
Forum Moderators: phranque


Massive Obfuscated JS attack on 20,000 sites

     

tangor

1:11 am on May 30, 2009 (gmt 0)




Mass Injection Compromises More than Twenty-Thousand Web Sites

Date: 05.29.2009

Threat Type: Malicious Web Site / Malicious Code

Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

As posted at Websense:
[securitylabs.websense.com...]

bill

7:12 am on May 30, 2009 (gmt 0)




What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

tangor

7:22 am on May 30, 2009 (gmt 0)




I run a date check on files. I know when *I* made the change. If dates don't match I take a swift look!

edit...

More precisely I maintain a database of edits. I run dirs weekly and have code that compares edits to last update. If those do not match it is kicked out in a report (usually ZERO ITEMS). If there is a change I DID NOT MAKE I look at it. So far, so good!

...end edit
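An added example, not part of tangor's post or code: one way to build the weekly "compare the directory against recorded edits" report described above. It records SHA-256 hashes alongside dates (an assumption beyond the post, since a file's date can be put back after a change); the function names and sample files are constructed for illustration.

```python
import hashlib, json, os, tempfile

def snapshot(root):
    """Map relative path -> {"mtime", "sha256"} for every file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"mtime": int(os.stat(full).st_mtime), "sha256": digest}
    return snap

def compare(baseline, current):
    """Return sorted (path, reason) pairs for everything that differs from the baseline."""
    report = []
    for path, meta in current.items():
        known = baseline.get(path)
        if known is None:
            report.append((path, "new file"))
        elif known["sha256"] != meta["sha256"]:
            report.append((path, "content changed"))
        elif known["mtime"] != meta["mtime"]:
            report.append((path, "date changed, content same"))
    report += [(p, "missing") for p in baseline if p not in current]
    return sorted(report)

def demo():
    """Constructed sample site: record a baseline, alter files, compare again."""
    with tempfile.TemporaryDirectory() as root:
        page = os.path.join(root, "index.html")
        with open(page, "w") as fh:
            fh.write("<html><body>Hello</body></html>")
        os.utime(page, (1243641600, 1243641600))           # fixed, known edit date
        baseline = json.loads(json.dumps(snapshot(root)))  # as if saved and reloaded
        clean = compare(baseline, snapshot(root))          # expected: zero items
        with open(page, "a") as fh:                        # unplanned change...
            fh.write("<script>/* injected */</script>")
        os.utime(page, (1243641600, 1243641600))           # ...with the old date restored
        with open(os.path.join(root, "stats.js"), "w") as fh:
            fh.write("// file that was never in the edit record")
        return clean, compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In real use the baseline would be written to a JSON file kept off the web server and refreshed only after a change the site owner made.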

Vishal

8:27 am on May 30, 2009 (gmt 0)




Noticed the JS injection on one of our sites. After looking into details and asking around, found that it would be a good idea to use SFTP instead of the regular one.
Even though the JS injection was mainly on the content page, I thought it would be best to restore the site from a clean backup and it seemed to have solved the problem.

What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

This injection was inserting code from a #*$!x.cn website and I found it while working on the site (Firefox + Firebug addon). Not sure if it would be recommended to check all the pages manually - it can take ages.
 
