
The "onload if this" website infection

Of course the title of this post is only part of the infection.

The typical type of infection I’m going to discuss first looks more like this:

The domain this iframe directs to and the long string of characters (kzjev…) before the closing iframe tag can be different, but from what I’ve seen, the rest is typically the same.

Other domains we’ve seen include, but are not limited to:

the-another-life
theeasyriver
iquotient
testodrome
whendeath
intelekt-testing
ig-testing
zria
worldrat
qualitysuper
deth-test
iq-mozgi
dedlife
mozg-testing
testossteron

Using PowerGrep, we’ve been able to remove this infection quite quickly. However, just removing the injected code doesn’t mean your website is safe, not by a long shot.

Upon further analysis, we found that these infections were remotely controlled but locally injected.

What I mean is that the control of the infection is handled remotely, over a backdoor, while the infection process itself is carried out by PHP code sitting in the files on the website.

First of all, in some of the sites that had these infections, we found the old gifimg.php file in the images folders. Some sites have various plugins, and some of those plugins have their own images folder; the gifimg.php was in there as well, so look through every folder on the site, not just the main images folder, for a gifimg.php file. As you may know from our previous post, this file allows the hackers to send commands to your website from wherever they are. This is the remotely controlled part.

Keep in mind that not all of the websites where we found the “onload if this” infection had the gifimg.php file. Just because you don’t find that file doesn’t mean you don’t have the “onload if this” infection.

Before we get too focused on the “onload if this” type of infections, let me state that other infections were injected the exact same way.

This infection was found using the same method as the “onload if this” infection:
[screenshot: sunsetfibersinfection]

Here again, we’ve seen various other URLs such as:

albaser.com
unilanguage.net
akrjewellers.com

just to list a few.

The infectious code that generates this infection is:

Which deobfuscates to:

The base64_decode in the above script deobfuscates to:

Which, as you can see, is one of the domains listed above. The original PHP script injects this malscript into various pages it finds throughout the site.

You can search for and delete this script (inside the script tags) all you want. If it comes back over and over again, then you probably have the original PHP code, or something similar, in one of your files. It’s these repeat infections that are the worst, because you can waste hours scanning through your files, looking at the code, removing everything you believe is malicious, and then it comes right back again, over and over.

Typically, for a repeat infection, our advice would have been to scan your PC for viruses and trojans with a different anti-virus program than the one you’ve been using. That is still worth doing, because it may eliminate the original source of the compromise, but in this case the repeat infections are the result of the PHP code already on the website, and cleaning the PC alone will not stop them.

Unfortunately, the only way you can detect this is to find it in the code on your website. We requested full FTP access from the clients who had this infection so we could look at all the files. No remote scanner (meaning one that scans from outside your website, as a visitor would) can find this. The PHP code runs on the server and dynamically generates the webpage, so the browser only ever receives the injected script or iframe; you’ll never see the malicious PHP that does the injecting, or the remote control code, in the page source in your browser.

How did these sites get infected originally?

By the same method used to infect thousands if not millions of sites – via stolen FTP login credentials. FTP login credentials are saved on a local computer and stealing them gives hackers a valid method for accessing the files on a website – valid login credentials.

I’m working up a full write-up on steps to take to prevent compromised FTP login credentials, but it’s not ready just yet.

If your website is getting hacked over and over again, you should scan all your website files for any occurrence of this string:

eval(base64_decode

Don’t just delete any file with that string in it because we have seen various files where that is used legitimately, however, close examination of any file with that string is suggested.
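The two checks described above, searching every folder for gifimg.php and searching every file for eval(base64_decode, can be done in one pass, and the base64 payload can be peeled layer by layer the way the deobfuscation steps earlier in this post walk through it. The following scanner is an added example, written for this post; it is not code from wewatchyourwebsite.com and not the infection’s own code. The sample dropper it scans is constructed here and points at the placeholder domain example.invalid, not at any of the domains listed above; the file names and the nested-layer decoding are assumptions about how such droppers are commonly laid out. A hit from this script is a lead to examine by hand, not a verdict, since some files use eval(base64_decode legitimately.

```python
import base64
import binascii
import re
from pathlib import Path

# Indicators from the post: the gifimg.php backdoor dropped into images
# folders (plugin images folders included), and the eval(base64_decode
# string found in the PHP that keeps re-injecting the malscript.
SUSPECT_FILENAMES = {"gifimg.php"}
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".inc"}

EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]", re.I)
INNER_B64_RE = re.compile(
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]*)['\"]", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def decode_layers(payload, max_depth=8):
    """Decode a base64 payload and keep peeling while the result contains
    another base64_decode('...') literal. Returns the decoded layers in
    order, outermost first; an invalid payload yields an empty list."""
    layers = []
    current = payload
    for _ in range(max_depth):
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", current), validate=True)
        except (binascii.Error, ValueError):
            break
        text = raw.decode("utf-8", errors="replace")
        layers.append(text)
        nested = INNER_B64_RE.search(text)
        if not nested:
            break
        current = nested.group(1)
    return layers


def scan_text(text):
    """Find every eval(base64_decode('...')) in one file, decode it, and
    collect any URLs that appear in the decoded layers."""
    findings = []
    for m in EVAL_B64_RE.finditer(text):
        layers = decode_layers(m.group(1))
        urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
        findings.append({"offset": m.start(), "layers": layers, "urls": urls})
    return findings


def scan_files(files):
    """files: iterable of (path, contents) pairs. Returns the suspect file
    names seen anywhere in the tree plus per-file eval(base64_decode hits."""
    report = {"suspect_files": [], "eval_b64": {}}
    for path, contents in files:
        p = Path(path)
        if p.name.lower() in SUSPECT_FILENAMES:
            report["suspect_files"].append(str(path))
        if p.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(contents)
            if hits:
                report["eval_b64"][str(path)] = hits
    return report


def scan_tree(root):
    """Walk a downloaded copy of the site and run scan_files over it."""
    def gen():
        for p in Path(root).rglob("*"):
            if p.is_file():
                try:
                    yield p, p.read_text(encoding="utf-8", errors="replace")
                except OSError:
                    continue
    return scan_files(gen())


# Constructed sample (not real infection data): a two-layer dropper whose
# innermost layer echoes a 1x1 iframe to a placeholder domain, two stand-in
# gifimg.php files in different images folders, and one legitimate
# base64_decode use that must not be flagged.
INNER_PHP = ("echo '<iframe src=\"http://example.invalid/kzjev\" "
             "width=\"1\" height=\"1\"></iframe>';")
MIDDLE_PHP = 'eval(base64_decode("%s"));' % base64.b64encode(INNER_PHP.encode()).decode()
DROPPER_PHP = '<?php /* thumbnail helper */ eval(base64_decode("%s")); ?>' % (
    base64.b64encode(MIDDLE_PHP.encode()).decode())
CLEAN_PHP = "<?php $cfg = unserialize(base64_decode($row['settings'])); ?>"

SAMPLE_FILES = [
    ("images/gifimg.php", "<?php /* constructed stand-in for the backdoor */ ?>"),
    ("wp-content/plugins/gallery/images/gifimg.php", "<?php /* stand-in */ ?>"),
    ("includes/thumb.php", DROPPER_PHP),
    ("includes/config.php", CLEAN_PHP),
]

if __name__ == "__main__":
    import json
    print(json.dumps(scan_files(SAMPLE_FILES), indent=2))
```

Run it against a full FTP download of the site with scan_tree("path/to/site") and read the decoded layers for each hit: the innermost layer is where the injected iframe or script and its domain show up, which is how you tell a dropper like the one above from a config file that merely stores a base64-encoded setting.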

If you need assistance in locating this code or deobfuscating code let me know and I’ll try to help you.

If you have any other domains or URLs to add to our lists above, please send them to me at traef@wewatchyourwebsite.com or post them as a comment here.

8 Responses to The "onload if this" website infection

  1. b h says:

    I found http://starktourism.com/flash/mt_global.php as a script that was injected into the HTML using eval

  2. miramis says:

    Thank you for all information.
    I found
    http://biocasa-inmobiliaria.com/images/start-ES.php
    classicholidays.co.in/
    freddyboy1.se/
    thepascoedifference.com/
    leuchtmittel-welt.com/

  3. Luc says:

    I’ve found this on 5 of my sites today, along with a few new commonalities (although not between every site, just 1 or 2 on each);

    1) A file called “mailtest.php” was created in the root with some base64_decode string
    2) Where timthumb.php (a popular image resizing script) was being used, new, randomly named directories had been created (presumably to test the attack)
    3) 14 lines of document write script tags at the bottom of pages, linking to starktourism.com and ssmgulf.com
    4) A file called chat.pl in a cgi-bin

    4 of the 5 sites were all on the same server (and the 5th externally hosted with a completely different host), so I’m hoping that it’s a server vulnerability, rather than my PC (which is part of a larger, protected network) that’s been compromised.

    The newest one I found was only attacked yesterday (22nd Nov), so there might be a new wave of attacks gearing up…

  4. admin says:

    @Luc,

    The hackers have been leaving all sorts of malicious remote control code on websites. But the common thread is the virus/trojan on a PC with FTP access to the site. Please, please have your PC checked and any other PC with FTP access to your sites.

    When analyzing these infections you have to look for common denominators. In this case you have 5 sites, 4 on one server and 1 on another server. So I would look deeper for a common denominator – like the PCs being used for FTPing files to the 5 different sites.

    Keep looking for the .php files with various base64_decoding strings. Also look for php files with “echo (insert obfuscated javascript here)”

    Let me know if you need further help.

    Are you comfortable with grep? There’s an awesome program: grepWin that works great at cleaning websites.

    Let me know…

  5. peyman says:

    I found

    Line 72:
    Line 73:
    Line 74:

    Our website was designed in ASP.NET 2 (aspx and vbx).

    But I couldn’t find any eval(base64_decode.
    I need your help to solve this problem.

  6. Tachyon says:

    Nice read. Thanks for tips.
    Domains I recently found were:
    – fujikvl.ge/
    – adsolutionindia.com/
    – cumportal.com/

    Does anyone know a secure editor who scan files on FTP-site (with regular expressions) so I don’t have to download any possible infected files???

    Thanks,
    Tachyon

  7. admin says:

    Tachyon,

    What do you mean by “a secure editor”?

    The infected files won’t infect your PC unless you open them up in a browser. If you open them up with Dreamweaver or whatever your editor is, you won’t get infected.

  8. visitor says:

    Thanks for sharing this useful information.
    One site I detected also as a virus:
    xg1.es/images/gifimg. php (DON’T follow this link!! but I post it here so that others can find it – so, be aware !!!!)
