Solved

someone is injecting html code opening a hidden iframe and pointing a virus site on my web server

Posted on 2007-12-05
565 Views
Last Modified: 2013-12-04
I have a web server set to host about 75 web sites. It runs Windows Server 2003 and is fully up to date with patches etc. Someone dropped code into every HTML file on the server that redirected to a hidden iframe that was a virus-laden site. The original site does appear and the end user is largely unaware other than a brief delay; however, the virus exploits several apps like QuickTime, WinZip etc. We thought we found the issue (PHP vuln.), scripted out their changes and removed PHP, which was on the box but unused. The issue appeared again today, about a week after the first exploit. I have found a couple of somewhat similar issues on other forums without any real solutions being posed. Any assistance would be appreciated.
Question by:scsi
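A scanner for the kind of injection the question describes (a zero-sized or hidden iframe appended to every HTML file), added here as an example and not code from the original thread. It uses only the Python standard library; the sample markup, the `example.invalid` host and the file names in `demo_scan` are constructed for the demonstration.

```python
"""Scan HTML files for injected, visually hidden <iframe> elements.

Added example, not code from the original thread. Standard library only,
so it runs on any host with Python; sample markup and paths are constructed.
"""
import os
import re
import tempfile
from html.parser import HTMLParser

# A width/height of 0 (or 0px) makes the frame invisible to the visitor.
_ZERO_SIZE = re.compile(r"^\s*0+(px)?\s*$", re.I)
# Inline styles that hide the frame even when width/height look normal.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(width|height)\s*:\s*0+(px)?\b",
    re.I,
)


class _IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes; tolerant of broken markup."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_hidden_iframes(html):
    """Return a list of (src, reason) for iframes that are hidden from view."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        for dim in ("width", "height"):
            if dim in attrs and _ZERO_SIZE.match(attrs[dim]):
                reasons.append(f"{dim}={attrs[dim]!r}")
        if _HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("style hides frame")
        if reasons:
            findings.append((attrs.get("src", ""), "; ".join(reasons)))
    return findings


def scan_tree(root, extensions=(".html", ".htm", ".php", ".asp")):
    """Walk a web root and map file path -> hidden-iframe findings."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = find_hidden_iframes(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if findings:
                hits[path] = findings
    return hits


# Constructed samples: a normal page, and one with an injected zero-sized frame
# appended after </html>, which is where scripted mass edits usually drop it.
SAMPLE_CLEAN = ('<html><body><h1>Shop</h1>'
                '<iframe src="/help.html" width="400" height="300"></iframe>'
                '</body></html>')
SAMPLE_INJECTED = ('<html><body><h1>Shop</h1></body></html>'
                   '<iframe src="http://example.invalid/x.html" width="0" '
                   'height="0" style="visibility:hidden"></iframe>')


def demo_scan():
    """Write the two constructed samples to a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, doc in (("index.html", SAMPLE_CLEAN), ("about.htm", SAMPLE_INJECTED)):
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(doc)
        hits = scan_tree(root)
        return {os.path.basename(p): f for p, f in hits.items()}


if __name__ == "__main__":
    for path, findings in demo_scan().items():
        print(path, findings)
```

Run it against the real web root with `scan_tree(r"D:\inetpub")` (path assumed) and keep the list of hit files: it tells you which sites were touched and, from file modification times, when, which narrows the window to search in the IIS and security logs.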
3 Comments
 
LVL 5

Accepted Solution

by:
rjmedina earned 300 total points
ID: 20413897
There are a few ways they could be doing this.  First, they've found a new exploit that isn't public yet.  Second, they've simply figured out an FTP or administrator account name and password.  Third, you have an internal problem - one of your own or recently terminated is the source.  These are the most obvious, but there could be more.

If it's the first, all you can do is gather as much data as you can and submit it - however, usually those who submit are very savvy and already know the exact exploit.  If you don't know which exploit they're using it will be hard for you to report it.

However, it sounds like they've compromised one of your accounts and can gain access repeatedly to continue to make the changes.  Or they know the account name and even though you changed the password they were able to figure out the new password.  (Hence the week delay.)

I would try to figure out what account they are using and either delete/disable it or turn it against them.  However since they seem to have gained access to your system they probably know all of the account names and many passwords, so you might need to change all account names and passwords.

I would also suggest a honeypot.  If they are scripting their changes to your server then they'll most likely start at the top of the directory tree, so create a folder that is at the top of each directory tree.  If this folder or its contents are accessed, it will trigger events to lock the account out and notify whoever you specify.  Since they only seem to be attacking this one server, you won't be able to do a traditional isolated honeypot, but hopefully it will be enough to protect you.
(http://en.wikipedia.org/wiki/Honeypot_%28computing%29)

Hope this helps
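One way to build the tripwire folder the answer suggests, added as an example and not the answer author's own tooling: plant a folder that sorts first in every site's tree, record a hash baseline of the whole web root, and raise an alert the moment the canary or any page changes. The check generalises to any directory tree, so the same baseline can cover a system directory as well as the web root. The lockout/notification action is a caller-supplied callback; the `00_canary` folder name and the two sample sites in `demo` are constructed.

```python
"""Tripwire directories and a hash baseline for a multi-site web root.

Added example, not the answer author's tooling. Folder names and sample
sites are constructed; the alert action is left to a callback.
"""
import hashlib
import os
import tempfile

CANARY_DIR = "00_canary"   # sorts before real content (constructed name)
CANARY_FILE = "index.html"
CANARY_BODY = "<html><body>tripwire</body></html>"


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canary(site_root):
    """Create the tripwire folder and file at the top of one site's tree."""
    folder = os.path.join(site_root, CANARY_DIR)
    os.makedirs(folder, exist_ok=True)
    with open(os.path.join(folder, CANARY_FILE), "w", encoding="utf-8") as fh:
        fh.write(CANARY_BODY)
    return folder


def build_baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = _sha256(full)
    return baseline


def check_baseline(root, baseline):
    """Compare the tree with the baseline; return modified/added/removed sets."""
    current = build_baseline(root)
    modified = {p for p in baseline if p in current and current[p] != baseline[p]}
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    return {"modified": modified, "added": added, "removed": removed}


def check_canaries(root, baseline, on_alert):
    """Run the baseline check and call on_alert(kind, path) for each change.

    A touched canary is reported first and tagged separately: it means a
    scripted mass edit is in progress, so the caller's on_alert should
    disable the account doing it and page whoever is on call.
    """
    diff = check_baseline(root, baseline)
    alerts = []
    for kind, paths in diff.items():
        for p in sorted(paths):
            tag = "canary" if CANARY_DIR in p.split(os.sep) else kind
            alerts.append((tag, p))
    alerts.sort(key=lambda a: a[0] != "canary")  # canaries first, order kept otherwise
    for tag, p in alerts:
        on_alert(tag, p)
    return alerts


def demo():
    """Constructed scenario: two sites, one scripted mass edit on siteA."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("siteA", "siteB"):
            os.makedirs(os.path.join(root, site))
            with open(os.path.join(root, site, "index.html"), "w", encoding="utf-8") as fh:
                fh.write("<html><body>welcome</body></html>")
            plant_canary(os.path.join(root, site))
        baseline = build_baseline(root)
        # Simulate a script appending a frame to every .html file under siteA,
        # which hits the canary because it sorts first in the tree.
        for dirpath, _, files in os.walk(os.path.join(root, "siteA")):
            for name in files:
                if name.endswith(".html"):
                    with open(os.path.join(dirpath, name), "a", encoding="utf-8") as fh:
                        fh.write('<iframe src="http://example.invalid/" width="0" height="0"></iframe>')
        return check_canaries(root, baseline, lambda kind, p: print(kind, p))


if __name__ == "__main__":
    demo()
```

Keep the baseline off the server (the attacker has already shown they can edit files there) and run the check from a scheduled task on another machine, or at least from an account that the web and FTP accounts cannot write to.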
LVL 18

Assisted Solution

by:PowerIT
PowerIT earned 100 total points
ID: 20418063
I would add this: check your logs: 2k3 and firewall. If not enabled yet: enable as much auditing as possible and try to trace back.
You may need to clean the server again and then have it exploited again. Then take the giant puzzle of your logs and put it together.

J.
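A first pass over the logs PowerIT mentions, added as an example and not the answer author's own procedure: this parses an IIS 6 W3C extended log by its `#Fields:` header (so it works with whatever field set the server was logging), summarises activity per client IP, and flags requests to PHP/Perl/CGI handlers whose query string carries another URL or a path-traversal token, the two things a defender looks for first when a scripting engine is suspected as the entry point. The log excerpt is constructed, with documentation IP ranges and fictitious paths.

```python
"""Triage an IIS 6 W3C extended log for script requests that warrant a look.

Added example, not the answer author's procedure. The log excerpt is
constructed (documentation IP ranges, fictitious paths).
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

SCRIPT_EXT = (".php", ".pl", ".cgi")
# Indicators in a query aimed at a script handler: a second URL, or traversal.
_REMOTE_URL = re.compile(r"(?:https?|ftp)://", re.I)
_TRAVERSAL = re.compile(r"\.\./|\.\.\\|\x00")


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspicious(rec):
    """Return a reason string if the request looks like script abuse, else None."""
    stem = rec.get("cs-uri-stem", "").lower()
    if not stem.endswith(SCRIPT_EXT):
        return None
    query = unquote(rec.get("cs-uri-query", "-"))  # decode %xx before matching
    if _REMOTE_URL.search(query):
        return "URL passed to script handler"
    if _TRAVERSAL.search(query):
        return "path traversal token in query"
    return None


def triage(lines):
    """Summarise per-client activity and list suspicious requests."""
    per_client = Counter()
    script_hits = defaultdict(Counter)
    suspicious = []
    for rec in parse_w3c(lines):
        ip = rec.get("c-ip", "?")
        per_client[ip] += 1
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(SCRIPT_EXT):
            script_hits[ip][stem] += 1
        reason = is_suspicious(rec)
        if reason:
            suspicious.append((rec.get("date"), rec.get("time"), ip, stem, reason))
    return {"per_client": per_client, "script_hits": dict(script_hits), "suspicious": suspicious}


# Constructed IIS 6 log excerpt using the default W3C field set.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-12-05 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2007-12-05 00:01:02 10.0.0.5 GET /index.html - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2007-12-05 00:01:09 10.0.0.5 GET /shop/view.php id=12 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2007-12-05 00:03:41 10.0.0.5 GET /shop/view.php page=http://example.invalid/t.txt 80 - 198.51.100.23 libwww-perl/5.8 200 0 0
2007-12-05 00:03:42 10.0.0.5 GET /shop/view.php page=../../../secret.ini 80 - 198.51.100.23 libwww-perl/5.8 500 0 0
2007-12-05 00:05:00 10.0.0.5 GET /about.htm - 80 - 203.0.113.9 Mozilla/4.0 200 0 0
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["suspicious"]:
        print(*hit)
    for ip, count in result["per_client"].most_common():
        print(ip, count, dict(result["script_hits"].get(ip, {})))
```

Feed it the real files with `triage(open(path))` one log at a time, then pivot: the timestamps of flagged requests are what you line up against the file modification times of the injected pages and against the 2003 security log, which is only useful if object access and logon auditing were switched on before the next round.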

Author Comment

by:scsi
ID: 20636836
Thanks for the input guys. The issue has been resolved and I find very little out there about it, but here is the basic issue. We were running PHP and Perl on that box for a particular customer and a vuln. in them allowed the original injection. Once exposed, the GINA was replaced, along with many more of the system files, by similarly named files that were in fact a hack. This passed all system passwords back to a tracking server and allowed further exploit. We have dug through the trenches of the server and removed all traces and all seems well. Thanks again for the input!
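A triage aid for the "similarly named system files" the author describes, added as an example and not the thread author's tooling: it compares a directory listing against a list of genuine component names and flags names that are close to, but not identical with, a known one. The allow-list here is a small constructed set of real Windows names; the two lookalikes in `SAMPLE_LISTING` are invented for the demonstration. On a real host the expected list would come from a known-good install, and a name match is only a pointer for a hash comparison, never a verdict on its own.

```python
"""Flag files whose names nearly match a known system binary.

Added example, not the thread author's tooling. The allow-list is a small
constructed set of genuine Windows component names; the lookalike entries
in the sample listing are invented.
"""
import difflib
import os

# Constructed allow-list of genuine names; a real one is much longer.
KNOWN_NAMES = {"msgina.dll", "winlogon.exe", "lsass.exe", "svchost.exe", "userinit.exe"}


def _similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical, case-insensitively."""
    return difflib.SequenceMatcher(None, a.lower(), b.lower()).ratio()


def find_lookalikes(listing, known=KNOWN_NAMES, threshold=0.8):
    """Return (suspect, resembles, ratio) for names close to but not in the allow-list."""
    hits = []
    known_lower = {k.lower() for k in known}
    for name in listing:
        low = name.lower()
        if low in known_lower:
            continue  # exact match with a genuine name: hash-check it elsewhere
        best = max(known, key=lambda k: _similarity(low, k))
        ratio = _similarity(low, best)
        if ratio >= threshold:
            hits.append((name, best, round(ratio, 2)))
    return hits


def scan_directory(path, known=KNOWN_NAMES, threshold=0.8):
    """Apply find_lookalikes to the files actually present in a directory."""
    return find_lookalikes(os.listdir(path), known, threshold)


# Constructed listing: genuine names plus two invented lookalikes.
SAMPLE_LISTING = ["msgina.dll", "msgina32.dll", "winlogon.exe",
                  "svch0st.exe", "notepad.exe", "lsass.exe"]

if __name__ == "__main__":
    for suspect, resembles, ratio in find_lookalikes(SAMPLE_LISTING):
        print(f"{suspect} resembles {resembles} (ratio {ratio})")
```

The threshold of 0.8 catches a single inserted character or digit swap in a short name while leaving unrelated names such as `notepad.exe` alone; after this narrows the list, confirm each hit by hashing it and comparing against the vendor's file, and treat anything a rebuilt host would not contain as a reason to rebuild rather than clean.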