Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1 (permalink) 03-02-2009, 10:04 AM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Happy Monday morning: Site is listed as suspicious

Hmmm, what a nice way to start a week! I just got a message from the Google Safe Browsing team that one of my websites is listed as being suspicious. Here is the report. I just spent some time on it trying to figure out what's wrong but can't find anything. In the past we had a similar issue due to a SQL Injection attack but the db looks all right.
The report says "1 page(s) resulted in malicious software being downloaded and installed without user consent".

Does anybody know of a tool I could use to track down this issue? Before requesting a review I'd like to make sure I didn't miss anything.
__________________
jean-luc
www.corobori.com

#2 (permalink) 03-02-2009, 11:38 AM
Dubbya (WebProWorld 1,000+ Club, WebProWorld MVP; Join Date: Nov 2006; Location: Steinbach, Manitoba, Canada; Posts: 1,300)
Re: Happy Monday morning: Site is listed as suspicious

Your site has been compromised.

Someone has placed a javascript at the top of your home page (and possibly other pages) that attempts to run a trojan virus.

The javascript attempts to open an iframe from another site. By saving the javascript with the ".gif" file extension, it relies on the browser to run the script automatically.

You'll need to make sure that your site is secured. To start with, change your login and password as soon as possible.

Search for any and all instances of the following code then delete it.


Code:
es/img/ken.gif></script>
Check your server logs. They may provide an IP address that you can pass along to your Server Administrator or host.

#3 (permalink) 03-02-2009, 02:06 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Thanks for your help.

Searching for where this ken.gif thing is. I haven't found it yet. At least it is not in the db, nor in the main pages.

How did you first see the issue without putting your PC at risk?
__________________
jean-luc
www.corobori.com

Last edited by Corobori; 03-02-2009 at 02:53 PM.

#4 (permalink) 03-02-2009, 03:30 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

We searched the complete website: no ken.gif. We searched the db: no ken.gif!
__________________
jean-luc
www.corobori.com

#5 (permalink) 03-02-2009, 03:58 PM
Dubbya (WebProWorld 1,000+ Club, WebProWorld MVP; Join Date: Nov 2006; Location: Steinbach, Manitoba, Canada; Posts: 1,300)
Re: Happy Monday morning: Site is listed as suspicious

You can open the site in Windows Notepad to see the code and to prevent it from executing in a browser window.

DO NOT OPEN THIS LINK IN A BROWSER! USE NOTEPAD
Here's how:
  1. Click "Start" then "All Programs"
  2. Click "Accessories" then "Notepad"
  3. Click "File/Open"
  4. In the "File name" box enter "http://www.aryan"
  5. Now enter ".es/img/ken.gif" (after "aryan" and without quotes)
  6. Under "Files of Type" select "All Files"
  7. Click "Okay"

This explains how the user's machine gets infected but not how the hacker gained access to your server.

Check your permissions and ask for help from your host. They may be able to help you in tracking down the problem.

If you have one, I'd check your .htaccess file for a mod rewrite that points the user to the malicious code. Check your server for "response.redirect" code as well.
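
An added example, not written by any poster in this thread: once page source has been saved as text (as with the Notepad steps above), this Python script lists every `<script src>` that is off-site or does not end in `.js`, and reports how often such a tag appears across several saved copies of the same page. The host names, file names and sample pages are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumption: the site's own scripts are served from its own host as .js files.
SCRIPT_EXTS = {".js"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag; nothing is fetched or executed."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def suspicious_scripts(html, site_host):
    """Return script URLs that are off-site or lack a script file extension."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    flagged = []
    for src in parser.sources:
        url = urlparse(src)
        host = (url.hostname or site_host).lower()  # relative src => own host
        ext = posixpath.splitext(url.path)[1].lower()
        if host != site_host.lower() or ext not in SCRIPT_EXTS:
            flagged.append(src)
    return flagged

def injection_rate(responses, site_host):
    """Fraction of saved copies that carry at least one flagged script tag."""
    hits = [body for body in responses if suspicious_scripts(body, site_host)]
    return len(hits) / len(responses)

# Constructed sample: three saved copies of one page; the second has an
# unquoted script tag prepended before the document starts.
CLEAN = '<html><head><script src="/js/menu.js"></script></head><body>Hi</body></html>'
INJECTED = "<script src=http://files.example.test/img/pic.gif></script>" + CLEAN
SAMPLES = [CLEAN, INJECTED, CLEAN]

if __name__ == "__main__":
    for number, body in enumerate(SAMPLES, 1):
        print(number, suspicious_scripts(body, "www.example.test"))
    print("rate:", injection_rate(SAMPLES, "www.example.test"))
```

Saving many copies matters when the tag is only present on some loads: a single clean copy proves nothing.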

#6 (permalink) 03-02-2009, 04:31 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Thanks for the tip.

Indeed I could see the script! As you said, it doesn't say how it's coming to my website. I contacted my hosting company but they couldn't help much so far; it's an IIS host, by the way.

I also contacted Aryan.es support.

I am downloading the IIS log. Anything in particular I should search for?
__________________
jean-luc
www.corobori.com

#7 (permalink) 03-02-2009, 06:19 PM
Dubbya (WebProWorld 1,000+ Club, WebProWorld MVP; Join Date: Nov 2006; Location: Steinbach, Manitoba, Canada; Posts: 1,300)
Re: Happy Monday morning: Site is listed as suspicious

It appears that you are the victim of a cross site scripting attack. Specifically a "SQL injection attack". The hacker just types in a block of code then hits a form submit button to put it into your database. When the database next executes the page, it loads the code and you're done.

Check your database for the following (minus the quotes):

"script"
"update"
"insert"

Most forums and many other sites that rely on databases use a bit of code to parse code from submitted input.

You might also check for any pages that allow users to upload html tags, and apply any available security updates that will sanitize user input fields prior to writing them to the DB.

Here are some resources that might prove helpful:

SQL Injection Attacks by Example
SQL Injection - Use a SQL Injection Scanner to Fix It
hackademix.net » Mass Attack FAQ
How To: Protect From SQL Injection in ASP.NET

Here's a good read that has tons of resource links:
Sql Injection virus problem.

Good Luck!
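
For the IIS log question raised earlier in the thread, an added example (not from any poster): this Python script reads IIS W3C extended logs, URL-decodes each query string and lists requests containing `<script` or SQL verbs. The pattern list is an assumption built from the keywords named above plus a few common SQL verbs, and the log lines, IP addresses and paths are constructed.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the keywords named in the thread ("script", "update", "insert")
# plus a few other SQL verbs; a verb only counts when followed by space, ( or @.
PATTERN = re.compile(
    r"<script|\b(?:update|insert|declare|exec|cast)\b\s*[\s(@]", re.I)

def parse_w3c(lines):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or damaged rows
                yield dict(zip(fields, values))

def flag_requests(lines):
    """Return (date, time, client IP, URL path, decoded query) per suspect hit."""
    hits = []
    for entry in parse_w3c(lines):
        # IIS writes "-" for an empty query string; it never matches.
        query = unquote_plus(entry.get("cs-uri-query", "-"))
        if PATTERN.search(query):
            hits.append((entry.get("date", ""), entry.get("time", ""),
                         entry.get("c-ip", ""), entry.get("cs-uri-stem", ""),
                         query))
    return hits

# Constructed sample log (documentation IP ranges, made-up paths).
LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 10:15:02 198.51.100.20 GET /default.asp id=5 200
2009-03-01 10:15:09 203.0.113.7 GET /news.asp id=5;UPDATE%20pages%20SET%20title=1 200
2009-03-01 10:16:40 203.0.113.7 GET /guestbook.asp msg=%3Cscript+src%3Dhttp://files.example.test/a.gif%3E 200
2009-03-01 10:17:00 198.51.100.20 GET /admin.asp action=update&id=3 200
""".splitlines()

if __name__ == "__main__":
    for hit in flag_requests(LOG):
        print(*hit)
```

IIS records only the query string, so anything sent in a POST body will not show up in these logs.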

#8 (permalink) 03-02-2009, 07:00 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Quote:
Originally Posted by Dubbya
It appears that you are the victim of a cross site scripting attack. Specifically a "SQL injection attack".

Well actually that was my 1st thought and I checked the db for the keywords you're listing besides .js and ken.gif and didn't find one suspicious row.
To be honest I learned SQL Injection the hard way a while ago and user's input is filtered and also we set a specific SQL user unable to read sysobjects and its friends.
What puzzled me was that the script thing that I could see appeared on the top of the html source not mixed in between the data as I haven't seen on SQL Injection before.
__________________
jean-luc
www.corobori.com

#9 (permalink) 03-02-2009, 11:31 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Quote:
Originally Posted by Dubbya
Check your server for "response.redirect" code as well.

I used your technique, opening the default page of my website several times, and found out that on a random basis the script shows up at the top of the source file; I can see it in Notepad. Why? Don't know. Now the website has been off-line for 10 hours so nobody is actually updating the db. I have changed passwords too!

I am wondering what exactly you mean by: Check your server for "response.redirect" code as well. I am asking because I actually have several response.redirect in my default page at that point, meaning before the html starts.
__________________
jean-luc
www.corobori.com

Last edited by Corobori; 03-02-2009 at 11:37 PM.

#10 (permalink) 03-03-2009, 04:50 AM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

Hi, I am having the same issue with my website. It started about 1 hour ago. I do not think this is a SQL Injection attack as others have mentioned nor do I think this is due to the website being compromised.

I actually think this has something to do with the server and/or IIS injecting this script tag into my website pages. The script tag doesn't always show - just on random reloads.

Also, this tag will show itself on new pages I create that do not link to my database or any other pages and has no functionality.

Having said all that, I don't run the server so I contacted my hosting provider, but in the meantime if anyone has any ideas as to the cause and the fix, I would love to hear it.

#11 (permalink) 03-03-2009, 07:31 AM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

NeoSamurai,
Do you use frames in your pages?
Do you do "response.redirect"?
__________________
jean-luc
www.corobori.com

#12 (permalink) 03-03-2009, 07:38 AM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

I do use iframes and response.redirect on various pages. They all point to other pages on my website.

For testing, I have created new pages that use none of that and they too will have the <script> tag inserted on random re-loads. So a brand new blank page not using my master page will have that <script> tag inserted at the top of the page.

#13 (permalink) 03-03-2009, 07:39 AM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

Here's some more information I forgot to mention. I took the exact same code and moved it to another server. I am using the exact same database and so far I don't receive that issue. Still on my old server though, the problem remains.

#14 (permalink) 03-03-2009, 09:02 AM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Not hosting at webhost4life.com ?
__________________
jean-luc
www.corobori.com

#15 (permalink) 03-03-2009, 09:05 AM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

I am actually hosting there. How did you know?

#16 (permalink) 03-03-2009, 09:21 AM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

Actually I didn't know that, but as my issue concerns a website hosted there I just asked you. I suppose they could have some sort of issue there. Did you write to support? I did yesterday but they haven't found anything yet. Just in case, you could mention my Call Id: 495819
I just updated my ticket letting them know that I might NOT be the only one.
__________________
jean-luc
www.corobori.com

Last edited by Corobori; 03-03-2009 at 12:02 PM.

#17 (permalink) 03-03-2009, 01:11 PM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

I did send out a support ticket right away last night and about 2 hours ago I received a response stating that a senior person is going to look at this issue.

I am going to update my ticket to mention that you are having the same issue. Thank you for the heads up! I'm sure it has to do with their server... I wonder if we are both on the same one?!... lol

#18 (permalink) 03-03-2009, 03:51 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

NeoSamurai,

I reckon we should play the lottery this week. Think about the odds of posting an issue in one forum amongst so many of them and bumping into somebody else having the same issue with the same hosting provider!

My ticket hasn't been updated since 3/2/2009 5:23:26 PM their time. I'll keep you updated if something comes up from my side.

I hope we'll get some good news soon. This whole thing is pretty stressing. I detected something was wrong on Monday morning at 9AM, just when going thru some logs I am checking every day. Since then I got hooked on this issue until 1:30 AM this morning. This issue is to be added to the SQL Server Data Corruption we had mid February and the router issue of the last couple of weeks. And hosting renewal time is just around the corner!
__________________
jean-luc
www.corobori.com

#19 (permalink) 03-03-2009, 05:21 PM
Niche (WebProWorld Pro; Join Date: May 2008; Posts: 177)
Re: Happy Monday morning: Site is listed as suspicious

Thanks for the tip on the ken gif script thing. I don't have this problem... yet but it is useful to know what to watch out for

#20 (permalink) 03-04-2009, 05:31 AM
NeoSamurai (WebProWorld New Member; Join Date: Mar 2009; Posts: 6)
Re: Happy Monday morning: Site is listed as suspicious

Corobori,

I haven't heard anything back yet. Just wanted to give you a heads up there.

I'm actually moving my website off of their server to another provider. Webhost4life is cheap, but I've run into too many issues and support is slow.

Good luck to you buddy. And I'm definitely buying a lottery ticket!

#21 (permalink) 03-04-2009, 09:37 AM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

I just got the same message about escalating to the senior technician to follow up! Pretty slow actually
__________________
jean-luc
www.corobori.com

#22 (permalink) 03-06-2009, 02:14 PM
Corobori (WebProWorld Member; Join Date: Jan 2004; Location: Concepcion, Chile; Posts: 47)
Re: Happy Monday morning: Site is listed as suspicious

NeoSamurai, no answer from webhost4life.com so far. It appears that my website is not being flagged by Google Safe Browsing anymore, but as the script was added on a random basis it doesn't make me feel much better. The Spanish site which was hosting the script and was acting as intermediary deleted it; apparently they reacted to my emails.

Did you move your host? Where?
__________________
jean-luc
www.corobori.com