Solved

malware attack on Windows 2008 server

Posted on 2013-06-02
6
440 Views
Last Modified: 2013-07-23
Windows Server 2008, IIS 7.5

Hi friends. Your advice, please?

I have spent the past few days urgently cleaning several older web sites on my server that were compromised by malware. A couple of other clients have come to me for help regarding similar malware infection. The malware seems to have been placed on May 24 and 25 2013. On more than one server.

The affected web sites have several points in common:

1) they are nondynamic, using static HTML files; ColdFusion, PHP, ASP, etc are not involved.
2) they use older (circa 2005 or 2006) JavaScript
3) they are old! I built these a long time ago
4) .js files and .html files are changed
5) possible common link is older Flash SWF files -- but that is not common on all sites

I have changed FTP passwords for affected sites. I have confirmed that only a couple of IP addresses can actually access the server via Remote Desktop Connection or FTP. So I am not sure how someone got in there and edited files. At least one client has been rather upset....

I am cleaning the HTML files and deleting the old .js and SWF files -- and doing what I can to replace these functions with modern HTML5, etc. Sites that I clean seem to stay clean so far.

Has anyone else heard of any recent (late May 24-25 2013) attacks that use .js or Flash as a vector?

Sites that I have cleaned have stayed clean so far. Do you have any ideas about how I can prevent further malware attacks?

Just trying to get some context. Thank you.

Eric
0
Question by:Eric Bourland
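An added example, not part of Eric's question or any reply, of the triage a responder would do here and a way to notice re-infection afterwards: list the static files last written in the 24-25 May 2013 window, then record a SHA-256 baseline of the cleaned sites and re-check it from a scheduled task. It assumes PowerShell 2.0 on the 2008 server and uses the placeholder paths D:\wwwroot and C:\admin\wwwroot-baseline.csv.

```powershell
# Added example (not from the thread). Placeholders: site root and baseline file below.
$WebRoot  = 'D:\wwwroot'                    # placeholder: parent folder of the static sites
$Baseline = 'C:\admin\wwwroot-baseline.csv' # placeholder: keep it outside the web root
$Exts     = '.html', '.htm', '.js', '.swf'  # the file types changed in this incident

function Get-StaticFiles {
    Get-ChildItem -Path $WebRoot -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Exts -contains $_.Extension.ToLower()) }
}

# 1) Triage: static files last written inside the window in which the infection appeared.
function Get-RecentlyModified {
    param([datetime]$From, [datetime]$To)   # $To is exclusive
    Get-StaticFiles | Where-Object { $_.LastWriteTime -ge $From -and $_.LastWriteTime -lt $To } |
        Select-Object FullName, LastWriteTime, Length
}

# SHA-256 through .NET so it also runs on PowerShell 2.0, which has no Get-FileHash.
function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

# 2) After cleaning, record a known-good baseline of every static file.
function New-Baseline {
    Get-StaticFiles | ForEach-Object {
        New-Object PSObject -Property @{ Path = $_.FullName; Hash = (Get-Sha256 $_.FullName) }
    } | Export-Csv -Path $Baseline -NoTypeInformation
}

# 3) Run from a scheduled task: report anything added, modified or deleted since the baseline.
function Test-Baseline {
    $known = @{}; $seen = @{}
    Import-Csv -Path $Baseline | ForEach-Object { $known[$_.Path] = $_.Hash }
    Get-StaticFiles | ForEach-Object {
        $seen[$_.FullName] = $true
        if (-not $known.ContainsKey($_.FullName))                 { "ADDED    $($_.FullName)" }
        elseif ($known[$_.FullName] -ne (Get-Sha256 $_.FullName)) { "MODIFIED $($_.FullName)" }
    }
    $known.Keys | Where-Object { -not $seen.ContainsKey($_) } | ForEach-Object { "DELETED  $_" }
}

# Window from the question: files touched on 24 and 25 May 2013.
Get-RecentlyModified -From (Get-Date '2013-05-24') -To (Get-Date '2013-05-26') | Format-Table -AutoSize
```

Run New-Baseline once after a site is cleaned, then schedule Test-Baseline; a MODIFIED or ADDED line on a static-only site is a change nobody should have made.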
6 Comments
 
LVL 18

Accepted Solution

by:
Andrej Pirman earned 500 total points
ID: 39214795
I know, it is a pain in the ass to close gaps in security, if your system is meant for public hosting.

First, regarding FTP, do not allow insecure plain FTP! Force the FTP server to accept only explicit FTP over TLS, and ban the user after 5 missed passwords. That will help a lot.

Second, patch your server with the latest updates. Some gaps will close just by patching.

Third, in IIS (if you use IIS for web sites) do NOT allow "parent paths", and explicitly do NOT allow directory browsing. Ok, you may open parent paths for some web sites that need it, but generally no.

Then, you may use some good web vulnerability scanner, for example this great scanner from Acunetix http://www.acunetix.com/vulnerability-scanner/
For some web sites it takes as much as 6 hours and more to scan, but the report is good, with explanations on how to close open security holes.

I have done all these a lot of times, because it is hard to be friendly to all kinds of users, but also be properly up to date with security patches and latest software versions. These servers are like babies - need care all the time.

BTW... if you do not use generic programming languages, but only plain HTML, then most (if not all) security holes are within server security. Is WebDAV enabled? Get rid of it. Any open ports, except 21, 80? Take care, close everything in the INBOUND direction, if not needed explicitly.
Also one VERY IMPORTANT thing I almost forgot to mention is folder permissions. Does each web site use its own security credentials? Or are they all under the IUSR account? This might pose a huge risk.

Flash can be compromised, also JavaScript... ok, Flash is more vulnerable, but at the moment I don't have any advice on this.
0
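An added example, not code from the thread, that applies the hardening steps in this answer on IIS 7.5 using the WebAdministration module and netsh: directory browsing, ASP parent paths and WebDAV authoring off, one application pool identity per site instead of a shared IUSR, explicit FTP over TLS on any site with an FTP binding, and an inbound-deny host firewall. $AdminIPs, $FtpCertThumbprint and the binding check are assumptions, and the five-failed-logins lockout is not covered; run it from an elevated prompt.

```powershell
# Added example, not from the thread: applies this answer's IIS 7.5 hardening steps.
# Assumes the WebAdministration module (Server 2008 R2 / IIS 7.5) and an elevated prompt.
Import-Module WebAdministration
$AdminIPs          = '203.0.113.10,203.0.113.11'          # placeholder: your management addresses
$FtpCertThumbprint = 'REPLACE-WITH-SERVER-CERT-THUMBPRINT' # placeholder: certificate used for FTPS
$AppHost           = 'MACHINE/WEBROOT/APPHOST'

# Server-wide defaults: no directory listing, no ASP parent paths, no WebDAV authoring.
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/directoryBrowse' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/asp' -Name enableParentPaths -Value $false
# The webdav section only exists when the WebDAV module is installed, hence the error suppression.
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/webdav/authoring' -Name enabled -Value $false -ErrorAction SilentlyContinue

foreach ($site in Get-Website) {
    $name = $site.Name
    # One application pool per site, running as its own virtual account rather than a shared IUSR.
    if (-not (Test-Path "IIS:\AppPools\$name")) { New-WebAppPool -Name $name | Out-Null }
    Set-ItemProperty "IIS:\AppPools\$name" -Name processModel.identityType -Value 'ApplicationPoolIdentity'
    Set-ItemProperty "IIS:\Sites\$name" -Name applicationPool -Value $name
    # An empty userName makes anonymous requests run as the pool identity, so NTFS ACLs can differ per site.
    Set-WebConfigurationProperty -PSPath "IIS:\Sites\$name" -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name userName -Value ''

    # If the site also has an FTP binding, require TLS on both the control and the data channel.
    if ($site.Bindings.Collection | Where-Object { $_.protocol -eq 'ftp' }) {
        Set-ItemProperty "IIS:\Sites\$name" -Name ftpServer.security.ssl.serverCertHash      -Value $FtpCertThumbprint
        Set-ItemProperty "IIS:\Sites\$name" -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslRequire'
        Set-ItemProperty "IIS:\Sites\$name" -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslRequire'
    }
}

# Host firewall: drop all unsolicited inbound, then allow only web traffic to everyone and
# FTP control / RDP from the management addresses.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
netsh advfirewall firewall add rule name="Web HTTP"       dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS"      dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="FTPS admin only" dir=in action=allow protocol=TCP localport=21   remoteip=$AdminIPs
netsh advfirewall firewall add rule name="RDP admin only"  dir=in action=allow protocol=TCP localport=3389 remoteip=$AdminIPs
# FTPS data channel: also allow the FTP server's configured passive port range to the same admin IPs.
```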
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39215903
Dear Lasby,

This is a great deal of very helpful advice. I am pretty sure I have covered most of what you have mentioned but I am going to double-check everything. I will get back to you later today.

Thank you again. I hope your day is going well.

Best from Eric
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39216884
Also, apologies -- I meant Labsy, not Lasby. Eric
0
 
LVL 3

Author Closing Comment

by:Eric Bourland
ID: 39347715
Labsy, thank you very much for this very useful reply.

best from Eric
0
 
LVL 18

Expert Comment

by:Andrej Pirman
ID: 39348881
Glad I was helpful.
BTW... at one of my customers I found an infection, which was written specially to steal CuteFTP login information. Check that your computer does not have one of these bad guys!
0
 
LVL 3

Author Comment

by:Eric Bourland
ID: 39348929
Also, I apologize for being so tardy in closing this question. Life got really busy for a while.

I have done thorough scans of both of my work computers. I use FileZilla... I also take care to keep antimalware solutions updated.

Thanks again. Take care.

Eric
0