Solved

someone is injecting html code opening a hidden iframe and pointing a virus site on my web server

Posted on 2007-12-05
3
568 Views
Last Modified: 2013-12-04
I have a web server set to host about 75 web sites. It runs Windows Server 2003 and is fully up to date with patches etc. Someone dropped code into every html file on the server that redirected to a hidden iframe that was a virus-laden site. The original site does appear and the end user is largely unaware other than a brief delay; however the virus exploits several apps like QuickTime, WinZip etc. We thought we found the issue (PHP vuln.), scripted out their changes and removed PHP which was on the box but unused. The issue appeared again today about a week after the first exploit. I have found a couple somewhat similar issues on other forums without any real solutions being posed. Any assist. would be appreciated.
0
Comment
Question by:scsi
3 Comments
 
LVL 5

Accepted Solution

by:
rjmedina earned 300 total points
ID: 20413897
There are a few ways they could be doing this.  First, they've found a new exploit that isn't public yet.  Second, they've simply figured out an ftp or administrator account name and password.  Third, you have an internal problem - one of your own or recently terminated is the source.  These are the most obvious, but there could be more.

If it's the first, all you can do is gather as much data as you can and submit it - however, usually those who submit are very savvy and already know the exact exploit.  If you don't know which exploit they're using it will be hard for you to report it.

However, it sounds like they've compromised one of your accounts and can gain access repeatedly to continue to make the changes.  Or they know the account name and even though you changed the password they were able to figure out the new password.  (Hence the week delay).

I would try to figure out what account they are using and either delete/disable it or turn it against them.  However since they seem to have gained access to your system they probably know all of the account names and many passwords, so you might need to change all account names and passwords.

I would also suggest a honeypot.  If they are scripting their changes to your server then they'll most likely start at the top of the directory tree, so create a folder that is at the top of each directory tree.  If this folder or its contents are accessed, it will trigger events to lock the account out and notify whoever you specify.  Since they only seem to be attacking this one server, you won't be able to do a traditional isolated honeypot, but hopefully it will be enough to protect you.
(http://en.wikipedia.org/wiki/Honeypot_%28computing%29)

Hope this helps
0
 
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 100 total points
ID: 20418063
I would add this: check your logs: 2k3 and firewall. If not enabled yet: enable as much auditing as possible and try to trace back.
You may need to clean the server again and then have it exploited again. Then take the giant puzzle of your logs and put it together.

J.
0
 

Author Comment

by:scsi
ID: 20636836
Thanks for the input guys. The issue has been resolved and I find very little out there about it, but here is the basic issue. We were running PHP and Perl on that box for a particular customer and a vuln. in them allowed the original inject. Once exposed, the GINA was replaced and much more of the system files with similarly named files that were in fact a hack. This passed all system passwords back to a tracking server and allowed further exploit. We have dug through the trenches of the server and removed all traces and all seems well. Thanks again for the input!
0
