Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

This 37 message thread spans 2 pages (page 1 of 2)
Anyone seeing a huge increase in unflagged malware links?
ianevans

10+ Year Member



 
Msg#: 4052477 posted 5:44 am on Jan 1, 2010 (gmt 0)

I have a Google alert set up to send me mentions of my news site.

In the last couple of weeks, I've been getting a ton of alerts for sites that mention and scrape some of our news and then have these convoluted urls after a three letter php file (like bxh.pkp, ikk.php) that, if clicked, redirects the visitor to one of those fake virus scan, drive-by download sites.

Visiting one of the sites, I saw it was an American Legion site that obviously wouldn't be covering news in our genre. Digging deeper on another message board I was informed that these backdoors have been uploaded unwittingly to a lot of sites.

When I did a search on the relevant search term, I found a lot of references to our site's content being used as a lure to these malware links. Neither AVG's linkscanner nor Google's malware detection passed on any warnings.

Has anyone else seen this behaviour lately?

 

tedster

WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4052477 posted 6:17 am on Jan 1, 2010 (gmt 0)

There is at least one new version of a fake antivirus program that is being distributed through parasite hosting in the last half of December 2009. It is, unfortunately, a very devious bug - the code contains all kinds of defenses against both detection and removal.

This knowledge was forced on me when I tried to check out a domain that a major client had abandoned, one that was originally developed by a relatively shady SEO. Apparently, just by visiting, I got a near to zero-day new version of the trojan, and my AV did not yet have any profile to identify and block it. Neither had Google labeled the domain as a malware risk.

I was speaking with an IT Director of a major corporation over the holidays, and he began describing the exact symptoms I was experiencing - saying it was a near epidemic in his company over the past week. The symptoms are that any common AV program is disabled first - then Safe Mode disabled, Task Manager is disabled, and if you try to use even the most potent of trojan removal programs, the virus goes directly after Windows, corrupting the registry and the Windows reset points.

This trojan imitates an antivirus program. It throws up bogus warnings and websites, and then tells you that you can remove the virus by paying a certain amount for the "Pro" version of their antivirus program. And of course, if you give away your credit card, then it's a keylogger installation and a botnet membership for your machine - in addition to who knows what for your identity and that credit card.

This malware is so devious that I wouldn't be at all surprised if it has programming to avoid being seen by Google's safe browsing diagnostics.

By the way, we had the client simply take their domain offline, even though Google reported healthy content and backlinks. Whatever was going on was not worth trying to investigate to see what ranking value might be preserved.

jdMorgan

WebmasterWorld Senior Member jdmorgan us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4052477 posted 7:12 am on Jan 1, 2010 (gmt 0)

And a good New Year's resolution comes to mind: I will make more-regular backups, so a format and re-install won't be such a pain... :)

I've found myself getting into the habit of typing new and unfamiliar domain names into Google in quotes to see what the description says, or if they're getting any complaints visible in the SERPs. However, since Google got so darn helpful a few months ago, don't do this until you're sure you will *never* forget the quotes. Without the quotes, Google will "helpfully" take you straight to the domain unless they have already flagged it as malware-bearing...

A happy and malware-free New Year to all!

Jim

ianevans

10+ Year Member



 
Msg#: 4052477 posted 8:05 am on Jan 1, 2010 (gmt 0)

Egads...the point that bugs me is that my site name and some of the content appear in the descriptions for about 1100+ of these malware links when you search on the keywords of a big upcoming event we cover.

HuskyPup



 
Msg#: 4052477 posted 1:33 pm on Jan 1, 2010 (gmt 0)

There is at least one new version of a fake antivirus program

Yep, I spent a week trying to resolve this problem on a friend's laptop, what a PITA!

I do have it working at about 85% but have told them it's a re-install if they're not really happy with it.

frontpage

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 2:26 pm on Jan 5, 2010 (gmt 0)

An excellent example of why not to use IE or FF with javascript enabled by default. For FF users just use NoScript and only enable trusted sites. Plus you can download another Windows HOSTS file program (HostsMan) to null route known malware sites.

Erku

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 2:44 pm on Jan 5, 2010 (gmt 0)

So what did you do for your news site? We are having the same problems. How do you combat the problem telling Google that you have nothing to do with this and it's out of your control?

ianevans

10+ Year Member



 
Msg#: 4052477 posted 4:10 pm on Jan 5, 2010 (gmt 0)

I haven't been able to do anything yet. I'm assuming that this php backdoor is affecting a lot of sites who top Google for different keywords, since the url we're seeing that mentions us in the description is along the lines of example.com/xyz.php?v="news event we cover", so another webmaster on here is probably having problems with example.com/xyz.php?v="widget we sell".

Seb7

5+ Year Member



 
Msg#: 4052477 posted 4:58 pm on Jan 5, 2010 (gmt 0)

I've managed to fix 3 variations of this in the last two weeks, really freaks the users out! The viruses were all installed in the apps directory and appeared to have completely trashed the system, but it hadn't; it creates a number of hooks into the system so as to throw up the fake 'virus warning' messages whenever you do anything.

Doesn't disable all types of anti-virus, and safe mode did still work on one machine (F8 while booting). The trick is to get your normal anti-virus running again, updated, and running a complete scan. AVG did the job each time.

Once the virus is removed, the system will almost go completely back to normal, except for some settings still left in the browser. So I recommend using the reset all button in the browser settings, which should remove any unnecessary proxy settings and return the browser security level back to a normal level.

shyspinner

5+ Year Member



 
Msg#: 4052477 posted 6:01 pm on Jan 5, 2010 (gmt 0)

This entire debacle happened to me over Christmas.

I had to change my Cpanel/ftp passwords, find offending javascript on my home page that was inserted and also delete a couple folders that were uploaded via ftp to my root folder. These files were calling .php files and malware was on my site.

Did all that, but after I had to wipe and re-format the machine and start from scratch. I thankfully keep excellent backups of everything on an external drive.

Noticed the malware had used files from an old wordpress install that was left on server, so there is another place to investigate. Lock down your Cpanel, change passwords and look for iframe javascript injected into your html, etc. Luckily I only found one instance on my home page.

I'm hoping you won't have any long standing problems getting your computer clean. Mine needed a clean anyway, but I would have rather done it at a time of my own choosing instead of during a holiday; but I could not rid the files from my computer, so I'm happy to have a clean install and updated all firewalls/anti-virus/spyware.
ETA: Machine became UN-BOOTABLE in any mode.

As of yet, I do not know the impact with my site and google, I am optimistic that it was caught quickly enough.

ianevans

10+ Year Member



 
Msg#: 4052477 posted 7:44 pm on Jan 5, 2010 (gmt 0)

The thing that's bugging me though is not malware on my server, but the fact that the malware on these 1100+ sites have the name of my site and some of our content in their Google description. It also pains me that some of them rank higher for this upcoming news event...and they're not even in the same field, just victims.

moTi

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 8:01 am on Jan 6, 2010 (gmt 0)

now that we talk about it, here's my story: end of december i caught one of these mentioned ultra-aggressive backdoor trojans that infected my computer. first time in ten years internet experience. symptoms: the mentioned fake system alerts that trap you into buying their anti-malware malware.
and yes, let's talk openly, i got this trojan by surfing the most popular #*$! site, without warning simply by visiting an infected web page. given that, i wondered how many thousands of people must also be affected by this at the same time.
among other things, it crippled windows defender, disabled antivir and changed registry entries. even though, after a few hours with a few little helpers i finally managed to fully recover my system without a clean install.

my questions to you guys without being studied that much in this topic: how can it technically be in 2009, that a properly standard-protected system is infected simply by visiting a web page without manually downloading anything? why is it impossible to eliminate these occurrences with some simple os/browser patch or tweak of some kind? would this render usual internet browsing impossible? if yes, there must be some serious flaw in software engineering, right? how can this be? why is the only protection in form of obviously incomplete, in other words useless malware warning pages from google of all things to handle the issue? i mean, really.. as long as we have to worry about this kind of crap - this is frightening, isn't it?

rise2it

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 11:10 am on Jan 6, 2010 (gmt 0)

I had a buddy that called me about this on his computer right after Christmas.

I 'clean' computers for a few friends, and always smirk a bit because they are so careless.

As luck would have it, less than an hour later, I clicked a link and went directly from Google to hitting a webpage that caused an instant infestation - from a (probably hacked) site that should have been harmless. (Surfing in Firefox, not IE)

I keep things on my machine locked down pretty tight, and still got nailed.

I know how to get rid of this stuff when it happens, but I feel for the 98% of people who don't.

Things like this do NOT breed confidence in the online experience for the average person, especially when Joe Average already has concerns about identity theft and online shopping - and THAT should concern all of us in this forum.

gouri

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 4:08 pm on Jan 6, 2010 (gmt 0)

I checked my server logs and I saw the following:

www.widget.tld/MSOffice/cltreq.asp
www.widget.tld/_vti_bin/owssvr.dll

I really don't know what to make of this but I don't think it is very good.

Also, I think I had some visits from Performance Systems International.

Can someone please tell me what this could be?

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 4:13 pm on Jan 6, 2010 (gmt 0)

Do a whois of the IP address PSI came from and then block the IP address or IP address range. They do you no good. Don't worry about the other two entries all that much. If you don't have those items installed on your server those requests won't do you any harm.

gouri

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 4:31 pm on Jan 6, 2010 (gmt 0)

Thanks for the response and telling me what to do.

If I don't have access to the .htaccess file do you know if I would be able to block the IP address or IP address range?

Don't worry about the other two entries all that much. If you don't have those items installed on your server those requests won't do you any harm.

I don't think I have those items installed on my server. Were those urls created by the ISP in hopes that they might actually exist? If I google those urls and they don't show up in Google's index does that mean that they don't exist? I guess what I am asking is, is there a way to check if those items are installed on your server?

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 4:35 pm on Jan 6, 2010 (gmt 0)

I've read that at least one of the requests is some sort of IE plug-in looking for a file that allows others also using the plug-in to comment on said page. I see plenty of these types of entries in my logs all the time.

Look in your website folders and see if the directory and files exist. If they don't exist they are not installed.

gouri

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 4:51 pm on Jan 6, 2010 (gmt 0)

I've read that at least one of the requests is some sort of IE plug-in looking for a file that allows others also using the plug-in to comment on said page. I see plenty of these types of entries in my logs all the time.

Can you please tell me where the comments would go? I don't have a blog.

Look in your website folders and see if the directory and files exist. If they don't exist they are not installed.

I looked and I only see the pages of the website. Each page is a file. This is with a template. I don't see anything else. So I don't think the directory and files that I mentioned above exist? The way the site is, it is www.widget.tld/filename.html

I think this means there are files but no directory.

Do you think this is ok in terms of that directory and files not existing?

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 5:12 pm on Jan 6, 2010 (gmt 0)

It doesn't sound like you have the "feature" installed, so there is no way people using said plug-in could leave a comment using it, AFAIK. I wouldn't worry about it, because it doesn't impact your site. If the directory doesn't exist then the files that would be in that directory also don't exist. My bet is that if you look at your logs for those entries you will see that the response code is 404, which means the files were not found.

gouri

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 5:26 pm on Jan 6, 2010 (gmt 0)

I looked at the response code for the entries that I mentioned and it said that the requests could not be completed and it is most likely because of a 404.

Just as you said.

Thanks.

ergophobe

WebmasterWorld Administrator ergophobe us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4052477 posted 5:40 pm on Jan 6, 2010 (gmt 0)

gouri, don't worry about it. It's just related to the client people are using

[webmasterworld.com...]

They are requesting a file that things like the MS Discuss toolbar looks for. You don't have it, so no worries. You can't stop people from making a request to your server.

If you don't like seeing the entry in your logs for the 404, you could create empty files with those names, but that's more bandwidth than just sending a 404.
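A defender-side way to do the log check KenB and ergophobe describe, and at the same time watch for the three-letter `.php?v=` URL shape ianevans reported, as an added example that is not from the thread. The log lines are constructed, and the regexes for the probe paths and the suspect URL shape are this example's own assumptions.

```python
"""Audit a web server access log for (a) the two Office/Discuss toolbar probe
paths and (b) three-letter .php?v= URLs, reporting which ones the server
actually answered. A 404 on a probe path is harmless noise; a 200 on either
kind of request is the thing worth looking into."""
import re
from collections import Counter

# Paths the MS Office / Discuss client toolbar requests on every page it sees.
PROBE_PATHS = {"/MSOffice/cltreq.asp", "/_vti_bin/owssvr.dll"}

# Assumed shape of the URLs described in the thread: a three-letter PHP file,
# in any directory, taking a v= query parameter. On your own server such a
# script should not exist, so a served (2xx/3xx) hit is worth investigating.
SUSPECT_PHP = re.compile(r"^/(?:[^/]+/)*[a-z]{3}\.php\?(?:.*&)?v=", re.IGNORECASE)

# Apache/nginx "combined" log format (referer and user agent are not needed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>-|\d+)'
)

# Constructed sample lines (not real traffic). Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Jan/2010:15:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [06/Jan/2010:15:02:12 +0000] "GET /_vti_bin/owssvr.dll HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
203.0.113.5 - - [06/Jan/2010:15:02:12 +0000] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 312 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
198.51.100.77 - - [06/Jan/2010:16:40:03 +0000] "GET /MSOffice/cltreq.asp HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 7.0)"
192.0.2.9 - - [06/Jan/2010:17:01:44 +0000] "GET /images/bxh.php?v=news+event HTTP/1.1" 200 2211 "-" "Googlebot/2.1"
192.0.2.9 - - [06/Jan/2010:17:01:45 +0000] "GET /abc.php?v=widget HTTP/1.1" 404 312 "-" "Googlebot/2.1"
this line is not in combined log format
"""


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Path without the query string, for exact matching against PROBE_PATHS.
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def audit(log_text):
    """Classify every hit in log_text. Returns a dict with:
       probes_404      Counter of probe paths that correctly returned 404 (noise)
       probes_served   list of (ip, path, status) where a probe path was answered
       suspect_served  list of (ip, target, status) for served three-letter .php?v= URLs
       unparsed        number of lines the regex did not recognise
    """
    summary = {"probes_404": Counter(), "probes_served": [],
               "suspect_served": [], "unparsed": 0}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["path"] in PROBE_PATHS:
            if rec["status"] == 404:
                summary["probes_404"][rec["path"]] += 1
            else:
                summary["probes_served"].append((rec["ip"], rec["path"], rec["status"]))
        # Only a served request proves the script is really on the server.
        if SUSPECT_PHP.match(rec["target"]) and 200 <= rec["status"] < 400:
            summary["suspect_served"].append((rec["ip"], rec["target"], rec["status"]))
    return summary


if __name__ == "__main__":
    s = audit(SAMPLE_LOG)
    for path, n in sorted(s["probes_404"].items()):
        print(f"ok      {n} x {path} -> 404 (feature not installed, ignore)")
    for ip, path, status in s["probes_served"]:
        print(f"CHECK   {ip} got {status} for {path}: something answers that path")
    for ip, target, status in s["suspect_served"]:
        print(f"ALERT   {ip} got {status} for {target}: unexpected PHP script served")
    print(f"{s['unparsed']} line(s) not parsed")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the two Counter entries are the expected noise, and anything in the other two lists deserves a look at the files on disk.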

gouri

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 6:31 pm on Jan 6, 2010 (gmt 0)

Thanks for the link to the thread. It is very relevant to what I was asking about.

Also, thank you for the explanation and suggestions.

pageoneresults

WebmasterWorld Senior Member pageoneresults us a WebmasterWorld Top Contributor of All Time 10+ Year Member



 
Msg#: 4052477 posted 6:47 pm on Jan 6, 2010 (gmt 0)

This malware is so devious that I wouldn't be at all surprised if it has programming to avoid being seen by Google's safe browsing diagnostics.

Yours truly was hit with the motherlode yesterday (2009-01-05) after performing a search in Google and landing on a site that sent Firefox into a slight coma for about 10 seconds. When it recovered, the nastiness began. Everything that tedster outlined happened to me. I've spent the better part of the last 14 hours scanning, removing, chasing, uninstalling, etc. I've almost got it off the system, there is one last piece somewhere and it looks like my scan just finished. Darn, 4 more objects found. This thing dropped trojans all over the place. It disabled ALL of my detection software and went to town. I had to delete the iexplore.exe which allowed me to get into the system and start doing cleanup. If that iexplore.exe is on your system, get rid of it first or it will continue to phone home every 30-60 seconds.

Oh, this thing is nasty. And, it's my first time being hit with Malware. I've worked hard to prevent this type of thing from happening. It has totally wiped out all the detection software I had in place, had to uninstall all of it.

Still cleaning up... :(

moTi

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4052477 posted 8:46 pm on Jan 6, 2010 (gmt 0)

in all seriousness, is it an epidemic? i mean, it's like with an embarrassing sexually transmitted disease - no one likes to talk about it, because everyone thinks the others would laugh at him and blame him for his incautiousness..

did all parties pretend there isn't an issue or did i perhaps miss a greater discussion about the lack of malware protection?

so we can stand by the fact, that there are instances, when an average user with at least standard system settings and virus- and malware protection turned on is defenseless against this kind of trojans - that is, when he simply visits an infected web page. it clearly looks like it could really happen to anyone right now. bad enough.

what's more, it seems to me that the subject effective malware combat is shifted in circles between os-producers, anti-malware-producers, browser-producers and "programming language supervisors". no one feels responsible.

the consequence of this market failure is, that the world's biggest search engine google is forced to step in and provide us with warning pages when we want to visit certain websites through their serps. otherwise the infected visitors would perceive a bad search experience and would not use google any more, as they would blame the mess on google.

as this form of malware protection is far from perfect, the consumer has lost the case.

do i have a point?

[edited by: moTi at 9:04 pm (utc) on Jan. 6, 2010]

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 8:59 pm on Jan 6, 2010 (gmt 0)

do i have a point?

Yes you have a very valid point.

The epidemic, however, is not new. For the past at least five years, almost every computer I've worked on whether a client's or friend's has had some form of malware on it for many years now. It is only when appropriate security measures are in place and a little reeducation of users is conducted that they stop getting infected (reeducation doesn't always work).

Rather than no one taking responsibility, everyone needs to take responsibility be it: OS, browser, or security software developers; ISPs; web hosting providers; website developers; or the end user themselves.

dstiles

WebmasterWorld Senior Member dstiles us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4052477 posted 10:03 pm on Jan 6, 2010 (gmt 0)

Safe browsing:

Firefox with NoScript and turn off ALL javascript, iframes, redirects, PDF, Flash and pretty much everything else UNLESS you know the web site very well, and even then treat with extreme caution.

For preference get a Linux machine for browsing. It's not virus-proof but Windows is far worse and is not updated with patches anywhere near as often as (eg) Linux Ubuntu - bug fixes are introduced as and when, not three weeks later. And please don't say Apple is safe from viruses - it's at least as vulnerable as Windows now! Ditto some "personal" tools such as phones.

Do NOT trust AV software. It can get rid of quite a lot but a) it needs to know the latest virus that was only launched ten minutes ago; b) it can be disabled by a virus (that's as of several years ago); c) it can produce false positives; d) you probably haven't got it connected to your web browser anyway.

Google uses (used?) a third party service for virus detection that is only as good as the AV detection system it uses; see above.

Visit the zdnet security blog (which I've been told before I mustn't link to but which is an absolute MUST read) and review it at least daily. A short while ago I posted hereabouts details from a zdnet article giving the number of virus sites that google was listing; I forget how many now but it was a LARGE number.

Web sites:

Ensure you do NOT use web browsers on your server, nor email tools, either of which can get your server infected. Ensure your username and password are VERY good (12 alpha/numeric/symbol characters). Only use SSL-protected FTP with good passwords (and never anonymous). If you use SSH then be very careful: I had it enabled for an hour on a server and got hit thousands of times with hack attempts in that time. Keep an updated AV running on a regular schedule with emailed reports. Lock down IIS servers VERY carefully. Keep the software updated with the latest patches. I accept many web site owners cannot manage all of the above but ask your hosting service what THEY are doing.

One thing I have learned, as a web site designer and hoster, is that most site owners seldom actually look at their sites.

Blogs and forums are prime targets for planting virus links and again, many blog owners never monitor them or simply get bored and go away. If you have a blog or forum, keep the software up to date and run it moderated if possible.

General:

The tendency of botnet owners now is to spin off new domains at the rate of hundreds a day and switch them around whenever one is killed by (eg) google or the server's owner. The domains are usually aimed at compromised servers so watch out for any suspicious files on your server and keep an eye on (eg) IIS Manager for unexpected domains.

If you run a DNS server ensure it is safe.

And so it goes. Keeping a server clean requires continual vigilance. Ridding it of viruses can take days and lose you trade and customer confidence.

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 10:44 pm on Jan 6, 2010 (gmt 0)

Safe browsing:
Firefox with NoScript and turn off ALL javascript, iframes, redirects, PDF, Flash and pretty much everything else UNLESS you know the web site very well, and even then treat with extreme caution.

Why not just surf the web using Lynx? Your suggestion is just as extreme. Killing off all JavaScript cripples a lot of great functionality, and scripts aren't a serious threat. PDFs aren't a threat, although I wish they would spawn outside of the browser window (I get this fixed and then after the next browser/Acrobat update it reverts to in the browser window, really annoying). Flash can be handled using the extension FlashBlock; this prevents Flash objects from loading and running but still provides a quick play button to let them run. Iframes are mostly used for ads so this isn't too big of a loss. Redirects are necessary on many forum sites; maybe just set the browser to warn about redirects and give you a choice. I do personally disable Java, but mostly for browser performance reasons, plus I almost never need it.

For preference get a Linux machine for browsing. It's not virus-proof but Windows is far worse

Let's not start an OS pissing contest. To each his own when it comes to OS. I'm perfectly happy with WinXP and never get an infection.

Do NOT trust AV software. It can get rid of quite a lot but a) it needs to know the latest virus that was only launched ten minutes ago; b) it can be disabled by a virus (that's as of several years ago); c) it can produce false positives; d) you probably haven't got it connected to your web browser anyway.

A good anti-virus program automatically connects to one's browser, but an anti-virus program can't be the first nor last line of defense.

Google uses (used?) a third party service for virus detection that is only as good as the AV detection system it uses; see above.

Google is only a layer of defense. As stated above computer security is about having multiple layers.

Web sites:
Ensure you do NOT use web browsers on your server, nor email tools, either of which can get your server infected. Ensure your username and password are VERY good (12 alpha/numeric/symbol characters). Only use SSL-protected FTP with good passwords (and never anonymous). If you use SSH then be very careful: I had it enabled for an hour on a server and got hit thousands of times with hack attempts in that time. Keep an updated AV running on a regular schedule with emailed reports. Lock down IIS servers VERY carefully. Keep the software updated with the latest patches. I accept many web site owners cannot manage all of the above but ask your hosting service what THEY are doing.

What can go a long way towards simplifying this is to use a fully managed web hosting service with a really good web hosting company. They'll keep the server updated and secured; all you have to worry about are web applications and how you connect to the server to update stuff. One common vector for infecting servers is via a compromised workstation that is used to edit and upload code. Malicious code gets added to the scripts by the infected workstation and is then uploaded to the server via the methods used to connect the workstation to the server, or gets uploaded the next time the developer FTPs files over to the server.

One thing I have learned, as a web site designer and hoster, is that most site owners seldom actually look at their sites.
Blogs and forums are prime targets for planting virus links and again, many blog owners never monitor them or simply get bored and go away. If you have a blog or forum, keep the software up to date and run it moderated if possible.

The best way to manage a blog or forum is to premoderate all posts by new/unknown individuals. Nothing ever gets posted to my blog until I've approved it and all posts on my forums by new users have to be approved. Once a new forum user has a track record of not being a spammer they get promoted and their posts get posted automatically. HOWEVER, I make sure all posts get read by someone who can nix them and I don't let dynamic content.

dstiles

WebmasterWorld Senior Member dstiles us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4052477 posted 10:14 pm on Jan 7, 2010 (gmt 0)

Ken, you really should view some threat profiles. :)

Javascript is a major player in the installation of viruses, either directly or by redirection to infected web sites, through browsers or other JS-inclusive clients such as Flash and Acrobat. I accept it's not the only exploit around.

From a heading dated ten days ago on the site I mentioned: "Adobe plugs gaping holes in Flash Media Server" and a couple of weeks before that "Adobe confirms PDF zero-day attacks. Disable JavaScript now". Some of these exploits have been in place for years and depend heavily on in-document javascript. Javascript originating from web sites is even more likely to infect since not everyone downloads unknown PDF files. As to Java, I haven't had that enabled at all for at least six years and ActiveX only for very controlled Windows updates.

Lynx is obviously a non-starter because it only gives text. :)

Firefox, even with everything disabled, still gives an excellent presentation of most sites, even those which only display Flash - the option is always there for you to chance it whether through NoScript or FlashBlocker. Personally I do not view Flash on web sites: if they don't have textual content I go away. Nor do I view Movies. I often visit dozens of sites a day, including reviewing sites for my directory, and have a pretty good user experience even with everything turned off.

I did not intend to imply one should always use Linux. Only one of my machines is Linux but I do use it almost exclusively for browsing - not entirely for safety but that played a large part in my decision. I haven't had a virus on any of my machines, Windows nor Linux. It is a fact, though, that Windows machines, including servers, are more likely to be infected, probably due to lack of care by the majority of users who have no idea about security, threats or any other invasion. Linux users are generally more experienced computer users and the OS is easier to update, hence offering less of an exploit surface.

As to means of defence, of course they are ALL only layers of protection.

My advice re: web hosting was primarily aimed at dedicated servers. As to managed hosting companies, how many do you think really do manage their servers correctly and safely? A vast number of (probably most) infected servers are on server farms - even Amazon AWS is at least partially infected: ok, no surprise there. :) How many are managed and how many dedicated I have no idea, but I suspect dedicated servers are more cared-for since their users are likely to have more technical ability and knowledge. Yes, it's possible to choose a good managed OR dedicated hosting service but a lot of web site owners simply go for the cheapest, as witness the number of UK sites that use USA servers.

Although I agree that some infected workstations may upload code to servers via FTP most malware is installed through infected machines managed as a botnet. It is not efficient to infect a desktop machine with a server virus on the off chance that it will get uploaded via FTP: that is highly unlikely as very few people have FTP access to web servers. Where the desktop has become part of a botnet and is used to attack servers the attack on the server (in my experience) is through attempted SQL injection and through exploitable services such as php applications (boards, ecommerce etc). Most of the attempts I see appear to have rudimentary web services installed on the infected desktop but that is, I think, part of the infestation rather than poor OS setup. It is far more efficient to install a virus on a server direct from the botnet, and botnet managers are becoming frighteningly efficient. Where infection of a server is via FTP I suspect that's how it got onto the desktop in the first place, possibly through visiting suspect FTP servers, although that is surmise.

By the way, Ken, my post was not aimed at your comments if that was your perception of my post. You made your post whilst I was writing mine and I read it only after my own submission. :)

KenB

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4052477 posted 11:06 pm on Jan 7, 2010 (gmt 0)

The ultimate question, which was the point I was making with Lynx, is how much functionality are you going to give up for a little extra security. At some point the functional loss out weighs very marginal improvements in security. The key is risk management, not risk elimination.

In regards to the workstation to server exploit vector, I personally know a webmaster whom I consider to be really good at this stuff who got hit precisely in the manner I described. His local workstation was compromised, it rewrote some of his HTML code, which then got inserted into his site. I don't know the software specifics, but the workstation is certainly a weak link in a hardened server environment.

Maybe a lot of the really big players (like AWS) are sloppy about security in regards to individual websites they host, especially those companies who try to be all things to all people (e.g. support every server OS/software environment). There are companies who specialize in one OS environment and are cautious about what they allow. My web host for instance only does FreeBSD servers running Apache.

In general, most web developers are not server security gurus and probably shouldn't be trying to manage their own servers. It is far better and more secure to use fully managed servers using a company who takes security seriously. Let them keep up with the server patches, there is enough to deal with in regards to website development. The catch is the companies that are competing for business via rock bottom prices AREN'T the ones taking security seriously. Good well managed web hosting is not cheap.

aleksl



 
Msg#: 4052477 posted 1:55 am on Jan 8, 2010 (gmt 0)

I was just hit with this nasty, NASTY thingy today. Luckily, I am familiar with the previous version, so I know what it is.

soo....this thing is BAD. Aside from going right through Firefox from an infected server to your machine, it installs a fake antivirus, a dozen trojans and a rootkit. It also disables Windows Safe mode.

Seb7: AVG did the job each time.

no it didn't. had to upgrade from 8.5 to 9, 8.5 didn't see anything. AVG version 9 got several trojans, and got happy.

The only soft that worked last time I saw this bugger, and this time as well, was a little-known tool called Malwarebytes' Anti-Malware. Upgrade to the latest version, download updates, boom - it also catches a rootkit, although it isn't easy to delete it.

moTi: how can it technically be in 2009, that a properly standard-protected system is infected simply by visiting a web page without manually downloading anything? why is it impossible to eliminate these occurrences with some simple os/browser patch or tweak of some kind?

this loads a ROOTKIT, which can do practically anything to your computer. Read up on it.

For preference get a Linux machine for browsing. It's not virus-proof but Windows is far worse

Well, rootkits were invented on non-windows OS, including *nix. The only difference is whether you run a popular OS.
