• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 445
  • Last Modified:

malware attack on Windows 2008 server

Windows Server 2008, IIS 7.5

Hi friends. Your advice, please?

I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infection. The malware seems to have been placed on May 24 and 25 2013. On more than one server.

 The affected web sites have several points in common:

 1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc are not involved.
 2) they use older (circa 2005 or 2006) javascripts
 3) they are old! I built these a long time ago
 4) .js files and .html files are changed
 5) possible common link is older Flash SWF files -- but that is not common on all sites

I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....

I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.

Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?

Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?

 Just trying to get some context. Thank you.

Eric Bourland
Eric Bourland
  • 4
  • 2
1 Solution
Andrej PirmanCommented:
I know, it is pain in the ass to close gaps in security, ifyour system is meant for public hosting.

First, regarding FTP, do not allow unsecure plain FTP! Force FTP server to accept only explicit FTP over TLS, and ban user aftr 5 missed passwords. That will help a lot.

Second, patch your server witl latest updates. Some gaps will close just by patching.

Third, in IIS (if you use IIS for web sites) do NOT allow "parent paths", and explicitelly do NOT allow directory browsingg. Ok, you may open parent paths for some web sites that need it, but generally no.

Then, you may use some good web vulnerability scanner, for example this great scanner from Accunetix http://www.acunetix.com/vulnerability-scanner/
For some web stes it takes as much as 6 hours and more to scan, but report is good, with explanations on how to close open security holes.

I have done all these a lot of times, because it is hard to be friendly to all kind of users, but also be properly up to date with security patches and latest software versions. These servers are like bebies - need care all the time.

BTW... if you do not use generic programming languages, but only plain HTML, then most (if not all) security holes are within server security. Is WebDav enabled? Get rid of it. Any open ports, except 21,80? Take care, close everything in INBOUND direction, if not needed explicitly.
Also one VERY IMPORTANT thing I almost forgot to mention is folder permissions. Do different web sites use each its own security credentials? Or are they all under IUSR account? This might pose a huge risk.

Flash can be compromised, also JavaScript....ok, Flash is more vulnerable, but at the moment I don't have any advice on this.
Eric BourlandAuthor Commented:
Dear Lasby,

This is a great deal of very helpful advice. I am pretty sure I have covered most of what you have mentioned but I am going to doublecheck everything. I will get back to you later today.

Thank you again. I hope your day is going well.

Best from Eric
Eric BourlandAuthor Commented:
Also, apologies -- I meant Labsy, not Lasby. Eric
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Eric BourlandAuthor Commented:
Labsy, thank you very much for this very useful reply.

best from Eric
Andrej PirmanCommented:
Glad I was helpful.
BTW... at one of customers I found an infection, which was written specially to steal CuteFTP login information. Check your computer to not have one of these bad guyz!
Eric BourlandAuthor Commented:
Also, I apologize for being so tardy in closing this question. Life got really busy for a while.

I have done thorough scans of both of my work computers. I use Filezilla... I also take care to keep antimalware solutions updated.

Thanks again. Take care.


Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now