c0r2ar0 - Joined: 06 Oct 2007, Posts: 44
Posted: Wed Mar 31, 2010 10:26 pm, Post subject: Malicious code injection in web pages
Hi all,
We have been using Abyss X2 2.6 64-bit on our Win2008 web server for about 2 years. We host about 100 domains and everything works great!
Recently we discovered that some malicious code was injected into a site of one of our customers, hosted on our server. The site is www.rht.it
Now Google shows the security warning, but the site has already been cleaned. There were index.htm files infected with malicious JavaScript code that was trying to show some infected ad banners from other sites.
I was wondering how I can prevent this problem. The site had not been modified for a long time (more than 10 months), so the only way to inject that code is using ASP/PHP/JavaScript directly through the web server.
Has anyone experienced these problems, and does anyone know how to fix this???
Thanks in advance to everyone who will help!!
Regards,
Paolo
Axis - Joined: 29 Sep 2003, Posts: 336
Posted: Thu Apr 01, 2010 3:57 pm
Hello Paolo--
This is what I get:
Safe Browsing
Diagnostic page for rht.it
What is the current listing status for rht.it?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-31, and the last time suspicious content was found on this site was on 2010-03-31.
Malicious software includes 2 scripting exploit(s), 2 worm(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 1 domain(s), including wabubjtwthr.com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including search.twitter.com/.
This site was hosted on 1 network(s) including AS13284 (BRT).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, rht.it did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message
c0r2ar0 - Joined: 06 Oct 2007, Posts: 44
Posted: Thu Apr 01, 2010 6:13 pm
Hi Axis, thanks for the reply.
I already know this information from Google and other sites.
The problem is that I'd like to know how to prevent the injection of malicious code into the website rht.it another time.
I think that since this has already happened once, it could happen again in the future.
I guess there are some settings in Abyss to close this security problem.
Best regards,
Paolo
Axis - Joined: 29 Sep 2003, Posts: 336
Posted: Thu Apr 01, 2010 6:30 pm
Hi Paolo--
I figured you'd already seen this, but the date of its last reported entry was yesterday.
I guess the question is what kind of site is it? A standard HTML site? FrontPage? Are you using a CMS or something similar?
There might be something in your server logs that shows the injection. Another clue might be in the "1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including search.twitter.com/." That might be worth looking into.
Regards,
Axis
c0r2ar0 - Joined: 06 Oct 2007, Posts: 44
Posted: Thu Apr 01, 2010 6:36 pm
Hi Axis,
I've already done a quick search in my server log but I haven't seen anything interesting (even if I must admit that I have more than 10 MB of text logs for the month of March and I couldn't explore all the log; I must search for something).
I must say that the site is not mine; it belongs to one of our customers. As I said before, we host more than 100 websites for our customers, so I don't know that website very well.
Anyway, I've seen that it is a plain HTML website with some JavaScript in some pages but nothing else. No CMS / ASP / PHP dynamic site... no DB use.
I really don't know how it could have happened!!
Thanks...
Toasty - Joined: 21 Feb 2008, Posts: 298, Location: Chicago, IL
Posted: Thu May 06, 2010 2:34 am
-None- of your sites use any sort of dynamic code? No PHP, ASP, Perl, SSI, etc?
If that is the case, do you host your server on a network with a poor wireless password/encryption? Could somebody have added those files there from accessing your network?
Who else has access to your system, do you have FTP set up as well?
What system processes are running, and are they all current versions?
Have you scanned your system for viruses?
Axis - Joined: 29 Sep 2003, Posts: 336
Posted: Sun May 09, 2010 4:49 pm
Hello again Paolo--
Do you have any kind of anti-virus running on your server machine?
I know the overhead is high but I cannot imagine running a server without firewall and anti-virus shielding.
Just a thought.
(Oh, I see the problem is solved...what did you do to resolve the problem?)
Regards,
Axis
c0r2ar0 - Joined: 06 Oct 2007, Posts: 44
Posted: Sun May 23, 2010 9:59 pm
Toasty wrote:
> -None- of your sites use any sort of dynamic code? No PHP, ASP, Perl, SSI, etc?
> If that is the case, do you host your server on a network with a poor wireless password/encryption? Could somebody have added those files there from accessing your network?
> Who else has access to your system, do you have FTP set up as well?
> What system processes are running, and are they all current versions?
> Have you scanned your system for viruses?
We're a small web hosting provider and we offer PHP, ASP and Perl to our customers for every website! Of course we have a lot of websites using those languages!
No problem with wireless because our server is directly connected to the internet in a webfarm with a 10 Mbps network connection. We just have a hardware firewall to block DDoS attacks and unwanted services!
Our system is virus free; we use ESET NOD32 4.0 for real-time system protection and ClamAV for our mail server protection!
The problem is that we got that malicious code only on this website and NOT on the others that we host on the same server... so it is NOT a problem of our server but just of these pages!
Now we have fixed this problem by removing the malicious code and making those web pages read-only, so they can be modified only through FTP access.
I think there's some possibility in Abyss to execute some scripts that modify HTML/ASP/PHP web pages directly from the website itself! I think this is the problem...
Does no one know a solution, maybe some Abyss settings to prevent this?
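The thread never settles how the index.htm files were rewritten, but two controls that would have caught it early are straightforward to script, independently of the web server: a hash baseline of the static web root so any file changed outside the normal FTP deployment stands out, and a scan of HTML files for script or iframe tags that pull code from a host outside the site's own, or that carry the escaped/obfuscated loader patterns typical of injected snippets. The Python below is an added example written for this thread; it is not code from the forum posts or from the Abyss project. The hostname www.rht.it is the site named in the thread; malicious-host.invalid, the sample pages and the dropped file are constructed placeholders, and the whole run happens in a temporary directory.

```python
"""Defensive checks for a static web root (added example, not from the thread):
1. build a SHA-256 baseline of content files and report changed/added/removed files;
2. scan HTML for external script/iframe sources outside an allowlist of own hosts
   and for inline scripts with obfuscation patterns typical of injected loaders.
"""
import hashlib
import json
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects <script src>/<iframe src> targets and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src values of script/iframe tags
        self.inline = []        # text of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Patterns that legitimate hand-written page scripts rarely contain but
# injected loaders very often do: write/eval of URL-escaped or hex-escaped strings.
SUSPICIOUS_INLINE = re.compile(
    r"document\.write\s*\(\s*unescape|eval\s*\(\s*unescape|String\.fromCharCode"
    r"|(?:\\x[0-9a-fA-F]{2}){6,}|(?:%[0-9a-fA-F]{2}){6,}"
)


def find_suspicious_scripts(html, own_hosts):
    """Return [(kind, detail)] findings; own_hosts is a set of lowercase hostnames."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname          # None for relative URLs -> own site
        if host and host.lower() not in own_hosts:
            findings.append(("external-script", src))
    for code in parser.inline:
        if SUSPICIOUS_INLINE.search(code):
            findings.append(("obfuscated-inline", code.strip()[:60]))
    return findings


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root, exts=(".htm", ".html", ".js", ".php", ".asp", ".pl")):
    """Map of relative path -> SHA-256 for every content file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baseline(root, baseline):
    current = build_baseline(root)
    return {
        "changed": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


# Constructed sample pages: a clean page with a local script, and the same page
# after a simulated injection of a remote script plus an escaped inline loader.
CLEAN = '<html><head><script src="/js/menu.js"></script></head><body>ok</body></html>'
INJECTED = CLEAN.replace(
    "</body>",
    '<script src="http://malicious-host.invalid/ads.js"></script>'
    '<script>document.write(unescape("%3C%69%66%72%61%6D%65%3E"))</script></body>',
)


def demo():
    """Baseline a fake web root, simulate a compromise, report what the checks flag."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name in ("index.htm", "about.htm"):
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(CLEAN)
    baseline = build_baseline(root)
    # Simulated compromise: index.htm rewritten, unexpected PHP file dropped alongside.
    with open(os.path.join(root, "index.htm"), "w", encoding="utf-8") as fh:
        fh.write(INJECTED)
    with open(os.path.join(root, "dropped.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php /* constructed sample */ ?>")
    diff = compare_baseline(root, baseline)
    report = {}
    for rel in diff["changed"] + diff["added"]:
        if rel.lower().endswith((".htm", ".html")):
            with open(os.path.join(root, rel), encoding="utf-8") as fh:
                report[rel] = find_suspicious_scripts(fh.read(), {"www.rht.it"})
    return diff, report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored off the web server (the attacker who can write index.htm can also write the manifest) and re-checked on a schedule; a changed file that the FTP log cannot account for is the signal the thread was looking for in the server logs.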