Solved

someone is injecting html code opening a hidden iframe and pointing a virus site on my web server

Posted on 2007-12-05
Last Modified: 2013-12-04
I have a web server set to host about 75 web sites. It runs Windows Server 2003 and is fully up to date with patches etc. Someone dropped code into every HTML file on the server that redirected to a hidden iframe that was a virus-laden site. The original site does appear and the end user is largely unaware other than a brief delay; however the virus exploits several apps like QuickTime, WinZip etc. We thought we found the issue (PHP vuln.), scripted out their changes and removed PHP, which was on the box but unused. The issue appeared again today about a week after the first exploit. I have found a couple of somewhat similar issues on other forums without any real solutions being posed. Any assistance would be appreciated.
Question by:scsi
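As an added defender's check (example code written for this page, not from the thread or from any of the posters): a small Python scanner that parses the HTML of hosted pages and flags iframes whose width/height attributes or inline style make them invisible to the visitor, reporting the host each one points at. The sample pages and the flagged host name are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute values that collapse a frame to nothing: "0", "1", "0px", "1px" ...
_TINY = re.compile(r"\s*0*[01]\s*(px)?\s*", re.IGNORECASE)
_STYLE_MARKERS = ("display:none", "visibility:hidden", "width:0", "height:0")

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags whose attributes make them invisible to the visitor."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = [f"{d}={a[d]!r}" for d in ("width", "height")
                   if d in a and _TINY.fullmatch(a[d])]
        style = re.sub(r"\s+", "", a.get("style", "")).lower()
        reasons += [f"style has {m}" for m in _STYLE_MARKERS if m in style]
        if reasons:
            src = a.get("src", "")
            self.findings.append({"src": src, "host": urlparse(src).hostname or "",
                                  "reasons": reasons})

def find_hidden_iframes(html_text):
    parser = HiddenIframeFinder()
    parser.feed(html_text)
    return parser.findings

def scan_files(files):
    """files: {path: html text}. Returns the paths with hidden iframes and the hosts they load."""
    report = {path: hits for path, text in files.items() if (hits := find_hidden_iframes(text))}
    hosts = sorted({h["host"] for hits in report.values() for h in hits})
    return report, hosts

# Constructed sample pages standing in for a hosted site; the flagged host is a placeholder.
SAMPLE_FILES = {
    "site1/index.html": (
        '<html><body><h1>Welcome</h1>'
        '<iframe src="http://video.example.com/embed/1" width="560" height="315"></iframe>'
        '<iframe src="http://injected-host.invalid/in.php" width="0" height="0" '
        'style="display: none"></iframe></body></html>'
    ),
    "site2/about.html": "<html><body><p>Contact us</p></body></html>",
}
```

Run it over every .html file under the web root after a cleanup; the hosts list is what to block at the firewall and search the logs for.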
3 Comments

LVL 5

Accepted Solution

by: rjmedina (earned 300 total points)
ID: 20413897
There are a few ways they could be doing this. First, they've found a new exploit that isn't public yet. Second, they've simply figured out an ftp or administrator account name and password. Third, you have an internal problem - one of your own or recently terminated is the source. These are the most obvious, but there could be more.

If it's the first, all you can do is gather as much data as you can and submit it - however, usually those who submit are very savvy and already know the exact exploit.  If you don't know which exploit they're using it will be hard for you to report it.

However, it sounds like they've compromised one of your accounts and can gain access repeatedly to continue to make the changes. Or they know the account name and even though you changed the password they were able to figure out the new password. (Hence the week delay.)

I would try to figure out what account they are using and either delete/disable it or turn it against them.  However since they seem to have gained access to your system they probably know all of the account names and many passwords, so you might need to change all account names and passwords.

I would also suggest a honeypot. If they are scripting their changes to your server then they'll most likely start at the top of the directory tree, so create a folder that is at the top of each directory tree. If this folder or its contents are accessed, it will trigger events to lock the account out and notify whoever you specify. Since they only seem to be attacking this one server, you won't be able to do a traditional isolated honeypot, but hopefully it will be enough to protect you.
(http://en.wikipedia.org/wiki/Honeypot_%28computing%29)

Hope this helps

LVL 18

Assisted Solution

by: PowerIT (earned 100 total points)
ID: 20418063
I would add this: check your logs: 2k3 and firewall. If not enabled yet: enable as much auditing as possible and try to trace back.
You may need to clean the server again and then have it exploited again. Then take the giant puzzle of your logs and put it together.

J.

Author Comment

by: scsi
ID: 20636836
Thanks for the input guys. The issue has been resolved and I find very little out there about it, but here is the basic issue. We were running PHP and Perl on that box for a particular customer and a vuln. in them allowed the original inject. Once exposed, the GINA and many more of the system files were replaced with similarly named files that were in fact a hack. This passed all system passwords back to a tracking server and allowed further exploit. We have dug through the trenches of the server and removed all traces and all seems well. Thanks again for the input!
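PowerIT's advice to clean the server and then watch what changes, and the replaced-system-files finding in this comment, both come down to knowing exactly which files changed between two points in time. Added example (not from the thread or any poster): a Python hash baseline taken right after cleaning and diffed against a later snapshot. The web root and the changes made in demo() are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Relative path -> SHA-256 for every file below root (taken right after cleaning)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline

def compare_baselines(old, new):
    """Which files changed, appeared or vanished between two baselines."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def demo():
    """Constructed walk-through: baseline a tiny web root, alter it, re-baseline and diff."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("site1", "site2"):
            os.makedirs(os.path.join(root, sub))
        for rel in ("site1/index.html", "site1/about.html", "site2/index.html"):
            with open(os.path.join(root, rel), "w") as f:
                f.write("<html><body>clean page</body></html>\n")
        before = build_baseline(root)
        # Constructed changes standing in for a reinfection: two pages altered and
        # one look-alike file dropped next to the real one.
        for rel in ("site1/index.html", "site2/index.html"):
            with open(os.path.join(root, rel), "a") as f:
                f.write("<!-- constructed change -->\n")
        with open(os.path.join(root, "site1", "index1.html"), "w") as f:
            f.write("<html></html>\n")
        after = build_baseline(root)
        return compare_baselines(before, after)
```

Store the baseline off the server (an attacker who can replace system files can also edit a manifest kept on the box) and include the Windows system directory as well as the web roots.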
Question has a verified solution.