Web Site hacked, iframe inserted, where to start?
The weak point is the FTP credentials. I have found two ways the site gets compromised: one is the server administrator's fault and one is the domain user's fault.
FTP user with no password
One of the issues is the administrator's fault (if we can call it that, since it was really an error in proftpd). We have found (thanks to Scott from ART) that in one version of proftpd users can log in with the correct username and any password. The problem was in /etc/pam.d/proftpd. If you do not discover it, a later upgrade will not fix the issue. So I suggest checking for this, and if you can reproduce it (log in as a valid user with any password), then check the PAM settings.
Look at what /etc/pam.d/proftpd says. If it looks like the stack shown below, it is not OK: nothing in the auth phase actually verifies the password.
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
account include system-auth
session include system-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
Change it to this (comment out the old lines as a backup):
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
service xinetd restart
Then try to log in again with a wrong password; it should fail now. Of course, also try with a correct user/password to confirm that legitimate logins still work as expected.
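To make the check above repeatable, here is an added example (not part of the original article) that audits the text of /etc/pam.d/proftpd and reports when the auth phase contains nothing that actually verifies a password, which is exactly the condition that lets any password through. The list of password-checking modules and the treatment of "include" and pam_stack.so delegation are assumptions based on common Linux PAM setups; the two embedded stacks are copies of the ones shown above.

```python
"""Audit a /etc/pam.d/proftpd stack for the 'any password works' problem.

Added example, not part of the original article. It parses PAM stack text and
reports when the auth phase contains nothing that actually verifies a password.
The set of password-checking modules and the treatment of 'include' /
pam_stack.so delegation are assumptions based on common Linux PAM setups.
"""
import re

# auth-phase modules that verify a password themselves (assumed list)
PASSWORD_CHECKERS = {"pam_unix.so", "pam_pwdb.so", "pam_ldap.so",
                     "pam_sss.so", "pam_winbind.so", "pam_krb5.so"}

# Copies of the two stacks shown in the article (the broken one and the fix).
BAD_STACK = """\
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_shells.so
account include system-auth
session include system-auth
session optional pam_keyinit.so force revoke
session required pam_loginuid.so
"""

GOOD_STACK = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""

# phase  control-or-[bracketed control]  module  args...
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Return a list of (phase, control, module, args) tuples, comments dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            phase, control, module, rest = m.groups()
            entries.append((phase.lower(), control.lower(), module, rest.split()))
    return entries


def auth_verifies_password(text):
    """True if some auth-phase entry checks (or delegates checking of) the password."""
    for phase, control, module, args in parse_pam(text):
        if phase != "auth":
            continue
        if control in ("include", "substack"):
            return True                      # e.g. 'auth include system-auth'
        if module == "pam_stack.so" and any(a.startswith("service=") for a in args):
            return True                      # older RHEL-style delegation
        if module in PASSWORD_CHECKERS:
            return True
    return False


def audit(text):
    """Return a list of findings; an empty list means the auth phase looks sane."""
    findings = []
    entries = parse_pam(text)
    if not any(phase == "auth" for phase, _, _, _ in entries):
        findings.append("no auth phase at all")
    elif not auth_verifies_password(text):
        findings.append("auth phase never verifies the password: "
                        "a valid username with any password will be accepted")
    return findings


if __name__ == "__main__":
    # Run it against the real file with: audit(open("/etc/pam.d/proftpd").read())
    for label, stack in (("bad", BAD_STACK), ("good", GOOD_STACK)):
        print(label, audit(stack) or ["ok"])
```

The audit only proves that the stack delegates somewhere; it still assumes that system-auth itself contains a real password check, so the login test with a wrong password remains the final confirmation.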
Keylogger - user/password stolen
There are a few keyloggers on the market that let attackers who gain access to a PC desktop install a keylogger (a trojan or similar) which sends the FTP user/password to the attacker. I found the following explanation on a forum, very interesting...
"I have found a version of this in action and have examined it. Here are the first steps: make sure that you have updated your Adobe Reader and Shockwave/Flash plugins, and make sure you have a good antivirus/antimalware application running on your system. The instance of this that I found spreads through people's sites for which they have the FTP login information. They modify a ton of different pages in many different ways, to direct people without them knowing it to their server, which runs a CGI script and JavaScript to determine what plugins your browser is using, and then it will attempt to feed your browser the appropriate .pdf and/or .swf with exploit code in it, which infects the computer of the person who is browsing the site. The infected computer then has a trojan, which in this instance listens and searches for FTP and perhaps other login information to sites, which reports back to a central server, which then periodically processes the sites, downloading, modifying, and then re-uploading the new infected site files. The site's files are infected in specific ways depending on how they are named and what kind of file they are. For example, all files that contain the word home, default, index, etc. are modified as if they are the main index pages. Depending on the extension, it will insert the appropriate code, so it differs when modifying a .php, .html, .js, .shtml, and so on. They do it this way so that it can work as cleanly as possible without detection, so the site can be infecting as many people as possible for as long as possible. Many of the codes inserted will be encoded in various different ways so that it is not plainly readable, so they can hide exactly what they are doing to a certain extent. In plain HTML files, they often use hidden iframe tags to get their payload to the end browser and its plugins. The rest deal in PHP code, include and encode JavaScript, with a few exceptions.
One last thing, it seems that at least in this instance I saw, .cn domains involved where it loaded the exploits."
After this, the rest is easy: they connect to FTP via a script (usually CGI) and run it to insert the iframe into the index* and homepage* files.
How to get rid of it?
- Change the FTP password, but if the keylogger can still steal the new password, this is not very useful on its own.
- Use SFTP, so the FTP password is not sent in the clear; it is encrypted, and a keylogger or sniffer on the network path cannot steal it. A keylogger running on the desktop itself still sees the keystrokes, so the infected desktop must be cleaned as well.
- Ask your host to disable CGI/Perl support for the moment. As far as I know it is mostly a CGI hack from outside that does the iframe trick. I said mostly ...
- The ASL module from ART, in the new version (for PLESK), includes a module that will scan for these attempts via FTP.
It is actually quite neat to see something like this in action, not that it is good, but wow, quite an operation. It is not without its flaws: it sometimes eats the end of files, and it tends to generate replacement files that do not have a correct end of line. They probably use sed to process the files with a search-and-replace string.
From the same forum mentioned above, we get some good examples of how the code can be inserted into files. Check this URL - http://www.sitepoint.com/forums/showpost.php?p=4292911&postcount=10
Just note that they used Perl/CGI to do a fast insert, so if it is disabled, it should not work. The admin can also disable some functions for Linux users, like sed and grep, but only for regular users, not for root, since a lot of scripts use them.
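Since the infection touches a predictable set of files (names containing home, default or index), inserts hidden iframe tags, and often leaves files without a proper trailing newline, a site owner can scan for those traces. The scanner below is an added example, not code from the original article or from any product it mentions; the name parts, extensions and hidden-iframe patterns are assumptions, and the sample pages it writes to a temporary directory are constructed, with a placeholder host rather than a real indicator.

```python
"""Scan a web root for the hidden-iframe injection described in the article.

Added example, not from the original article or any product. It checks only the
files the post says get modified (names containing home, default or index, with
web extensions), flags <iframe> tags hidden by zero size or CSS, and flags files
whose last line has no newline, one of the side effects mentioned. The name
parts, extensions and regexes are assumptions; the sample files are constructed.
"""
import os
import re
import tempfile

TARGET_NAME_PARTS = ("home", "default", "index")
TARGET_EXTS = (".php", ".html", ".htm", ".js", ".shtml")

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"(width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)",
    re.IGNORECASE)


def is_target(path):
    """Match the filenames the infection routine singles out (index*, home*, default*)."""
    name = os.path.basename(path).lower()
    return name.endswith(TARGET_EXTS) and any(p in name for p in TARGET_NAME_PARTS)


def scan_content(data):
    """Return a list of findings for one file's raw bytes."""
    findings = []
    text = data.decode("utf-8", errors="replace")
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_RE.search(tag):
            findings.append("hidden iframe: " + tag[:80])
    if data and not data.endswith(b"\n"):
        findings.append("no trailing newline (sed-style rewrite?)")
    return findings


def scan_tree(root):
    """Walk root and return {relative path: findings} for target files with findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_target(path):
                continue
            with open(path, "rb") as fh:
                found = scan_content(fh.read())
            if found:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                report[rel] = found
    return report


def build_demo_site(root):
    """Write constructed sample pages (not real captures) under root."""
    clean = b"<html><body>Hello</body></html>\n"
    # placeholder host, not a real indicator of compromise
    injected = (b"<html><body>Hello</body></html>"
                b'<iframe src="http://placeholder.invalid/x" width=0 height=0 '
                b'style="visibility:hidden"></iframe>')
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    samples = {"index.html": injected, "sub/default.php": injected,
               "about.html": injected,  # not a targeted name: skipped by design
               "home.js": clean}
    for rel, body in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)


def run_demo():
    """Build the sample site in a temp dir and return the scan report."""
    root = tempfile.mkdtemp(prefix="iframe_scan_")
    build_demo_site(root)
    return scan_tree(root)


if __name__ == "__main__":
    # Against a real site: for path, found in scan_tree("/var/www/vhosts").items(): ...
    for path, found in run_demo().items():
        print(path, found)
```

The name filter mirrors what the forum post describes, so about.html with the same injected tag is deliberately skipped; widen TARGET_NAME_PARTS (or drop the filter) for a full sweep, and treat the missing-newline finding as a hint to diff the file against a known-good backup rather than as proof on its own.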
Articles to read: