iframe

A place for security related announcements and discussions - please check this forum frequently!
SusanneR
Posts: 3
Joined: Mon Feb 14, 2011 9:45 pm

iframe

Post by SusanneR » Mon Feb 14, 2011 10:07 pm

Whenever I edit my site, a piece of code including an iframe leading to a certain site, and then possibly some script is inserted into my content file.
(I understand I should not post such code here but if you want I can send it by pm)
Kaspersky antivirus which was used by some folks I wanted to show a suggestion for a new site catches this, but my AV (AVG) does not.

I think it happens during the "save" operation.
How does this happen, what is it, and what can I do to prevent this - (just installed v3.3 instead of a previous version)?

I also found another JavaScript file (urchin.js) that is not supposed to be there (??)
I may be doing something seriously wrong here. Wrong permissions?

Holger
Site Admin
Posts: 3470
Joined: Mon May 19, 2008 7:10 pm
Location: Hessen, Germany

Re: iframe

Post by Holger » Mon Feb 14, 2011 10:23 pm

Hi Susanne,
SusanneR wrote: Whenever I edit my site, a piece of code including an iframe leading to a certain site, and then possibly some script is inserted into my content file.
If it really only happens when you edit your site - and only in content.htm, the problem seems to be on your local machine.

Do a little search on "hacked" here at the board. You'll find some hints.
And maybe Tata remembers the problems he had in the past with the same type of infection.

BR
Holger

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: iframe

Post by Tata » Mon Feb 14, 2011 11:11 pm

Oh, Susanne!!!
I am sorry for you. And I almost exactly know what you are facing.
Read more here: http://cmsimpleforum.com/viewtopic.php?f=5&t=930 and this http://cmsimpleforum.com/viewtopic.php? ... a&start=10

If you have installed a localhost or if you have any saved webpages, let them check for some string from the iframe. Then - if the iframe has been only inserted without destroying the files, you may be a little bit lucky. You will need to open all infected files in Notepad++ or any other editor which allows manipulation with a large number of files and search/replace the infected code with an empty string.
The same with all files on your host (you will need to download everything and make the same checks).

But you definitely shall google for recent information about this thread. There may be some new infection around that would require some special removals, though.
CMSimple.sk
It's no shame to ask for an answer if all efforts failed.
But it's awful to ask without any effort to find the answer yourself.

SusanneR
Posts: 3
Joined: Mon Feb 14, 2011 9:45 pm

Re: iframe

Post by SusanneR » Thu Feb 17, 2011 9:30 pm

Guys, I think it may have been one of the plugins or the pluginloader.

I kicked that out.

tested and did not get the insertion.

I reinstalled the latest version from the cmsimple site and it's still fine.

only now I don't have a working guestbook.

I had sblog, or ublog depending on the domain, and a gallery (CMSimple Gallery plugin version 0.6 Final Beta) installed.....

any ideas what it could (keep your fingers crossed) - have - been?

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: iframe

Post by Tata » Thu Feb 17, 2011 10:11 pm

I advise you with full seriousness to use e.g. Notepad++ and check there all your index, config and maybe also other PHP files. I know what I suggest you. I went through this twice. One forgotten file re-infected my whole serverspace. I had there more installations in subdomains. And if I remember correctly - over 5000 files got infected in only a couple of minutes. Read one more time my posts. Not only your files may be infected. Without your knowledge visitors of your site may be infected too and your webpage may get indexed by search engines as a suspicious one. I am serious.
In almost all cases I faced, port 8080 was used. So sometimes it is enough to search for files containing the string ":8080" and then see whether this string is part of an iframe. The infection shows no action on your computer. It only redirects you, without any notice, to a domain full of other threats.
For more info google for Vundo (Virtumonde) virus.
Some of the mentioned plugins are pretty old and had security issues - they required dangerous server settings for their functions (find more in this or in the old forum).
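
The check described in the post above (search all files for the string ":8080", then see whether it is part of an iframe), as an added example that is not part of the original thread. The function names, the extension list and the sample files are assumptions made for illustration; the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

SCAN_EXT = {".htm", ".html", ".php", ".js", ".tpl", ".txt"}  # assumed file types
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
MARKER = ":8080"  # the string named in the post above

def classify(text):
    """Return sorted (line, kind, detail) findings for one file's text."""
    findings, iframe_lines = [], set()
    for tag in IFRAME.finditer(text):
        src = SRC.search(tag.group(0))
        try:
            port = urlsplit(src.group(1)).port if src else None
        except ValueError:  # malformed URL or port
            port = None
        if port == 8080:  # iframe whose src points at port 8080
            no = text.count("\n", 0, tag.start()) + 1
            iframe_lines.add(no)
            findings.append((no, "iframe", src.group(1)))
    for no, line in enumerate(text.splitlines(), 1):
        if MARKER in line and no not in iframe_lines:
            findings.append((no, "review", line.strip()[:80]))  # not an iframe: look manually
    return sorted(findings)

def scan_tree(root):
    """Scan every text-like file under root; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            found = classify(path.read_text(encoding="utf-8", errors="replace"))
            if found:
                report[path.relative_to(root).as_posix()] = found
    return report

def demo():
    """Build a constructed sample site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "content.htm").write_text('<h1>Hi</h1>\n<iframe src="http://injected.example:8080/x.php" width="1"></iframe>\n')
        (root / "config.php").write_text("<?php\n$proxy = 'localhost:8080';\n")
        (root / "template.htm").write_text('<iframe src="https://maps.example/embed"></iframe>\n')
        return scan_tree(root)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Run `scan_tree` against a downloaded copy of the whole webspace; "iframe" findings are the ones to clean, while "review" findings contain the string outside an iframe and need a manual look.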

SusanneR
Posts: 3
Joined: Mon Feb 14, 2011 9:45 pm

Re: iframe

Post by SusanneR » Sat Feb 19, 2011 2:18 pm

Hi,

I checked for that code, it's nowhere in my files, and the behavior wasn't in any way similar to what is described for the virus you mention.

I think it's fixed now.

Tata
Posts: 3586
Joined: Tue May 20, 2008 5:34 am
Location: Slovakia

Re: iframe

Post by Tata » Sat Feb 19, 2011 2:24 pm

SusanneR wrote: I think it's fixed now.
Then you are the lucky one. Congratulations.
