Solved

Someone is injecting HTML code opening a hidden iframe and pointing to a virus site on my web server

Posted on 2007-12-05
562 Views
Last Modified: 2013-12-04
I have a web server set up to host about 75 web sites. It runs Windows Server 2003 and is fully up to date with patches etc. Someone dropped code into every HTML file on the server that redirected to a hidden iframe pointing to a virus-laden site. The original site does appear, and the end user is largely unaware other than a brief delay; however, the virus exploits several apps like QuickTime, WinZip etc. We thought we found the issue (PHP vuln.), scripted out their changes and removed PHP, which was on the box but unused. The issue appeared again today, about a week after the first exploit. I have found a couple of somewhat similar issues on other forums without any real solutions being posed. Any assistance would be appreciated.
Question by: scsi
3 Comments

Accepted Solution

by: rjmedina (earned 300 total points)
ID: 20413897
There are a few ways they could be doing this. First, they've found a new exploit that isn't public yet. Second, they've simply figured out an FTP or administrator account name and password. Third, you have an internal problem - one of your own, or someone recently terminated, is the source. These are the most obvious, but there could be more.

If it's the first, all you can do is gather as much data as you can and submit it - however, usually those who submit are very savvy and already know the exact exploit. If you don't know which exploit they're using, it will be hard for you to report it.

However, it sounds like they've compromised one of your accounts and can gain access repeatedly to continue to make the changes. Or they know the account name and, even though you changed the password, they were able to figure out the new password (hence the week delay).

I would try to figure out what account they are using and either delete/disable it or turn it against them. However, since they seem to have gained access to your system they probably know all of the account names and many passwords, so you might need to change all account names and passwords.

I would also suggest a honeypot. If they are scripting their changes to your server then they'll most likely start at the top of the directory tree, so create a folder that is at the top of each directory tree. If this folder or its contents are accessed, it will trigger events to lock the account out and notify whoever you specify. Since they only seem to be attacking this one server, you won't be able to do a traditional isolated honeypot, but hopefully it will be enough to protect you.
(http://en.wikipedia.org/wiki/Honeypot_%28computing%29)

Hope this helps
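Added example (not code from this thread or from either poster): a Python script covering what the question and the accepted answer both need on a server like this. It scans every HTML/script file under the web roots for hidden iframes (0/1-pixel size, display:none or visibility:hidden), records a SHA-256 baseline so the next re-injection shows up as a list of changed files rather than a phone call from a customer, and plants a canary page at the top of each site folder in the spirit of rjmedina's honeypot suggestion, so a script that walks every tree trips it. The one-folder-per-site layout, the canary file name, the extension list and the iframe heuristic are assumptions; the demo builds a throwaway two-site tree in a temp directory and simulates the mass injection.

```python
"""Find hidden-iframe injections under a web root and catch re-injection with a hash baseline."""
import hashlib
import os
import re
import tempfile

# Heuristic for a "hidden" iframe: 0/1-pixel width or height, display:none, or visibility:hidden.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:"
    r"(?:width|height)\s*=\s*[\"']?[01](?:px)?[\"']?(?![\w%])"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r")[^>]*>",
    re.IGNORECASE | re.DOTALL,
)
WEB_EXTS = (".htm", ".html", ".shtml", ".asp", ".aspx", ".php", ".js")
CANARY = "_canary.html"  # assumed name; planted at the top of each site folder


def find_hidden_iframes(html):
    """Return every hidden-iframe tag in an HTML string (empty list if clean)."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(html)]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def web_files(root):
    """Yield (path relative to root with '/' separators, absolute path) for web content files."""
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith(WEB_EXTS):
                full = os.path.join(dirpath, name)
                yield os.path.relpath(full, root).replace(os.sep, "/"), full


def scan_for_injection(root):
    """Map relative path -> hidden iframe tags, for every file that contains at least one."""
    hits = {}
    for rel, full in web_files(root):
        with open(full, encoding="utf-8", errors="replace") as f:
            tags = find_hidden_iframes(f.read())
        if tags:
            hits[rel] = tags
    return hits


def build_baseline(root):
    """Relative path -> SHA-256 of every web file; keep a copy of this off the server."""
    return {rel: sha256_file(full) for rel, full in web_files(root)}


def diff_against_baseline(root, baseline):
    """Files added, removed or changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def plant_canaries(root):
    """Put a canary page at the top of each site folder; a scripted injection will touch it too."""
    for site in sorted(os.listdir(root)):
        site_dir = os.path.join(root, site)
        if os.path.isdir(site_dir):
            with open(os.path.join(site_dir, CANARY), "w", encoding="utf-8") as f:
                f.write("<html><body>canary</body></html>\n")


def tripped_canaries(diff):
    return [p for p in diff["modified"] + diff["removed"] if p.endswith("/" + CANARY)]


# Constructed injection resembling the pattern the question describes; not a real URL.
INJECT = ('<iframe src="http://malware.example.invalid/in.html" width=1 height=1 '
          'style="visibility:hidden"></iframe>')


def demo():
    """Build a throwaway two-site root, baseline it, simulate the mass injection, and report."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("site-a", "site-b"):
            os.makedirs(os.path.join(root, site, "about"))
            for rel in ("index.html", "about/team.html"):
                with open(os.path.join(root, site, rel), "w", encoding="utf-8") as f:
                    f.write("<html><body><h1>%s</h1></body></html>\n" % site)
        plant_canaries(root)
        baseline = build_baseline(root)
        before = scan_for_injection(root)
        for _, full in list(web_files(root)):  # the attacker's script: append to every file
            with open(full, "a", encoding="utf-8") as f:
                f.write(INJECT + "\n")
        diff = diff_against_baseline(root, baseline)
        return {
            "hits_before": len(before),
            "infected": sorted(scan_for_injection(root)),
            "modified": diff["modified"],
            "canaries": tripped_canaries(diff),
        }


if __name__ == "__main__":
    print(demo())
```

The script only detects a change after the fact. The lockout-on-access behaviour rjmedina describes needs Windows auditing: enable "Audit object access" in the local security policy and put an audit SACL on the canary folder so reads and writes land in the Security event log, then act on those events. Either way the baseline dictionary should be kept somewhere the attacker cannot edit, or it is only as trustworthy as the files it describes.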

Assisted Solution

by: PowerIT (earned 100 total points)
ID: 20418063
I would add this: check your logs, both 2k3 and firewall. If not enabled yet, enable as much auditing as possible and try to trace back.
You may need to clean the server again and then have it exploited again. Then take the giant puzzle of your logs and put it together.

J.
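Added example (not from the thread) of the log-puzzle step PowerIT describes, in Python over constructed IIS 6 FTP log lines in W3C extended format. It picks out the two things worth looking for first on a server where every site was rewritten at once: a single FTP session that creates files under many different site folders (a customer account never does that) and a burst of rejected logins for an account right before a success. The sample log, IP addresses and account names are constructed; the "[session]verb" shape of the cs-method column is how IIS 6 records FTP commands (assumed here), and the same parser reads the W3SVC web logs once you change the field names you key on.

```python
"""Pull attacker sessions out of an IIS 6 style W3C FTP log: mass uploads and password guessing."""
import re
from collections import defaultdict

# Constructed sample in the W3C extended format IIS 6 writes for its FTP service; not a real log.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-12-05 02:58:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-win32-status
2007-12-05 02:58:01 198.51.100.7 customer1 [1]USER customer1 331 0
2007-12-05 02:58:01 198.51.100.7 customer1 [1]PASS - 230 0
2007-12-05 02:58:09 198.51.100.7 customer1 [1]created /customer1/news.html 226 0
2007-12-05 02:58:20 198.51.100.7 customer1 [1]QUIT - 226 0
2007-12-05 03:11:40 203.0.113.5 administrator [2]USER administrator 331 0
2007-12-05 03:11:40 203.0.113.5 administrator [2]PASS - 530 1326
2007-12-05 03:11:41 203.0.113.5 administrator [3]USER administrator 331 0
2007-12-05 03:11:41 203.0.113.5 administrator [3]PASS - 530 1326
2007-12-05 03:11:43 203.0.113.5 administrator [4]USER administrator 331 0
2007-12-05 03:11:43 203.0.113.5 administrator [4]PASS - 530 1326
2007-12-05 03:11:52 203.0.113.5 administrator [5]USER administrator 331 0
2007-12-05 03:11:52 203.0.113.5 administrator [5]PASS - 230 0
2007-12-05 03:11:53 203.0.113.5 administrator [5]created /site1/index.html 226 0
2007-12-05 03:11:53 203.0.113.5 administrator [5]created /site2/index.html 226 0
2007-12-05 03:11:54 203.0.113.5 administrator [5]created /site3/default.htm 226 0
2007-12-05 03:11:54 203.0.113.5 administrator [5]created /site4/index.html 226 0
2007-12-05 03:11:55 203.0.113.5 administrator [5]QUIT - 226 0
"""

METHOD = re.compile(r"^\[(\d+)\](\w+)$")  # IIS FTP method column: [session]VERB


def parse_w3c(text):
    """Turn W3C extended log text into a list of dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def ftp_sessions(rows):
    """Group rows by (client IP, IIS FTP session number); adds 'session' and 'verb' keys."""
    sessions = defaultdict(list)
    for r in rows:
        m = METHOD.match(r.get("cs-method", ""))
        if m:
            ev = dict(r, session=int(m.group(1)), verb=m.group(2))
            sessions[(ev["c-ip"], ev["session"])].append(ev)
    return sessions


def mass_upload_sessions(rows, min_sites=3):
    """Sessions that created files under at least min_sites distinct top-level site folders."""
    findings = []
    for (ip, sid), events in ftp_sessions(rows).items():
        created = [e for e in events if e["verb"] == "created" and e["sc-status"].startswith("2")]
        sites = sorted({e["cs-uri-stem"].split("/")[1]
                        for e in created if e["cs-uri-stem"].count("/") >= 2})
        if len(sites) >= min_sites:
            findings.append({"ip": ip, "session": sid, "user": created[0]["cs-username"],
                             "sites": sites, "files": [e["cs-uri-stem"] for e in created]})
    return findings


def failed_logins(rows):
    """(client IP, account) -> number of rejected PASS commands (FTP reply 530)."""
    counts = defaultdict(int)
    for r in rows:
        m = METHOD.match(r.get("cs-method", ""))
        if m and m.group(2) == "PASS" and r["sc-status"] == "530":
            counts[(r["c-ip"], r["cs-username"])] += 1
    return dict(counts)


def timeline(rows, ip):
    """Everything one client did, in log order, for lining up against the Security event log."""
    return ["%s %s %s %s %s" % (r["date"], r["time"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
            for r in rows if r["c-ip"] == ip]


if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    for finding in mass_upload_sessions(rows):
        print("mass upload:", finding)
    print("failed logins:", failed_logins(rows))
```

On Windows Server 2003 the IIS logs live under %SystemRoot%\system32\LogFiles\MSFTPSVC1\ and W3SVC<n>\. Once a session and a time window fall out of this, the same minute in the Security event log (logon/logoff auditing on: 528/540 for successful logons, 529 for a bad password) tells you which Windows account the attacker was really holding, which is the question rjmedina's answer turns on.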
Author Comment

by: scsi
ID: 20636836
Thanks for the input, guys. The issue has been resolved, and I find very little out there about it, but here is the basic issue. We were running PHP and Perl on that box for a particular customer, and a vuln. in them allowed the original inject. Once exposed, the GINA was replaced, along with many more of the system files, with similarly named files that were in fact a hack. This passed all system passwords back to a tracking server and allowed further exploit. We have dug through the trenches of the server and removed all traces, and all seems well. Thanks again for the input!
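The closing comment mentions a replaced GINA and system files shadowed by similarly named copies. As an added example (not the author's tooling), here is a Python script for two checks that belong in that kind of cleanup: flagging file names an edit or two away from a critical Windows binary, flagging critical binaries found outside their real directory, and, on Windows only, reading the Winlogon GinaDLL registry value, which is absent on a default install and then means msgina.dll. The critical-name list, the expected directory and the sample listing are constructed assumptions; the registry key path is the real one for Windows 2003.

```python
"""Spot lookalike copies of critical Windows binaries and check which GINA Winlogon loads."""
import sys

# Assumed list of names worth guarding; msgina.dll is the GINA this thread is about.
CRITICAL = {"msgina.dll", "winlogon.exe", "lsass.exe", "csrss.exe", "svchost.exe",
            "services.exe", "userinit.exe", "explorer.exe", "smss.exe"}
EXPECTED_DIR = r"c:\windows\system32"  # assumed install root; explorer.exe lives one level up


def levenshtein(a, b):
    """Edit distance; 1 or 2 between two file names usually means one was built to look like the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(names, known=CRITICAL, max_distance=2):
    """(name, critical binary it imitates) for names close to a critical binary but not equal to it."""
    hits = []
    for name in names:
        low = name.lower()
        if low in known:
            continue
        for k in sorted(known):
            if levenshtein(low, k) <= max_distance:
                hits.append((name, k))
                break
    return sorted(hits)


def split_win(path):
    """Lower-cased (directory, file name) for a Windows path, independent of the host OS."""
    p = path.replace("/", "\\").lower().rstrip("\\")
    d, _, n = p.rpartition("\\")
    return d, n


def misplaced_copies(paths, known=CRITICAL, expected_dir=EXPECTED_DIR):
    """Critical binaries sitting somewhere other than their real directory (explorer.exe excepted)."""
    out = []
    for path in paths:
        d, n = split_win(path)
        if n in known and n != "explorer.exe" and d != expected_dir:
            out.append(path)
    return sorted(out)


def gina_dll():
    """Which GINA Winlogon will load; None when not running on Windows.
    No GinaDLL value means the default msgina.dll; any other DLL, or a path outside
    system32, is exactly the swap described in the thread."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "GinaDLL")
        return value
    except FileNotFoundError:
        return "msgina.dll (default; GinaDLL value not set)"
    finally:
        winreg.CloseKey(key)


# Constructed directory listing for the demo, not taken from the author's server.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\msgina.dll",
    r"C:\WINDOWS\system32\msginna.dll",
    r"C:\WINDOWS\system32\svch0st.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\kernel32.dll",
]


def review(paths=SAMPLE_LISTING):
    """Run all three checks over a listing (pass the real one from os.walk on the server)."""
    names = [split_win(p)[1] for p in paths]
    return {"lookalikes": lookalikes(names), "misplaced": misplaced_copies(paths), "gina": gina_dll()}


if __name__ == "__main__":
    print(review())
```

Name checks catch the crude cases and give you a short list to look at. The stronger test is a hash comparison against a clean install of the same service pack, and a host whose GINA was swapped is normally rebuilt from known-good media rather than cleaned in place, since the replaced GINA had every password typed at that console.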