Solved

malware attack on Windows 2008 server

Posted on 2013-06-02
Last Modified: 2013-07-23
Windows Server 2008, IIS 7.5

Hi friends. Your advice, please?

I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infections. The malware seems to have been placed on May 24 and 25, 2013, on more than one server.

The affected web sites have several points in common:

1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc. are not involved.
2) they use older (circa 2005 or 2006) JavaScript files
3) they are old! I built these a long time ago
4) .js files and .html files are changed
5) a possible common link is older Flash SWF files -- but that is not common to all sites

I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....

I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.

Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?

Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?

Just trying to get some context. Thank you.

Eric
Question by: Eric Bourland
Accepted Solution by: Andrej Pirman (ID: 39214795)
I know, it is a pain in the ass to close gaps in security, if your system is meant for public hosting.

First, regarding FTP, do not allow unsecure plain FTP! Force the FTP server to accept only explicit FTP over TLS, and ban users after 5 missed passwords. That will help a lot.

Second, patch your server with the latest updates. Some gaps will close just by patching.

Third, in IIS (if you use IIS for web sites) do NOT allow "parent paths", and explicitly do NOT allow directory browsing. OK, you may open parent paths for some web sites that need it, but generally no.

Then, you may use some good web vulnerability scanner, for example this great scanner from Acunetix: http://www.acunetix.com/vulnerability-scanner/
For some web sites it takes as much as 6 hours and more to scan, but the report is good, with explanations on how to close open security holes.

I have done all these a lot of times, because it is hard to be friendly to all kinds of users, but also be properly up to date with security patches and latest software versions. These servers are like babies - they need care all the time.

BTW... if you do not use generic programming languages, but only plain HTML, then most (if not all) security holes are within server security. Is WebDAV enabled? Get rid of it. Any open ports, except 21 and 80? Take care, close everything in the INBOUND direction if not needed explicitly.
Also one VERY IMPORTANT thing I almost forgot to mention is folder permissions. Does each web site use its own security credentials? Or are they all under the IUSR account? This might pose a huge risk.

Flash can be compromised, also JavaScript... OK, Flash is more vulnerable, but at the moment I don't have any advice on this.
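A defender-side script that applies the points in the accepted solution on IIS 7.5 / Windows Server 2008 R2: explicit FTP over TLS, no parent paths, no directory browsing, WebDAV removed, inbound default-deny on the firewall, and one application pool identity with read-only content permissions per site instead of a shared IUSR. This is an added example, not code from the thread or from either participant; the site names, admin IP and certificate step are placeholders, and it assumes an elevated session with the WebAdministration and ServerManager modules available.

```powershell
# Added example (not from the thread). Assumes IIS 7.5 on Windows Server 2008 R2,
# an elevated PowerShell session, and placeholder site names / admin IP below.
Import-Module WebAdministration
Import-Module ServerManager

$sites   = @('site1.example', 'site2.example')  # placeholder IIS site names
$adminIp = '203.0.113.10'                        # placeholder admin workstation IP
$appHost = 'MACHINE/WEBROOT/APPHOST'

# Lockout after failed FTP logons (denyByFailure) exists only in IIS 8+; on 7.5 the
# section is absent, the step is skipped, and failed logons must be watched in FTP logs.
try {
  Set-WebConfigurationProperty -PSPath $appHost -Name maxFailure -Value 5 `
    -Filter 'system.ftpServer/security/authentication/denyByFailure'
} catch { Write-Warning 'denyByFailure not available on this IIS version' }

foreach ($s in $sites) {
  $site = "IIS:\Sites\$s"
  # Explicit FTP over TLS on control and data channel (a server certificate must
  # already be bound to the FTP site for this to take effect).
  $ssl = "system.applicationHost/sites/site[@name='$s']/ftpServer/security/ssl"
  Set-WebConfigurationProperty -PSPath $appHost -Filter $ssl -Name controlChannelPolicy -Value 'SslRequire'
  Set-WebConfigurationProperty -PSPath $appHost -Filter $ssl -Name dataChannelPolicy    -Value 'SslRequire'

  # No parent paths (section exists only when classic ASP is installed) and no listing.
  try { Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/asp' -Name enableParentPaths -Value $false } catch {}
  Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false

  # One pool per site running as ApplicationPoolIdentity (4) rather than shared IUSR.
  if (-not (Test-Path "IIS:\AppPools\$s")) { New-WebAppPool -Name $s | Out-Null }
  Set-ItemProperty "IIS:\AppPools\$s" -Name processModel.identityType -Value 4
  Set-ItemProperty $site -Name applicationPool -Value $s
  # Empty userName = anonymous requests run as the pool identity, not IUSR.
  Set-WebConfigurationProperty -PSPath $appHost -Location $s -Name userName -Value '' `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'

  # Content is read-only for the pool identity; only SYSTEM and Administrators may write.
  $root = [Environment]::ExpandEnvironmentVariables((Get-Item $site).physicalPath)
  & icacls $root /inheritance:r /grant:r "IIS AppPool\${s}:(OI)(CI)RX" `
    /grant:r 'SYSTEM:(OI)(CI)F' /grant:r 'Administrators:(OI)(CI)F' | Out-Null
}

# WebDAV: remove the feature rather than merely disabling it.
Remove-WindowsFeature Web-DAV-Publishing | Out-Null

# Inbound default-deny; allow web, FTP control (the passive data port range configured
# under "FTP Firewall Support" needs its own rule) and RDP only from the admin IP.
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound' | Out-Null
netsh advfirewall firewall add rule name=Web-HTTP-HTTPS dir=in action=allow protocol=TCP 'localport=80,443' | Out-Null
netsh advfirewall firewall add rule name=FTP-Control-TLS dir=in action=allow protocol=TCP localport=21 | Out-Null
netsh advfirewall firewall add rule name=RDP-Admin-Only dir=in action=allow protocol=TCP localport=3389 "remoteip=$adminIp" | Out-Null
```

Run it once per server after taking a backup of applicationHost.config; the icacls step strips inherited ACLs from each site root, so check any site that legitimately needs a writable folder before applying it.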
Author Comment by: Eric Bourland (ID: 39215903)
Dear Lasby,

This is a great deal of very helpful advice. I am pretty sure I have covered most of what you have mentioned, but I am going to double-check everything. I will get back to you later today.

Thank you again. I hope your day is going well.

Best from Eric
Author Comment by: Eric Bourland (ID: 39216884)
Also, apologies -- I meant Labsy, not Lasby. Eric
Author Closing Comment by: Eric Bourland (ID: 39347715)
Labsy, thank you very much for this very useful reply.

Best from Eric
Expert Comment by: Andrej Pirman (ID: 39348881)
Glad I was helpful.
BTW... at one of my customers I found an infection which was written specially to steal CuteFTP login information. Check that your computer does not have one of these bad guyz!
Author Comment by: Eric Bourland (ID: 39348929)
Also, I apologize for being so tardy in closing this question. Life got really busy for a while.

I have done thorough scans of both of my work computers. I use FileZilla... I also take care to keep antimalware solutions updated.

Thanks again. Take care.

Eric