Malicious code injection in web pages

c0r2ar0


Joined: 06 Oct 2007
Posts: 44

PostPosted: Wed Mar 31, 2010 10:26 pm    Post subject: Malicious code injection in web pages

Hi all,
We are using Abyss X2 2.6 64-bit on our Win2008 web server for about 2 years. We host about 100 domains and everything works great!

Recently we've discovered that some malicious code was injected into one of our customers' sites, hosted on our server. The site is www.rht.it

Now Google shows the security warning but the site has already been cleaned. There were index.htm files infected with malicious JavaScript code that was trying to show some infected ad banners from other sites.

I was wondering in which way I can prevent this problem. The site had not been modified for a long time (more than 10 months), so the only way to inject that code is by using ASP/PHP/JavaScript directly through the web server.

Has no one experienced these problems and knows how to fix this???


Thanks in advance to everyone who will help!!

Regards,
Paolo
Axis


Joined: 29 Sep 2003
Posts: 336

PostPosted: Thu Apr 01, 2010 3:57 pm    Post subject:

Hello Paolo--

This is what I get:

Safe Browsing
Diagnostic page for rht.it

What is the current listing status for rht.it?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-31, and the last time suspicious content was found on this site was on 2010-03-31.

Malicious software includes 2 scripting exploit(s), 2 worm(s). Successful infection resulted in an average of 1 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including wabubjtwthr.com/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including search.twitter.com/.

This site was hosted on 1 network(s) including AS13284 (BRT).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, rht.it did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message
c0r2ar0


Joined: 06 Oct 2007
Posts: 44

PostPosted: Thu Apr 01, 2010 6:13 pm    Post subject:

Hi Axis thanks for reply.

I already know that information from Google and other sites.

The problem is that I'd like to know how to prevent the injection of malicious code inside the website rht.it from happening again.
I think that since this has already happened once, it could happen again in the future.

I guess there are some settings for Abyss to close this security problem.

Best regards,
Paolo
Axis


Joined: 29 Sep 2003
Posts: 336

PostPosted: Thu Apr 01, 2010 6:30 pm    Post subject:

Hi Paolo--

I figured you'd already seen this, but the date of its last reported entry was yesterday.

I guess the question is what kind of site is it? A standard html site? Frontpage? Are you using a CMS or something similar?

There might be something in your server logs that shows the injection. Another clue might be in the "1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including search.twitter.com/." That might be worth looking into.

Regards,
Axis
c0r2ar0


Joined: 06 Oct 2007
Posts: 44

PostPosted: Thu Apr 01, 2010 6:36 pm    Post subject:

Hi Axis,
I've already done a quick search in my server log but I haven't seen anything interesting (even if I must admit that I have more than 10 MB of text logs for the month of March and I couldn't explore the whole log; I must search for something).

I must say that the site is not mine, it belongs to one of our customers. As I told before, we host more than 100 web sites of our customers, so I don't know that website very well.

Anyway, I've seen that it is a plain HTML website with some JavaScript in some pages but nothing else. No CMS / ASP / PHP dynamic site... no DB use.

I really don't know in which way it could happen!!

Thanks...
Toasty


Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

PostPosted: Thu May 06, 2010 2:34 am    Post subject:

-None- of your sites use any sort of dynamic code? No PHP, ASP, Perl, SSI, etc?

If that is the case, do you host your server on a network with a poor wireless password/encryption? Could somebody have added those files there from accessing your network?

Who else has access to your system, do you have FTP set up as well?

What system processes are running, and are they all current versions?

Have you scanned your system for viruses?
_________________
Audit the secure configuration of your server headers!
Axis


Joined: 29 Sep 2003
Posts: 336

PostPosted: Sun May 09, 2010 4:49 pm    Post subject:

Hello again Paolo--

Do you have any kind of anti-virus running on your server machine?

I know the overhead is high but I cannot imagine running a server without firewall and anti-virus shielding.

Just a thought.

(Oh, I see the problem is solved...what did you do to resolve the problem?)

Regards,
Axis
c0r2ar0


Joined: 06 Oct 2007
Posts: 44

PostPosted: Sun May 23, 2010 9:59 pm    Post subject:

Toasty wrote:
-None- of your sites use any sort of dynamic code? No PHP, ASP, Perl, SSI, etc?

If that is the case, do you host your server on a network with a poor wireless password/encryption? Could somebody have added those files there from accessing your network?

Who else has access to your system, do you have FTP set up as well?

What system processes are running, and are they all current versions?

Have you scanned your system for viruses?


We're a small web hosting provider and we offer our customers PHP, ASP and Perl for every website! Of course we have a lot of websites using those languages!

No problem with wireless because our server is directly connected to the internet in a web farm with a 10 Mbps network connection. We just have a hardware firewall to block DDoS attacks and unwanted services!

Our system is virus-free; we use ESET NOD32 4.0 for real-time system protection and ClamAV for our mail server protection!

The problem is that we got that malicious code only on this website and NOT on the others that we host on the same server... so it is NOT a problem of our server but just of these pages!

Now we have fixed this problem by removing the malicious code and making those web pages read-only, so they can be modified only through FTP access.

I think there's some possibility with Abyss to execute some scripts to modify HTML/ASP/PHP web pages directly from the website itself! I think this is the problem...

Does no one know a solution, maybe some Abyss settings to prevent this?
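As an added example that is not part of the thread (and not Abyss or Aprelium code): a baseline-and-compare integrity check in Python for the situation Paolo describes, a static site untouched for months whose index.htm files were silently changed. A stored hash baseline flags every modified or added page, and each flagged page is scanned for `<script src>` references to hosts outside an allow-list, which is how an injected off-site script stands out. The allow-list, file paths and the evil.example host are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Hosts a page may load scripts from; assumption for the demo (the site's own host).
ALLOWED_SCRIPT_HOSTS = {"www.rht.it"}
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)


def hash_tree(root, exts=(".htm", ".html", ".js")):
    """Return {relative path: sha256 hex} for every web file under root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    baseline[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def foreign_script_hosts(html):
    """Hosts referenced by <script src=...> that are not on the allow-list."""
    return sorted({h.lower() for h in SCRIPT_SRC.findall(html)} - ALLOWED_SCRIPT_HOSTS)


def compare(root, baseline):
    """Diff the tree against a stored baseline and list off-site script hosts per flagged page."""
    current = hash_tree(root)
    report = {"modified": {}, "added": {}, "removed": sorted(set(baseline) - set(current))}
    for rel, digest in current.items():
        if rel not in baseline:
            bucket = report["added"]
        elif baseline[rel] != digest:
            bucket = report["modified"]
        else:
            continue  # unchanged since the baseline was taken
        with open(os.path.join(root, rel), "r", errors="replace") as fh:
            bucket[rel] = foreign_script_hosts(fh.read())
    return report


def demo():
    """Constructed scenario: baseline a clean index.htm, then append an off-site <script>."""
    root = tempfile.mkdtemp()
    page = os.path.join(root, "index.htm")
    with open(page, "w") as fh:
        fh.write('<html><script src="http://www.rht.it/menu.js"></script></html>')
    baseline = hash_tree(root)
    with open(page, "a") as fh:
        fh.write('<script src="http://evil.example/ad.js"></script>')  # placeholder host
    return compare(root, baseline)
```

Run `hash_tree` once on a known-clean copy, store the result, and rerun `compare` on a schedule: a page that "was not modified for 10 months" should never appear under `modified`.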