Massive Obfuscated JS attack on 20,000 sites

Forum Moderators: phranque

Message Too Old, No Replies

Massive Obfuscated JS attack on 20,000 sites

tangor

1:11 am on May 30, 2009 (gmt 0)

Mass Injection Compromises More than Twenty-Thousand Web Sites
Date:05.29.2009
Threat Type: Malicious Web Site / Malicious Code
Websense Security Labs™ Threatseeker™ Network has detected that a large compromise of legitimate Web sites is currently taking place around the globe. Thousands of legitimate Web sites have been discovered to be injected with malicious Javascript, obfuscated code that leads to an active exploit site. The active exploit site uses a name similar to the legitimate Google Analytics domain (google-analytics.com), which provides statistical services to Web sites.

As posted at Websense:
[securitylabs.websense.com...]

bill

7:12 am on May 30, 2009 (gmt 0)

What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

tangor

7:22 am on May 30, 2009 (gmt 0)

I run a date check on files. I know when *I* made the change. If dates don't match I take a swift look!

edit...

More precisely I maintain a database of edits. I run dirs weekly and have code that compares edits to last update. If those do not match it is kicked out in a report (usually ZERO ITEMS). If there is a change I DID NOT MAKE I look at it. So far, so good!

...end edit

Vishal

8:27 am on May 30, 2009 (gmt 0)

Noticed the JS injection on one of our site. After looking into details and asking around, found that it would be good idea to use SFTP instead of regular one.
Even though the JS injection was mainly on the content page, I thought it would be best to restore the site from clean backup and it seemed to have solved the problem.

What's the best way to monitor your sites for these sorts of attacks? Manually checking the source isn't a good way to be safe.

This injection was inserting a code from a #*$!x.cn website and I found it while working on the site (firefox + firebug addon) Not sure if it would be recommended to check all the pages manually - it can take ages.