Client's site hacked

Would be glad if you could list out the precautionary steps taken by JODO to tackle this sort of attack...

In most cases we can't do anything, as it is code related, but I am still investigating; in fact I am just really getting started, as last week when all this came up I was not able to dedicate any time to it.
 
I've had a client site (joomla install) repeatedly hit w/ changes to an index.php file (addition of long lists of bogus links hidden at the top of the file). No big deal to remove, but even w/ file permissions strongly enforced and a change of FTP credentials for the site, the junk keeps coming back. It's not clear to me what more to do about this to prevent it from happening again -- it's already compromised our google ranking (they sent us the "clean up your code or else" notice a few days ago) and affects the functionality of the site as well.

Look in the HTTP logs for every POST request and analyze them. I've seen this many times on Mambo/Joomla. Every time it has been a component, and most of those not part of the core or the normal set; event calendars, shoutboxes and the like seem the most hit.
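The suggestion above (pull every POST out of the HTTP logs and see which component it targets) as a small working script. This is an added example, not code from the thread or from JodoHost; the log lines are constructed in Apache "combined" format, and the list of core component names is an assumption that should be replaced with what your own install actually ships.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache "combined" format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Assumption: a short list of components that ship with Joomla 1.0/1.5.
# Extend it from your own install before trusting the "non-core" label.
CORE_COMPONENTS = {"com_content", "com_user", "com_contact", "com_search",
                   "com_login", "com_frontpage", "com_poll"}


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def component_of(target):
    """Name the com_* component a request targets: ?option=com_x, or a /components/com_x/ path."""
    parsed = urlparse(target)
    opt = parse_qs(parsed.query).get("option")
    if opt:
        return opt[0]
    for seg in parsed.path.split("/"):
        if seg.startswith("com_"):
            return seg
    return None


def post_requests(lines):
    """Every parseable POST, annotated with the component it was aimed at."""
    posts = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST":
            rec["component"] = component_of(rec["target"])
            posts.append(rec)
    return posts


def posts_by_component(lines):
    """How many POSTs hit each component; unidentified targets are grouped under "(none)"."""
    return Counter(p["component"] or "(none)" for p in post_requests(lines))


def non_core_posts(lines):
    """POSTs to third-party components or to paths that are not a component at all."""
    return [p for p in post_requests(lines) if p["component"] not in CORE_COMPONENTS]


# Constructed sample log: one normal login, then a burst of POSTs from one host
# at an event calendar, a shoutbox upload script, and a PHP file under images/.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2009:02:13:44 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [11/May/2009:02:13:51 +0000] "POST /index.php?option=com_user&task=login HTTP/1.1" 303 0 "http://www.example.com/" "Mozilla/4.0"',
    '198.51.100.23 - - [11/May/2009:02:14:02 +0000] "POST /index.php?option=com_eventcal&task=save HTTP/1.1" 200 512 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [11/May/2009:02:14:03 +0000] "POST /components/com_shoutbox/upload.php HTTP/1.1" 200 64 "-" "libwww-perl/5.805"',
    '198.51.100.23 - - [11/May/2009:02:14:05 +0000] "POST /images/stories/x.php HTTP/1.1" 200 10 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for comp, n in posts_by_component(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {comp}")
    print("--- non-core POSTs ---")
    for p in non_core_posts(SAMPLE_LOG):
        print(p["time"], p["ip"], p["target"], p["status"], p["ua"])
```

On a real server run it over the whole access log (`cat access_log* | python3 this.py` after swapping `SAMPLE_LOG` for `sys.stdin`), then sort the non-core hits by source IP and user agent: a scripted client repeatedly POSTing to one add-on component is the pattern the post above describes.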
 
I have fixed my affected sites, but there is still an issue when clicking my site from google search results, as described here: http://www.google.com/support/forum/p/Web+Search/thread?tid=1657b31803903a08&hl=en

In other words, if I type in the site directly it's OK, but if it's a link from Google search results then it redirects to another site. The link above says it may be in the system files of the server rather than the site.

I am highly suspicious of it being in system files, to be honest, and don't even think that, if it were, it would affect anything, because the system files are not your web root.

I'd take that with a grain of mustard seed :) If I find something I will gladly share.
 
Just an update: I believe the script injection problem described in this thread is the result of the Grumblar exploit, which Jodo has just alerted us about here: http://support.jodohost.com/showthread.php?t=16921

Stephen said:
Please be advised that there is currently a serious security vulnerability in Adobe products [...] can lead to malware stealing your FTP credentials with the potential for much more.

This page [blog.unmaskparasites.com], which describes the exploit, shows a JavaScript very similar to the ones we've encountered here. The injected JavaScript uses encoded strings in a similar way, and .htaccess is also modified. Looks like this "Grumblar" exploit may have been the culprit.

Avast Home seems to successfully identify an infected site when you browse to it.
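The three symptoms reported in this thread (hidden lists of bogus links at the top of index.php, a referrer-conditional redirect that only fires when a visitor arrives from a Google result, and injected scripts built from encoded strings) can all be checked for with one file scan. This is an added example, not the thread's or the blog post's code; the search-engine name list and the detection thresholds are assumptions, and the sample files are constructed to show a clean and an injected case of each.

```python
import re

# Assumption: search engines an injected .htaccess rule typically keys its redirect on.
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|live|ask|aol", re.I)

# A <div> hidden with inline CSS; its contents are captured for the link count.
HIDDEN_DIV_RE = re.compile(
    r'<div[^>]*style\s*=\s*"[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"]*"[^>]*>(.*?)</div>',
    re.I | re.S,
)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Long runs of %xx / \xNN / \uNNNN escapes: the "encoded strings" the injected scripts are built from.
ENCODED_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}|(?:\\u[0-9a-f]{4}){4,}", re.I)
DECODER_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(", re.I)


def hidden_link_blocks(html, min_links=5):
    """(offset, link count) of every hidden <div> holding at least min_links anchors."""
    hits = []
    for m in HIDDEN_DIV_RE.finditer(html):
        n = len(re.findall(r"<a\s", m.group(1), re.I))
        if n >= min_links:
            hits.append((m.start(), n))
    return hits


def obfuscated_scripts(html):
    """Offsets of <script> blocks that both decode an encoded blob and execute/write it."""
    return [m.start() for m in SCRIPT_RE.finditer(html)
            if DECODER_RE.search(m.group(1)) and ENCODED_RUN_RE.search(m.group(1))]


def referrer_redirects(htaccess):
    """(conditions, rule) pairs where a RewriteCond on HTTP_REFERER naming a search engine
    is followed by a RewriteRule whose target is an absolute external URL."""
    hits, conds = [], []
    for line in htaccess.splitlines():
        s = line.strip()
        if s.startswith("RewriteCond"):
            conds.append(s)
        elif s.startswith("RewriteRule"):
            parts = s.split()
            target = parts[2] if len(parts) > 2 else ""
            keyed_on_referrer = any("HTTP_REFERER" in c and SEARCH_ENGINES.search(c) for c in conds)
            if keyed_on_referrer and re.match(r"https?://", target, re.I):
                hits.append((conds[:], s))
            conds = []  # a RewriteRule consumes the RewriteCond chain before it
    return hits


def scan(files):
    """files: {path: text}. Returns (path, description) for every indicator found."""
    findings = []
    for path, text in files.items():
        if path.rsplit("/", 1)[-1] == ".htaccess":
            for _conds, rule in referrer_redirects(text):
                findings.append((path, "referrer-conditional redirect: " + rule))
        else:
            for pos, n in hidden_link_blocks(text):
                findings.append((path, f"hidden block with {n} links at offset {pos}"))
            for pos in obfuscated_scripts(text):
                findings.append((path, f"obfuscated script at offset {pos}"))
    return findings


# Constructed samples: a clean index.php and .htaccess, and injected versions of each.
CLEAN_INDEX = "<?php\ndefine('_JEXEC', 1);\n?>\n<html><body><h1>Site</h1></body></html>\n"
INJECTED_INDEX = (
    '<div style="display:none">'
    + "".join(f'<a href="http://spam.example.invalid/p{i}">offer {i}</a>' for i in range(12))
    + "</div>\n" + CLEAN_INDEX
    + '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%31%29"))</script>\n'
)
CLEAN_HTACCESS = "RewriteEngine On\nRewriteCond %{REQUEST_FILENAME} !-f\nRewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule (.*) index.php\n"
INJECTED_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]\n"
    "RewriteRule .* http://redirect.example.invalid/ [R,L]\n"
)

if __name__ == "__main__":
    for path, what in scan({"index.php": INJECTED_INDEX, ".htaccess": INJECTED_HTACCESS}):
        print(f"{path}: {what}")
```

To run it against a real site, walk the document root and feed each text file's contents into `scan`. A referrer-conditional redirect explains exactly the behaviour reported earlier (typing the URL works, clicking the Google result redirects), and it lives in the web root, not in system files, so it survives replacing index.php unless .htaccess is restored too.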

I'm curious... all I can find out about this thing, even from us-cert.gov, is that "Users who visit these compromised websites and have not applied updates for known PDF and Flash Player vulnerabilities may become infected with malware." But HOW? I mean, what exactly is installed on the local PC and how does it get there? I can't find any precise info on how it works.
 
Ah.. apologies to Indian - he posted about Grumblar on the previous page. :horn:

I still can't connect the dots though.. how does the malware get on the PC via Adobe apps? A friend got infected with Grumblar the other day - their Google searches were being redirected to malicious sites. However, they got infected in the "traditional" way: received a bogus email, apparently from Facebook, saying someone had "friended" them. God I hate that word. Surely no other language gets mangled as much as English!

Anyway the "read message" link in the email took them to a fake Facebook page where they were asked to download a program so they could see the message. Like.. is any FB message important enough to install an app to see it?! Unfortunately, their copy of AVG didn't trap the trojan, but still detects infected dlls every day. Thanks AVG.. you look real busy now. :)
 