Solved

.JS file being hacked

Posted on 2008-10-01
Last Modified: 2010-05-18
I have some .js files that reside on an IIS 6.0 Windows 2003 box; the files reside in a .js folder. The server has up-to-date A/V protection from Symantec, and the last full scans report no problems. The server resides behind a firewall with port 80 open and the rest locked down, and IIUSER only has read permission to this folder. However, some of these files get regularly hacked with a form of injection, i.e. document.write ('<iframe src='dodgy site from china'>'), which redirects users off to the dodgy site when the js is executed. The server is fully patched with all the latest security patches. Any help would be greatly appreciated.
Question by:longbloke69
22 Comments
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22612728
This normally happens as a result of input fields not properly being sanitized. Make sure whatever input fields you have are sanitised to only allow the type of data they are designed for and to parse special characters like &<>*(!@ correctly.
 

Author Comment

by:longbloke69
ID: 22612740
Thanks for this, but how through an input field could a user write to a .js file? I could understand for SQL, but how for .js?
 
LVL 5

Expert Comment

by:NutrientMS
ID: 22612739
Sorry, the common name for this is Cross Site Scripting and there is a lot of good information out there about it.

http://www.devshed.com/c/a/Security/A-Quick-Look-at-Cross-Site-Scripting/
 

Author Comment

by:longbloke69
ID: 22612764
Thanks, but this does not explain how the code is physically written to the .js file that resides on the server.
 
LVL 2

Expert Comment

by:devshb
ID: 22613208
Is the js file definitely being physically altered (i.e. the dodgy code being physically inserted into the raw js file), or is the js file more dynamic (e.g. treated like an asp file which has embedded javascript in it with bits that are created on the fly by vbscript)?

If it's physically altering it, perhaps you have some kind of admin tool/script which generates/maintains those js files (ie like a cms system), and the hacker is using a vulnerability in that to amend the file.

If your site uses a database for some aspects then it's worth scanning the database for injections, because it's possible that a hacker could have injected something into your other data which has then put a keylogger on your own pc so that they can, for example, get to find out your ftp login.

ie your physical js file change might just be the end-result/symptom of a higher-level/different hack.

If I were you, I'd make sure anyone with access to the server/database has up to date anti-virus definitions/software and do a full disk scan on their pc, then change all the ftp/database pwds, then scan/clean the database.

see also:
http://www.sqlinjectionscanner.com/
 

Author Comment

by:longbloke69
ID: 22613278
Hey devshb,
It is the file that is physically being altered, i.e. hardcoded into the raw js file. I will run a full security audit; however, ftp is blocked on the firewall apart from one IP address and the logs are not showing anything that could be regarded as malicious. The DBs are clean with no injects happening. Will update this when all changes have been made. Also note that when the changes are made varies from 12-24 hours....
Thanks
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22622617
So the problem is probably that you have write permission allowed on that directory or file in IIS. Please right click on the directory and go to properties and on the directory tab uncheck everything except for "Read".
If nothing else (except for log visits and index) is checked and you're having this problem then something funny is going on.
Also, do you have FTP access to this site? Do you manage it with FTP? If so, it is possible hackers sniffed your password since FTP doesn't encrypt login info. However, they'd probably do a lot more damage than that if this was the case.
 

Author Comment

by:longbloke69
ID: 22622809
There are no write permissions on this folder with IUSER account or any other user account apart from Administrator; everything is set to read only. I use FileZilla as my ftp server client on this and the logs are not showing anything malicious.......
 
LVL 2

Expert Comment

by:devshb
ID: 22622949
It seems to point to just 2 possibilities then, as far as I can see:

1) The hacker knows the logins and is manually uploading the file (perhaps a virus/keylogger is still on someone's pc who accesses the ftp, or there's a higher level password such as a hosting control panel pwd which a hacker has managed to get and which hasn't been changed yet, or a remote terminal login)
or
2) There's an as yet unfound virus on the server which is doing it
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22627440
I agree with devshb... Those have got to be the only 2.
BUT you said you use filezilla as your server client - do you mean that filezilla is running on your computer or on the server? Because if it's just on your computer then you're not seeing all the logs.
 

Author Comment

by:longbloke69
ID: 22632131
I am running FileZilla server on the server? make sense
 

Author Comment

by:longbloke69
ID: 22632171
Just thinking: on the same box is an instance of SQL, which has mixed authentication. Could a hack use the Windows authentication, which is also an admin account, to somehow write to the js directory? Just a thought.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22635738
Well, can you check the FTP logs on the server? That will give you an answer as to what's been going on. That's the most likely avenue of attack, although I don't know why they'd just mess with a JS file when they could take over the whole site (identity thieves maybe?).
While it's not usually a good idea to share SQL on the same box, this is not very likely at all. The default behaviour of SQL is to encrypt all authentication data.
 

Author Comment

by:longbloke69
ID: 22648618
There is nothing untoward in the ftp logs. I have downloaded Spybot and run this, and this does not throw anything up....
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653528
Again, you did check the SERVER logs (meaning the ones ON THE SERVER) and not the ones on your computer?
Cheers!
 

Author Comment

by:longbloke69
ID: 22653629
Yes, I mean the server logs.
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22653865
Hmmm... is the server hosted somewhere or is this your server?
If it is hosted on a shared server then it's possible someone else's account is getting hacked and your files are being affected.
If it IS hosted contact your provider and investigate further there.
Cheers!
 

Author Comment

by:longbloke69
ID: 22657505
It's on one of our many dedicated servers. I disabled FTP yesterday and the hack has come back again.....
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22660805
Fully dedicated - as in YOU have COMPLETE control over it? No VPS?
Either way - contact your host and see if they can detect anything.
Cheers!
 

Author Comment

by:longbloke69
ID: 22660910
I have total control over this... Interesting: I have just had a call from the head of security at a major US company who have just had the same problem and have identified the source and have found our IPs. They are experiencing the same problem with exactly the same inject, and they are working with major A/V software vendors on a patch... so it is looking like a new virus release which has hit us...
 
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22661340
You have a virus no doubt. And it looks as if your servers are spreading it.
Wow.
Best of luck to you although I have no idea how to fix it.
Let me know what happened!
Cheers!
 

Accepted Solution

by:
longbloke69 earned 0 total points
ID: 22739283
Reformatted the server and now no more hacks; only way to resolve.
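
An added example, not part of the original thread or any poster's code: a baseline-and-compare check for a folder of static .js files that also flags lines where document.write emits an <iframe>, the inject described in the question. The file names, file contents and the `injected.example` URL are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches document.write(...) calls that emit an <iframe>, the pattern quoted in the question.
INJECT_RE = re.compile(r"document\.write\s*\(\s*['\"][^)]*<iframe\b", re.IGNORECASE)


def snapshot(js_dir):
    """Map each .js file (relative path) to the SHA-256 of its bytes."""
    root = Path(js_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.js"))}


def audit(js_dir, baseline):
    """Compare the directory with a known-good baseline and scan for the inject."""
    root = Path(js_dir)
    current = snapshot(root)
    report = {
        "modified": sorted(f for f in current if f in baseline and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "injected": [],
    }
    for name in current:
        text = (root / name).read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if INJECT_RE.search(line):
                report["injected"].append((name, lineno))
    return report


def demo():
    """Constructed sample: two clean files, then one gets an appended iframe write."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "menu.js").write_text("function menu() { return 1; }\n")
        (root / "util.js").write_text("var x = document.write('<b>hi</b>');\n")
        baseline = snapshot(root)  # taken while the files are known good
        with open(root / "menu.js", "a") as fh:  # simulated tampering, placeholder URL
            fh.write("document.write('<iframe src=\"http://injected.example/\"></iframe>');\n")
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to, and pair the timestamp of each detected change with the logs for that window, since the thread reports the files changing again every 12-24 hours.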