July 14, 2011
From: John Aldrich
------------------------------------------------------
I've done two website "malware" scans. One found no vulnerabilities, a
different service found some hostile Javascripts. The one that found the
hostile javascript is, of course, trying to sell their monitoring and
cleaning service, which makes me more than a little suspicious. Does anyone
know of a good service that is, preferably, free to scan your website for
malware/hostile apps? The free service that didn't find anything is
qualys.com. The site that found the hostile javascript is
http://sitecheck.sucuri.net. As I say, they offer a cleaning and monitoring
service, for a small fee, of course. :D
===============================================================
From: Sean Brewer
------------------------------------------------------
Did you verify that the javascript was actually hostile? I tried that sucuri
site check and it thought that one of my client projects was running IIS 6 on
Ubuntu, so...yeah.

On Thu, Jul 14, 2011 at 9:57 AM, John Aldrich wrote:
===============================================================
From: John Aldrich
------------------------------------------------------
Umm... JSand 1.2.3 is what comes up. And yes, it was hostile.... I'll email
you the script directly if you want to take a look at it. Basically there was
some stuff added to the bottom of every Javascript file on the website on
7/10/11 that "broke" the website until I republished it using the CMS that
3HD/Neathawk Dubuqe & Puckett created for the site. That at least got it up
and running, but if you went to the website in IE, it tried to download
something to your computer. Only in IE, though for some strange reason. Not in
Firefox or Chrome.
===============================================================
From: Aaron Welch
------------------------------------------------------
Hosted on IIS?

-AW
===============================================================
From: Dave Brockman
------------------------------------------------------
You never used javascript to identify which browser a user visited your site
with? Ever do any web dev at all? Check the obvious things (.htaccess) and
your /tmp directory....

Regards, dtb
===============================================================
From: James Nylen
------------------------------------------------------
I'll bet you $100 it was hosted on IIS
===============================================================
From: John Aldrich
------------------------------------------------------
Yep. The site was designed by 3HD.
===============================================================
From: cynicalgeek@gmail.com
------------------------------------------------------
I think the question that Aaron is asking is... Were you running a Microsoft
webserver on a Ubuntu OS?????

Sent from my iPhone
===============================================================
From: John Aldrich
------------------------------------------------------
If the ADDED jscript is not hostile, why does Kaspersky list it as a "trojan
downloader" and when I remove that particular section of javascript the
website malware scanner that was complaining stops complaining? Also, the
original web designer took a look at it and said it was hostile. Tell ya what,
Dave... I'll send you the offending jscript code. Load it into your website
and see what happens.
===============================================================
From: Stephen Haywood
------------------------------------------------------
If you have code on your site that is downloading anything and you didn't put
it there then I would consider it hostile and determine how it was put there.
Is there an SQLi or XSS vulnerability on the site or did someone upload it
using stolen credentials? It is very common for attackers to put malicious
code on legitimate Web sites using one of those methods.
===============================================================
From: Dave Brockman
------------------------------------------------------
I'll repeat the question for you.... Did you ever use javascript to identify
which browser a user visited your site with, and then custom-tailor your code
depending on those results? That was in direct reply to your comment regarding
some subset of browsers *not* being affected. It could also be an exploit that
doesn't affect the browsers that don't attempt a download. Nowhere there did I
question the hostility or non-hostility of the code I haven't seen.

I also tried to point out some uber obvious places to look (which I'm confused
about, because apparently you are hosting IIS on Ubuntu...) if you are hosting
on a *nix box. Additions (or creation) of .htaccess files are one way of
injecting a script/code into every script of an existing site. /tmp is usually
writable by your apache user, and is often a dumping place for things included
via .htaccess.

I appreciate the gift you sent and all, but I'm not at all the least bit
curious which fakeAV virus your site was hacked into redirecting visitors to.
Chances are, if Kaspersky flags it, the domain(s) it touches will be benign
within a day or two if not already. Not fixing the security hole that allowed
the upload and not finding the method it was injected just leaves the
opportunity for future hacking with updated domain names.

Regards, dtb
===============================================================
From: Sean Brewer
------------------------------------------------------
No.

I ran that sucuri scanner on one of my projects and the scanner thought that
my project was being hosted on IIS in Ubuntu. Ubuntu yes. IIS, definitely not.
===============================================================
From: John Aldrich
------------------------------------------------------
Sorry... misunderstood your response. I have done what I can at this point.
The virtual server is a MICROSOFT WINDOWS server running IIS. I have had
VPNtranet lock down FTP so that it can only be accessed from Blueridge's
external IP. Not being a web guy, I'm not sure what more I can do. I did also
change the editor password for the marketing guy who just left a few weeks
ago, on the off-chance that his credentials were somehow stolen or something.
The guys from 3HD said that there had been a lot of attempts to FTP into the
server, but didn't say whether any had been successful.
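Two checks that follow from the thread, as an added example and not code from any poster: John's symptom (the same block appended to the bottom of every Javascript file) shows up as one final line shared by many .js files, and Dave's pointer (.htaccess additions pulling a /tmp file into every script) shows up as an auto_prepend_file/auto_append_file directive. The sample webroot, file names, and the /tmp/.cache.php target are constructed for the demonstration.

```python
import os, re, tempfile
from collections import Counter

# Apache directives that pull an extra file into every PHP script: the
# .htaccess-plus-/tmp combination Dave points at in the thread.
HTACCESS_RE = re.compile(
    r"^\s*php_value\s+auto_(?:prepend|append)_file\s+(\S+)", re.I | re.M)

def last_line(data):
    """Last non-empty line of a file's bytes, or b'' for an empty file."""
    lines = data.rstrip().splitlines()
    return lines[-1].strip() if lines else b""

def shared_js_tail(webroot, min_files=2):
    """Most common final line across .js files as (line, count); None below min_files."""
    tails = Counter()
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if name.lower().endswith(".js"):
                with open(os.path.join(dirpath, name), "rb") as fh:
                    tails[last_line(fh.read())] += 1
    if not tails:
        return None
    line, count = tails.most_common(1)[0]
    # Unrelated scripts rarely end on an identical line; an appended block does.
    return (line, count) if count >= min_files else None

def suspicious_htaccess(webroot):
    """(path, target) for each .htaccess that prepends or appends a file."""
    hits = []
    for dirpath, _, names in os.walk(webroot):
        if ".htaccess" in names:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits += [(path, m.group(1)) for m in HTACCESS_RE.finditer(fh.read())]
    return hits

def build_sample_webroot():
    """Constructed sample: 3 .js files sharing an appended line, 1 clean, 1 .htaccess."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "js"))
    appended = b"\n;(function(){/* constructed appended block */})();\n"
    for i in range(3):
        with open(os.path.join(root, "js", f"page{i}.js"), "wb") as fh:
            fh.write(b"function f%d(){return %d;}\n" % (i, i) + appended)
    with open(os.path.join(root, "js", "clean.js"), "wb") as fh:
        fh.write(b"function g(){return 42;}\n")
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("php_value auto_append_file /tmp/.cache.php\n")
    return root
```

Run both checks against a real webroot by passing its path instead of build_sample_webroot(); a hit from either is a reason to diff the files against a known-good copy and to look for how they were written (FTP logs, CMS editor accounts).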