From: Ashley Sheridan on
Hi all,

This isn't exactly a PHP question, but I don't know anyone else with the
collected smarts of this list. Basically, a site I built and am managing
has been identified by Google as a source of malware. Now, I've been
over the source code with a fine-toothed comb and found nothing, I've
gone over the HTML output for anything suspicious, checked every single
Javascript file out, looked to see the server headers are correct and
aren't malformed, checked the .htaccess is as expected and have run the
site against the unmask parasites website which found no problems except
the 'suspicious' listing which Google has given it.

The Google webmaster tools tell me nothing more than 'Of the 2 pages we
tested on the site over the past 90 days, 2 page(s) resulted in
malicious software being downloaded and installed without user consent.'
It won't tell me what pages, although it tells me that the malicious
software is hosted on one domain and tells me what it is. Needless to
say I can't find that domain string anywhere in the code. I can't find
any hidden iframe tags or hidden Javascript eval() statements.

Basically now, although this is totally beyond my control, the owner of
the site is expecting me to get this sorted asap. I want to, and have
spent the entire day today looking at it, but have really come to the
point where I'm coming unstuck. I can find nothing wrong with the site
at all.

Does anyone have any helpful advice for this sort of thing? Tools that I
can use to check out the site with, or any bit of information that I can
use to fix this? I can give the URL of the site to anyone off-list if
they wish to check it out.

Thanks,
Ash
http://www.ashleysheridan.co.uk


From: Daniel Brown on
On Wed, Apr 28, 2010 at 19:50, Ashley Sheridan <ash(a)ashleysheridan.co.uk> wrote:
>
> The Google webmaster tools tell me nothing more than 'Of the 2 pages we
> tested on the site over the past 90 days, 2 page(s) resulted in
> malicious software being downloaded and installed without user consent.'
> It won't tell me what pages, although it tells me that the malicious
> software is hosted on one domain and tells me what it is. Needless to
> say I can't find that domain string anywhere in the code. I can't find
> any hidden iframe tags or hidden Javascript eval() statements.

Ash, let me know off-list what the domain is and I'll try to do a
scan on it from here this evening.

--
</Daniel P. Brown>
daniel.brown(a)parasane.net || danbrown(a)php.net
http://www.parasane.net/ || http://www.pilotpig.net/
We now offer SAME-DAY SETUP on a new line of servers!
From: Ross McKay on
On Thu, 29 Apr 2010 00:50:52 +0100, Ashley Sheridan wrote:

>This isn't exactly a PHP question, but I don't know anyone else with the
>collected smarts of this list. Basically, a site I built and am managing
>has been identified by Google as a source of malware. [...]

Check the sites you link to. We had a client who had some links to
websites that had been turned into malware sites; just having the links
to the malware sites was enough to mark that website as a source of
malware.

We had to advise the client to only add links for actual people they've
had contact with, not just people who send them email invitations to
exchange links.
--
Ross McKay, Toronto, NSW Australia
"I really hope they find a nice place,
I hope they find it somewhere,
I HOPE THEY GO AWAY"
- Everclear
From: Al on


On 4/28/2010 7:50 PM, Ashley Sheridan wrote:
> Hi all,
>
> This isn't exactly a PHP question, but I don't know anyone else with the
> collected smarts of this list. Basically, a site I built and am managing
> has been identified by Google as a source of malware. Now, I've been
> over the source code with a fine-toothed comb and found nothing, I've
> gone over the HTML output for anything suspicious, checked every single
> Javascript file out, looked to see the server headers are correct and
> aren't malformed, checked the .htaccess is as expected and have run the
> site against the unmask parasites website which found no problems except
> the 'suspicious' listing which Google has given it.
>
> The Google webmaster tools tell me nothing more than 'Of the 2 pages we
> tested on the site over the past 90 days, 2 page(s) resulted in
> malicious software being downloaded and installed without user consent.'
> It won't tell me what pages, although it tells me that the malicious
> software is hosted on one domain and tells me what it is. Needless to
> say I can't find that domain string anywhere in the code. I can't find
> any hidden iframe tags or hidden Javascript eval() statements.
>
> Basically now, although this is totally beyond my control, the owner of
> the site is expecting me to get this sorted asap. I want to, and have
> spent the entire day today looking at it, but have really come to the
> point where I'm coming unstuck. I can find nothing wrong with the site
> at all.
>
> Does anyone have any helpful advice for this sort of thing? Tools that I
> can use to check out the site with, or any bit of information that I can
> use to fix this? I can give the URL of the site to anyone off-list if
> they wish to check it out.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>
Ross had a good suggestion about planted links to external malicious sites. One of
the sites I worked on a couple of years ago had this happen. They asked me to look
into it.

There were about 90 htaccess files that redirected the user to a malicious site
whenever there was an error, 404 etc.

About 400 html files had a javascript appended on the end that sent the
visitor's IP and the file's complete URL to a website in Russia.

About 300 php files had some php code that generated html which likewise sent
the visitor's IP and the file's complete URL to a website in Russia.

There were about 75 implanted stand-alone php files that were very sophisticated file
manipulators. It would have taken me days to figure out exactly what they were doing.

A couple of years ago I was involved in cleansing a site and wrote a script for
searching it. It uses regex search patterns.

Wild cards "*", covering all directories and leading text, are assumed before
the filename. However, you must include an extension or append "*" to your
filename. Can use "*.htaccess"

It lists all the files meeting the criteria, e.g.,

Sel File Size[bytes] File Time DirPerms Del DirOwner Dir Time
1 /.htaccess 942 8Aug09 14:33:06 0750 * system 17Apr10 20:38:56

You can select a file and view its source, including an htmlentities() version,
and select one or a batch to delete.

Has a convenient notepad to record your result stats and add a note. e.g.

1Apr09 21 files; "*.htaccess" => "\*" Addition htaccess files added, OK
19Jul08 6 files; "*.htaccess" => "\*"

Has good PW protection, etc.

Easy to install, one file, instructions at the top.

I'll send you a zip if you reply and send me your address.

Al...........
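
Ross's point (look at what you link to) and Al's list (error-redirecting .htaccess files, script tails appended to hundreds of pages, a domain string you cannot find by eye) all come down to the same grep job over the webroot. The sweep below is an added example, not Al's script and not anything from the thread; it uses only find, grep, sed and sort, and the host "evil.example" and the files it builds under mktemp are constructed for the demo. Point it at a copy of the site (or the live docroot) with `sh sweep.sh /var/www/site`.

```shell
#!/bin/sh
# Added example, not the tool from the thread: a grep-based sweep of a
# webroot for the three things the thread mentions.  The evil.example
# host and the demo tree built below are constructed for illustration.

# 1. .htaccess files whose error handling, redirect or rewrite points at
#    another host.  Legitimate redirects to your own domain show up too;
#    the output is a review list, not a verdict.
scan_htaccess() {
    find "$1" -type f -name '.htaccess' -exec grep -l -E -i \
        '^[[:space:]]*(ErrorDocument[[:space:]]+[0-9]+|Redirect(Match|Permanent)?|RewriteRule)[^#]*https?://' \
        {} + 2>/dev/null | sort
}

# 2. HTML/PHP files whose last 4 KB carry the usual injected tail: a
#    zero-sized or display:none iframe, a script pulled from another host,
#    or eval()/document.write() over obfuscated input.  Injected code is
#    nearly always appended after </html>, so the tail is enough.
scan_tails() {
    pat="<iframe[^>]*((width|height)[[:space:]]*=[[:space:]]*[\"']?0|display:[[:space:]]*none)"
    pat="$pat|<script[^>]*src=[\"']?https?://"
    pat="$pat|eval[[:space:]]*\(+[[:space:]]*(unescape|base64_decode|gzinflate|str_rot13|String\.fromCharCode)"
    pat="$pat|document\.write[[:space:]]*\([[:space:]]*unescape"
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) | sort |
    while read -r f; do
        if tail -c 4096 "$f" | grep -q -E -i "$pat"; then
            printf '%s\n' "$f"
        fi
    done
}

# 3. Every external host the files reference (links, script/iframe src,
#    .htaccess targets), lower-cased and de-duplicated.  Check each one
#    against Google's diagnostic page; the domain Webmaster Tools named
#    should be in this list if the injection lives in the files at all.
list_external_hosts() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \
                         -o -name '*.js' -o -name '.htaccess' \) -exec cat {} + 2>/dev/null |
    grep -o -E -i 'https?://[A-Za-z0-9.-]+' | tr 'A-Z' 'a-z' |
    sed 's#^https*://##' | sort -u
}

# Constructed demo tree: a clean .htaccess, one that sends 404s offsite,
# a clean page with an outbound link, a page with an appended eval(), and
# a PHP file with a hidden iframe.
build_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/blog"
    printf 'Options -Indexes\nErrorDocument 404 /404.html\n' > "$d/.htaccess"
    printf 'ErrorDocument 404 http://evil.example/go.php\n' > "$d/blog/.htaccess"
    printf '<html><body><a href="http://www.example.org/">partner</a></body></html>\n' > "$d/index.html"
    printf '<html><body>post</body></html>\n<script>eval(unescape("%%64%%6f"))</script>\n' > "$d/blog/post.html"
    printf '<?php echo "view"; ?>\n<iframe src="http://evil.example/x" width=0 height=0></iframe>\n' > "$d/blog/view.php"
    printf '%s\n' "$d"
}

# Usage: sh sweep.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    echo "== .htaccess files redirecting offsite"; scan_htaccess "$1"
    echo "== pages with an injected tail";         scan_tails "$1"
    echo "== external hosts referenced";           list_external_hosts "$1"
fi
```

Two caveats. The patterns are deliberately loose, so a page that legitimately loads jQuery from a CDN or hides a div with display:none will be listed; the value is in reducing several hundred files to a dozen to open by hand. And grep only sees what is on disk: if nothing turns up and the site is still flagged, the next step is to fetch the pages the way a visitor does (different User-Agent, a Google referer, a fresh IP) and diff that output against the files, because injected PHP often serves the payload conditionally.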
From: "Gary ." on
On 4/29/10, Al wrote:
> Ross had a good suggest about planted links to external malicious sites. One
> of
> the sites I worked on a couple of years ago had this happen. They ask me to
> look
> into it.
>
> There were about 90 htaccess files that redirected the user to a malicious
> site
> whenever there was an error, 404 etc.
>
> About 400 html files had a javascript appended on the end that sent the
> visitor's IP and the file's complete URL to a website in Russia.
>
> About 300 php files had some php code that generated html code had likewise
> sent
> the visitor's IP and the file's complete URL to a website in Russia.
[snip remainder of horror story]

How do people get their sites into this state? Is it just me, or
wouldn't a regular comparison of MD5s of the site contents with SCM
contents stop most of that kind of thing (after the event, but still,
better that than continue in that state).
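
The check Gary describes, hashing the deployed tree and diffing it against what the SCM says should be there, as an added shell example (not code from the thread). It uses SHA-256 where Gary says MD5; either works here, since the question is "did these bytes change", not collision resistance. The demo tree, the "evil.example" host and the tamper step are constructed for the test.

```shell
#!/bin/sh
# Added example of Gary's suggestion: keep a manifest of file hashes
# taken from the known-good tree and compare the live tree against it.
# Everything under "demo" below is constructed for illustration.

hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1        # macOS / BSD
    fi
}

# Print "hash relative/path" for every regular file under $1, dotfiles
# included so .htaccess is covered, sorted by path.  Run this against
# the SCM checkout (or the last clean deploy) and keep the result
# somewhere the web server account cannot write.
make_manifest() {
    ( cd "$1" && find . -type f | sort | while read -r f; do
          printf '%s %s\n' "$(hash_file "$f")" "${f#./}"
      done )
}

# Compare the live tree $1 with a saved manifest $2.  One line per
# difference: MODIFIED (appended script, edited .htaccess), ADDED (a
# dropped-in stand-alone PHP file) or REMOVED.  Silent when clean.
compare_manifest() {
    [ -s "$2" ] || { echo "compare_manifest: empty or missing baseline $2" >&2; return 1; }
    cur=$(mktemp)
    make_manifest "$1" > "$cur"
    awk '
        NR == FNR { p = substr($0, length($1) + 2); base[p] = $1; next }
        {
            p = substr($0, length($1) + 2)
            if (p in base) {
                if (base[p] != $1) print "MODIFIED " p
                delete base[p]
            } else print "ADDED " p
        }
        END { for (p in base) print "REMOVED " p }
    ' "$2" "$cur" | sort
    rm -f "$cur"
}

# Constructed demo site (a clean deploy).
build_clean_site() {
    d=$(mktemp -d)
    mkdir -p "$d/blog"
    printf 'ErrorDocument 404 /404.html\n' > "$d/.htaccess"
    printf '<html><body>home</body></html>\n' > "$d/index.html"
    printf '<html><body>about</body></html>\n' > "$d/about.html"
    printf '<?php echo "post"; ?>\n' > "$d/blog/post.php"
    printf '%s\n' "$d"
}

# What an intrusion like Al's looks like to the manifest: a script tail
# appended to one page, a stand-alone PHP file appearing, a page gone.
tamper_site() {
    printf '<script src="http://evil.example/a.js"></script>\n' >> "$1/index.html"
    printf '<?php echo "dropped"; ?>\n' > "$1/blog/shell.php"
    rm -f "$1/about.html"
}

# Usage: sh manifest.sh baseline /var/www/site > site.manifest
#        sh manifest.sh check    /var/www/site site.manifest
case "${1:-}" in
    baseline) make_manifest "$2" ;;
    check)    compare_manifest "$2" "$3" ;;
esac
```

Run the check from cron and mail the output; an empty mail is the normal case. Exclude directories that change legitimately (uploads, caches) or hash them separately, or the noise will bury the one ADDED line that matters. And take the baseline from the SCM export rather than from the server after the fact, or a file that was already modified when you first hashed it will look clean forever.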