Security Basics mailing list archives
Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack!
From: BugBear <gryzli.the.bugbear () gmail com>
Date: Thu, 8 Sep 2011 21:48:22 +0300
Hello,

For sure your web site has been compromised. Based on my experience, here is some advice for finding the malicious redirection:

1. You can try to filter out the files that have been modified since you encountered the problem. For example, find all files modified after September 6, or maybe the day before...
- After you find those files, you can search them for the URL you've mentioned (carlos.c0m.li). If you are lucky, the URL will be there in clear text.
- Of course, you can issue the text search to all of your web files.
- If you don't find the URL in clear text, you can try to search for the "eval / gzinflate / base64_decode" PHP functions, which are not part of your code. There are lots of cases out there where the attacker masks the redirection (the iframe) within eval/base64_decode functions (because this way it's harder to find).

2. As dishix () googlemail com said, there is a possibility that the code was injected via SQL injection. Again, you can check this if you issue a search (for carlos.c0m.li or just "carlos") on the database files or through an SQL search query over all the tables & records.

And I think that your main goal must be finding the source of the problem (not only the infected files/database): how did they hack you? Here are some proposals:
- hacked/brute-forced or spywared FTP account
- web exploit in your system (RFI, LFI, ...)
- check your access logs
- SQL injection - this is the most harmless case (in my opinion)

Good luck.
Best Regards

On Thu, 8 Sep 2011 00:01:19 +0430 Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> wrote:
Hi.

Today I found that Kaspersky Anti-Virus has blocked my site and says to the clients that this site is affected by a Trojan. On the other hand, I usually surf the Internet using Firefox. But today I used IE to open my own site, and IE gives me the following warning: "This page contains content that will not be delivered using a secure HTTPS connection..."

I traced my site with the Fiddler debugging tool and I found that each time I send a request to the site, a GET request is established to the following URL: "http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7"

I've searched for "carlos.c0m.li" on the internet and I saw in "Google Safe Browsing" something about that host at the following URL: http://google.com/safebrowsing/diagnostic?site=carlos.c0m.li/

Google says that that host has malware. Please look at that report and suggest a way to remove this bad thing from my site. I've searched most of my public html directory, but I haven't found any file that makes the following HTTP header. I have no idea. How can I find that?

----- this is the header that Fiddler detects for every file that I open on my site:

GET /iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: carlos.c0m.li

HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 18:42:02 GMT
Server: Apache/2
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 233
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html
------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
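A triage script for the steps in BugBear's reply above (an added example, not code from the thread): it lists files modified after a given date, greps them for the indicator and for the obfuscation functions named, and dumps the database to search for the same string. It assumes GNU find and grep; the database step assumes mysqldump with credentials already configured in ~/.my.cnf.

```shell
#!/bin/sh
# Added example, not code from the thread: triage helpers for the steps
# BugBear lists. Assumes GNU find (-newermt) and GNU grep; the web root,
# the date and the indicator string are supplied by the caller.

# recent_files WEBROOT SINCE
#   Step 1: list regular files modified after SINCE (any date string
#   understood by find -newermt, e.g. "2011-09-06").
recent_files() {
    find "$1" -type f -newermt "$2"
}

# find_indicator WEBROOT SINCE STRING
#   Recently modified files that contain STRING in clear text.
#   -F makes the match literal, so the dots in a hostname are not wildcards.
find_indicator() {
    find "$1" -type f -newermt "$2" -exec grep -lF -- "$3" {} +
}

# find_obfuscation WEBROOT SINCE
#   Recently modified files that call the PHP functions typically used to
#   hide an injected iframe: eval, gzinflate, base64_decode. Every hit is a
#   candidate to review, not proof: legitimate code uses these as well.
find_obfuscation() {
    find "$1" -type f -newermt "$2" \
        -exec grep -lE 'eval[[:space:]]*\(|gzinflate[[:space:]]*\(|base64_decode[[:space:]]*\(' {} +
}

# scan_database DBNAME STRING
#   Step 2: dump every table one row per INSERT line and grep for STRING,
#   which catches content injected through SQL into stored pages or posts.
#   Assumes mysqldump can read credentials from ~/.my.cnf.
scan_database() {
    mysqldump --skip-extended-insert "$1" | grep -nF -- "$2"
}
```

Run the file-level checks first with the date the problem appeared; widen the date only if they come back empty, since the mtime filter is what keeps the output reviewable.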
Current thread:
- There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Ali Asghar Toraby Parizy (Sep 07)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! charlie (Sep 08)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Henri Salo (Sep 08)
- RE: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Kropotov, Vladimir B. (Sep 09)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Ali Asghar Toraby Parizy (Sep 09)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Henri Salo (Sep 09)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Remo Cornali (Sep 12)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Henri Salo (Sep 08)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! charlie (Sep 08)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! Henri Salo (Sep 08)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! dishix (Sep 08)
- Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack! BugBear (Sep 09)