For the past 2 weeks we have been dealing with an iframe hack on one of our shared servers. It is a nightmare. I’ve been on the phone with Symantec for a few hours, worked all night, etc. Basically what has been happening is someone has found a way to add the everyone group with full access to our partition with all of the customer’s web site files. This isn’t too hard to do but you have to get access to the server to do so. This is what we can’t figure out, how they get access. Once they’re in the server they simply run:
cacls.exe c:\ /c /e /t /g everyone:F
This adds the everyone group with full access to everything on that drive. After they get access they insert some scripts for hidden iframes that redircet to sites that deliver a trojan. The imapct is a few hundred web sites on the server all of a sudden redirect to malicious sites and spread virus, trojan, worm, malware, etc.
Symantec found some files and not other. Even when a known trojan was running in memory it did not catch it.
We still aren’t sure if the issue has been resovled. I thought I got everything yesterday but it was hacked again over night. Currently what I have been doing to check is:
Look for C:\user.exe (trojan)
Check system32 for modified files. Google recent ones.
Run cacls to remove everyone from customer’s web files.
Scan all accounts for script insert in the files below using an app called Actual Search and Replace.
Search services for anything weird.
Check task manager and process explorer.
Here are some files I found in system32 which seemed weird.
I was also finding random registry keys with session info. As in what was running while I was logged in. One even had my password in it. Which I changed, a few times.
And the file user.exe kept pooping up on the C: drive and was running.
We’re still working on the issue but at this time the server is clean and running. Hopefully we fixed whatever was causing it.
Here is a good article on iframe hacks as well. http://forums.digitalpoint.com/showthread.php?t=901622