Website hit with tejary.net virus

#1  04-13-2009, 09:48 AM
reddem0n
Aspiring Evangelist
Join Date: Feb 2004
Posts: 364


Hello All,

I've been trying to scour the internet trying to find out more information about this worm, but all I find are millions of sites that are infected with it.

If anyone has any information on this virus h**p://tejary.net/h.js

It looks like it has overwritten everything in the database, or most of everything; it seems like a type of SQL injection script.

Please advise, we have just been infected overnight.

__________________
“Intelligence is not to make no mistakes, but quickly to see how to make them good.” - Bertolt Brecht



#2  04-13-2009, 10:15 AM
reddem0n
Aspiring Evangelist
Join Date: Feb 2004
Posts: 364
Never mind, disregard the above message.

__________________
“Intelligence is not to make no mistakes, but quickly to see how to make them good.” - Bertolt Brecht

#3  04-14-2009, 04:55 AM
prashant1979
Eternal Learner
Join Date: Jul 2007
Posts: 1,972
I am facing the same problem. Did you get a solution for this?

__________________
Prashant T.

Don't run after Success. Run after Excellence and Success will soon follow.

#4  04-15-2009, 07:33 AM
WeWatch
Junior Guru
Join Date: Oct 2008
Location: Chicago, IL
Posts: 182
It's a SQL injection. A Google search shows over 45,000 entries so it is a mass attack.

It's currently hitting ColdFusion and ASP based sites mostly. Restore the database from a known good point and filter all data input.

__________________
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!

#5  04-15-2009, 10:22 AM
prashant1979
Eternal Learner
Join Date: Jul 2007
Posts: 1,972
Recently a few of my customer websites have been infected with the same. Is there a way to prevent it?

__________________
Prashant T.

Don't run after Success. Run after Excellence and Success will soon follow.

#6  04-15-2009, 11:16 AM
WeWatch
Junior Guru
Join Date: Oct 2008
Location: Chicago, IL
Posts: 182
Yes. But upon further detailed analysis, we believe it's a SQL injection. We've reviewed a number of the sites and have found the script is placed in too many seemingly random spots in the HTML to be a SQL injection attack.

It does occur most frequently in .asp, .aspx and .cfm sites.

Would you care to provide one of the websites so we can perform a vulnerability scan?

Many of the sites that show up in Google when searching for tejary.net/h.js have the "This site may harm your computer" label, so I would think people would want to get their sites secure fairly quickly.

Let me know or PM me.

Thank you.

__________________
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!

#7  04-15-2009, 11:24 AM
prashant1979
Eternal Learner
Join Date: Jul 2007
Posts: 1,972
I have seen a few websites designed in pure html being injected with this virus.

__________________
Prashant T.

Don't run after Success. Run after Excellence and Success will soon follow.

#8  04-15-2009, 11:02 PM
GOT
WHT Addict
Join Date: Jun 2002
Location: Portsmouth, VA
Posts: 161
We fought this on a CF server for a long time. In our case, they were coming in on a ColdFusion-based forum system. We firewalled the IPs the attack was coming from and disabled the forum. It took us five days to track all this down.

Since disabling the forum and firewalling, they have not gotten back in.

__________________
---
Jon Berry
Proactive Server Management
http://www.got-management.com

#9  04-16-2009, 01:27 AM
nickgl
New Member
Join Date: Apr 2009
Posts: 1
We have seen this recently as well. In our case, the person who set up the server didn't know what they were doing.

The attack came from the following IP address:
61.236.71.195

If it's the same in your case, you can search your weblogs on that IP and you may be able to see what they are up to.

The attacker was able to upload a file to the web server through a compromised FTP account or possibly through a poorly coded file upload feature. The file was named tuckt.cfm.

They were able to run the file through a web browser using the cfexecute tag to open a command prompt into the server. So, if you are on a CF oriented server, make sure to disable cfexecute. You may want to also change all your FTP passwords and use an FTP server like FileZilla where you can ban IPs that fail too many login attempts. You may also need to make sure that certain file types can't be uploaded from a web site (such as through an image upload feature).

While you are locating the hole, another thing that you can do to contain this is to use software like FusionReactor to set up content filters that will remove the harmful URLs before they get to the browser.

This is happening on ASP and PHP sites as well, but I can't give you as much info about those scenarios.

#10  04-16-2009, 05:06 AM
prashant1979
Eternal Learner
Join Date: Jul 2007
Posts: 1,972
In my case, it was HTML websites as well as ASP and ASP.NET websites that were infected. From my findings, it seems to be done through MPack. But I am not able to trace the origin of the attack from any log. I also have scanned the server with NOD32 antivirus, but it could not find any virus/trojan on the server.

__________________
Prashant T.

Don't run after Success. Run after Excellence and Success will soon follow.

#11  04-16-2009, 08:32 AM
WeWatch
Junior Guru
Join Date: Oct 2008
Location: Chicago, IL
Posts: 182
Rarely will you find a virus or trojan on the webserver. They don't want you to know how they got in.

The infectious file will reside on their server. All you'll find on your server is the modified html/cfm/asp/php code which pulls the infectious file down from their server onto the PC of a visitor to your site.

__________________
Thomas J. Raef
WeWatchYourWebsite - so you don't have to!

#12  07-02-2009, 09:26 PM
reddem0n
Aspiring Evangelist
Join Date: Feb 2004
Posts: 364
Our only way of resolving this issue was using cfparams instead of the old cfqueries. We haven't seen any attack since. Has anyone else been able to find any other fixes for this?

__________________
“Intelligence is not to make no mistakes, but quickly to see how to make them good.” - Bertolt Brecht

#13  07-03-2009, 02:47 AM
prashant1979
Eternal Learner
Join Date: Jul 2007
Posts: 1,972
What are cfparams and cfqueries? Are they related to ColdFusion?

__________________
Prashant T.

Don't run after Success. Run after Excellence and Success will soon follow.

#14  07-03-2009, 10:52 AM
reddem0n
Aspiring Evangelist
Join Date: Feb 2004
Posts: 364
Yes, they are related to ColdFusion MSSQL database queries. Basically it limits anything suspicious from passing into any forms on our site.

__________________
“Intelligence is not to make no mistakes, but quickly to see how to make them good.” - Bertolt Brecht

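The remedy posts #12 and #14 describe, replacing queries that paste request values into the SQL text with parameterized ColdFusion queries (the cfqueryparam tag), shown as an added example that is not code from any poster in this thread. The data source name, the news table and its columns, and the url/form variable names are hypothetical; the triage query at the end looks for the script host quoted in the thread.

```cfml
<!--- Added example, not from the thread. Assumes a hypothetical datasource
      "siteDSN" and a "news" table with integer id, title and body columns. --->

<!--- BEFORE: the "old cfquery" style. url.id is pasted straight into the
      SQL text, so a crafted id value becomes part of the statement. A mass
      SQL injection worm that appends a <script> tag to every text column
      relies on exactly this kind of hole. --->
<cfquery name="getArticle" datasource="siteDSN">
    SELECT id, title, body
    FROM   news
    WHERE  id = #url.id#
</cfquery>

<!--- AFTER: same query with cfqueryparam. The value is sent to the database
      as a typed bind parameter, never spliced into the SQL text, so database
      content cannot be rewritten through this input. cfsqltype also makes
      ColdFusion reject non-numeric input before the query runs. --->
<cfquery name="getArticle" datasource="siteDSN">
    SELECT id, title, body
    FROM   news
    WHERE  id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- String inputs get the same treatment; maxlength caps what is bound.
      The LIKE wildcards are added to the bound value, not to the SQL. --->
<cfquery name="searchArticles" datasource="siteDSN">
    SELECT id, title
    FROM   news
    WHERE  title LIKE <cfqueryparam value="%#form.q#%"
                                    cfsqltype="cf_sql_varchar"
                                    maxlength="100">
</cfquery>

<!--- Triage check after restoring the database: count rows that still
      carry a reference to the injected script host named in the thread. --->
<cfquery name="stillInfected" datasource="siteDSN">
    SELECT COUNT(*) AS n
    FROM   news
    WHERE  body LIKE <cfqueryparam value="%tejary.net/h.js%"
                                   cfsqltype="cf_sql_varchar">
</cfquery>
<cfif stillInfected.n GT 0>
    <cfoutput>#stillInfected.n# rows still contain the injected script.</cfoutput>
</cfif>
```

Parameterizing every cfquery closes the injection path; restoring from a clean backup and the post-restore count above confirm that no modified rows survive.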