Unplug the webserver without shutting it down to avoid shutdown scripts. Analyze the hard disk through another computer as a data drive and see if you can determine the culprit through log files and things of that nature. Verify that the code is safe and then restore it from a backup.
This happened to a client of mine recently that was hosted on ipower. I'm not sure if your hosting environment was Apache based, but if it was, be sure to double check for .htaccess files that you did not create, particularly above the webroot and inside of image directories, as they tend to inject some nastiness there as well (they were redirecting people depending on where they came from in the referrer). Also check any that you did create for code that you did not write.
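The check this answer recommends (find .htaccess files you did not create, and look inside the ones you did for referrer-based redirects) can be scripted. The following is an added example, not code from the answerer or the hosting provider; it assumes an Apache-style site tree, and the sample site it builds under a temporary directory is constructed for the demo.

```python
"""Audit a site tree for .htaccess files carrying directives typical of
injected referrer-based redirects (added example; sample data is constructed)."""
import os
import re
import tempfile

# Directives a site owner rarely needs above the web root or in image
# directories, and which the injected files described in the answer rely on.
SUSPICIOUS = [
    re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}", re.I),           # branch on referrer
    re.compile(r"RewriteRule\s+\S+\s+https?://", re.I),             # rewrite to an external host
    re.compile(r"^\s*ErrorDocument\s+\d+\s+https?://", re.I | re.M),  # error pages served off-site
    re.compile(r"^\s*(?:AddHandler|AddType|SetHandler)\s+\S*php", re.I | re.M),  # run scripts from data dirs
]


def audit_htaccess(site_root):
    """Walk site_root and return (relative path, matched directive) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        rel = os.path.relpath(path, site_root).replace(os.sep, "/")
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        for pattern in SUSPICIOUS:
            match = pattern.search(content)
            if match:
                findings.append((rel, match.group(0)))
    return findings


def build_demo_site():
    """Constructed site tree: a legitimate root .htaccess plus an injected one
    under images/ that redirects search-engine visitors to an external host
    (the target hostname is a placeholder)."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^old-page$ /new-page [R=301,L]\n")
    with open(os.path.join(root, "images", ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\n"
                 "RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]\n"
                 "RewriteRule .* http://redirect-target.invalid/ [R,L]\n")
    return root


if __name__ == "__main__":
    for rel_path, directive in audit_htaccess(build_demo_site()):
        print(f"{rel_path}: {directive}")
```

Run it against the real document root (and one level above it) rather than the demo tree; a hit in an image directory or outside the webroot is worth comparing against a known-good backup before deciding whether it is yours.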
We had been hacked by the same guys apparently! Or bots, in our case. They used SQL injection in the URL on some old classic ASP sites that nobody maintains anymore. We found the attacking IPs and blocked them in IIS. Now we must refactor all the old ASP.
So, my advice is to take a look at the IIS logs first, to find out if the problem is in your site's code or the server configuration.
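Looking through IIS logs for injection attempts in the URL, as this answer suggests, is easier with a small parser. The following is an added example, not the answerer's code; it assumes the W3C extended log format with a `#Fields:` header (the IIS default), and the log lines below are constructed, with the hex fragment in the second request being a harmless placeholder rather than a real payload.

```python
"""Flag IIS log requests whose query string carries SQL injection indicators
and count them per client IP (added example; sample log is constructed)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Indicators of the URL-borne injection this thread describes. A starting
# point, not an exhaustive signature set.
INDICATORS = [
    re.compile(r"\bDECLARE\s+@", re.I),                    # T-SQL variable declaration in a query string
    re.compile(r"\bCAST\s*\(\s*0x[0-9a-f]+", re.I),        # hex-encoded statement
    re.compile(r"\bEXEC\s*\(", re.I),
    re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    re.compile(r"'\s*(?:OR|AND)\s+\d+\s*=\s*\d+", re.I),   # tautology after a closed quote
    re.compile(r";\s*--"),                                 # statement terminator plus comment
]

# Constructed W3C extended log excerpt; IIS writes spaces inside fields as "+".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2008-06-20 10:01:02 10.0.0.5 GET /products.asp id=12 80 - 203.0.113.10 Mozilla/4.0 200
2008-06-20 10:01:07 10.0.0.5 GET /products.asp id=12;DECLARE+@s+varchar(4000);SET+@s=CAST(0x44454D4F+AS+varchar(4000));EXEC(@s);-- 80 - 198.51.100.7 Mozilla/4.0 200
2008-06-20 10:01:09 10.0.0.5 GET /news.asp id=5+union+select+1,2,3-- 80 - 198.51.100.7 Mozilla/4.0 500
2008-06-20 10:02:00 10.0.0.5 GET /index.asp - 80 - 203.0.113.10 Mozilla/4.0 200
"""


def parse_iis_log(lines):
    """Yield one dict per request, keyed by the names in the latest #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than mis-assign fields
        yield dict(zip(fields, values))


def find_sqli(lines):
    """Return (hits, per_ip): hits are (client IP, URI stem, matched text)."""
    hits = []
    per_ip = Counter()
    for rec in parse_iis_log(lines):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = unquote_plus(query)  # undo %xx and "+" before matching
        for pattern in INDICATORS:
            match = pattern.search(decoded)
            if match:
                hits.append((rec["c-ip"], rec["cs-uri-stem"], match.group(0)))
                per_ip[rec["c-ip"]] += 1
                break  # one hit per request is enough for counting
    return hits, per_ip


if __name__ == "__main__":
    hits, per_ip = find_sqli(SAMPLE_LOG.splitlines())
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} suspicious request(s)")
    for ip, stem, text in hits:
        print(f"  {ip} {stem} -> {text}")
```

Feed it the real log files with `find_sqli(open(path))`; the per-IP counts tell you which addresses to consider blocking, and the URI stems tell you which pages' code to review first.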
Try and gather as much information as you can. See if the host can give you a log showing all the FTP connections that were made to your account. You can use those to see if it was even an FTP connection that was used to make the change and possibly get an IP address.
If you're using prepackaged software like Wordpress, Drupal, or anything else that you didn't code, there may be vulnerabilities in the upload code that allow this sort of modification. If it is custom built, double check any places where you allow users to upload files or modify existing files.
The second thing would be to take a dump of the site as-is and check everything for other modifications. It may just be one single modification they made, but if they got in via FTP who knows what else is up there.
Revert your site back to a known good status and, if need be, upgrade to the latest version.
There is a level of return you have to take into account too. Is the damage worth trying to track the person down or is this something where you just live and learn and use stronger passwords?
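The step of taking a dump of the site as-is and checking everything for other modifications comes down to comparing that dump against a known-good copy. The following is an added example, not the answerer's code; it assumes you have the live dump and a backup as two directory trees, and the two trees it builds under a temporary directory are constructed (the injected script URL is a placeholder).

```python
"""Compare a site dump against a known-good backup by file hash, reporting
added, removed and modified files (added example; demo trees are constructed)."""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[rel] = digest.hexdigest()
    return hashes


def compare_trees(known_good, suspect):
    """Return which files appeared, vanished or changed relative to the backup."""
    good, now = hash_tree(known_good), hash_tree(suspect)
    return {
        "added": sorted(set(now) - set(good)),
        "removed": sorted(set(good) - set(now)),
        "modified": sorted(p for p in set(good) & set(now) if good[p] != now[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def build_demo():
    """Constructed backup and live trees: the live copy has an injected script
    tag in index.html, a new .htaccess under images/, and a missing page."""
    base = tempfile.mkdtemp(prefix="sitediff_")
    backup, live = os.path.join(base, "backup"), os.path.join(base, "live")
    _write(backup, "index.html", "<html><body>Welcome</body></html>")
    _write(backup, "about.html", "<html><body>About</body></html>")
    _write(backup, "images/logo.png", "PNG placeholder")
    _write(live, "index.html",
           '<html><body>Welcome<script src="http://injected.invalid/x.js"></script></body></html>')
    _write(live, "images/logo.png", "PNG placeholder")
    _write(live, "images/.htaccess", "RewriteEngine On\n")
    return backup, live


if __name__ == "__main__":
    report = compare_trees(*build_demo())
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
```

Anything in `added` or `modified` that you cannot account for is what to inspect; the `removed` list is a reminder that attackers sometimes delete files too, which a content scan of the live site alone would never show.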
I know this is a little late in the game, but the URL mentioned for the JavaScript is mentioned in a list of sites known to have been part of the ASPRox bot resurgence that started up in June (at least that's when we were getting flagged with it). Some details about it are mentioned below:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
The nasty thing about this is that effectively every varchar type field in the database is "infected" to spit out a reference to this URL, in which the browser gets a tiny iframe that turns it into a bot. A basic SQL fix for this can be found here:
http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx
The scary thing though is that the virus looks to the system tables for values to infect and a lot of shared hosting plans also share the database space for their clients. So most likely it wasn't even your dad's site that was infected, but somebody else's site within his hosting cluster that wrote some poor code and opened the door to a SQL injection attack.
If he hasn't done so yet, I'd send an URGENT e-mail to their host and give them a link to that SQL code to fix the entire system. You can fix your own affected database tables, but most likely the bots that are doing the infection are going to pass right through that hole again and infect the whole lot.
Hopefully this gives you some more info to work with.
EDIT: One more quick thought: if he's using one of the host's online design tools for building his website, all of that content is probably sitting in a column and was infected that way.
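The recovery this answer points to works by reading the database catalog to find every text column, then searching each one for the injected script reference. The following is an added example of that approach, not the linked recovery script and not the answerer's code; it is written against SQLite so it runs offline (the linked T-SQL script reads SQL Server's system tables instead), and the demo database and the injected URL in it are constructed placeholders.

```python
"""Enumerate text columns from the catalog, find rows carrying an injected
<script src=...> reference, and strip it (added example; demo DB is constructed)."""
import re
import sqlite3

# The injected fragment appended to string values in the scenario described.
INJECTED = re.compile(r'<script\s+src=["\']?https?://[^"\'>]+["\']?\s*></script>', re.I)


def text_columns(conn):
    """Return (table, column) pairs with a character/text type, read from the
    catalog rather than from a hand-written list, so nothing is missed."""
    cols = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            upper = (ctype or "").upper()
            if "CHAR" in upper or "TEXT" in upper or "CLOB" in upper:
                cols.append((table, name))
    return cols


def scan(conn):
    """Return (table, column, rowid) for every value containing the injected tag.
    Identifiers come from the catalog, which is why quoting them into SQL is safe here."""
    found = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and INJECTED.search(value):
                found.append((table, col, rowid))
    return found


def clean(conn):
    """Strip the injected tag from affected values in place; return rows changed."""
    changed = 0
    for table, col in text_columns(conn):
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if isinstance(value, str) and INJECTED.search(value):
                conn.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                             (INJECTED.sub("", value), rowid))
                changed += 1
    conn.commit()
    return changed


def build_demo_db():
    """Constructed in-memory database with three infected string values."""
    tag = '<script src="http://injected.invalid/ngg.js"></script>'
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name VARCHAR(50), description TEXT, price REAL)")
    conn.execute("CREATE TABLE pages (title NVARCHAR(100), body TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("Widget" + tag, "A fine widget", 9.99),
        ("Gadget", "Best gadget" + tag, 19.99),
    ])
    conn.execute("INSERT INTO pages VALUES (?, ?)", ("Home" + tag, "Welcome"))
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("infected:", scan(db))
    print("cleaned rows:", clean(db))
    print("remaining:", scan(db))
```

Scanning from the catalog matters for exactly the reason the answer gives: the infection hits every text column the bot can find, including ones in tables you never think of (a design tool's content column, for instance), so a fix that only checks the columns you remember will leave some behind.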
You mention your Dad was using a website publishing tool.
If the publishing tool publishes from his computer to the server, it may be the case that his local files are clean, and that he just needs to republish to the server.
He should see if there's a different login method to his server than plain FTP, though... that's not very secure because it sends his password as clear-text over the internet.
With a six character password, he may have been brute forced. That is more likely than his FTP being intercepted, but it could be that too.
Start with a stronger password. (8 characters is still fairly weak)
See if this link to an internet security blog is helpful.
Is the site just plain static HTML? i.e. he hasn't managed to code himself an upload page that permits anyone driving by to upload compromised scripts/pages?
Why not ask webhost4life if they have any FTP logs available and report the issue to them. You never know, they may be quite receptive and find out for you exactly what happened?
I work for a shared hoster and we always welcome reports such as these; we can usually pinpoint the exact vector of attack and advise as to where the customer went wrong.
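The "upload page that permits anyone driving by to upload compromised scripts/pages" this answer asks about is worth seeing next to a hardened version. The following is an added example, not the answerer's code: a minimal upload handler of the careless kind beside one that allowlists extensions, checks the content matches, names the file itself and writes outside the web root. The directories and sample uploads are constructed for the demo.

```python
"""An unsafe upload handler beside a hardened one (added example; inputs constructed)."""
import os
import secrets
import tempfile

# Extension allowlist with the leading bytes each file type must start with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}


def save_upload_unsafe(webroot_dir, filename, data):
    """The drive-by pattern the answer warns about: the client-supplied name is
    used as-is inside the served tree, so any file type (and any path the name
    encodes) ends up where the server will happily execute or serve it."""
    path = os.path.join(webroot_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_upload_safe(store_dir, filename, data, max_bytes=2_000_000):
    """Reject oversized, disallowed or mislabelled content; store under a name we
    choose, in a directory the web server does not serve. Returns the new name."""
    if len(data) > max_bytes:
        raise ValueError("too large")
    base = os.path.basename(filename)          # drop any directory components
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError("extension not allowed")
    if not data.startswith(magic):
        raise ValueError("content does not match extension")
    new_name = f"{secrets.token_hex(16)}.{ext}"  # 32 hex chars, never the client's name
    with open(os.path.join(store_dir, new_name), "wb") as fh:
        fh.write(data)
    return new_name


# Constructed uploads: a real-looking PNG, a script disguised by name only, a
# disallowed extension, and a traversal attempt with valid image content.
SAMPLES = [
    ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("fake.png", b"<% not a real script %>"),
    ("shell.asp", b"<% not a real script %>"),
    ("../escape.png", b"\x89PNG\r\n\x1a\n" + b"\x01" * 16),
]


def demo():
    """Run every sample through the hardened handler; return (outcomes, stored names)."""
    store = tempfile.mkdtemp(prefix="uploads_")
    outcomes = {}
    for name, data in SAMPLES:
        try:
            save_upload_safe(store, name, data)
            outcomes[name] = "stored"
        except ValueError as err:
            outcomes[name] = f"rejected: {err}"
    return outcomes, sorted(os.listdir(store))


def demo_unsafe():
    """Show that the unsafe handler writes 'shell.asp' straight into the served tree."""
    webroot = tempfile.mkdtemp(prefix="webroot_")
    return os.path.basename(save_upload_unsafe(webroot, "shell.asp", b"<% not a real script %>"))


if __name__ == "__main__":
    results, names = demo()
    for name, outcome in results.items():
        print(f"{name!r}: {outcome}")
    print("stored as:", names)
    print("unsafe handler wrote:", demo_unsafe())
```

The magic-byte check is deliberately applied after the extension check: a file named `.png` that does not start like a PNG is rejected even though its extension is allowed, and a file with a good header but a disallowed extension never gets that far.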