
Website Technology Issues Forum

    
Massive Obfuscated JS attack on 20,000 sites
tangor




msg:3922768
 1:11 am on May 30, 2009 (gmt 0)

Mass Injection Compromises More than Twenty-Thousand Web Sites

Date: 05.29.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

As posted at Websense:
[securitylabs.websense.com...]

 

bill




msg:3922847
 7:12 am on May 30, 2009 (gmt 0)

What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

tangor




msg:3922852
 7:22 am on May 30, 2009 (gmt 0)

I run a date check on files. I know when *I* made the change. If dates don't match I take a swift look!

edit...

More precisely I maintain a database of edits. I run dirs weekly and have code that compares edits to last update. If those do not match it is kicked out in a report (usually ZERO ITEMS). If there is a change I DID NOT MAKE I look at it. So far, so good!

...end edit
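
A sketch of the kind of check described in the post above, added here as an example and not code from any poster in this thread: take a baseline right after a change you made yourself, then report whatever differs from it. It goes beyond the date comparison by also hashing file contents, since a file's date can be set to any value; the function names, script name and command-line layout are assumptions.

```python
import hashlib
import json
import os
import sys


def snapshot(root):
    """Map each file under root to its SHA-256 digest and modification time."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": digest, "mtime": int(os.path.getmtime(path))}
    return manifest


def compare(baseline, current):
    """Report files that differ from the baseline taken after the last known edit."""
    report = {"added": [], "removed": [], "modified": [], "touched": []}
    for rel in sorted(current):
        before, now = baseline.get(rel), current[rel]
        if before is None:
            report["added"].append(rel)       # file the owner never deployed
        elif before["sha256"] != now["sha256"]:
            report["modified"].append(rel)    # content changed, whatever the date says
        elif before["mtime"] != now["mtime"]:
            report["touched"].append(rel)     # same bytes, different date
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def main(argv):
    # Usage (hypothetical script name): fim.py init|check <site_root> <baseline.json>
    mode, root, baseline_path = argv[1:4]
    if mode == "init":                        # run right after a change you made yourself
        with open(baseline_path, "w") as fh:
            json.dump(snapshot(root), fh, indent=2, sort_keys=True)
        return 0
    with open(baseline_path) as fh:
        report = compare(json.load(fh), snapshot(root))
    for kind, paths in report.items():
        for rel in paths:
            print(f"{kind.upper():9}{rel}")
    changed = sum(len(paths) for paths in report.values())
    print(f"{changed} item(s) differ from baseline")
    return 1 if changed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keep the baseline file off the web server, or at least outside the document root, so that whoever can alter the pages cannot also alter the record they are checked against.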

Vishal




msg:3922900
 8:27 am on May 30, 2009 (gmt 0)

Noticed the JS injection on one of our sites. After looking into the details and asking around, found that it would be a good idea to use SFTP instead of the regular one.
Even though the JS injection was mainly on the content page, I thought it would be best to restore the site from a clean backup, and it seemed to have solved the problem.

What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

This injection was inserting code from a #*$!x.cn website, and I found it while working on the site (Firefox + Firebug addon). Not sure if it would be recommended to check all the pages manually - it can take ages.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved