Msg#: 3922766 posted 1:11 am on May 30, 2009 (gmt 0)
Mass Injection Compromises More than Twenty-Thousand Web Sites
Threat Type: Malicious Web Site / Malicious Code
Msg#: 3922766 posted 7:22 am on May 30, 2009 (gmt 0)
I run a date check on files. I know when *I* made the change. If dates don't match I take a swift look!
More precisely I maintain a database of edits. I run dirs weekly and have code that compares edits to last update. If those do not match it is kicked out in a report (usually ZERO ITEMS). If there is a change I DID NOT MAKE I look at it. So far, so good!
Msg#: 3922766 posted 8:27 am on May 30, 2009 (gmt 0)
Noticed the JS injection on one of our site. After looking into details and asking around, found that it would be good idea to use SFTP instead of regular one. Even though the JS injection was mainly on the content page, I thought it would be best to restore the site from clean backup and it seemed to have solved the problem.
What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.
This injection was inserting a code from a #*$!x.cn website and I found it while working on the site (firefox + firebug addon) Not sure if it would be recommended to check all the pages manually - it can take ages.