Solved

malware attack on Windows 2008 server

Posted on 2013-06-02
Last Modified: 2013-07-23
Windows Server 2008, IIS 7.5

Hi friends. Your advice, please?

I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infection. The malware seems to have been placed on May 24 and 25, 2013, on more than one server.

The affected web sites have several points in common:

1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc. are not involved.
2) they use older (circa 2005 or 2006) JavaScript
3) they are old! I built these a long time ago
4) .js files and .html files are changed
5) possible common link is older Flash SWF files -- but that is not common on all sites

I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....

I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.

Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?

Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?

Just trying to get some context. Thank you.

Eric
Question by:Eric Bourland
6 Comments
 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 2000 total points
ID: 39214795
I know, it is pain in the ass to close gaps in security, if your system is meant for public hosting.

First, regarding FTP, do not allow insecure plain FTP! Force the FTP server to accept only explicit FTP over TLS, and ban the user after 5 missed passwords. That will help a lot.

Second, patch your server with the latest updates. Some gaps will close just by patching.

Third, in IIS (if you use IIS for web sites) do NOT allow "parent paths", and explicitly do NOT allow directory browsing. Ok, you may open parent paths for some web sites that need it, but generally no.

Then, you may use some good web vulnerability scanner, for example this great scanner from Acunetix http://www.acunetix.com/vulnerability-scanner/
For some web sites it takes as much as 6 hours and more to scan, but the report is good, with explanations on how to close open security holes.

I have done all these a lot of times, because it is hard to be friendly to all kinds of users, but also be properly up to date with security patches and latest software versions. These servers are like babies - need care all the time.

BTW... if you do not use generic programming languages, but only plain HTML, then most (if not all) security holes are within server security. Is WebDAV enabled? Get rid of it. Any open ports, except 21, 80? Take care, close everything in the INBOUND direction, if not needed explicitly.
Also one VERY IMPORTANT thing I almost forgot to mention is folder permissions. Does each web site use its own security credentials? Or are they all under the IUSR account? This might pose a huge risk.

Flash can be compromised, also JavaScript....ok, Flash is more vulnerable, but at the moment I don't have any advice on this.
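One way to check the IIS points in the accepted answer across every site on the box (directory browsing, ASP parent paths, WebDAV, shared IUSR vs. per-site pool identity, FTP over TLS) and, at the same time, list which static files changed in the May 24-25 window the question describes. This is an added example, not code from the thread; it assumes IIS 7.5 on Windows Server 2008 R2 with the WebAdministration module, run from an elevated PowerShell prompt on the web server.

```powershell
# Added audit script, not from the original thread. Assumes IIS 7.5 on Windows Server 2008 R2
# with the WebAdministration module, run from an elevated PowerShell prompt on the web server.
Import-Module WebAdministration

# Window in which the question reports the static files were altered (24-25 May 2013).
$From = Get-Date '2013-05-24'
$To   = Get-Date '2013-05-26'

# Read one IIS configuration attribute; returns 'n/a' when the section is absent
# (for example when the WebDAV module is not installed, which is the state you want).
function Get-IisSetting {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    try {
        (Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name -ErrorAction Stop).Value
    } catch { 'n/a' }
}

foreach ($site in Get-Website) {
    $name = $site.Name
    $sitePath = "IIS:\Sites\$name"
    $poolIdentity = (Get-ItemProperty "IIS:\AppPools\$($site.applicationPool)" -Name processModel).identityType
    # An empty anonymous userName means requests run as the pool identity, not a shared IUSR.
    $anonUser = Get-IisSetting $sitePath 'system.webServer/security/authentication/anonymousAuthentication' 'userName'

    # Desired values: DirectoryBrowse False, AspParentPaths False, WebDavAuthoring False or n/a,
    # FtpControlSsl SslRequire (set the same for dataChannelPolicy) for sites that expose FTP.
    New-Object PSObject -Property @{
        Site            = $name
        AppPool         = $site.applicationPool
        PoolIdentity    = $poolIdentity
        AnonymousUser   = $(if ($anonUser) { $anonUser } else { '(pool identity)' })
        DirectoryBrowse = Get-IisSetting $sitePath 'system.webServer/directoryBrowse' 'enabled'
        AspParentPaths  = Get-IisSetting $sitePath 'system.webServer/asp' 'enableParentPaths'
        WebDavAuthoring = Get-IisSetting $sitePath 'system.webServer/webdav/authoring' 'enabled'
        FtpControlSsl   = Get-IisSetting 'MACHINE/WEBROOT/APPHOST' "system.applicationHost/sites/site[@name='$name']/ftpServer/security/ssl" 'controlChannelPolicy'
    }

    # Scope the intrusion: the file types named in the question, modified inside the window.
    # Timestamps can be reset by an intruder, so an empty result is a hint, not proof of a clean site.
    $root = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
    Get-ChildItem -Path $root -Recurse -Include *.html,*.htm,*.js,*.swf -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -lt $To } |
        Select-Object FullName, LastWriteTime, Length
}
```

Pipe the output to Export-Csv if you want a record per site to compare against after you change settings or clean files.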
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39215903
Dear Lasby,

This is a great deal of very helpful advice. I am pretty sure I have covered most of what you have mentioned but I am going to double-check everything. I will get back to you later today.

Thank you again. I hope your day is going well.

Best from Eric
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39216884
Also, apologies -- I meant Labsy, not Lasby. Eric
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 39347715
Labsy, thank you very much for this very useful reply.

best from Eric
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39348881
Glad I was helpful.
BTW... at one of my customers I found an infection which was written specially to steal CuteFTP login information. Check that your computer does not have one of these bad guys!
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39348929
Also, I apologize for being so tardy in closing this question. Life got really busy for a while.

I have done thorough scans of both of my work computers. I use Filezilla... I also take care to keep antimalware solutions updated.

Thanks again. Take care.

Eric