We have just received the following message with regards to malicious software. However, I really don’t know where to start in attempting to resolve the matter. Any advice / guidance would be very much appreciated. Trying to work through things systematically – but don’t really know where the best place to start is!
We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page to
users who visit these pages by clicking a search result on Google.com.
Below is an example URL on your site which can cause users to be infected
(space inserted to prevent accidental clicking in case your mail client
auto-links URLs):
http://otiumlifestyle.com
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//otiumlifestyle.com/
Yup, definitely infected…
Since it’s not legal to probe your site without permission, we can’t scan without your approval. So please do this at: http://www.sitesecuritymonitor.com/badware-busters-landing-page/?utm_campaign=Badwarebusters&utm_source=Badwarebusters
Otherwise, immediately change your FTP passwords on your site, and scan your PC for viruses as well.
PS: Don’t save your password on your PC; most likely that’s where it came from.
hmmm …
“Since it’s not legal to probe your site without permission, we can’t scan without your approval”
@ssm … perhaps you could educate the rest of us about the particular situations in which it is not “legal” to scan a site without permission? Since the helpers on the forum do not “probe” for the purpose of performing a vulnerability assessment, I am assuming that the tools that they use for malware scans don’t fall into the area of not being “legal” to use without explicit permission.
On the other hand, I doubt that most people know the difference in the malware scan you perform and the vulnerability assessment that you perform. I suspect that the vulnerability assessment is the part that may not be legal without permission. Please clarify. I shudder to think that the helpers here are legally unable to use the tools available to them to help an OP identify malware on their sites.
Hi,
I’m not a lawyer either, but I think it’s OK to reveal symptoms that can be obtained from the data websites return for regular legitimate requests. Such information can only help webmasters and site visitors detect and address the problem (either resolve the issue or keep away from the site that can be dangerous for browsing).
On the other hand, hackers and people with malicious intentions who know how to exploit the security holes behind those symptoms already have the tools and experience to obtain this (and much more) information without malware scanners.
So limiting access to malware scanners to only verified owners is like leaving those webmasters (not all of them have enough knowledge and skills) without the help of the community.
Of course this doesn’t apply to vulnerability scanners like ssm (i.e. ones that, instead of symptoms, report real exploitable security holes). Such scans should be conducted on behalf of site owners and responsible executives, since not only can such scans reveal real exploitable holes to strangers, they can also effectively DoS sites or corrupt data (in the case of buggy site software). So it is important to choose a proper time for scans and a proper version (try the scan on a development site before scanning your production site). So, unauthorized scans are generally not acceptable.
Denis
@otiumlifestyle
I will assume that running a malware scan through Dasient (on your behalf) is not illegal without your explicit permission, since you are asking for assistance here. Since representatives from Dasient have provided links to scans without getting specific permission from site owners, I have assumed the best and taken the liberty of requesting their QuickScan, on your behalf.
https://wam.dasient.com/wam/diagnose?scan_id=192084
This should give you something to start with. I was already able to see the obfuscated code on your home page. The scan just confirms it and provides a historical record of the findings.
I’m not sure what is going on with the [https] page listed in the Dasient scan, but it still is something to look into.
You may find the following guidelines helpful …
*Let your hosting provider know that your site has been hacked and see if they can help determine how the site was hacked and fix that problem.
*Clean your local computer of any virus/trojan capable of capturing FTP credentials and change all of your passwords. Do not store them in the FTP client.
*In addition to removing any unauthorized coding or additional pages, upgrade any blog, forum, gallery, CMS or other script to reduce vulnerabilities created by outdated code.
*After cleaning and securing your site, “Request a Review” through your Google Webmaster Tools account. Sites must be added and ownership verified first.
The following documents provide detailed instructions for thoroughly evaluating, cleaning and securing your site.
How to remove the ‘This site may harm your computer’
http://25yearsofprogramming.com/blog/20071223.htm
How to prevent your site from getting hacked. How to repair a damaged site. Website security precautions
http://25yearsofprogramming.com/blog/20070705.htm
Kaleh… definitely the vulnerability scan is over the fence for sure. We get a lot of requests from non-site-owners (hundreds a day sometimes), so we watch this closely.
We’re looking into the malware scanning, but consider this:
- You find a malwared site, and submit it for a free scan from Dasient. Dasient responds with the problem (say an insertion). If so, reviewing it, you see that perhaps it’s a SQL injection flaw, or a local file insertion. Now you know more about the site, the server, the code and potentially, if you know what you are doing, how to further leverage that flaw (and all postings on this site, Google snarfs daily and indexes).
So, I know someone I don’t like, I ask here for a ‘scan’. Scan results get posted, with the full dump, up to and including the site URL, malware dump and recommendation for fix.
Consider that some of these postings here are NOT the site owners (could happen, and I’m sure does – based on what we get from this site for scan requests sometimes), and the results are posted here, with NO efforts to confirm ownership, authenticity, etc.
I want everyone to help of course, but I fear everyone (esp. in the scanning business) is one lawsuit away from trouble. We try our best, but aren’t perfect. It’s a fine line between helping those in need, and helping those that don’t own and want :)
I don’t know, I’m not a lawyer. Our counsel is working on this issue as we speak, but of course, this is yet another area of Internet law that isn’t litigated, thus defined.
Doing an offline malware scan (from my uneducated side) is probably OK, but providing the results (including dumps, file locations, etc.) IMO is exposing way, way too much. That’s why we don’t post results online here. I think it’s too risky, and since Google/Yahoo, etc. index this service quickly, I think the risks are too high for ‘full disclosure’ of the problem.
It’s almost like going to another forum and posting source code for a review, in full view of the world.
Anyways, I’m simply stating that SSM dictates offline (from badwarebusters) report delivery, and an effort to confirm identity/site ownership for legal and perhaps more importantly, what we consider ethical reasons. Perhaps Maxim has a different idea, but this is where we are.
Cheers!
John
I suspect that if StopBadware felt there was a problem with the information sharing that has been a part of this community, since the beginning, that guidelines to prohibit it would have been put in place.
This is a community oriented self-help forum where we all learn from the experiences of others. I feel that the type of assistance that is provided here is critical to the smaller site owners being enabled to help themselves. If they need more assistance, it’s great to have professional services available for them. But, many of them do not want professional services, so the open sharing of information is valuable to them.
For those who offer vulnerability scanning that goes above and beyond the type of assistance that folks come here looking for, it is understandable that you should not do such a scan without proof of ownership and permission. However, in the absence of that permission, surely you can offer assistance outside of vulnerability scanning?
If someone wants that “extra” service … fine … great … offer it and do your due diligence as far as protecting yourself and the site owner. But, please allow the OP the luxury of getting public assistance if they are not interested in vulnerability scanning.
As far as ownership goes, I can’t see that proof of ownership can be obtained by simply providing an email address that matches the site’s domain. How do you know that a disgruntled employee is not the one requesting the scan?
I think it is important that everyone fully understand (without having to access your site) what kind of scanning is actually being offered, and that it is above and beyond what is necessary to identify the malware that is causing them problems.
Offline delivery of your vulnerability scanning results is 100% understandable. No one would expect you to expose the sites’ vulnerabilities in public.
However, since the majority of the hacks we know about, in today’s climate, are often related to compromised passwords on a local machine, I can’t see that there is a great need for secrecy about what is going on with those particular sites.
The specific vulnerability (at this point in time) for those sites, is that the local computer is infected, and the hackers have the login credentials. Unless someone else can get that information from the OP (or the hackers) what more harm can be done by simply discussing the details of what is going on with the site, in public?
Yes … all sites probably have all kinds of vulnerabilities that were not the current cause of their problems, and those could be addressed to avoid potential future problems. But … when we are talking about local computers giving up login credentials … sharing the symptoms and cures seems more helpful than harmful.
Considering that most of the hacks are automated, I really doubt that anyone is sitting around reading BadwareBusters so that they can pick up on a vulnerability on a particular site and cause them more grief.
I will be curious to hear Maxim’s take on the issues.
Disclaimer: I’m not a lawyer, either, so I’m commenting only on ethics and the expected behavior on this site.
I believe that anything that could be observed by visiting a publicly-accessible website, viewing the site’s source code, or watching the traffic to/from the client while visiting the site is fair game for public posting and discussion. This covers quite a bit of territory.
Where I believe someone might cross the line into unethical behavior is if they:
- Perform full penetration or vulnerability scanning against a site without the owner’s permission, especially if such a scan carries risks to the site or if it requires making requests that are substantially different or much higher volume than those generated by ordinary user visits to the site.
- Publish or make available to someone without authorization of the site owner a vulnerability in that site that is not widely known and that isn’t the cause of a current compromise.
A reasonable comparison would be physical security of a building on a public street. Suppose someone notices in the police blotter section of a newspaper that my house has been broken into three times. He decides to drive by my house, snap a photo of the front, and publish it in a newspaper column, along with an explanation of why he thinks the house might have been a target (e.g., no exterior lights), the apparent result of the last break-in (the cut screen on the front window), and a few things that could be done to make it safer (install a porch light). That seems well within his (and the newspaper’s) rights, even if somewhat alarming to me as the homeowner.
On the other hand, if this guy started casing my house, tapping on the walls with a hammer, etc., and then published a column about the valuables to be found inside my house, the details of my daily routine, and the fact that I have a key hidden under the doormat, that wouldn’t be okay at all.
As for free online scanning services, I’d say the need to verify site ownership depends on the type of scanning and the results that are provided. When verification is called for, I’d expect the vendor to go beyond an honor system (i.e., asking the user to affirm that s/he is the site owner) and actually verify the user’s credentials, as Google’s Webmaster Tools does by requiring the owner to make a change to the site’s contents.
With regard to BadwareBusters.org, I want to reiterate that the purpose of this site is to encourage open discussion about fighting badware. This requires the members of the community to balance the need for discretion, as indicated above and in Denis’s and John’s posts, with the requirement of transparency. One thing we definitely don’t want to see this site turn into is a marketplace with vendors just hawking their wares to everyone who comes in looking for help. This is why we ask vendors to refrain from soliciting business (paid or unpaid) except as a by-product of providing valuable public guidance to the original poster.
Interesting discussion everyone.
It might be useful to write out a bullet list of “expected behavior” for members associated with commercial organizations directly related to malware identification, scanning services, pen testing, etc. It could help to guide people in the future as to how to present their ideas in response to requests for assistance.
Furthermore, if it helps, a sign/icon/avatar of some sort could be associated with members associated with such organizations to quickly identify them to a new user, (as not being “totally benevolent” ..for the lack of a more appropriate term) when an answer/pointer is provided.
Let’s make this great group even more awesome!
Safe surfing everyone.
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Twitter: @stopthehacker
Facebook: stopthehacker
Jaal: Protecting the Internet, one website at a time™
I agree as well. However, I hear from some customers, especially those who have large web sites, that they find it pretty confusing to try to find help when they have to go through a lot of postings just to figure out what to do next.
I personally would like to see a commercial area of the site so that people who do want to pay are able to find a solution quickly.
Consider that some of these sites are commercial enterprises and don’t have time to wade through a lot of things to get what they need.
I don’t know what the solution is however everyone is sent here when there’s a problem and some people are perfectly willing to pay for someone to find a solution for them.
I think with a commercial section you would give more focus to the users and also eliminate the risks discussed above.
Anyway, that’s my 2¢.
Hi,
This is a known attack that uses the Twitter API (“search.twitter.com” in your tags) to generate the domain name of the currently active malicious site.
Most likely it’s indeed a password-related problem. So all the above advice is correct.
You can read more about it in my article: Twitter API Still Attracts Hackers
Denis – www.UnmaskParasites.com
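Two things the helpers in this thread did by hand were spotting the obfuscated code on the home page and recognising the “search.twitter.com” string hidden in it. The script below is an added illustration of how to do that first pass over a site’s own HTML files; it is not tooling from the original posts, Dasient, SSM or Unmask Parasites. The sample pages, the injected payload and the indicator thresholds are constructed for this example, and it only looks at what the served page source already shows (hex-escaped strings fed to unescape()/eval(), String.fromCharCode, document.write, and a decoded reference to search.twitter.com), so it probes nothing beyond a normal page fetch.

```python
"""Heuristic scan of HTML for injected, obfuscated <script> blocks.

Added example for this thread, not code from the original posts or from
any vendor mentioned in it. The pages and payload below are constructed.
"""
import re
from urllib.parse import unquote

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# %xx (JavaScript unescape) and \xNN (string literal) escapes
HEX_RE = re.compile(r"(%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2})")
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# Host named in the thread as the seed for the attacker's domain generation.
KNOWN_HOSTS = ("search.twitter.com",)


def decode_layer(js):
    """Undo one layer of %xx and \\xNN escaping so host names become greppable."""
    text = unquote(js)
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def score_script(js):
    """Return (indicator_count, reasons) for one inline script body."""
    reasons = []
    # Rough share of the script that is hex escapes (each %xx is 3 chars).
    hex_ratio = len(HEX_RE.findall(js)) * 3 / max(len(js), 1)
    if hex_ratio > 0.3:
        reasons.append(f"hex-escaped payload ({hex_ratio:.0%} of script)")
    calls = [c for c in SUSPICIOUS_CALLS if c in js]
    if calls:
        reasons.append("decode-and-execute calls: " + ", ".join(calls))
    decoded = decode_layer(js)
    # Flag hosts that appear only after decoding: a hidden, not an overt, reference.
    hidden = [h for h in KNOWN_HOSTS if h in decoded and h not in js]
    if hidden:
        reasons.append("hidden reference to " + ", ".join(hidden))
    return len(reasons), reasons


def scan_html(html, min_indicators=2):
    """Return [(snippet, reasons)] for each inline script tripping >= min_indicators."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        count, reasons = score_script(body)
        if count >= min_indicators:
            findings.append((body.strip()[:60], reasons))
    return findings


# --- constructed sample input -------------------------------------------
BENIGN_PAGE = (
    "<html><body><h1>Otium</h1>"
    "<script>var x = document.getElementById('nav'); x.className = 'open';</script>"
    "</body></html>"
)
# A typical injected loader: the real script text is hidden behind unescape().
_PAYLOAD = ("var s=document.createElement('script');"
            "s.src='http://search.twitter.com/search.json?q=x';"
            "document.body.appendChild(s);")
_ENCODED = "".join("%%%02x" % ord(c) for c in _PAYLOAD)
INJECTED_PAGE = BENIGN_PAGE.replace(
    "</body>", "<script>eval(unescape('" + _ENCODED + "'))</script></body>")

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("injected", INJECTED_PAGE)):
        for snippet, reasons in scan_html(page):
            print(f"[{name}] {snippet}...")
            for r in reasons:
                print("    -", r)
```

Run it over the files pulled down from the compromised account (or over saved copies of the live pages) and review every hit by hand; a legitimate minifier can trip one indicator, which is why a script needs two before it is reported. The decoded text is also what you compare against the copy in your own backup to see exactly what was inserted.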