
Despite all my work to harden my website, someone has managed to hack it.

When loading the homepage in IE8, the page appears to load normally. Then, the status bar briefly displays a request to a domain that is just a jumble of letters followed by .com. It opens a Windows Media Player window, and as that opens the IE screen goes red with a "this site has been reported as unsafe" warning on it.

In Chrome, the site loads normally, and I get a warning that the Java plugin needs my permission to run. I did not grant permission.

In Firefox, everything looks normal, but in my NoScript menu there is an item labeled "http://undefined", which I of course blocked.

The good news is that I was able to capture a screen movie of the problem in IE and was able to note the malware domain for research.

When I first noted the problem I started Wireshark and have logged everything in and out of my PC since. This provided me with multiple DNS requests with domain names linked to the attack. I have also downloaded the server logs. Our entire site has been moved into a holding directory and an 'unavailable' message has been put at the root of our domain. I have changed our server login password.

I downloaded a copy of our homepage from the server and analyzed it. The malicious domain is nowhere to be found in it. I utilize a few external JavaScript libraries, such as jQuery, that are loaded from remote servers. I am wondering if something could have happened on one of those servers?

Now I'm not quite sure what to do next. I am a creator, not a security expert. My current position does not have an IT or Information Security department to get assistance from, so I am seeking help from anyone who may recognize the symptoms of this attack.

UPDATE: I found malicious files on my server identical to what was described at https://stackoverflow.com/questions/6686354/virus-problem-google-verify-php-and-ftp-passwords

Update Oct. 26: After reviewing log files, I found that the hack was done via FTP. Evidently my login was stolen somehow.

Paul S.

1 Answer


Steps to take in an attack like this:

  • In this particular case, it is important to cease serving the site, so firewalling it off would be appropriate -- either at a gateway device or by pulling the plug.
  • Next you would need to image everything you can. Some data can only be obtained live from the machine. I found a decent Windows-focused guide for you from CERT.
  • From there you need to take steps to identify how you were compromised and prevent it from happening again.
  • When you've discovered the necessary steps to secure the machine, use a new image.

The symptoms of this attack are that something has managed to alter the data being served by your website. They may be limited to just the files being served up by the site or they may have compromised the entire system.

You'll have to spend your time comparing good data to the damaged data. Hashing all the files between the directories is a handy way to start.

Beyond that, I think you've got a lot of time and learning ahead of you, or an outsourced forensics / malware / general security expert who is looking forward to you as a client.

Jeff Ferland
  • Jeff, Thank you for taking time to respond. Yes, I have a lot of learning to do in the security aspect of web development. I have taken steps against SQLi and XSS, but clearly the site has weak spots. – Paul S. Oct 08 '11 at 00:28
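The answer's suggestion to hash the files of a known-good copy against the copy pulled from the server, as an added example (not code from the original post or its authors). It assumes you still have a clean deployment or backup to compare with; the sample trees built by `build_sample()` are constructed for demonstration.

```python
"""Hash every file in a known-good copy of the site and in the copy pulled from
the server, then diff the two maps so injected, deleted and altered files stand
out. Added example, not from the original post; build_sample() is constructed."""
import hashlib
import os
import sys
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            digests[os.path.relpath(full, root)] = hashlib.sha256(data).hexdigest()
    return digests


def compare_trees(good_root, live_root):
    """Diff two trees: added (only on the server; review first), removed, modified."""
    good, live = hash_tree(good_root), hash_tree(live_root)
    return {
        "added": sorted(live.keys() - good.keys()),
        "removed": sorted(good.keys() - live.keys()),
        "modified": sorted(p for p in good.keys() & live.keys() if good[p] != live[p]),
    }


def build_sample():
    """Constructed sample: a clean tree and a 'live' tree with one page altered
    and one extra file dropped in. Returns (good_dir, live_dir)."""
    base = tempfile.mkdtemp(prefix="sitediff-")
    files = {
        "good/index.html": b"<html><body>welcome</body></html>",
        "good/js/app.js": b"console.log('app');",
        "live/index.html": b"<html><body>welcome</body><script src=x></script></html>",
        "live/js/app.js": b"console.log('app');",
        "live/images/dropper.php": b"<?php /* constructed stand-in for an injected file */",
    }
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(base, rel)), exist_ok=True)
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(data)
    return os.path.join(base, "good"), os.path.join(base, "live")


if __name__ == "__main__":
    good, live = sys.argv[1:3] if len(sys.argv) == 3 else build_sample()
    print(compare_trees(good, live))
```

Run it with the two directories as arguments (`python sitediff.py known-good/ live-copy/`); with no arguments it diffs the constructed sample, where the dropped-in PHP file shows under "added" and the altered homepage under "modified".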