From: Ashley Sheridan on 28 Apr 2010 19:50 Hi all, This isn't exactly a PHP question, but I don't know anyone else with the collected smarts of this list. Basically, a site I built and am managing has been identified by Google as a source of malware. Now, I've been over the source code with a fine-toothed comb and found nothing, I've gone over the HTML output for anything suspicious, checked every single Javascript file out, looked to see the server headers are correct and aren't malformed, checked the .htaccess is as expected and have run the site against the unmask parasites website which found no problems except the 'suspicious' listing which Google has given it. The Google webmaster tools tell me nothing more than 'Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent.' It won't tell me what pages, although it tells me that the malicious software is hosted on one domain and tells me what it is. Needless to say I can't find that domain string anywhere in the code. I can't find any hidden iframe tags or hidden Javascript eval() statements. Basically now, although this is totally beyond my control, the owner of the site is expecting me to get this sorted asap. I want to, and have spent the entire day today looking at it, but have really come to the point where I'm coming unstuck. I can find nothing wrong with the site at all. Does anyone have any helpful advice for this sort of thing? Tools that I can use to check out the site with, or any bit of information that I can use to fix this? I can give the URL of the site to anyone off-list if they wish to check it out. Thanks, Ash http://www.ashleysheridan.co.uk
From: Daniel Brown on 28 Apr 2010 20:03 On Wed, Apr 28, 2010 at 19:50, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote: > > The Google webmaster tools tell me nothing more than 'Of the 2 pages we > tested on the site over the past 90 days, 2 page(s) resulted in > malicious software being downloaded and installed without user consent.' > It won't tell me what pages, although it tells me that the malicious > software is hosted on one domain and tells me what it is. Needless to > say I can't find that domain string anywhere in the code. I can't find > any hidden iframe tags or hidden Javascript eval() statements. Ash, let me know off-list what the domain is and I'll try to do a scan on it from here this evening. -- </Daniel P. Brown> daniel.brown(a)parasane.net || danbrown(a)php.net http://www.parasane.net/ || http://www.pilotpig.net/ We now offer SAME-DAY SETUP on a new line of servers!
From: Ross McKay on 28 Apr 2010 22:55 On Thu, 29 Apr 2010 00:50:52 +0100, Ashley Sheridan wrote: >This isn't exactly a PHP question, but I don't know anyone else with the >collected smarts of this list. Basically, a site I built and am managing >has been identified by Google as a source of malware. [...] Check the sites you link to. We had a client who had some links to websites that had been turned into malware sites; just having the links to the malware sites was enough to mark that website as a source of malware. We had to advise the client to only add links for actual people they've had contact with, not just people who send them email invitations to exchange links. -- Ross McKay, Toronto, NSW Australia "I really hope they find a nice place, I hope they find it somewhere, I HOPE THEY GO AWAY" - Everclear
From: Al on 29 Apr 2010 11:16 On 4/28/2010 7:50 PM, Ashley Sheridan wrote: > Hi all, > > This isn't exactly a PHP question, but I don't know anyone else with the > collected smarts of this list. Basically, a site I built and am managing > has been identified by Google as a source of malware. Now, I've been > over the source code with a fine-toothed comb and found nothing, I've > gone over the HTML output for anything suspicious, checked every single > Javascript file out, looked to see the server headers are correct and > aren't malformed, checked the .htaccess is as expected and have run the > site against the unmask parasites website which found no problems except > the 'suspicious' listing which Google has given it. > > The Google webmaster tools tell me nothing more than 'Of the 2 pages we > tested on the site over the past 90 days, 2 page(s) resulted in > malicious software being downloaded and installed without user consent.' > It won't tell me what pages, although it tells me that the malicious > software is hosted on one domain and tells me what it is. Needless to > say I can't find that domain string anywhere in the code. I can't find > any hidden iframe tags or hidden Javascript eval() statements. > > Basically now, although this is totally beyond my control, the owner of > the site is expecting me to get this sorted asap. I want to, and have > spent the entire day today looking at it, but have really come to the > point where I'm coming unstuck. I can find nothing wrong with the site > at all. > > Does anyone have any helpful advice for this sort of thing? Tools that I > can use to check out the site with, or any bit of information that I can > use to fix this? I can give the URL of the site to anyone off-list if > they wish to check it out. > > Thanks, > Ash > http://www.ashleysheridan.co.uk > > > Ross had a good suggestion about planted links to external malicious sites. One of the sites I worked on a couple of years ago had this happen.

They asked me to look into it.

There were about 90 htaccess files that redirected the user to a malicious site whenever there was an error, 404 etc.

About 400 html files had a javascript appended on the end that sent the visitor's IP and the file's complete URL to a website in Russia.

About 300 php files had some php code that generated html code that likewise sent the visitor's IP and the file's complete URL to a website in Russia.

About 75 implanted php stand-alone files that were very sophisticated file manipulators. It would have taken me days to figure out exactly what it was doing.

A couple of years ago I was involved in cleansing a site and wrote a script for searching it. It uses regex search patterns. Wild cards "*", covering all directories and leading text, are assumed before the filename. However, you must include an extension or append "*" to your filename. Can use "*.htaccess"

It lists all the files meeting the criteria, e.g.,

Sel  File        Size[bytes]  File Time        DirPerms  Del  DirOwner  Dir Time
1    /.htaccess  942          8Aug09 14:33:06  0750      *    system    17Apr10 20:38:56

You can select a file and view its source, including an htmlentities() version, and select one or a batch to delete.

Has a convenient notepad to record your result stats and add a note, e.g.

1Apr09 21 files; "*.htaccess" => "\*" Addition htaccess files added, OK
19Jul08 6 files; "*.htaccess" => "\*"

Has good PW protection, etc. Easy to install, one file, instructions at the top.

I'll send you a zip if you reply and send me addr.

Al...........
From: "Gary ." on 29 Apr 2010 13:35 On 4/29/10, Al wrote: > Ross had a good suggest about planted links to external malicious sites. One > of > the sites I worked on a couple of years ago had this happen. They ask me to > look > into it. > > There were about 90 htaccess files that redirected the user to a malicious > site > whenever there was an error, 404 etc. > > About 400 html files had a javascript appended on the end that sent the > visitor's IP and the file's complete URL to a website in Russia. > > About 300 php files had some php code that generated html code had likewise > sent > the visitor's IP and the file's complete URL to a website in Russia. [snip remainder of horror story] How do people get their sites into this state? Is it just me, or wouldn't a regular comparison of MD5s of the site contents with SCM contents stop most of that kind of thing (after the event, but still, better that than continue in that state).