
Something seems to have either hacked a webserver, or we have some sort of semi-malicious code running that keeps injecting code into our website. It seems to affect just a couple of ColdFusion and HTML files. We've run Malwarebytes, Spybot, and AVG antivirus and removed any entries they found, though there weren't many. I'm in the process of researching and installing some intrusion detection software (like Snort or OSSEC) to see if this will help me find the culprit, but I was wondering if anyone had ever seen anything like this or knew where malicious code could be hiding.

It appears to inject the following code:

<iframe scrolling="no" frameborder="0" src="http://www.collegefun4u.com/" width="0" height="0"></iframe>

into a couple of files every night, at completely random times.

This is on a Windows 2003 server, running ColdFusion MX7. Nothing appears in the logs/Event Viewer when these files are changed.

user44650
  • Any more details? What system is installed there: Windows, Linux or Unix? What web server is running? Can you provide some additional logs? UPDATE: I'm assuming it's Windows (based on AVG)? Which version? – kenorb Aug 09 '12 at 13:24
  • Do you have a backup of your source code somewhere like version control to run a diff against? – Justin Dearing Aug 09 '12 at 13:27
  • We have a development server which is not affected by this; only the external-facing server is doing this. When the files are changed, we replace the changed file with the original from the dev server, but nightly whatever is running changes the files again. – user44650 Aug 09 '12 at 13:30
  • Is it possible to completely replace the live site from a known clean backup or dev server? (Just in case there is some malicious code on the webserver you haven't found) – DaveP Aug 09 '12 at 13:35

1 Answer


The first thing to do is immediately check out what collegefun4u is all about.

Requesting the site in a safe way and unpacking the JS code behind it, we get:

www.collegefun4u.com/ benign
[nothing detected] www.collegefun4u.com/
     status: (referer=http:/twitter.com/trends/) saved 1205 bytes 3667a08e039642842c11744f464163baa186e4da
     info: [decodingLevel=0] found JavaScript
     error: undefined variable s
     info: [1] no JavaScript
     file: 3667a08e039642842c11744f464163baa186e4da: 1205 bytes
     file: f9e4048e7e87436e12343dbcd9d467a31f0c972e: 93 bytes

Decoded Files
3667/a08e039642842c11744f464163baa186e4da from www.collegefun4u.com/ (1205 bytes, 17 hidden)

<html>
<head>
<title>Top 3 Webhosting</title>
<meta content="text/html; charset=iso-8859-1" http-equiv='Content-Type'>
<body>
<script> </script>
<table border='0' cellspacing='0' cellpadding='0' width='960' height="100%">
<tbody>
<tr>
    <td>
        <a target="_self" href="http://rover.ebay.com/rover/1/711-53200-19255-0/1?icep_ff3=1&pub=5574678674&toolid=10001&campid=5335950793&customid=&ipn=psmain&icep_vectorid=229466&kwid=902099&mtid=824&kw=lg">Shopping In Ebay For The Cheapest</a>
    </td>
    <td>
        <a href="http://stats.justhost.com/track?c998ec72c307330822d1608c2d6651a1f">JustHost</a>
    </td>
    <td>
        <a href="http://secure.hostgator.com/~affiliat/cgi-bin/affiliates/clickthru.cgi?id=hydmedia-">Hostgator</a>
    </td>
</tr>
</tbody>
</table>
</body>
<script type="text/javascript">
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-33569939-1']);
    _gaq.push(['_trackPageview']);
    (function() {
        var ga = document.createElement('script');
        ga.type = 'text/javascript';
        ga.async = true;
        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
        var s = document.getElementsByTagName('script')[0];
        s.parentNode.insertBefore(ga, s);
    })();
</script>
</html>

f9e4/048e7e87436e12343dbcd9d467a31f0c972e from www.collegefun4u.com/ (93 bytes)

//jsunpack.called CreateElement script  //jsunpack.url http://www.google-analytics.com/ga.js 

Note that I beautified the HTML for easier reading.

As you can see, it at least does not try to harm your users in any way but just inserts some webhosting (learned from the title) spam: three links in a table that span across your whole screen. It should also be noted that they're analysing your traffic through Google Analytics.

Looking further on the internet, I've found a similar case that appears to have the same problem as you. A request to his page later loads in the collegefun4u site. URL Query is quite smart and tells us it detected a BlackHole exploit kit HTTP GET request.

Exactly: the BlackHole exploit kit is gaining fame these days for adjusting files on servers. They simply use zero-day exploits in various types of server software to be able to adjust files, so that they can spam or infect many clients.

The bottom line of the story here is threefold:

  1. Track the versions of your server and its software and make sure everything is updated; this goes from Apache / IIS to Plesk to your framework to phpMyAdmin and beyond.

  2. Make sure you configure anything facing the internet so that it cannot write to your disk; this mostly means configuring Plesk / PHP / file permissions right.

  3. If it continues to happen, make sure that you log file accesses so that you know which process is doing this. On Windows you have Process Monitor for this; set it to filter on .html and/or .js files so you don't fill your page file with all accesses. This might teach you more...

Tamara Wijsman
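A file-integrity check along the lines of the "diff against version control" comment and point 3 of the answer, as an added example that is not part of the original post: it hashes a clean tree (the dev server in the question), rescans the live web root, and flags files whose hash changed or that now contain a zero-size iframe like the injected one. The directory layout, the scanned extensions and the sample files are assumptions constructed for the demo.

```python
import hashlib, os, re, tempfile

# Shape of the injected tag: an <iframe> whose width and height are both 0, in either order.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b(?=[^>]*\bwidth=["\']?0["\'\s>])(?=[^>]*\bheight=["\']?0["\'\s>])[^>]*>',
    re.IGNORECASE)
SCAN_EXT = (".cfm", ".cfc", ".html", ".htm", ".js")  # assumed set of web file types

def build_baseline(root):
    """Relative path -> SHA-1 of every web file under a tree (e.g. the clean dev server)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SCAN_EXT):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as f:
                    baseline[os.path.relpath(full, root)] = hashlib.sha1(f.read()).hexdigest()
    return baseline

def find_hidden_iframes(text):
    """Every zero-size iframe tag in a document, such as the collegefun4u one quoted above."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(text)]

def scan(live_root, baseline):
    """Flag live files whose hash left the baseline or that now carry a hidden iframe."""
    findings, current = {}, build_baseline(live_root)
    for rel, digest in current.items():
        reasons = []
        if rel not in baseline:
            reasons.append("not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash changed")
        with open(os.path.join(live_root, rel), encoding="latin-1") as f:
            reasons += ["hidden iframe: " + t[:60] for t in find_hidden_iframes(f.read())]
        if reasons:
            findings[rel] = reasons
    findings.update((rel, ["missing on live"]) for rel in baseline if rel not in current)
    return findings

def demo():
    """Constructed sample: a clean dev copy and a live copy with one injected file."""
    clean = "<html><body>Welcome</body></html>\n"
    tag = ('<iframe scrolling="no" frameborder="0" src="http://www.collegefun4u.com/" '
           'width="0" height="0"></iframe>')
    with tempfile.TemporaryDirectory() as dev, tempfile.TemporaryDirectory() as live:
        for root, body in ((dev, clean), (live, clean.replace("</body>", tag + "</body>"))):
            for name, text in (("index.cfm", body), ("about.html", clean)):
                with open(os.path.join(root, name), "w") as f:
                    f.write(text)
        return scan(live, build_baseline(dev))
```

Run `demo()` to see the injected index.cfm flagged with both reasons while the untouched about.html stays silent; in practice you would persist the baseline dictionary and run `scan` from a scheduled task.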