Webmaster Forums - Webmaster forum for HTML, PHP, ASP, CSS and more
11-16-2006, 02:07 AM   #11
brettrigby
Junior Member
Join Date: Oct 2006
Posts: 6
Re: Page being hijacked!

AND...

I have been keeping track of the files that are infected each day, and the time that I saved them last, as well as the time the file was last edited by this 'problem'.

As it happens, it appears that the files are being edited by this other program, which is date-stamping them to exactly the same date and time as when I removed it!

Is it me, or am I going mad?
11-27-2006, 11:15 AM   #12
fred
Junior Member
Join Date: Nov 2006
Posts: 3
Re: Page being hijacked!

Quote:
Originally Posted by cool da man
I have a huge problem with pages on my server being hijacked. A snippet of code gets added after the end of a closed HTML tag. The code contains a link to a website with JavaScript or iframe tags.

This code basically opens dozens of websites (popups), therefore disabling my website.

The code appears on different pages within the site every 2-4 hours, even when I change permissions on the actual file. It seems to be copying the file each time and overwriting it.

The code contains the following data:
coon.js
nb88.cn

I have changed the permissions for each folder on the server but it still comes back.

Also, I've noticed that the code does not appear when I have 2 connections open to the server using Terminal Services, but as soon as one closes the code appears.

I need a solution to this; any comments are welcome.

I can help you with this. Please call 1-416-640-3440

fred
12-03-2006, 01:00 AM   #13
brettrigby
Junior Member
Join Date: Oct 2006
Posts: 6
Re: Page being hijacked!

Hi Fred,

Are you able to help me as well? Unfortunately, I live in the UK... are there any suggestions you can offer online?

Kind regards,


Brett
12-03-2006, 11:55 AM   #14
visio
Junior Member
Join Date: Aug 2006
Posts: 36
Re: Page being hijacked!

Probably Fred is the one who hijacked the site!
First post, and why doesn't he just tell us the problem? Ummm, Freddy?
12-03-2006, 12:17 PM   #15
visio
Junior Member
Join Date: Aug 2006
Posts: 36
Re: Page being hijacked!

My suggestion is: clean up the site, make sure it is working, and then for the next few days check what your visitors did when they arrived at your site. Check the logs as well; you will most probably find:
http://yoursite.com?page=http://anothersite/something?
This would be the culprit.
What happens is that sometimes a script has some kind of vulnerability, and not one but a number of people will go around exploiting it, sometimes just for the sake of disturbing.
Right at this moment I'm deleting a script I have for an article directory to replace it with another one, because in the last week I used up 14 GB of bandwidth. Some kind of vulnerability in the old script, and I got this visitor:
http://marketerscenter.com/articles/...usic.com/c.in?
plus a number of others with the same script. I think the original came from a group called chaos!
12-12-2006, 09:59 PM   #16
casey3353
Junior Member
Join Date: Dec 2006
Posts: 3
Re: Page being hijacked!

I've got this same problem. I've been working away at it for a while and I'll discuss what I've found.

For me, I have 3 websites on the one server. I was getting a combination of <script> tags and iframes, like what's been described already. These were being inserted into header and footer include files which get loaded into every page.

The suspicious things I found were:
Iexplore.exe process being run under the "System" account
A suspicious service being run called "Dns Service". This service runs an executable at c:\program files\common files\system\setup

There's a few other things, like registry settings, but I haven't gotten to the bottom of it all just yet. If you try doing a search through your regedit for "dnssvr" or "Dns Service", you'll find these keys. To delete these keys, you need to adjust the permissions.

The event logs get deleted whenever this "Dns Service" service is run.

Under all of "C:\program files", there's new permissions giving "TERMINAL SERVICE USER" group modify access, recursive through all subdirectories.

I think this is one of the key ways it keeps itself infected: by logging in under a new terminal server session as a service account (not sure how, but bear with me) and running a heap of commands, setting the "Dns Service" back up if it's deleted, before clearing the event logs. Backing this up is an earlier post about how the problem wouldn't happen if people were logged in via terminal server (the process wouldn't be able to run, as the server would be at its limit of 2 in administrator mode).

In my particular case, I didn't find any other user accounts created, and I've changed all my passwords. In the past, I've tried deleting these hidden files under "C:\program files\common files\system\" and the suspicious registry keys. However, even doing this much wouldn't fix the problem, so I'm going to assume there's some other file that's reinfecting somehow and setting everything back up.

I've also run ewido and AVG antivirus. The first time I did this, I found a backdoor, which is how I think this problem all started. Since then I haven't found anything else.

I'm still investigating this, and I'll report back if/when I find more.

12-12-2006, 10:05 PM   #17
casey3353
Junior Member
Join Date: Dec 2006
Posts: 3
Re: Page being hijacked!

Just re-reading my reply, I hope I have made enough sense. If you have any questions, please feel free to ask.

At this point, I've successfully stopped and deleted this service, and I'm waiting for the signs that it's reinfected again and re-inserted the "<script>" code back into my pages. I've got some debugging programs running to catch it in the act, and hopefully can figure this out.
12-15-2006, 01:51 AM   #18
casey3353
Junior Member
Join Date: Dec 2006
Posts: 3
Re: Page being hijacked!

Okay so I've figured this out.

It's a vulnerability with your DB access and querystring/form data manipulation, which allows a hacker to inject SQL code into your DB. I know this doesn't sound like it could let someone alter files, but it's quite elaborate.

In the "master" DB on a MS SQL server, there's an extended stored procedure called "xp_cmdshell" which allows SQL to perform cmd line instructions. Apparently it's a stored procedure that's required for replication and a number of other things.

So... what do they do? They send through a series of commands in the form of HTTP requests to create a .vbs script in your C: root. This .vbs script is just a downloader which saves the result to the C drive. This is how they can download their trojan to your computer. They then run this trojan, which is basically a rootkit. I didn't go into how the trojan exactly works, but Ewido picked it up, which is a relief. They use the trojan to run commands and insert code into your pages. It's quite sneaky, as it can even get around the ACLs (I'd tried setting "deny" permissions on the change action on files which were being changed).

So how do you fix the problem? Fix your initial database logins to not have dbo or sa access to the DB server. Lock down your DB access. There's a heap of write-ups on how to do this. Also, fix your DB requests so that you replace single quotes ' with double single quotes '':
Replace(vString, "'", "''")

FWIW, the trojan executables are downloaded from
NB88


This is a very small example of what the page requests look like. This example will just delete any boot.vbs script and create the first line in a new file.
Code:
page.asp?id=2';exec%20master.dbo.xp_cmdshell%20'del%20C:\boot.vbs'
page.asp?id=2';exec%20master.dbo.xp_cmdshell%20'echo%20on%20error%20Resume%20Next%20%20%20%20%20%20%20%20%20%20%20%20>>%20C:\boot.vbs';exec%20master.dbo.sp_dropextendedproc%20'xp_cmdshell'
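Both visio's advice (check the logs for requests like http://yoursite.com?page=http://anothersite/something?) and the page.asp?id=2';exec ... requests casey3353 posted are things that show up in the web server's access log. The script below is an added example and not code from anyone in this thread: it reads IIS W3C extended log records, URL-decodes cs-uri-query, and flags the indicators discussed here (a quote followed by a stacked statement, xp_cmdshell, sp_dropextendedproc, and a parameter whose value is another site's URL). The log records are constructed for the example; the field layout assumed is the IIS 6 default W3C format.

```python
"""Scan IIS W3C extended log records for the request patterns this thread
describes: a quote that breaks out of a string parameter followed by a
stacked statement calling master..xp_cmdshell, and parameters whose value
is another site's URL (the ?page=http://anothersite/... pattern)."""

import re
from urllib.parse import unquote_plus

# Indicators are matched against the URL-decoded cs-uri-query, so %20 and
# %27 in the raw log become the space and quote they stand for.
INDICATORS = {
    # a closing quote, a statement separator, then a new statement
    "stacked_query": re.compile(
        r"'\s*;\s*(exec|execute|declare|select|insert|update|delete|drop)\b", re.I),
    # command execution through the extended stored procedure
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    # removing the procedure afterwards, as the second posted request does
    "sp_dropextendedproc": re.compile(r"\bsp_dropextendedproc\b", re.I),
    # a parameter whose whole value is a URL on some other host
    "remote_url_param": re.compile(r"(?:^|&)[^=&]+=(?:https?|ftp)://", re.I),
}


def parse_w3c(lines):
    """Yield one dict per request record, keyed by the field names in the
    #Fields: directive that IIS writes ahead of the records."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            continue  # records before any #Fields line cannot be mapped
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(raw_query):
    """Return the sorted indicator names found in a raw cs-uri-query value
    ('-' is what IIS writes when there is no query string)."""
    if raw_query == "-":
        return []
    decoded = unquote_plus(raw_query)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))


def scan(lines):
    """Return (c-ip, cs-uri-stem, indicators, decoded query) for every
    record that triggers at least one indicator, in log order."""
    hits = []
    for rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")
        found = classify(query)
        if found:
            hits.append((rec.get("c-ip", "-"), rec.get("cs-uri-stem", "-"),
                         found, unquote_plus(query)))
    return hits


# Constructed sample log (not taken from any real server). The two
# injection records carry the request strings posted above, and the
# field list is the IIS 6 default W3C layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-12-14 23:41:02 192.0.2.10 GET /page.asp id=2 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2006-12-14 23:41:09 192.0.2.10 GET /page.asp id=2';exec%20master.dbo.xp_cmdshell%20'del%20C:\\boot.vbs' 80 - 203.0.113.42 Mozilla/4.0 500 0 0
2006-12-14 23:41:10 192.0.2.10 GET /page.asp id=2';exec%20master.dbo.xp_cmdshell%20'echo%20on%20error%20Resume%20Next%20>>%20C:\\boot.vbs';exec%20master.dbo.sp_dropextendedproc%20'xp_cmdshell' 80 - 203.0.113.42 Mozilla/4.0 500 0 0
2006-12-14 23:42:30 192.0.2.10 GET /index.php page=http://anothersite/something? 80 - 203.0.113.99 Mozilla/4.0 200 0 0
2006-12-14 23:43:00 192.0.2.10 GET /articles/view.asp id=17 80 - 198.51.100.8 Mozilla/4.0 200 0 0
"""

if __name__ == "__main__":
    for ip, stem, found, query in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip:15s} {stem:20s} {','.join(found):40s} {query}")
```

Run it on the real file with `scan(open(path))`. The remote-URL indicator will also catch legitimate parameters that carry URLs (redirect targets, for instance), so treat that one as a lead rather than a verdict; the xp_cmdshell and stacked-query hits are the ones to pivot on, by c-ip and timestamp, to find the first request of the session and the script it targeted.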
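The fix posted above doubles single quotes before the value is concatenated into the SQL string. The block below is an added example, not the thread's code: the actual page.asp is not shown here, so the query builders are constructed Python analogues of the usual ASP pattern ("... WHERE id = '" & Request("id") & "'"), and that pattern is an assumption. It runs each variant against an in-memory SQLite database in which a canary table stands in for the damage xp_cmdshell would do, and it also shows the case quote doubling does not cover: a numeric parameter concatenated without quotes, where the payload needs no quote at all. The parameterized query at the end is the fix that covers both contexts. SQL Server executes the whole batch ADO sends, so the stacked statement after the semicolon runs; the sqlite3 module's execute() refuses more than one statement, so executescript() is used to emulate the batch.

```python
"""The quote-doubling fix posted above next to a parameterized query,
both exercised against an in-memory SQLite database. The query builders
are constructed analogues of the classic ASP concatenation pattern
("... WHERE id = '" & Request("id") & "'"); the thread does not show the
real page.asp, so that pattern is an assumption. SQL Server runs the
whole batch ADO sends, so a stacked statement after ';' executes; the
sqlite3 module's execute() refuses more than one statement, so
executescript() is used below to emulate the batch behaviour."""

import sqlite3


def fresh_db():
    """Two tables: the one the page queries, and a canary that stands in
    for the damage xp_cmdshell would do if the injected statement runs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id TEXT PRIMARY KEY, title TEXT);
        INSERT INTO pages VALUES ('1', 'Home'), ('2', 'About');
        CREATE TABLE canary (x INTEGER);
    """)
    return conn


def canary_survives(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'canary'"
    ).fetchone()
    return row[0] == 1


# --- string-context parameter: the value sits between quotes ------------
def concat_quoted(id_value):
    # vulnerable: the request value is spliced straight into the SQL text
    return "SELECT title FROM pages WHERE id = '" + id_value + "'"


def escaped_quoted(id_value):
    # the posted fix: Replace(vString, "'", "''") before concatenating
    return "SELECT title FROM pages WHERE id = '" + id_value.replace("'", "''") + "'"


# --- numeric-context parameter: no quotes around the value ---------------
def concat_numeric(id_value):
    # vulnerable: an integer column, so the value is concatenated bare
    return "SELECT title FROM pages WHERE id = " + id_value


def escaped_numeric(id_value):
    # quote doubling does nothing here: a payload like 2;DROP TABLE ...
    # contains no quote to double, so it passes through unchanged
    return "SELECT title FROM pages WHERE id = " + id_value.replace("'", "''")


def run_batch(builder, payload):
    """Build the query with `payload` as the request parameter, run it as
    one batch against a fresh database and return True if the canary
    survived (nothing was injected) or False if it was dropped."""
    conn = fresh_db()
    try:
        conn.executescript(builder(payload))
    except sqlite3.Error:
        pass  # a payload that merely breaks the syntax injects nothing
    return canary_survives(conn)


# --- the fix that covers both contexts: bind, don't splice ---------------
def lookup_parameterized(id_value):
    """Parameterized query: the value travels separately from the SQL
    text, so quotes and semicolons in it are only characters. Returns
    (matching titles, canary survived)."""
    conn = fresh_db()
    rows = conn.execute("SELECT title FROM pages WHERE id = ?", (id_value,)).fetchall()
    return [r[0] for r in rows], canary_survives(conn)


if __name__ == "__main__":
    string_payload = "2';DROP TABLE canary;--"   # the '--' eats the closing quote
    numeric_payload = "2;DROP TABLE canary;--"
    cases = [
        ("concatenated, quoted", concat_quoted, string_payload),
        ("quote-doubled, quoted", escaped_quoted, string_payload),
        ("concatenated, numeric", concat_numeric, numeric_payload),
        ("quote-doubled, numeric", escaped_numeric, numeric_payload),
    ]
    for name, builder, payload in cases:
        print(f"{name:24s} canary survives: {run_batch(builder, payload)}")
    print("parameterized, payload:", lookup_parameterized(string_payload))
    print("parameterized, id=2:   ", lookup_parameterized("2"))
```

For a numeric id, converting the request value with int() before it gets anywhere near the SQL text gives the same protection as binding it. Neither replaces the other half of the posted advice: the login the page connects with should not be able to reach master..xp_cmdshell at all, which is what "not dbo or sa" buys you when the next injection slips past the escaping.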
12-15-2006, 08:55 AM   #19
DeadBeet
FrozenWD.Com Owner
Join Date: Nov 2006
Posts: 110
Re: Page being hijacked!

Very nice example!
12-15-2006, 03:55 PM   #20
fred
Junior Member
Join Date: Nov 2006
Posts: 3
Re: Page being hijacked!

This is Fred again. I had a similar problem and spent 3 weeks without sleep. I was able to stop these Chinese Bxxxxxds. I have no sympathy for some of these guys.

I have had no problems since then.

I have a full solution but cannot publish this here as the culprits might change accordingly. I will and can surely help. Email your request to me at fredthetiger@hotmail.com.
Powered by vBulletin® Version 3.8.1
Copyright ©2000 - 2010, Jelsoft Enterprises Ltd.