nanog mailing list archives
RE: Malicious code just found on web server
From: "Chuck Schick" <chasjs () warp8 com>
Date: Tue, 21 Apr 2009 11:51:16 -0600
We have seen this twice recently... we have tracked it back to a worm which steals unencrypted FTP information from a desktop. We tracked it down because it occurred on 7 or 8 sites that were on different servers, both Linux and Windows... some had no database associated with them. The only common thing on these sites was they all had the same web developer. She confirmed she was using FileZilla, which does not encrypt the passwords; she also confirmed that she had found a virus/worm on her machine a few weeks before. The same thing was found on other websites that she maintained that we did not host.

FTP logs confirmed that a bot was making the changes through FTP. The bot seems to inject a JavaScript and IFrame in all pages that are named index.* - it changed HTML, php and asp extensions.

Chuck Schick
Warp 8, Inc.
(303)-421-5140
www.warp8.com

-----Original Message-----
From: Mike Lewinski [mailto:mike () rockynet com]
Sent: Monday, April 20, 2009 11:23 AM
To: nanog () nanog org
Subject: Re: Malicious code just found on web server

Paul Ferguson wrote:
Most likely SQL injection. At any given time, there are hundreds of thousands of "legitimate" websites out there that are unwittingly harboring malicious code.
Most of the MS-SQL injection attacks we see write malicious javascript into the DB itself so all query results include it. However, I'm not sure how easy it is to leverage to get system access - we've seen a number of compromised customer machines and there didn't appear to be any further compromise of them beyond the obvious.

In the OP's case it sounds like static HTML files were altered. My bet is that an ftp or ssh account was brute forced.

Mike
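An added example, not part of any message in this thread: one way to look for the pattern Chuck describes (a single FTP client overwriting index.* files across several sites) in transfer logs. It assumes the common xferlog layout; the sample lines, account name, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the common xferlog layout (assumed format).
# Hosts, paths and the account name are made up for illustration.
SAMPLE_XFERLOG = """\
Mon Apr 20 09:14:02 2009 1 198.51.100.7 5120 /home/siteA/htdocs/about.html a _ i r webdev ftp 0 * c
Tue Apr 21 03:10:11 2009 1 203.0.113.45 4096 /home/siteA/htdocs/index.html a _ o r webdev ftp 0 * c
Tue Apr 21 03:10:13 2009 1 203.0.113.45 4310 /home/siteA/htdocs/index.html a _ i r webdev ftp 0 * c
Tue Apr 21 03:10:20 2009 1 203.0.113.45 2290 /home/siteB/www/index.php a _ i r webdev ftp 0 * c
Tue Apr 21 03:10:27 2009 1 203.0.113.45 1875 /home/siteC/wwwroot/index.asp a _ i r webdev ftp 0 * c
Tue Apr 21 11:30:00 2009 1 198.51.100.7 3001 /home/siteB/www/index.php a _ i r webdev ftp 0 * c
"""

INDEX_RE = re.compile(r"(^|/)index\.[^/]+$", re.IGNORECASE)

def parse_uploads(text):
    """Yield (time, host, user, path) for completed uploads of index.* files."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # not a full xferlog record
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        host, path, direction, user, status = f[6], f[8], f[11], f[13], f[17]
        if direction == "i" and status == "c" and INDEX_RE.search(path):
            yield when, host, user, path

def find_bulk_index_rewrites(text, min_dirs=3, window=timedelta(minutes=5)):
    """Return {(user, host): sorted dirs} where one client overwrote index.*
    in at least min_dirs directories inside the time window."""
    by_client = defaultdict(list)
    for when, host, user, path in parse_uploads(text):
        by_client[(user, host)].append((when, path.rsplit("/", 1)[0]))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            dirs = {d for t, d in events[i:] if t - start <= window}
            if len(dirs) >= min_dirs:
                hits[client] = sorted(dirs)
                break
    return hits

if __name__ == "__main__":
    for (user, host), dirs in find_bulk_index_rewrites(SAMPLE_XFERLOG).items():
        print(f"{user} from {host} rewrote index.* in {len(dirs)} directories: {dirs}")
```

A hit is a lead for review, not proof: compare the flagged address against the ones the account's owner normally connects from, then rotate the account's password.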