#!/bin/bash
ifile=/etc/network/interfaces
echo -n “Insert IPstart:”
read ipstart
echo -n “Insert IPend:”
read ipend
echo -n “Insert Gateway:”
read gw
#echo -n “Insert Subnet: ”
#read subnet
echo -n “Insert Netmask: ”
read net
echo -n “Insert aliast to start: ”
read ali

firstIp=`echo “${ipstart%.*}”`
lastIpStart=`echo “${ipstart##*.}”`
lastIpEnd=`echo “${ipend##*.}”`
dif=`echo $(($lastIpEnd-$lastIpStart))`

ip=$lastIpStart
for ((i=$ali;i<=$ali+$dif;i++)){
echo "auto eth0:$i" >>$ifile
echo “iface eth0:$i inet static” >>$ifile
echo “address $firstIp.$ip” >>$ifile
echo “network $subnet” >>$ifile
echo “netmask $net” >>$ifile
echo “gateway $gw” >> $ifile
echo ” ” >> $ifile
let ip++
}

touch ifcfg-eth1:{307..366}
for f in ifcfg-eth1:{307..366}; do cat origfile > “$f”; done
for f in eth1:{307..366}; do echo “DEVICE=$f” >> “ifcfg-$f”; done
for f in {307..366}; do echo “IPADDR=aaa.bbb.ccc.$((f-239))” >> “ifcfg-eth1:$f”; done

origfile contains:

GATEWAY=eee.fff.ggg.hhh
TYPE=Ethernet
BOOTPROTO=none
NETMASK=255.255.255.192

eval $(tset -s xterm; resize; alias ll=”ls -Al”)

ps -e -ww -o user,pid,ppid,pcpu,pmem,size:7=Swap,lstart,args=Command –sort=-rss

In my researches I found out that this isn’t the hosting Linux/Windows server fault. This issue is provoked by a Windows Virus that sniffs the internet connection for user names and passwords of ftp accounts. Then it silently download every (or only index/default) files from the remote ftp to the infected Windows PC and then adds the iframe or javascript code and in the end it uploads back the files. So..first of all when removing this virus from the remote servers check your computers. The virus is known as : Trojan.Script.Iframe.

After scanning your system carefully, consider to stop using FTP. Download WinSCP and stop storing your passwords locally. Then change your passwords.

To get the list of infected files I use either grep or find under any Shell prompt (you will need ssh access to the server):

grep -Z -R "income" *
101/index.html

or with find:

find $PWD \( -name “*.php” -o -name “*.html” -o -iname “*.htm” \) -exec grep -l “income” {} \;

Also you can check the timestamp of the files and if you see changes of index.html or any other file and you did not do that on purpose then it means you are infected. I`m using the -mtime paramter of find to check for infected files:

find . -mtime -2

Will search all files that were modified in the last 48 hours

Malware Removal
You can remove the malware by just deleting the code (sample above) on the affected files. If you need to cleanup hundred of infected files you can do the following:

perl -pi -e 's/(\)</pre>
<p>Conclusion:</p>
<p>How the hack is done?<br />
   1. Client side PC gets infected with the virus from the search results.<br />
   2. Virus gets FTP username/password from the FTP clients.<br />
   3. Using the username/password, the virus then downloads the index files, adds the iframe code in it and re-uploads it to the web server.<br />
   4. The iframe code points to the same virus. So, anyone accessing this website gets infected with the same virus, and it spreads again!!!!</p>
<p># Solutions</p>
<p>   1. Ensure that your code is free from such kind of vulnerabilities.<br />
   2. Change all the FTP passwords regularly and keep them safe and use a combination of alphabets + numbers + special characters.<br />
   3. Before updating the new password in their FTP clients, perform a full system Virus scan with a reliable virus scanner updated with the latest virus definition files.<br />
   4. Also try not to save (remember) the FTP username/password on FTP clients or public computers.<br />
   5. Check the website files for any unrecognizable or encrypted codes that are not known to you or is not a part of the website’s function. If found then please follow the above mentioned steps and update the web pages with the proper codes.</p>
<p>Update : In august 2009 I`ve found that even .htaccess files can contain some redirection to malware sites. The bad part is that if you are using FTP not every time you see the .htaccess file because its hidden. </p>
<p>Also..to check if your site contains the iframe virus you can use the Tamper Data plugin with Firefox and while you are browsing your site you can notice "strange" links redirections in Tamper data.</p>

Example of squid.conf

http_port 10000
hierarchy_stoplist cgi-bin ?

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/passwd
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

acl ncsa_users proxy_auth REQUIRED
http_access deny !Safe_ports
http_access allow ncsa_users
visible_hostname mysite.com
coredump_dir /var/spool/squid

service squid start

Setting proxy for wget:

export http_proxy=http://anton:testinsg@mysite:10000

If you want to make it anonymous add these lines:

forwarded_for off

header_access Allow allow all
header_access Authorization allow all
header_access WWW-Authenticate allow all
header_access Proxy-Authorization allow all
header_access Proxy-Authenticate allow all
header_access Cache-Control allow all
header_access Content-Encoding allow all
header_access Content-Length allow all
header_access Content-Type allow all
header_access Date allow all
header_access Expires allow all
header_access Host allow all
header_access If-Modified-Since allow all
header_access Last-Modified allow all
header_access Location allow all
header_access Pragma allow all
header_access Accept allow all
header_access Accept-Charset allow all
header_access Accept-Encoding allow all
header_access Accept-Language allow all
header_access Content-Language allow all
header_access Mime-Version allow all
header_access Retry-After allow all
header_access Title allow all
header_access Connection allow all
header_access Proxy-Connection allow all
header_access Cookie allow all
header_access Set-Cookie allow all
header_access All deny all

acl ip4 myaclname yourip
tcp_outgoing_address yourip myaclname

Generate acl and tcp_outgoing_address:

for f in {314..372}; do echo “acl ip$((f))” myip aaa.bbb.ccc.$((f-246)) >> “blah1″; done
for f in {314..372}; do echo “tcp_outgoing_address aaa.bbb.ccc.$((f-246))” ip$((f)) >> “blah1″; done