Either hacked, virus, or injection of some kind.
When I move file from:
server 1 to server 2 - iframe to spam site is loaded in api.cgi
server 2 to server 1 - iframe to spam site is loaded in api.cgi
server 1 to server 3 - iframe to spam site is loaded in api.cgi
server 2 to server 3 - iframe to spam site is loaded in api.cgi
server 3 to server 1 - no problem
server 3 to server 2 - no problem
Obviously servers 1 and 2 are infected, but I've replaced all the files and I'm still getting the iframe spam. Please advise which script files are accessed when you move a file from one server to another server.
I got these files so far:
api.cgi
uu.cgi
I need to pinpoint the injection or whatever it is.
What else is accessed when moving a file?
It shows up like this:
Sending 00000/5nqkolz11qaj...OK DB:
<iframe to spam site>
All Done.
XFileSharing Pro - HELP! My site got hacked!!
Admin, please help. I can't move files because it does not give the "OK"; it loads the iframe instead, so the file does not get moved/unlinked. I am also troubleshooting from my end, but I don't think I will be successful. Please give pointers on what the code in bold refers to so I can troubleshoot further.
From the scripts, I think the process goes like this for moving files:
[server 1 api.cgi] --> [server 2 uu.cgi]
[server 2 uu.cgi] sends OK to [server 1 api.cgi]
[server 1 api.cgi] gets OK and proceeds to post to [main server fs.cgi]
[main server fs.cgi] updates the database and sends OK to [server 1 api.cgi]
[server 1 api.cgi] prints OK and All Done
Problem is here:
[server 1 api.cgi] --> [server 2 uu.cgi]
[server 2 uu.cgi] sends OK to [server 1 api.cgi]
[server 1 api.cgi] gets OK and proceeds to post to [main server fs.cgi] <-- I know this is fine because I see the OK output
[main server fs.cgi] updates the database and sends OK to [server 1 api.cgi] <-- Problem: the OK does not show up; the iframe shows up instead
[server 1 api.cgi] prints OK and All Done
Other things I tried but still get the iframe exploit:
- Replaced all main server files with stock script files
- Replaced infected file server files with stock script files
- Installed a new file server with stock script files on the infected file server's machine
- Used a new database
- Even tried from another computer and Internet connection to make sure my computer did not have a virus that could generate that iframe
- Posts: 521
- Joined: Dec 19, 2009 5:12 pm
The best way to discover what iframe it is and where it comes from is by trying it and then, when you see the iframe, opening the source code (right click, show source).
If you see something like this:
<javascript> blalalala,anlankjanjaknanala </javascript> (coded text)
then it is an exploit that writes on the fly.
You can easily remove it by checking the HTML files (yes, it only infects HTML files).
It is not always what it seems to be; it doesn't mean that because api.cgi gives an error, it is in api.cgi.
api.cgi uses a template too, and if the problem is in the template then you need to check the template.
For that reason you need to look at the source to figure out how the iframe works (is it JavaScript? is it a real iframe? is it just plain HTML code?).
Hopefully this can help you fix the problem.
Greetings From PowerChaos
PowerChaos, it seems you have some technical knowledge on this.
My sites have been iframe-injected before, but I was always able to remove the exploit. This one is different; I just can't locate it. The iframe is loaded directly into api.cgi. I don't even know what URL the iframe is loading from.
Since my other file servers are fine, I am very sure the main server and database are not infected. But I replaced all the file server files with stock files and still can't remove the iframe.
My last solution is going to be to move the files to another server and reinstall the infected file server.
I don't have experience with it,
except that I got it a few times too on my sites, where they got a JavaScript injection (cPanel).
I found them by looking at the source code, and that's how I found the JavaScript injection.
I easily removed it, and I decoded the coded HTML and blocked the IPs to prevent them from being able to execute.
The first problem is that you need to locate the source :S
If that is not possible, then it's really hard to fix the problem.
You say that it is an iframe; then it depends on how the iframe gets created.
If it gets created by JavaScript, then you need to search for JavaScript code.
If it gets created by a direct iframe, then it's probably in the HTML files (as they can be written on the fly).
The thing you can try too is installing the ClamAV virus scanner (for Linux on cPanel) and scanning the home dir.
It's possible too that it is a background process that is running as a daemon
and that it writes the files on the fly (check running daemons in Linux).
If you want, I can take a quick look, but I can't promise that I can fix it (I am a noob at Linux :s, I am a lot better at Windows).
If you want, send me an email to [email protected]
Thank you
Greetings From PowerChaos
PowerChaos, I saved the source code of the exploit, please take a look:
http://www.mediafire.com/?ohlb779lsmc69xc
It looks like they just stuffed the iframe in there, loading directly from the iframe. There is no way to find out where it is loading the page from. This appears to be a very advanced type of injection.
I can't figure out anything in that HTML file.
I see 2 different things, and 1 is a site tracker.
The reason why I asked you to email is because I'd like to have the admin login so I can try it out on my own, so I can get the things I need (Google Chrome has more options than only the source code),
or you can make an account for me with admin access (little database trick).
At this moment, I don't see anything that has to do with an iframe in the file you sent me :S
I don't know how to explain right what I mean, but let me try to explain.
You say that you got an iframe that loads that shouldn't be loading (injection/exploit).
It only happens on server 1 and 2 when you try to move a file.
Now the things I need to figure out where it came from:
1) logfile (if it makes logfiles)
2) source code (right click) with the iframe in it, if possible (else you need to use Google Chrome to investigate the page :p)
Then from that source code I can figure out what the iframe gives (is it JavaScript or just an iframe?).
It gives a lot of other things too (only JavaScript? or with divs? closed HTML tags? closed P tags?) and in that way you can locate where it is.
Is it at the end? Is it at the beginning? Do the footer and header load too?
There are a lot of things that you can exclude to find the exact location of it,
but you first need to have a start.
To provide an example of my last injection:
a site of mine runs on PHP only (no templates, all PHP code).
The JavaScript injection was located in index.php because it contained <html>.
The footer.php was not loaded because it refused to load until the script loaded (on Google Chrome).
In the source you saw it at the end of where the index file stops (and where the footer should start to close).
That's how I figured out that it was in index.php and that all files that contain HTML were infected (easy to remove).
That's to provide an example of how you can figure it out.
Hopefully you can understand what I try to say :S
PS: I can not promise that I will figure out the error; I can only give it a try to see if I can fix it or find stuff that helps you more than what you have now.
Greetings From PowerChaos
I can't try it out on my own as I do not have multiple servers (I use only 1 server as file server),
and the only website I can find is the city.ws site, but it doesn't seem like your site (not the download site),
so I've got no idea how I would be able to confirm anything :s
For the iframe, it seems strange as it doesn't go to any screen (normally they are supposed to go to a website).
Is it the only thing that loads? Or does everything load fine and then the iframe on top of it?
Try to locate the location of the iframe to know in what file you need to start searching (is it index? is it the header? is it the uu? is it the footer? is it another included file?).
If it is the only thing that loads, then it needs to be the first file that it calls to load;
if it is later, then it's files that are called later.
It's hard to solve problems without any view on it :s
Greetings From PowerChaos
I think the iframe is part of the script, but the stuff inside the iframe is not.
For example, the iframe is supposed to have something like:
Sending.... OK:DB:OK
Instead it is like this:
Sending.... OK:DB:
<Spam site>
OK
So something is injecting into the iframe, but I still have no clue how it is able to do that. I already blocked the site from my computer, but it still shows up in the iframe. Oddly, I blocked the site from the server and it gives a "cannot display site" error. So this iframe injection is loading server-side; I have never seen something like that before.
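The thread leaves two practical questions open: PowerChaos's point that you first have to find out whether the spam iframe is a literal tag or is written on the fly by obfuscated JavaScript (and which template or HTML file carries it), and the original poster's observation that the injected markup appears in the "DB:" part of the api.cgi move transcript, i.e. in the reply that fs.cgi is supposed to answer with a bare OK. The script below is an added example written for this page, not code from XFileSharing Pro or from either poster. It scans text for literal and decoded iframes and dropper patterns, judges a move transcript by what follows "DB:", and walks a web root reporting hits with modification times. The file extensions, the regexes and the sample template and transcripts (spam.example and bad.example URLs) are constructed for the example; the "Sending .../5nqkolz11qaj...OK DB:" line shape is taken from the thread.

```python
"""Added example: locate an injected iframe the way the thread suggests.

find_injections(): literal <iframe> tags plus iframes hidden inside
unescape()/atob() payloads, and "write on the fly" dropper builders.
check_move_output(): judge the fs.cgi reply after 'DB:' in an api.cgi transcript.
scan_tree(): walk a web root and list files that carry injection indicators.
"""
import base64
import os
import re
from urllib.parse import unquote

IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I)
SRC_RE = re.compile(r'''src\s*=\s*["']?([^"'\s>]+)''', re.I)
# Tell-tale styling of spam iframes: zero size, hidden, or pushed off-screen.
HIDDEN_RE = re.compile(
    r'''(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none'''
    r'''|position\s*:\s*absolute\s*;\s*left\s*:\s*-\d+''', re.I)
# Builders used by droppers that assemble the iframe at page load time.
OBFUSCATED_RE = re.compile(
    r'eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(|atob\s*\(', re.I)
UNESCAPE_ARG_RE = re.compile(r'''unescape\s*\(\s*["']([^"']+)["']''', re.I)
ATOB_ARG_RE = re.compile(r'''atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']''')


def decode_layers(text):
    """Return the text plus the decoded payload of every unescape()/atob() call,
    so an iframe built by document.write(unescape("%3Ciframe...")) is seen too."""
    layers = [text]
    for m in UNESCAPE_ARG_RE.finditer(text):
        layers.append(unquote(m.group(1)))
    for m in ATOB_ARG_RE.finditer(text):
        try:
            layers.append(base64.b64decode(m.group(1), validate=True).decode('latin-1'))
        except (ValueError, UnicodeDecodeError):
            pass  # not real base64, nothing to add
    return layers


def find_injections(text):
    """One finding per iframe (literal or decoded) and one 'obfuscated-js'
    finding per layer that uses a dropper builder. 'decoded' marks findings
    that only appear after unescaping, i.e. iframes written on the fly."""
    findings = []
    for depth, layer in enumerate(decode_layers(text)):
        for tag in IFRAME_RE.findall(layer):
            src = SRC_RE.search(tag)
            findings.append({'kind': 'iframe', 'src': src.group(1) if src else None,
                             'hidden': bool(HIDDEN_RE.search(tag)), 'decoded': depth > 0})
        if OBFUSCATED_RE.search(layer):
            findings.append({'kind': 'obfuscated-js', 'decoded': depth > 0})
    return findings


def check_move_output(transcript):
    """Split what api.cgi printed ("Sending <file>...OK DB:<reply> All Done") at
    'DB:'. The reply should be exactly 'OK'; markup in it means that reply was
    rewritten somewhere between fs.cgi and the screen."""
    _, sep, tail = transcript.partition('DB:')
    if not sep:
        return {'status': 'no-db-step', 'reply': None, 'injections': []}
    reply = tail.split('All Done')[0].strip()
    injections = find_injections(reply)
    status = 'clean' if reply == 'OK' else ('tampered' if injections else 'unexpected')
    return {'status': status, 'reply': reply, 'injections': injections}


def scan_tree(root, exts=('.html', '.htm', '.tpl', '.cgi', '.pl', '.pm', '.js', '.php')):
    """Walk a web root (extension list is an assumption for this example) and
    return hits sorted by mtime, so a batch of files rewritten at the same
    minute stands out from a template that was merely re-rendered."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding='latin-1') as fh:
                    findings = find_injections(fh.read())
            except OSError:
                continue
            if findings:
                hits.append({'path': path, 'mtime': os.path.getmtime(path), 'findings': findings})
    return sorted(hits, key=lambda h: h['mtime'])


# Constructed samples (not from the thread): a template with a literal hidden
# iframe plus a document.write(unescape(...)) dropper, and move transcripts in
# the thread's shape with a constructed spam iframe in the DB reply.
SAMPLE_TEMPLATE = """<html><body>
<div><iframe src="http://spam.example/in.php" width="0" height="0"></iframe></div>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%2Fx%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"))</script>
</body></html>"""
SAMPLE_MOVE_BAD = ("Sending 00000/5nqkolz11qaj...OK DB:\n"
                   '<iframe src="http://spam.example/in.php" width=0 height=0></iframe>\n'
                   "All Done.")
SAMPLE_MOVE_OK = "Sending 00000/5nqkolz11qaj...OK DB:OK\nAll Done."

if __name__ == '__main__':
    for finding in find_injections(SAMPLE_TEMPLATE):
        print(finding)
    print(check_move_output(SAMPLE_MOVE_BAD)['status'], check_move_output(SAMPLE_MOVE_OK)['status'])
    for hit in scan_tree('.'):  # point this at the web root of the suspect server
        print(hit['path'], [f['kind'] for f in hit['findings']])
```

A `tampered` result only tells you which step's reply is dirty, not who dirtied it: with the main server's files already replaced, the remaining suspects are whatever sits between fs.cgi and api.cgi on the wire (web server modules or filters, a proxy, the HTTP client library on the file server), which is why the thread's advice to check running daemons and compare against stock files still applies.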