Security Basics mailing list archives

Re: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!


From: Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com>
Date: Fri, 9 Sep 2011 01:39:15 +0430

Hi.
First, I should say that I've taken my site down to protect our
clients. Also, I think that if more clients' anti-virus programs detect
this vulnerability, the domain name will be put on the blacklists in
anti-virus databases, so I think I had to do that. Therefore, if I
tell you the address it won't solve any problem, because there
isn't anything there now.
Of course, I've searched all the files more carefully and I found that
there is strange JavaScript code in some PHP files. To see the
source of this JavaScript, please look at the attachment. Now I know that
it is undoubtedly a hacking attack. But I don't know how a hacker is
able to do such a traffic attack! I contacted the hosting service and they
assured me that there isn't any exploit in cPanel or any other stuff
that is related to them. On the other hand, the only open-source program
that I use on our site is WordPress. As "Justin Babey" said, I think
they've used a bug in WordPress for the injection.
Now I want to ask you two important questions. Please see the script in
the attachment and answer these questions:
1. I want to know: if I remove WordPress and install the latest
version, and clear every file that contains this JavaScript, will the site
be secure?
2. If the hacker could append this code to the files, he could have read
those PHP files too. So he now knows everything, even about my own PHP
scripts. What do I have to do to defend against future attacks
that they can carry out using these exposed sources?
Thanks for your help.


On Thu, Sep 8, 2011 at 8:41 PM, Henri Salo <henri () nerv fi> wrote:
On Thu, Sep 08, 2011 at 09:51:42AM +0100, charlie () funkymunkey com wrote:
That isn't 'a' header, it's a whole GET request and response. I'm
assuming there is a bit of JavaScript that appears on every page of
your site that makes the browser send this GET request. The best
option would be to load up your website in a browser and look
through the code, or look through the code on the web server and find
out where that request is coming from.
At least you can be sure that nothing malicious is going on from
your website, as this request is met by a 404, meaning that the
supposed malicious script does not exist.

No, he should NOT go there using a normal browser. If this is a drive-by attack, the URL might become alive again and
he would get infected. At least I suggest that he disable JavaScript, but that might not help if the URL is using
another attack vector, like a vulnerability in a PDF reader or the browser. I would like to investigate this issue,
but I haven't received the URL of the web site even though I requested it.

Best regards,
Henri Salo
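The thread recommends finding the injected code by reading the files on the web server rather than loading the site in a browser. The following script is an added example for this archive, not code posted by any participant: it walks a web root offline and reports `<script src=...>` tags pointing at hosts outside a trusted set, inline scripts with obfuscation markers (`eval(`, `unescape(`, long `%XX` escape runs), and zero-size iframes. The heuristics, the host names (`www.example.com`, `evil.example`), the sample `index.php`/`footer.php` files and the `demo()` wrapper are constructed assumptions for the example.

```python
"""Offline triage of a web root for injected <script> tags and obfuscated inline JS.

Added example for this thread (not code posted by any participant). Rather
than loading the site in a browser, which could trigger the drive-by payload
Henri warns about, it reads the PHP/HTML/JS files on disk and reports where a
request to an untrusted host would originate. Heuristics, host names and the
sample files are constructed assumptions for the example.
"""
import os
import re
import shutil
import tempfile

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.IGNORECASE | re.DOTALL)
IFRAME_RE = re.compile(r'<iframe[^>]*\b(?:width|height)\s*=\s*["\']?0\b', re.IGNORECASE)
# Long runs of %XX or \xXX escapes are typical of injected, packed payloads.
HEX_RUN_RE = re.compile(r'(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}')
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(")


def host_of(url):
    """Return the host of an absolute or protocol-relative URL, else None."""
    m = re.match(r'^(?:https?:)?//([^/:?#]+)', url, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _line(text, pos):
    return text.count("\n", 0, pos) + 1


def scan_text(text, trusted_hosts):
    """Return (kind, line, detail) findings for one file's contents."""
    findings = []
    for m in SCRIPT_SRC_RE.finditer(text):
        host = host_of(m.group(1))
        if host and host not in trusted_hosts:
            findings.append(("external_script", _line(text, m.start()), m.group(1)))
    for m in INLINE_SCRIPT_RE.finditer(text):
        body = m.group(1)
        if any(k in body for k in OBFUSCATION_MARKERS) or HEX_RUN_RE.search(body):
            findings.append(("obfuscated_inline", _line(text, m.start()), body.strip()[:60]))
    for m in IFRAME_RE.finditer(text):
        findings.append(("hidden_iframe", _line(text, m.start()), m.group(0)[:60]))
    return findings


def scan_tree(root, trusted_hosts, exts=(".php", ".html", ".htm", ".js")):
    """Walk a web root and return (relative path, kind, line, detail) tuples."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for kind, line, detail in scan_text(fh.read(), trusted_hosts):
                    results.append((os.path.relpath(path, root), kind, line, detail))
    return results


# Constructed sample files: one clean page, one theme footer with an injection.
CLEAN_PAGE = (
    "<?php /* constructed sample: clean page */ ?>\n"
    '<script src="/wp-includes/js/jquery.js"></script>\n'
    '<script src="https://www.example.com/app.js"></script>\n'
    "<script>document.getElementById('x').innerText = 'ok';</script>\n"
)
INJECTED_FOOTER = (
    "<?php /* constructed sample: theme footer with injected code */ ?>\n"
    "</body></html>\n"
    "<script>eval(unescape('%66%75%6e%63%74%69%6f%6e%20%78%28%29%7b%7d'))</script>\n"
    '<script src="http://evil.example/counter.js"></script>\n'
)


def demo():
    """Write the samples to a temporary web root, scan it, and return the findings."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
            fh.write(CLEAN_PAGE)
        with open(os.path.join(root, "footer.php"), "w", encoding="utf-8") as fh:
            fh.write(INJECTED_FOOTER)
        return scan_tree(root, trusted_hosts={"www.example.com"})
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, kind, line, detail in demo():
        print(f"{rel}:{line}: {kind}: {detail}")
```

Run it against a copy of the web root taken from the server (not over HTTP), and treat every hit as a file to diff against a clean copy of the same WordPress/theme/plugin version. A relative `src` such as `/wp-includes/js/jquery.js` is deliberately not reported, since the point is to find the file that makes the browser call out to a foreign host.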

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


Attachment: javascript
Description:
