Security Basics mailing list archives

Re: There is a strange GET request header in all web pages of my site? I'm worried about a Trojan attack!


From: Henri Salo <henri () nerv fi>
Date: Fri, 9 Sep 2011 09:08:22 +0300

On Fri, Sep 09, 2011 at 01:39:15AM +0430, Ali Asghar Toraby Parizy wrote:
> Hi.
> First, I should say that I've taken my site down to protect our
> clients. Also, I think if more clients detect this vulnerability in
> their anti-virus programs, the domain name will be put on blacklists in
> anti-virus databases, so I thought I had to do that. Therefore, if I
> tell you the address it wouldn't solve any problem, because there
> isn't anything there now.
> Of course I've searched all the files more carefully and I found that
> there is a strange JavaScript code in some PHP files. To see the
> source of this JavaScript, look at the attachment please. Now I know that
> it is a hacking attack, undoubtedly. But I don't know how a hacker is
> able to do such a traffic attack! I contacted the hosting service and they
> assured me that there isn't any exploit in cPanel or any other stuff
> that is related to them. On the other hand, the only open source program
> that I use on our site is WordPress. As "Justin Babey" said, I think
> they've used a bug in WordPress for the injection.
> Now I want to ask you two important questions. Please see the script in
> the attachment and answer these questions:
> 1. First, I want to know: if I remove WordPress and install the latest
> version, and clean every file that contains this JavaScript, will the site
> be secure?
> 2. If the hacker could append this code to the files, he could've read
> those PHP files too. So he now knows everything, even about my own PHP
> scripts. What do I have to do to defend against future attacks
> that they can do using these exposed sources?
> Thanks for your help.

Update WordPress, clean the PHP files and hope they won't attack again.

http://secunia.com/advisories/product/1659/?task=advisories
http://secunia.com/advisories/product/3978/?task=advisories
http://secunia.com/advisories/product/6745/?task=advisories

http://osvdb.org/search/search?search%5Bvuln_title%5D=wordpress&search%5Btext_type%5D=titles&search%5Bs_date%5D=&search%5Be_date%5D=&search%5Brefid%5D=&search%5Breferencetypes%5D=&search%5Bvendors%5D=&search%5Bcvss_score_from%5D=&search%5Bcvss_score_to%5D=&search%5Bcvss_av%5D=*&search%5Bcvss_ac%5D=*&search%5Bcvss_a%5D=*&search%5Bcvss_ci%5D=*&search%5Bcvss_ii%5D=*&search%5Bcvss_ai%5D=*&kthx=search

If your site isn't very big, it is possible to do a security audit of your components. At least make sure you didn't
leak user/password data. It could also be helpful to go through the access logs and see when the real attack
happened and how.

Best regards,
Henri Salo
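The log review Henri recommends, as an added example that is not part of the thread: it flags PHP files whose script tags pull from a host other than the site's own (or use the usual obfuscation helpers), then lists the write-capable requests (POSTs, wp-admin, xmlrpc.php) in the access log shortly before a flagged file's modification time. The allowed hosts, the heuristics and all sample data are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/cPanel "combined" access-log line (standard layout; sample values are constructed).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Injection heuristics: an external script host that is not ours, or common obfuscation helpers.
ALLOWED_HOSTS = {'example.com', 'www.example.com'}   # assumption: the site's own hosts
EXT_SCRIPT_RE = re.compile(r'<script[^>]*\bsrc=["\']https?://([^/"\']+)', re.I)
OBFUSCATION_RE = re.compile(r'\b(eval|unescape|String\.fromCharCode)\s*\(', re.I)

def parse_access_log(lines):
    """Parse combined-format lines into dicts with an aware datetime; malformed lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            entries.append({'ip': m.group('ip'), 'ts': ts, 'method': m.group('method'),
                            'path': m.group('path'), 'status': int(m.group('status'))})
    return entries

def injected_files(sources):
    """sources maps file path -> contents. Return the paths that match an injection heuristic."""
    hits = []
    for path, body in sources.items():
        hosts = {h.lower() for h in EXT_SCRIPT_RE.findall(body)}
        if (hosts - ALLOWED_HOSTS) or OBFUSCATION_RE.search(body):
            hits.append(path)
    return hits

def write_requests_before(entries, modified_at, minutes=30):
    """Requests in the window before a file's mtime that could have written it:
    POSTs, or anything touching wp-admin/ or xmlrpc.php (WordPress's write paths)."""
    lo = modified_at - timedelta(minutes=minutes)
    return [e for e in entries if lo <= e['ts'] <= modified_at
            and (e['method'] == 'POST' or '/wp-admin/' in e['path'] or 'xmlrpc.php' in e['path'])]

# Constructed sample data (not from the thread): two theme files and a few log lines.
SAMPLE_SOURCES = {
    'wp-content/themes/x/footer.php': '<?php wp_footer(); ?>\n<script src="https://www.example.com/app.js"></script>',
    'wp-content/themes/x/header.php': '<?php get_header(); ?>\n<script src="http://bad.invalid/x.js"></script>',
}
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2011:03:01:10 +0300] "GET /index.php HTTP/1.1" 200 5123',
    '203.0.113.5 - - [08/Sep/2011:03:12:44 +0300] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [08/Sep/2011:03:13:02 +0300] "GET /?p=12 HTTP/1.1" 200 8810',
    'garbage line that is skipped',
]
MODIFIED_AT = datetime(2011, 9, 8, 3, 15, tzinfo=timezone(timedelta(hours=3)))  # header.php mtime
```

On a real server, build `sources` by reading the web root and take `modified_at` from each flagged file's mtime; the IPs that appear in the resulting window are the ones to look up across the rest of the log.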
