api.cgi
uu.cgi

I need to pinpoint the injection or whatever it is.
What else is accessed when moving a file?


It shows up like this:
Sending 00000/5nqkolz11qaj...OK DB:
<iframe to spam site>
All Done.

ankurs
Posts: 1054
Joined: Mar 10, 2009 2:34 am

#2 Postby ankurs » Jul 27, 2010 11:17 am

ask your server admin to clean server 1 and 2, both seem to be infected

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#3 Postby qq_bbq » Jul 27, 2010 11:25 am

Thank you for the obvious advice but they cannot fix this.


Take a look:
Sending 00000/5nqkolz11qaj...OK DB:
<iframe to spam site>
All Done.

Supposed to be:
Sending 00000/5nqkolz11qaj...OK DB:OK
All Done.

Is this iframe loading from the database itself?

ankurs
Posts: 1054
Joined: Mar 10, 2009 2:34 am

#4 Postby ankurs » Jul 27, 2010 11:33 am

qq_bbq wrote: Thank you for the obvious advice but they cannot fix this.

which management company is handling your servers? they should be able to fix it, if they knew what they were doing

are you sure it's a script exploit?

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#5 Postby qq_bbq » Jul 27, 2010 12:29 pm

I manage my own servers. It is pretty obvious it is a script exploit.

Admin, this part in api.cgi sub TransferFiles in bold:
print " DB:".$res->content."<br>\n";

Where does it read from? Database? Another file?

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#6 Postby qq_bbq » Jul 27, 2010 5:07 pm

Admin, please help. I can't move files because it does not give the "OK", it loads the iframe, so the file does not get moved/unlinked. I am also troubleshooting from my end but I don't think I will be successful. Please give pointers on what that code in bold refers to so I can troubleshoot further.

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#7 Postby qq_bbq » Jul 27, 2010 11:41 pm

From the scripts, I think the process goes like this for moving files:
[server 1 api.cgi] --> [server 2 uu.cgi]
[server 2 uu.cgi] sends OK to [server 1 api.cgi]
[server 1 api.cgi] gets OK and proceeds to post to [main server fs.cgi]
[main server fs.cgi] updates database and sends OK to [server 1 api.cgi]
[server 1 api.cgi] prints OK and All Done

Problem is here:
[server 1 api.cgi] --> [server 2 uu.cgi]
[server 2 uu.cgi] sends OK to [server 1 api.cgi]
[server 1 api.cgi] gets OK and proceeds to post to [main server fs.cgi] <-- I know this is fine because I see the OK output
[main server fs.cgi] updates database and sends OK to [server 1 api.cgi] <-- Problem, the OK does not show up, the iframe shows up instead
[server 1 api.cgi] prints OK and All Done

Other things I tried but still get the iframe exploit:
  • Replaced all main server files with stock script files
  • Replaced infected file server files with stock script files
  • Installed a new file server with stock script files on the infected file server's server
  • Used a new database
  • Even tried from another computer and Internet connection to make sure my computer did not have a virus that could generate that iframe
I think I have tried everything possible I could think of. This is a very serious issue, any one of us could be affected by these exploits, please admin help investigate this issue.
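In the flow above, the line quoted in post #5 (print " DB:".$res->content."<br>\n";) writes whatever body comes back from fs.cgi straight into the page, so any markup that reaches api.cgi in that reply is rendered as-is. As an added example, not code from XFileSharing Pro or from anyone in this thread, the Python below shows how the receiving side could treat that reply as data instead: accept only an exact "OK", flag HTML markup in the reply, and escape anything it does display. The sample replies and the host spam.example are constructed for the example.

```python
import html
import re

# Constructed examples of what api.cgi might receive back from fs.cgi:
# the expected reply, and one where markup has been injected somewhere on the path.
HEALTHY_REPLY = "OK"
TAMPERED_REPLY = 'OK<iframe src="http://spam.example/" style="display:none"></iframe>'

# Tags that have no business in a one-word status reply.
INJECTED_MARKUP = re.compile(r"<\s*(iframe|script|object|embed)\b", re.IGNORECASE)


def check_db_reply(body: str) -> dict:
    """Validate the status body fs.cgi returned to api.cgi.

    Success means the body is exactly "OK" (whitespace aside). Anything else
    is a failure; if it also contains HTML tags it is flagged as suspect, and
    the raw body is HTML-escaped so it can be shown without being rendered.
    """
    trimmed = body.strip()
    return {
        "ok": trimmed == "OK",
        "injected_markup": bool(INJECTED_MARKUP.search(body)),
        "safe_display": html.escape(body),
    }


def render_transfer_line(file_id: str, db_reply: str) -> str:
    """Build the 'Sending ... DB:' status line without echoing the reply raw."""
    result = check_db_reply(db_reply)
    if result["ok"]:
        return f"Sending {file_id}...OK DB:OK"
    status = "SUSPECT (markup in reply)" if result["injected_markup"] else "FAIL"
    # The escaped body is kept for the operator to inspect, but the browser
    # now sees &lt;iframe ...&gt; text rather than a live iframe.
    return f"Sending {file_id}...OK DB:{status} raw={result['safe_display']}"


if __name__ == "__main__":
    print(render_transfer_line("00000/5nqkolz11qaj", HEALTHY_REPLY))
    print(render_transfer_line("00000/5nqkolz11qaj", TAMPERED_REPLY))
```

Run against the two constructed replies it prints the expected "DB:OK" line for the healthy case and a SUSPECT line with the iframe neutralised for the tampered one; the same check applied to the uu.cgi hop would tell you which leg of the transfer carries the injected content.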

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#8 Postby PowerChaos » Jul 28, 2010 12:18 pm

the best way to discover what iframe it is and where it comes from is by trying it and then, when you see the iframe, opening the source code (right click, show source)

if you see something like this
<javascript> blalalala,anlankjanjaknanala </javascript> (coded txt)

then it is an exploit that writes on the fly

you can easily remove it by checking the HTML files (yes, it only infects html files)

it is not always what it seems to be, it doesn't mean that if api.cgi gives an error it is in api.cgi

api.cgi uses a template too, and if the problem is in the template then you need to check on the template


for that reason you need to look at the source to figure out how the iframe works (is it javascript?? is it a real iframe??, is it just plain html code??)

hopefully this can help you to fix the problem

Greetings From PowerChaos

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#9 Postby qq_bbq » Jul 28, 2010 1:34 pm

PowerChaos it seems you have some technical knowledge on this.

My sites have been iframe injected before but I was always able to remove the exploit. This one is different, I just can't locate it. The iframe is loaded directly into the api.cgi. I don't even know what URL the iframe is loading from.

Since my other file servers are fine, I am very sure the main server and database are not infected. But I replaced all the file server files with stock files and still can't remove the iframe.

My last solution is going to move the files to another server and reinstall the infected file server.

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#10 Postby PowerChaos » Jul 28, 2010 2:34 pm

i don't have experience with it
except that i got it a few times too on my sites, that they got a javascript injection (cpanel)

i found them by looking at the source code and that's how i found the javascript injection

i easily removed it and i decoded the coded html and blocked the ip's to prevent that they could execute

first problem is that you need to locate the source :S

if that is not possible, then it's really hard to fix the problem

you say that it is an iframe, then it depends how the iframe gets created

if it gets created by javascript then you need to search for javascript code
if it gets created by a direct iframe, then it's probably in the html files (as they can be written on the fly)

the thing you can try too is installing the clamav virus scanner (for linux on cpanel) and scan the home dir

it's possible too that it is a background process that is running as a daemon
and that it writes the files on the fly (check running daemons in linux)

if you want, i can take a quick look but i can't promise that i can fix it (i am a noob at linux :s, i am a lot better at windows)

if you want, send me an email to [email protected]

Thank you
Greetings From PowerChaos

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#11 Postby qq_bbq » Jul 28, 2010 5:55 pm

PowerChaos I saved the source code of the exploit, please take a look:
http://www.mediafire.com/?ohlb779lsmc69xc

It looks like they just stuffed the iframe in there, loading directly from the iframe. There is no way to find out where it is loading the page from. This appears to be a very advanced type of injection.

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#12 Postby PowerChaos » Jul 28, 2010 11:19 pm

i can't figure out anything in that html file
i see 2 different things and 1 is a site tracker

the reason why i asked you to email is because i'd like to have the admin login so i can try it out on my own so i can get the things i need (google chrome has more options than only source code)
or that you can make an account for me with admin access (little database trick :P)

at this moment, i don't see anything that has to do with an iframe in the file you sent me :S

i don't know how to explain right what i mean, but let me try to explain

you say that you got an iframe that loads that shouldn't be loading (injection/exploit)

it only happens on server 1 and 2 when you try to move a file

now the things i need to figure out where it came from

1) logfile (if it makes logfiles)
2) source code (right click) with the iframe in it, if possible (else you need to use google chrome to inspect the page :p)

then from that source code i can figure out what the iframe gives (is it javascript or just iframe?)

it gives a lot of other things too (only javascript?, or with divs?? closed html tags?? closed P tags??) and in that way you can locate where it is

is it at the end??, is it at the beginning??, do the footer and header load too??

there are a lot of things that you can exclude to find the exact location of it
but you first need to have a start


to provide an example of my last injection

a site of mine runs on php only (no templates, all php code)

the javascript injection was located in index.php because it contained <html>
the footer.php was not loaded because it refused to load until the script loaded (on google chrome)

in the source you saw it at the end of where the index file stops (and where the footer should start to close)

that's how i figured out that it was in index.php and that all files that contain html were infected (easy to remove)

that's to provide an example of how you can figure it out

hopefully you can understand what i try to say :S

ps: i can not promise that i will figure out the error, i can only give it a try to see if i can fix it or that i can find stuff that helps you more than you got now

Greetings From PowerChaos

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#13 Postby qq_bbq » Jul 29, 2010 2:44 am

I am using Chrome and can see this:
<iframe name=i3" style=width:640px;height:300px;border:1px solid black;: src="about:blank">

I think this is standard with the script though, can you confirm this from your end?

PowerChaos
Posts: 521
Joined: Dec 19, 2009 5:12 pm

#14 Postby PowerChaos » Jul 29, 2010 3:34 am

i can't try it out on my own as i do not have multiple servers (i use only 1 server as file server)

and the only website i can find is the city.ws site, but it doesn't seem like your site (not the download site)

so i got no idea how i would be able to confirm anything :s

for the iframe, it seems strange as it doesn't go to any screen (normally they are supposed to go to a website)

is it the only thing that loads? or does everything load fine and then the iframe on it

try to locate the location of the iframe to know in what file you need to start searching (is it index?, is it the header?, is it the uu?? is it the footer?? is it another included file??)

if it is the only thing that loads then it needs to be the first file that it calls to load
if it is later then it's files that are called later

it's hard to solve problems without any view on it :s

Greetings From PowerChaos

qq_bbq
Posts: 122
Joined: Jul 05, 2009 11:33 pm

#15 Postby qq_bbq » Jul 29, 2010 4:35 am

I think the iframe is part of the script but the stuff inside the iframe is not.

For example the iframe is supposed to have something like:
Sending.... OK:DB:OK

Instead it is like this:
Sending.... OK:DB:
<Spam site>
OK

So something is injecting into the iframe but I still have no clue how it is able to do that. I already blocked the site from my computer but it still shows up in the iframe. Oddly I blocked the site from the server and it gives a cannot display site error. So this iframe injection is loading server-side, I have never seen something like that before.