
My web server has been badly infected by an unknown cause. Every single page from any of the websites hosted on the server gets injected with an iframe script.

  • Day 1: our web server software was Apache. After becoming confident that no web script had been modified, we looked at this article (https://blog.sucuri.net/2013/01/server-side-iframe-injections-via-apache-modules-and-sshd-backdoor.html), which said an Apache module might be compromised so that all TCP packets get modified before being sent to the web browsers.

  • Day 2: We replaced Apache with Nginx. It ran fine for a day without a problem.

  • Day 3: Our customers informed us of the same problem, and Google Chrome shows the "Site not safe" warning for all websites hosted on the server.

Desperately, we backed up everything, changed the hard drive, and installed a brand new OS (FreeBSD 10.2, previously FreeBSD 8.4). With the bare OS and a new Nginx server, we tested a request to the server; the request still got infected with the iframe.

We ran the newest clamav and rkhunter, but nothing was found.

The photo shows the test Nginx request with the infection.

Bill.N
  • If i understand this correctly you are saying a brand new server, with new software, your backup never touches the new server and when you load Nginx for the first time you still get this iframe injection on the default landing page? – Anthony Fornito Dec 30 '16 at 15:24
  • @AnthonyFornito: it is the same server, just new hard drive and new software. Yes, I still get the injection for the default page. I still have no idea where to look for solution. – Bill.N Dec 30 '16 at 16:09
  • You got me, damn Russians. – Anthony Fornito Dec 30 '16 at 16:14
  • Is it the same domain name, IP address? So when you load the new server, and setup the site, install Nginx are you browsing by IP or Domain name? Not that I think it makes a difference. – Anthony Fornito Dec 30 '16 at 16:17
  • Also just to confirm you did not load the backups to the new server before you tested the new site correct? – Anthony Fornito Dec 30 '16 at 16:20
  • Check this out, similar but not duplicate http://stackoverflow.com/questions/11955634/iframe-injection-attack-followed-us-to-new-server – Anthony Fornito Dec 30 '16 at 16:22
  • Yes, to make sure that the web code is not the culprit, I tested without anything (as the photo shows, it is the default Nginx welcome page). I don't know why a clean install did not solve the problem. Perhaps it resides in the firmware? – Bill.N Dec 30 '16 at 16:29
  • It's possible. Looking online I'm seeing a lot of articles from as far back as 2011; some suggest it could infect router firmware or the browsers, but how is it able to write to files on a new OS if the permissions are set correctly? – Anthony Fornito Dec 30 '16 at 16:39
  • It might not be able to write files to the OS; it might just intercept the TCP traffic and inject code in there. It's just my best guess. – Bill.N Dec 30 '16 at 16:43
  • I'm curious if the same thing will happen if you use a different flavor of Linux like CentOS. – Anthony Fornito Dec 30 '16 at 18:55
  • Is there any kind of proxy in front of your web server? – Katherine Villyard Dec 30 '16 at 22:26
  • Possible duplicate of [How do I deal with a compromised server?](http://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – user9517 Dec 30 '16 at 22:27
  • You also need to make sure your own computers aren't compromised. – Michael Hampton Dec 30 '16 at 22:29
  • As mentioned, my desperate measure was to install a new OS on new hardware. In the OS, only nginx and clamav are installed, nothing else. But the test still shows the iframe injection. I suspect something to do with a higher level than the OS. – Bill.N Dec 31 '16 at 02:56
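One way to confirm the in-transit injection the comments above speculate about, as an added example for this thread rather than code from the question or its answers: compare what a client on the network receives with the file nginx actually serves from disk, and report any iframe/script/object/embed resource that exists only in the received copy. The nginx-style welcome page and the hidden iframe pointing at the hypothetical host injected.example below are constructed sample data; the optional fetch helper uses only the standard library.

```python
"""Detect HTML injected between the web server and the client by diffing the
embedded resources of the served file against the document a client receives.
Added example for this thread; the sample pages are constructed, not captured."""
from html.parser import HTMLParser
from typing import List, Tuple
import urllib.request


class _ResourceCollector(HTMLParser):
    """Collect (tag, src) pairs for tags that can pull in third-party content."""
    WATCH = {"iframe", "script", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names, so the WATCH set is case-insensitive.
        if tag in self.WATCH:
            src = dict(attrs).get("src") or ""
            self.found.append((tag, src))


def embedded_resources(html: str) -> List[Tuple[str, str]]:
    """Return every (tag, src) pair in the document, in document order."""
    parser = _ResourceCollector()
    parser.feed(html)
    return parser.found


def find_injected(origin_html: str, received_html: str) -> List[Tuple[str, str]]:
    """Resources present in the received document but absent from the origin
    copy. Comparing sets of (tag, src) pairs means whitespace or ordering
    changes in transit do not raise a false alarm; only new resources do."""
    origin = set(embedded_resources(origin_html))
    return sorted(set(embedded_resources(received_html)) - origin)


def fetch(url: str, timeout: float = 10.0) -> str:
    """Fetch a page the way a client on the network sees it (cache bypassed).
    Not called in the offline demo below; use it against your own host."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed stand-in for the on-disk nginx welcome page.
ORIGIN_HTML = """<!DOCTYPE html><html><head><title>Welcome to nginx!</title></head>
<body><h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and working.</p>
</body></html>"""

# Constructed stand-in for what the client received: same page plus a hidden
# iframe that the server never sent. injected.example is a placeholder host.
RECEIVED_HTML = ORIGIN_HTML.replace(
    "</body>",
    '<iframe src="http://injected.example/ad.html" width="1" height="1" '
    'style="display:none"></iframe></body>',
)


if __name__ == "__main__":
    for tag, src in find_injected(ORIGIN_HTML, RECEIVED_HTML):
        print(f"injected in transit: <{tag} src={src!r}>")
```

In practice, `origin_html` is read from the file under nginx's document root (or fetched from `http://127.0.0.1/` so the path never leaves the host) and `received_html` comes from `fetch()` run on a machine outside the hosting network; a non-empty result pinpoints the injection to the path between the two, which is exactly what this thread ended up suspecting. An in-path device can only rewrite cleartext, so running the same comparison against an HTTPS URL makes a useful control.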

1 Answer


It seems that the problem has been solved after convincing the hosting provider to check their network router.

I hope it won't occur again. Thanks everyone for commenting.

Bill.N
  • Using https rather than http should prevent this from happening in the future, even if the network your server is on is compromised again. – 84104 Jan 06 '17 at 18:35
  • Can we get a little more detail as to what happened? What did the hosting provider find? – Anthony Fornito Jan 09 '17 at 18:39