Iframe Hack, Did Boonex Hack My Site?

DosDawg posted 23rd of September 2009 in Community Voice. 20 comments.

No, Andrew, and team, I'm not inferring this at all, however there are certain individuals in the community who would assert this, and stand firm that boonex employees who were given ftp access to their server are the cause for their site being compromised.

well i would attribute this to an end-user error. i have done just a touch of research on this iframe hack to see what was being said about it since last time i had to actually deal with it. found some interesting stuff. there are some basic guidelines that will help protect you.

just another pointer, if you need help from somebody, tis best to create the ftp user account and password for them. now what i do and it may not even make two fat rat asses, but i never transport usernames and/or passwords across smtp, not really paranoid, just know it's not secure, so choose not to do it. so i implemented a technique some time ago in that i use notepad or some other editor, type the uname/pword, and take a screenshot. i crop that screenshot, name it some inconspicuous file name as an image, and i send the image. don't know 100% if that makes an actual difference but it works for me.

if you must transport your uname/pword, i would suggest sending it as an image file, less likely to be intercepted and way less likely that you become a victim.

quit accusing people, get a grip, know what you are doing on the internet, understand protocols and functionalities, both w32 and the linux kernel if you are on those environments, before you assign blame and point fingers at somebody whose full intent was nothing more than to help.

i'm just gonna try to add some information here for the obliquely misinformed. boonex didn't hack your site, didn't necessarily contribute to your site being hacked, and most likely you allowed it yourself in most cases.

If you are using an unsecured FTP client, you are in danger of exposing your passwords to hackers because the passwords are passed between your FTP client and your website in plain text. Use a program like WinSCP, or an FTP client that allows you to connect to your site using SFTP or SCP. Both of these methods encrypt your user name and password, making it much more difficult for a hacker to discover them, even if they intercept them with some sort of packet sniffer.

Lock her down!

so as you can see here, it has nothing to do with MALWARE being on your computer to start.

How it works:

Hackers are likely relying on an automated tool to do the dirty work, the hackers add IFrame code to the saved search results on the sites. The next visitor that uses the search tool is then redirected to another Web site by the IFrame code. The second site in turn puts up a message telling the user that a new codec (coder/decoder) needs to be installed. Accepting the codec takes the user to still another site, which actually hosts the malware — a new variant of the Zlob Trojan horse — and installs it on the victim’s PC.

Since i would presume this was a word-press site, and anybody who has been around the internet and utilizing open source applications for any period of time has most likely used a WP site, do you think the owner of that site gave his password to boonex, and boonex had their site infected as well? doubtful.

WordPress Users Beware of IFrame Hack

Posted 04.15.2009 by Frank J in Internet, Security,

Source: http://www.techjaws.com/wordpress-users-beware-of-iframe-hack/

Hackers continue to subvert hundreds of thousands of Web pages with IFrame redirects that send unwary users to malware-spewing sites. It was apparently reported that these IFrame redirects have slowed, but they’re still occurring at an alarming rate. A friend of mine, who owns the blog called YourSEOSucks, was recently exposed to the IFrame hack using WordPress 2.7.1.

Sticky: Solution For Iframe Java Script Hack
How does this hacking take place:

This hacking does not take place by any PHP application vulnerability nor any kernel bug nor apache bug nor cpanel or Plesk bug. The files of those accounts whose FTP logins are leaked are the ones affected.

Believe me, I have been researching this iframe and JavaScript hack for the last 10 months.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

How it's done
This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the person's passwords etc. to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the person's site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person's pages, anyone visiting that site will be redirected to the hackers' infection site, where the person's computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have, starting in Italy) into the tens of thousands... Please don't think you can depend solely on your antivirus software to protect your computer. It more than likely won't help you. For $1000 dollars, the Russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don't depend on it completely!


This way this hack is spreading fast from one computer to another, broadcasting the passwords to hackers. During my research into this, I even found some of the password files collected by the hack on some of the hacked servers, where they pass this password file to their tool to add the code. In some cases Google bots pick up these files and you can even find the login details of FTP accounts and server root login details in Google.

===============================================
Solution:
===============================================

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

For individual person owning just a domain and not server:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will stop

You must have removed the code many times and it comes again, why???
Because you don't change the FTP password. So change that first.

Just changing password is not complete solution but is the first step.
What's next: your password is leaked, that means your computer is sending out the passwords, so I would suggest you do a clean format first and then install any antivirus or anti-spyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

1) Change the FTP or root password of server
2) Clean format the PC

and take care in future that you don't visit any of the virus links made by this hack.
Also to keep your password secure I would suggest you to use any password manager software like:

http://keepass.info/

This is a FREE OpenSource Software

I can assure you this is a confirmed solution and will definitely help you all.
Please try it, and once you have confirmed it, please spread this message in as many forums as you can so that others also come to know how to stop it.

so as you can all read, and just in case you were wondering, this is a reliable, dependable source:

Source: http://forums.cpanel.net/f7/solution-iframe-java-script-hack-78595.html
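As an added example (not from DosDawg's post or either of the quoted threads), here is a Python scanner a site owner can run over a document root to find the hidden iframes the quoted cPanel post describes being added to "every index type page". The index-page name pattern, the hidden-size threshold and the sample page are assumptions made for this example.

```python
"""Find hidden <iframe> injections in index-type pages of a web document root.

Added example, not code from the original post or the quoted sources. An
injected redirect iframe stays invisible by being sized to 0/1 px, hidden
with CSS, or positioned off-screen; each of those is reported as a reason.
"""
import os
import re
from typing import Dict, List, Optional

# Assumed list of "index type" page names the quoted post refers to.
INDEX_PAGE_RE = re.compile(r"^(index|default|home)\.(html?|php|asp|aspx|shtml)$", re.I)

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([a-zA-Z_:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(raw: str) -> Dict[str, str]:
    """Parse a tag's attribute string into a lowercase-keyed dict."""
    out: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        out[m.group(1).lower()] = (m.group(2) or m.group(3) or m.group(4) or "").strip()
    return out


def _px(value: str) -> Optional[int]:
    """Return the leading integer of '0', '1px', '0%' etc., or None."""
    m = re.match(r"^\s*(-?\d+)", value)
    return int(m.group(1)) if m else None


def hidden_reasons(attrs: Dict[str, str]) -> List[str]:
    """List the ways an iframe with these attributes would be invisible."""
    reasons: List[str] = []
    for dim in ("width", "height"):
        v = _px(attrs.get(dim, ""))
        if v is not None and v <= 1:          # 0/1 px is the classic injection size
            reasons.append(f"{dim}={v}")
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    for dim in ("width", "height"):
        m = re.search(rf"{dim}:(-?\d+)", style)
        if m and int(m.group(1)) <= 1:
            reasons.append(f"style {dim}:{m.group(1)}")
    m = re.search(r"(?:left|top):(-\d+)", style)  # pushed off the visible page
    if m:
        reasons.append(f"off-screen {m.group(0)}")
    return reasons


def find_injected_iframes(html: str) -> List[Dict[str, object]]:
    """Return every hidden iframe in an HTML document with its src and reasons."""
    hits: List[Dict[str, object]] = []
    for m in IFRAME_RE.finditer(html):
        attrs = _attrs(m.group(1))
        reasons = hidden_reasons(attrs)
        if reasons:
            hits.append({"src": attrs.get("src", ""), "reasons": reasons, "offset": m.start()})
    return hits


def scan_docroot(root: str) -> Dict[str, List[Dict[str, object]]]:
    """Walk a document root and report hidden iframes found in index-type pages."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INDEX_PAGE_RE.match(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample page: one legitimate video embed, one injected hidden iframe.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<p>content</p>
<iframe src="http://redirect.example.invalid/in.cgi?3" width=0 height=0
 style="visibility: hidden; position:absolute; left:-9999px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_PAGE):
        print(hit["offset"], hit["src"], "->", ", ".join(hit["reasons"]))
```

Run `scan_docroot("/path/to/docroot")` against a site and compare the reported src values with the embeds you actually put on the page; anything you do not recognise is the injected tag, and per the quoted post the FTP/root password must be changed before cleaning it or it returns.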

houston you are correct, i just want it to be understood this had nothing to do with boonex or dolphin. has nothing to necessarily do with sharing your password at all. if you are on a shared hosting environment, this can be accomplished. if your password for FTP is not encrypted, you can be compromised.

i hope this clears up the air so that we all have some sort of understanding.

the iframe hack has been around for ages that i am aware of, and its a rather common exploit on sites, they have changed their methodology to some degree, but basically you can rest assured it has nothing to do with being incompetent, its more to do with unknowing, that makes those who have been torched victims.

Regards,
DosDawg

 
Comments
selo12
useful info, thank you for your time
DosDawg
selo,
sorry for the (-) mouse slipped over on me. my sincere apologies.

Regards,
DosDawg
DosDawg
oh and thank you for the kind words.

Regards,
DosDawg
Synergy
Thanks for such an in-depth explanation.
DosDawg
Synergy, you are much welcome, as you can see i have added to it, and i think i will leave it at that now. its long winded, but you dont get the answer in just a few lines thats for sure. when dealing with server security and pc security its an ongoing battle every day.
Regards,
DosDawg
buckmcgoo
To summarize for people who didn't read the whole post.. Hackers hit 1000s of sites everyday and it's completely automated, if you think it had anything to do with Boonex you are a little on the slow side.
DosDawg
thank you buck for the summary. i know its long winded dude, but you cant factually state something like this in just a few lines.

Regards,
DosDawg
buckmcgoo
Oh I know.. and I read your whole post :-)

I just had a feeling that the people who were silly enough to think Boonex was conspiring against them weren't avid readers.
CALTRADE
You are absolutely correct Buckmcgoo - the problem is that there is NO ONE here who thinks that. Dosdawg simply just made that up out of whole cloth. If he wants to claim that then he should publish the person's name and let them tell their side of the story - because I know of no one who said anything like that. People here have different technical levels, but most are sophisticated enough to know this was an automated process.
DosDawg
just continued the search, and this fella makes some really valid points as well.

I will have to agree with confusion on this. The cybercriminals have many, many ways of getting into your website.

Honestly, you can't tell without some good forensics, if they got in via keylogged ftp account, php vuln, sql injection, file inclusion, etc. Many successful attacks are based on software vulnerabilities (as stated earlier by confusion).

The point is, you need to be aware of security for your website. Assume anything you download is vulnerable until you prove it otherwise. We've worked on cases where people were infected by downloading what they thought was the free version of AVG. Cyber gangs know how you think. They know how to get high SE rankings either by using blackhat techniques or by using traffic from some well known site to redirect to them.

There are so many people out there looking to make money on the Internet. Some are legitimate some aren't. The ones that aren't don't care if they use your site or any other site to make money. They just want to make money. To many of them there's something "cool" about making money hacking. That's their mindset.

You need to adopt the mindset that everything is suspect. One of the postings on this site said that his site was hacked because of an ad server he was using on his site. Here he was trying to make money with an ad and turns out some of his visitors were getting infected by this. You can't trust just everyone.

Recently an infected update to Wordpress was offered. It was a version 2.6.4. Anyone who downloaded it and upgraded was serving up infectious code to their visitors. How rude!

I read that a lot of forums were getting spammed recently. People were stating that they're even using captcha. Many hackers/crackers... have tools to help them get past captchas. Their tools aren't 100% effective, but they don't need 100%.

As I read about and hear about all this level of forum spamming increasing, I immediately think, "What is the real motivation behind this?"

One possible answer is that the hackers/crackers have modified some anti-spam module and they have posted it online. Now to drive people who aren't using it already, to Google it, they start spamming every forum they can find. You as a forum website owner, seek out solutions - maybe on Google. You find someone offering a free download for anti-spam module for your forum software. You download it and install it.

Unknowingly to you, you just gave hackers a way into your website.

This kind of strategy goes on all the time. Be suspicious of everything online. You'll be better off.

That's just my 2 cents worth. In the current economic slump, maybe it's worth even less...
__________________
We Watch Your Website - so you don't have to!

Source: Grump (http://forums.digitalpoint.com/showthread.php?t=901622)

from the same thread (Confusion)
A couple of additional notes...

1. The scenario you describe is far and away the minority of cases. The majority of compromises occur due to exploiting vulnerable web applications - wordpress, smf, phpbb, etc, etc. Most of those apps parade their version number around, which makes it easy to search for vulnerable sites. Mpack is a scary thing to be sure. Don't visit your porn sites from the same PC you use to manage your sites.

2. Once an attacker has had access to your server, you must consider all of the contents of the server suspect, and it's strongly recommended to reload the server and restore from back up. Once I have had access, I can drop many backdoors that will give me continued control of your server after you change the password.

i know this is all long winded, but this IMHO is some good information.

but i am still standing on the fact that it had nothing to do with boonex or dolphin. weak passwords, unencrypted passwords, in some cases shared hosting environments (do you actually think they would tell you the server was compromised?). there are so many factors in this ordeal that it really does take some investigation. server logs would be the first place i would go.

Firewall your local pc, firewall your server, require authkeys on ftp, ssh, and any other secure login you can conjure up on a server, most specifically a shared environment, when you have no idea what is hosted on there.

i think i talked about this last year when 6.0 was getting torn off by the remote shell script. if there is hosting for $1.99, that is an attraction to a clan of script kiddies, they can save one day's lunch money and get a hosting account for a month. a shared environment is a child's playground when it's not managed. so with that $1.99 they are able to load up a php remote shell script, basically access every site on the server, read databases, read passwords on the database, change or add passwords and users to the database. i know this first hand, not read it anywhere. this was part of my case study on server security and i have continued to remain active in research and development consultations where servers and server applications are involved.

at any rate, hope some find this information usable.

Regards
DosDawg
houstonlively
Good post Dawg. To accuse Boonex of compromising your site without any evidence to support that ridiculous assumption, is both rude and asinine. I have shared login details for several sites with multiple Boonex staff members, and I will continue to do so with confidence. I would bet that the computers Boonex coders use to work on company assets, are more secure than your average home computer.
CALTRADE
If there is anyone on this site who is "rude and asinine" it is you Houston. I am told not to reply to you because I am "feeding the troll" but when you post false information like "this has nothing to do with file sharing" someone has to call you out - because you are FACTUALLY WRONG - plain and simple. Again - who are you saying accused boonex of hacking their site. If you say it is me, then you are not only a troll - you are a liar.
CALTRADE
Could you tell us who exactly said "Boonex hacked my site" - because I know of absolutely no one who said that - I think you are trying to put words into people's mouths here, and misrepresent what really was said. Several people did say that they had shared their passwords with Boonex and that they could find no malware on their own computer - but that is completely different from what you are claiming. I have heard you say several times on the forums that this can only be caused by a virus on "your" computer, or that it can only be caused by a defect in "your" ftp client. That is not true - you can have a completely clean system, but if you share your password with someone who is infected, your site can be corrupted. As all the truly authoritative information about this says this problem is spread by password sharing.

Since my site was infected, I have received several PMs from people who are also infected who noted that they had also shared their password with Boonex and couldn't find any cause on their computer. I also could not find any malware on my computer - if I had, I would have posted it on the forums. So who are you saying made the ridiculous statement that "Boonex hacked my computer" - because I have been following this closely and I don't know anyone who said anything like that. If you are saying it is me, then you are not telling the truth.
DosDawg
i don't want to attack you caltrade. cal, did you read this post at all? it doesn't say you have to be infected in order for your site to be compromised. it lays out the many avenues that are utilized in order to obtain your password, the most forebearing is an unsecured ftp login.

has absolutely n-o-t-h-i-n-g to do with s-h-a-r-i-n-g anything. i think there were even a few who mentioned they have never shared their password with anybody. i'm gonna go read your post again, will not comment on it at this point, because i want to read what you said that prompted me to create this blog. it was some tiff you were having with HL. not attacking you, just trying to set clarity to what is happening and what can happen with this iframe hack, nothing personal, it's a community issue, and it's being dealt with across the community. apologies if you felt it was directed at or near your vicinity.


Regards,
DosDawg
DosDawg
well, i went and read it then came back to the blogs and lightwolf had posted something, so i went back to do some research on that, of course copied and pasted over what i was going to set as a quote from your forum post.

listen cal, as written, this was an assertion that boonex staff had some part in having your site compromised. you continued to brow beat that this is directly related to the "sharing of a password" and that is not the case, yes it could be a factor, but not the root of what is going on here, but you could see it no other way.

i see you have since that time regathered your composure, and have even admitted that this is an or could be an automated system doing this, packet sniffing, grabbing packets as they transport across port 21 on a server.

cal, i can say this with all honesty, i have had sites hacked, but i wouldn't really even call this a hack, it's more of an annoyance than a hack. but we move on, learn from the mistakes, and figure out ways to secure ourselves and our property. i hate this happened to you, glad you could get it corrected. i think it was the choice of words and the associated perception where you state that you shared your password with boonex staff, and through that it would be misleading to the unknowing that the boonex staff who you shared your password with had something to do with your site's misfortune. then i read on, and your assertion grows taller and louder, when you express that you have received messages from several other members who shared their password with boonex staff and they too suffered the same plight.

i was not attacking you caltrade, it was the insinuation that was portrayed to me when i read your post. you may very well not have meant that at all while you were posting it, but that was the way it came across, and i read it and re-read it to make sure what i was reading was what was there. if i have misinterpreted, by all means my apologies.

at any rate, glad you got squared away, glad all is well now.

Regards,
DosDawg
jordan
Very useful information thanks!
pcnetguru
Hi Dosdawg. I like your posts...you seem pretty knowledgeable.

I am a Microsoft guy who knows a little linux. I setup Dolphin on opensuse. I followed the directions on the installation manual down to the T. It works. But my question is, what steps would you suggest I should take in order to secure the server itself?

Other than strong passwords of course, are there permissions I should modify for the dolphin directory so that a hacker cannot gain access and edit webpages (add code)?

I am NOT running FTP. I access my linux server directly to edit everything.

When I do a ls -l on the dolphin directory, I see only ROOT having access. Is this ok?
Scooterguy
In Oct 2008 I hired John Miller of Terabyte Hosting and Dosdawg to build a website called Scootermates.com for me with Boonex software. This website was to be a FOR PROFIT website with banner advertising and Adword type advertising down the sides of the pages in the website. The website also was supposed to include a listing directory with links from motor scooter clubs from around the world. I also paid him $699.00 in advance to host this website for a year and I paid him for software that covered other required functions. John Miller told me that he could put this website together in 3-4 weeks. After waiting approx. 6 months I was very upset and I posted in the forums about how John Miller took my hard earned money and never completed my website as promised.
John then wrote me an E-mail admitting that he treated me badly (I Have It Available To Post) and he told me that if I retracted my truth exposing forum post about him he would quickly finish building my website once and for all! I took John Miller for his word again (BIG MISTAKE) and I asked Andrew and Victor to pull the post exposing John Miller's dishonest and bad business practices he did to me. Well folks it's been another 6 months and John Miller again broke his word to me by still not finishing my website! ALSO he charged me this time over $700.00 for another year's worth of hosting for a website that he never completed! He also lost a flash header with images that he himself had installed on my website. This header cost me all together around $500.00. How could my flash header be lost if he was backing up my website on his Terabyte Hosting server as promised in my hosting agreement with him. That is unless he never backed up his server!
When I demanded that he refund the over $700.00 I also demanded to be refunded all of the money I had already paid to him for the still not completed website after over a year of waiting. John Miller first refused to refund the latest amount of over $700.00. He also pulled my still unfinished website totally off of his server and off of the internet. After I threatened legal action, today he refunded the latest charged amount of money for hosting a website that no longer exists. However he still refuses to refund me for the last year's hosting for the website he never finished and for the software I paid for that has also gone to waste since he pulled my website off of his server and the internet.
I am not finished with John Miller and since he still has well over $1000.00 of my money that he refuses to refund to me I will do whatever it takes to get my hard earned money! If you are now doing business with John I hope that he treats you better than he has treated me. However I would beware before paying him any money for building a Boonex Website and pay attention to make sure that he backs up your Boonex site on his server!
Barry Cohen
DosDawg
In Oct 2008 I hired John MIller of Terabyte Hosting and Dosdawg to build a website called Scootermates.com for me with Boonex software. This website was to be a FOR PROFIT website

just wondering how if the site is for profit, i would have anything to do with that, i can put up the website, cannot make the website make you money.


with banner advertising and Adword type advertising down the sides of the pages in the website.

this was explained to you in detail regarding the adverts and banner expletives. you as the site admin would need to obtain that type of information. i showed you that the banners section in the admin panel would work for a portion of what you were seeking, and also showed you in admin how to create custom blocks to be able to place other adverts into. that was not my scope of work to provide banners to display on your site.


The website also was supposed to include a listing directory with links from motor scooter clubs from around the world.

this was just part of a wish list, never was charged for this feature, and the work was neither promised nor suggested that it could or would be done. it was discussed and the agreement was that i would look into the solution. it didnt exist, no way for me to provide it.

I also paid him $699.00 in advance to host this website for a year

this is about the only true and factual part of this entire post. barry did pay for a years hosting. the site was hosted, it was never down, and there was never a complaint about the hosting services.


and I paid him for software that covered other required functions.

any and all intangibles that were purchased on behalf of barry were purchased, installed and a training session provided. as you can see there was no charge for consultation, and if barry needed daily hand holding, which is exactly what he was after, then obviously the price would have to be more.

John Miller told me that he could put this website together in 3-4 weeks.

time frame was based on initial scope of work, not a scope of work that changed daily. also the fact that barry would call me daily and use up 1-2 hours of my time on the phone talking about his hopes and dreams of what the site was going to do for him and his moped riders united association, which was never charged for. when i say his scope of work changed, trust me it changed two to three times a week. kinda hard to provide something in three weeks that took 9 weeks to type up a scope on?

After waiting aprox 6 months I was very upset and I posted in the forums about how John Miller took my hard earned money and never completed my website as promised.

you posted a lie, you stated that you had been charged for work that was not completed. even with this post you make a misleading statement, that you paid for something that was not delivered. the website was completed from a programmatical standpoint, as mentioned above it was not my intention to administer the site and place your banners and adverts on the site, this was your responsibility not mine.

John then wrote me an E-mail admitting that he treated me badly

yes barry please post where i stated i treated you "badly" i said you could have used a little more attention. i never said i treated you badly. LIE.

(I Have It Available To Post) and he told me that if I retracted my truth exposing forum post about him he would quickly finish building my website once and for all.

you wanted me to show you all of the rayz widgets that were installed and how to use them, it wasnt that they werent there, it was the fact you were unknowing of the application and didnt know how to navigate the app. had nothing to do with the work not being done. LIE

ALSO he charged me this time over $700.00 for another years worth of hosting for a website that he never completed!

barry i didn't charge you anything. you stated you weren't going to pay for hosting, the hosting account was terminated amicably, and your account was set to inactive on the billing application. it was your responsibility to follow up with your paypal settings, and remove any recurring payments that you were no longer interested in engaging in. paypal sent the subscription payment barry, i didn't charge you anything. again, software that was overwhelming for comprehension.



He also lost a flash header with images that he himself had installed on my website. This header cost me all together around $500.00. How could my flash header be lost if he was backing up my website on his Terabyte Hosting server as promised in my hosting agreement with him. That is unless he never backed up his server!

this one was funny, i lost a flash header, it fell off the site and landed on my secondary hard drive and the wind came by and blew it away. i lost a flash header. amazing. the header was there when you told me it was missing, so obviously this was something to do with your home computer, and not being able to view flash. had nothing to do with me losing anything or not backing up anything. i can assure you all sites are backed up, those who opt for that feature, and many sites have been restored from those backups, when it was necessary to do so. so again barry LIE.

When I demanded that he refund the over $700.00 I also demanded to be refunded all of the money I had already paid to him for the still not completed website after over a year of waiting.


the payment was processed on halloween. of course i had other family engagements and really didnt have the time to deal with barry and his pipe dreams. it was also a fact that barry wrote to boonex and in his writing said i had ripped him off for the $700.00, when in fact it was a saturday afternoon, prior family engagements, and just wasnt available to kinder-sit with barry. LIE


John Miller first refused to refund the latest amount of over $700.00.

never once refused to refund the money barry, you said you would see me in court and i suggested that we just keep the seven hundred to help pay for legal fees, because you would be getting sued for defamation and slander. and i thought it was funny to hear your whimpering voice when i made that suggestion. so again barry LIE


He also pulled my still unfinished website totally off of his server and off of the internet.

barry, get this concept, call the power company there where you live and inform them that you are no longer going to pay your light bill, and see how long the meter stays attached to your house.

After I threatened legal action, today he refunded the latest charged amount of money for hosting a website that no longer exists. However he still refuses to refund me for the last years hosting for the website he never finished and for the software I paid for that has also gone to waste since he pulled my website off of his server and the internet.
I am not finished with John Miller and since he still has well over a $1000.00 of my money that he refuses to refund to me I will do what ever it takes to get my hard earned money!

you are correct, i refuse to refund money that was paid for services rendered.
1. was the site online for a year - yes
2. were the mods purchased and installed - yes
3. were you hand-held to learn to use the script - yes
4. do i have any further obligations to you - NO

so as you see barry, you have a convoluted story and it is not appreciated that you state half truths or out and out lies.

Regards,
DosDawg
 
 