Security Basics mailing list archives

Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack!


From: BugBear <gryzli.the.bugbear () gmail com>
Date: Thu, 8 Sep 2011 21:48:22 +0300

Hello, 

For sure your web site has been compromised. Based
on my experience, here is some advice for finding the malicious
redirection:

1. You can try to filter out the files that were modified since you
encountered the problem. For example, find all files modified after
September 6, or maybe the day before ...

- After you find those files, you can search them for the URL you've
  mentioned ( carlos.c0m.li ). If you are lucky, the URL would be
  there in clear text.
  - Of course, you can issue the text search to all of your web
    files.

- If you don't find the URL in clear text, you can try to search for
  "eval / gzinflate / base64_decode" PHP functions, which are not part
  of your code. There are a lot of cases out there where the attacker
  masks the redirection (the iframe) within eval/base64_decode functions
  (because this way it's harder to find).

2. As dishix () googlemail com said, there is a possibility that the code
is injected via SQL Injection. Again, you can check this if you issue
a search (carlos.c0m.li or just "carlos") on the database files or
through an SQL search query for all the tables & records.


And I think that your main goal must be finding the source of the
problem (not only the infected files/database) - how did they hack
you? Here are some proposals:
- hacked / brute-forced / spyware-compromised FTP account
- web exploit in your system (RFI, LFI, ...) - check your access logs
- SQL Injection - this is the most harmless case (in my opinion)

Good luck.

Best Regards

On Thu, 8 Sep 2011 00:01:19 +0430
Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> wrote:

Hi.
Today I found that Kaspersky Anti-Virus has blocked my site and says to
the clients that this site is affected by a Trojan.
On the other hand, I usually surf the Internet using Firefox. But today
I used IE to open my own site, and IE tells me the following warning:
This page contains content that will not be delivered using a secure
HTTPS connection...
I traced my site with the Fiddler debugging tool and I found that each
time I send a request to the site a GET request handler is established
to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"
I've searched about "carlos.c0m.li" on the internet and I saw in
"Google Safe Browsing" something about that host at the following URL:
http://google.com/safebrowsing/diagnostic?site=carlos.c0m.li/
Google says that that host has malware. Please look at that report
and suggest a way to remove this bad thing from my site.
I've searched most of my public html directory, but I haven't found
any file that makes the following HTTP header. I have no idea. How can I
find that?


----- this is the header that Fiddler detects for every file that I open
in my site:

GET /iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: carlos.c0m.li


HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 18:42:02 GMT
Server: Apache/2
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 233
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

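The file-triage steps BugBear lists above (modified-since filter, clear-text search for the indicator, search for eval/gzinflate/base64_decode in PHP files) as shell functions. This is an added example, not code from either poster; it assumes a site living in one directory, POSIX find/grep/touch, and builds a small constructed sample web root so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: the triage steps from the
# reply as shell functions. Assumed: site in one directory, POSIX
# find/grep/touch, and a constructed sample web root built below.

# Constructed sample root: a clean page, a clear-text iframe injection, an
# eval(base64_decode()) injection (the string decodes to a harmless echo),
# and an old legitimate file that must not appear in the modified-since list.
make_sample_root() {
  root=$(mktemp -d)
  printf '<html><body>clean page</body></html>\n' > "$root/index.html"
  printf '<?php echo "<iframe src=\\"http://carlos.c0m.li/iframe.php?id=x\\"></iframe>"; ?>\n' > "$root/footer.php"
  printf '<?php eval(base64_decode("ZWNobyAnaGknOw==")); ?>\n' > "$root/config.php"
  printf '<?php function helper() { return 1; } ?>\n' > "$root/lib.php"
  touch -t 201108010000 "$root/lib.php"   # last changed a month before the incident
  echo "$root"
}

# Step 1: files whose mtime is newer than a date given as YYYYMMDDhhmm.
# An attacker can reset mtime, so an empty list does not prove a clean site.
recently_modified() {
  ref=$(mktemp)
  touch -t "$2" "$ref"
  find "$1" -type f -newer "$ref"
  rm -f "$ref"
}

# Step 1a: files containing an indicator as a fixed string (no regex surprises).
files_containing() {
  find "$1" -type f -exec grep -lF "$2" {} +
}

# Step 1b: PHP files calling the functions typically used to hide injected code.
# Legitimate code may use them too, so every hit still needs a human look.
obfuscated_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -lE 'eval[[:space:]]*\(|gzinflate[[:space:]]*\(|base64_decode[[:space:]]*\(' {} +
}

# Stand-alone run against the constructed sample root.
root=$(make_sample_root)
echo "== modified after 2011-09-06 =="; recently_modified "$root" 201109060000
echo "== mention carlos.c0m.li =="; files_containing "$root" carlos.c0m.li
echo "== eval/gzinflate/base64_decode =="; obfuscated_php "$root"
rm -rf "$root"
```

On a real site, point the functions at the web root and use the date you first noticed the problem; review each hit by hand rather than deleting on sight.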

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------