Hi,
I am a web designer, and one of my clients' websites got hit by a malware script. Some strange VBScript was added to the index page. I have removed the script, and the site is up and running again. But I have a couple of questions regarding the malware script and hope some of you could kindly provide me with some answers.
1. How did the malware script get added to the site? A programmer told me it picks sites randomly and adds the script to them.
2. How can I prevent the website from getting hit by a malware script again?
Any help appreciated, thanks!
J
#1
Posted 23 April 2009 - 02:45 AM
#2
Posted 23 April 2009 - 03:03 AM
The site probably got hit because one or more of the security updates for either the OS or the software installed on it are not up to date, or the ACL permissions are set wrong.
I would first check and verify that the Windows updates are all up to date and then maybe run one of the analyzing tools to check the security settings. Microsoft has a few tools to help lock it down.
#3
Posted 23 April 2009 - 03:21 AM
AdvancedSetup, on Apr 22 2009, 11:03 PM, said:
The site probably got hit because one or more of the security updates for either the OS or the software installed on it are not up to date, or the ACL permissions are set wrong.
I would first check and verify that the Windows updates are all up to date and then maybe run one of the analyzing tools to check the security settings. Microsoft has a few tools to help lock it down.
Thanks a lot for the reply... and I have a few questions...
How should the ACL permissions be set?
I used WS_FTP 6.7 to upload the site; it is a very old version. Is it possible that the software might have some security glitches?
What analyzing tools should I use to check the security settings?
Thanks again!
#4
Posted 23 April 2009 - 03:37 AM
Yes, it's possible that the FTP username/password has been obtained. It is sent in clear text when you connect and is not very secure.
Is this a single server, and do you have full admin rights to it, or does the hosting company handle that for you?
Is it Server 2000, 2003 R1 or R2, or 2008? Do you know what version of IIS and what other web technologies are installed and running?
Here is at least a start to point you in the right direction.
Installing and Securing IIS Servers (Part 1)
http://www.windowsecurity.com/articles/Ins...vers_Part1.html
Make sure you use the right tool for the right version of Windows. Also be careful as locking things down can and will prevent pages or features from operating as you're used to.
http://technet.micro...y/cc297183.aspx
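What "sent in clear text" means in practice, as an added example that is not part of this thread or of any poster's reply: the transcript below is a constructed plain-FTP control-channel session (the host name, username and password are hypothetical), and the script pulls out exactly what anyone sniffing the path between the designer's PC and the host would get, including whether the server accepted the login and which files that login then uploaded.

```python
# Added example (not from the thread): what an eavesdropper gets from plain FTP.
# The session is constructed; host, username and password are hypothetical.
# "C" = line sent by the client, "S" = reply sent by the server, all unencrypted.
SAMPLE_CAPTURE = [
    ("S", "220 ftp.example-host.invalid FTP server ready"),
    ("C", "USER jc8site"),
    ("S", "331 Password required for jc8site"),
    ("C", "PASS wrongguess"),
    ("S", "530 Login incorrect."),
    ("C", "USER jc8site"),
    ("S", "331 Password required for jc8site"),
    ("C", "PASS hunter2"),
    ("S", "230 User jc8site logged in"),
    ("C", "CWD /www"),
    ("S", "250 CWD command successful"),
    ("C", "STOR index.html"),
    ("S", "150 Opening BINARY mode data connection for index.html"),
    ("S", "226 Transfer complete"),
    ("C", "QUIT"),
    ("S", "221 Goodbye"),
]


def extract_ftp_logins(capture):
    """Replay a control-channel transcript and return every USER/PASS pair,
    whether the server accepted it (a 230 reply after PASS, 530 for a refusal)
    and which files were uploaded (STOR) under an accepted login."""
    sessions = []
    user = None      # last USER seen, waiting for its PASS
    current = None   # the USER/PASS pair whose verdict or uploads we are tracking
    for direction, line in capture:
        if direction == "C":
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user = arg
            elif cmd == "PASS" and user is not None:
                current = {"user": user, "password": arg, "accepted": None, "uploads": []}
                sessions.append(current)
            elif cmd == "STOR" and current is not None and current["accepted"]:
                current["uploads"].append(arg)
        elif current is not None and current["accepted"] is None:
            # First server reply after PASS decides the login attempt.
            code = line[:3]
            if code == "230":
                current["accepted"] = True
            elif code in ("530", "421", "500", "501"):
                current["accepted"] = False
    return sessions


def main():
    for s in extract_ftp_logins(SAMPLE_CAPTURE):
        verdict = "accepted" if s["accepted"] else "rejected"
        uploads = ", ".join(s["uploads"]) or "-"
        print(f"{s['user']}:{s['password']} ({verdict}); uploaded: {uploads}")


if __name__ == "__main__":
    main()
```

Anything that can read the packets gets the same result, whether that is malware on the PC running the FTP client (as this thread suspects) or any hop between it and the host; a new password helps only as long as it is not sent over the same clear-text channel again.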
#5
Posted 23 April 2009 - 05:29 AM
AdvancedSetup, on Apr 22 2009, 11:37 PM, said:
Yes it's possible that the FTP username / password has been obtained. It is sent in clear text when you connect and is not very secure.
Is this a single server and do you have full admin rights to it or does the Hosting company handle that for you?
Is it Server 2000, 2003 R1 or R2, 2008 ? Do you know what version of IIS and what other Web technologies are installed and running?
Here is at least a start to point you in the right direction.
Installing and Securing IIS Servers (Part 1)
http://www.windowsecurity.com/articles/Ins...vers_Part1.html
Make sure you use the right tool for the right version of Windows. Also be careful as locking things down can and will prevent pages or features from operating as you're used to.
http://technet.micro...y/cc297183.aspx
My hosting company is Doteasy, and I don't really know what version of IIS or what other web technologies are installed. No idea whether it is Server 2000, 2003 R1 or R2, or 2008 either.
Thanks for the articles, though; there is a lot to read. I am more of a designer, so it is going to be a challenge to digest all this technical stuff.
#6
Posted 23 April 2009 - 05:33 AM
Well, you really shouldn't need to. The hosting company is responsible for keeping the system up to date and protected, unless you or your client purchased a dedicated server and have taken on the responsibility for all updates and security.
I would contact the hosting provider's support and let them know you were attacked, and have them check on it. That's what they do.
#7
Posted 23 April 2009 - 05:46 AM
Well, my client contacted them, and they claimed that their servers are well protected and up to date and said the issue was probably that someone gained access to or guessed the account login information. They suggested changing the password, which I did, and I just hope that it will never happen again.
My PC actually got infected by malware, and last week I had to reformat the whole hard drive just to get rid of that nasty reader_s.exe. I wonder if it might be the underlying cause of this whole ordeal; maybe the password somehow got stolen by some malware, either reader_s.exe or something else...
#8
Posted 23 April 2009 - 07:52 AM
JC8, on Apr 23 2009, 07:46 AM, said:
My PC actually got infected by malware, and last week I had to reformat the whole hard drive just to get rid of that nasty reader_s.exe. I wonder if it might be the underlying cause of this whole ordeal; maybe the password somehow got stolen by some malware, either reader_s.exe or something else...
It also collects info from the PC.
So what most probably happened is either the FTP credentials were gathered or, most likely, the infected webpages were uploaded by you while you were infected.
Either way, please check ALL webpages online and remove any iframe from the code, because these pages are responsible for infecting others as well.
Also, you said you formatted and reinstalled Windows, so I'm not sure what you backed up while being infected, because 80% of all executables are infected. Also, as I said, all webpages.
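One way to do the "check ALL webpages" pass the reply above asks for, and to notice the next time a page changes underneath you, as an added example written for this page (it is not code from any poster or from the hosting company). The two sample pages are constructed: index.html carries the two kinds of injection this thread describes (a hidden off-site iframe and a VBScript block), about.html is clean. The trusted hostname is a hypothetical placeholder for the client's own domain.

```python
# Added example (not from the thread): scan HTML pages for injected markup and
# keep a hash manifest so later tampering shows up as a changed file.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample site: index.html is injected, about.html is clean.
SAMPLE_SITE = {
    "index.html": """<html><head><title>Client site</title></head>
<body><h1>Welcome</h1>
<iframe src="http://malicious.invalid/in.cgi?3" width="0" height="0" style="visibility:hidden"></iframe>
<script language="VBScript">On Error Resume Next: Set o = CreateObject("WScript.Shell")</script>
<script src="/js/menu.js"></script>
</body></html>""",
    "about.html": """<html><body><h1>About</h1><p>Designed by J.</p>
<script src="/js/menu.js"></script></body></html>""",
}

TRUSTED_HOSTS = {"www.client-site.invalid"}  # hypothetical: the site's own hostname(s)


def _is_external(url):
    host = urlparse(url).hostname
    return host is not None and host not in TRUSTED_HOSTS


class InjectionFinder(HTMLParser):
    """Flags what an injected payload typically leaves behind: iframes (noting
    hidden or off-site ones), VBScript blocks, off-site script sources and
    inline script that looks packed (eval/unescape or long %xx runs)."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "visibility:hidden" in style or "display:none" in style)
            where = "off-site" if _is_external(a.get("src", "")) else "local"
            flags = where + (", hidden" if hidden else "")
            self.findings.append(f"iframe ({flags}): src={a.get('src', '')}")
        elif tag == "script":
            lang = (a.get("language", "") + " " + a.get("type", "")).lower()
            if "vbscript" in lang:
                self.findings.append("VBScript block")
            if "src" in a and _is_external(a["src"]):
                self.findings.append(f"off-site script: src={a['src']}")
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            packed = (re.search(r"\b(unescape|eval)\s*\(", data)
                      or len(re.findall(r"%[0-9a-fA-F]{2}", data)) > 20)
            if packed:
                self.findings.append("inline script looks obfuscated: " + data.strip()[:40])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def scan_site(pages):
    """Return {filename: [findings]} for every page with at least one finding."""
    report = {}
    for name, html in pages.items():
        finder = InjectionFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[name] = finder.findings
    return report


def build_manifest(pages):
    """SHA-256 of every page; store this after a known-clean upload."""
    return {n: hashlib.sha256(h.encode("utf-8")).hexdigest() for n, h in pages.items()}


def diff_manifest(baseline, current):
    """Files whose hash differs from the clean baseline, plus new and missing ones."""
    changed = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    for page, hits in scan_site(SAMPLE_SITE).items():
        print(page)
        for hit in hits:
            print("  -", hit)
```

Run the scan over a local copy of every page, not just the index; then build the manifest from the cleaned copy and re-check the live files against it after each upload, so an injected iframe shows up as a changed hash even before anyone reads the markup.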
#9
Posted 23 April 2009 - 06:05 PM
The last time I uploaded that index page was like last year, so I don't think I uploaded any infected pages to the site. It is most likely that the FTP info got stolen and someone hacked into the site.
I have checked all the other pages of the site online; they are all clean, only the index page got infected.
I read about the reader_s.exe virus, and I knew it could affect all the EXE and HTML files, so I got rid of all of them and didn't back up any of them.
Thanks for the reply and the link to your blog.