chriswagner Contributor IV
Joined: 02 Apr 2007 Posts: 114
Posted: Wed Aug 13, 2008 11:15 am Post subject: Warning - Web site hijacked...
This morning I was notified by a client of mine, whose web site I had designed, that Google was reporting:
VISITING THIS SITE MAY HARM YOUR COMPUTER
That was part of the results returned from google.
I went to the site itself and the web page started trying to download files onto my computer. Well this was not right because I didn’t design the page to do that. So, I promptly shut my internet explorer down and went on a search to find out what happened.
I logged into their hosting service and looked at who the last person to log into the web site to make changes was. It reported back that the last login was from IP address 58.65.232.33; it looks like it comes from Australia, but other reports have that IP originating from China.
When I looked in the index.html file there was a new piece of code that was put there..
Which is really a bunch of escape codes that look like a bunch of nothing, but looks very strange.
This was put after the closing html tag -
This wasn’t very informative, so I did more searching and found a translation of the escape codes which came out to be a malicious piece of html that inserts a hidden frame in your web page...
So, the code was hijacking my client's site and attempting to download malware or spyware onto the computer of anyone who visited the site. It also screwed up their listing in Google; quite possibly it will require contacting Google to get it re-listed.
The fix was simple:
1. Remove the infected index.html file
2. Upload the old index.html file that wasn’t infected
3. Change the password to the ftp account
I cannot stress enough the importance of a secure ftp password. It should be changed as often as the battery in your smoke detectors. Also use upper case, lower case and numbers. A simple and effective way to complicate a password is to use a writing style called l33t. (That’s LEET, the e’s are 3’s.. ) So if your password is PASSWORD you can use l33t to change it up to P@ssW0rD. Makes it harder to guess and it’s still rather easy for you to remember.
Keep an eye on your site, notify your webmaster of any strange things happening… and change the passwords on a regular basis!
Chris
Last edited by chriswagner on Wed Aug 13, 2008 1:13 pm; edited 1 time in total
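A small defensive check for the pattern Chris describes (an escape-encoded script appended after the closing html tag that writes a hidden frame into the page). This is an added example, not code from the original thread; the sample pages, the example.invalid URL and the decoded placeholder iframe are all constructed here.

```python
import re
import sys
import pathlib
import urllib.parse

# Constructed sample: a clean page, and the same page with an escape-encoded
# script tacked on after </html> (placeholder content, not the real injection).
SAMPLE_CLEAN = "<html><body><p>Welcome</p></body></html>\n"
ENCODED = urllib.parse.quote('<iframe src="http://example.invalid/" width=0 height=0></iframe>')
SAMPLE_INFECTED = SAMPLE_CLEAN + '<script>document.write(unescape("' + ENCODED + '"))</script>\n'

# An iframe sized to zero or hidden by CSS is the usual "hidden frame" tell.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*(width\s*=\s*["\']?0|height\s*=\s*["\']?0|display\s*:\s*none)', re.I)

def trailing_after_html(doc):
    """Return whatever follows the last </html> tag (empty string when clean)."""
    idx = doc.lower().rfind("</html>")
    return doc[idx + len("</html>"):].strip() if idx != -1 else ""

def decode_escapes(fragment):
    """Decode %XX and %uXXXX escapes so an obfuscated tag becomes readable."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), fragment)
    return urllib.parse.unquote(text)

def scan_html(doc):
    """Return a list of human-readable findings for one HTML document."""
    findings = []
    if trailing_after_html(doc):
        findings.append("content after closing </html> tag")
    # Look inside unescape("...") calls: decode, then test for a hidden iframe.
    for m in re.finditer(r'unescape\(\s*["\']([^"\']+)["\']', doc, re.I):
        decoded = decode_escapes(m.group(1))
        if HIDDEN_IFRAME.search(decoded):
            findings.append("escape-encoded hidden iframe: " + decoded[:60])
    if HIDDEN_IFRAME.search(doc):
        findings.append("plain hidden iframe")
    return findings

if __name__ == "__main__":
    # Usage: python scan.py index.html other.html ...
    for path in sys.argv[1:]:
        for finding in scan_html(pathlib.Path(path).read_text(errors="replace")):
            print(path + ": " + finding)
```

Run it over every HTML file of a site, not just index.html, since the injection can land on any page.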
Deirdre Czarina Emeritus
Joined: 10 Nov 2004 Posts: 13023 Location: Camp Cooper
Posted: Wed Aug 13, 2008 11:48 am Post subject:
Um, Chris, I am going to truncate that code so some wiseguy doesn't use it.
_________________
DBCooperVO.com
IMDB
bobsouer Frequent Flyer
Joined: 15 Jul 2006 Posts: 9883 Location: Pittsburgh, PA
Posted: Wed Aug 13, 2008 11:59 am Post subject:
Deirdre,
You have many good ideas. That was certainly one of them!
_________________
Be well,
Bob Souer (just think of lemons)
The second nicest guy in voiceover.
+1-724-613-2749
Source Connect, phone patch, pony express
chriswagner Contributor IV
Joined: 02 Apr 2007 Posts: 114
Posted: Wed Aug 13, 2008 1:15 pm Post subject:
Thanks, I had my moment of trust, thinking that no one would want to use that code since it was malicious, and I put it there so if someone saw it they might recognize it and pull it out right away.
Whoops. Thanks!
I've taken out not only the rest of the escape code, but the html script itself, which is just as dangerous as the coded piece. The only difference is one you can't readily read, the other you can.
Chris
Deirdre Czarina Emeritus
Joined: 10 Nov 2004 Posts: 13023 Location: Camp Cooper
Posted: Wed Aug 13, 2008 2:35 pm Post subject:
Well, the first set of encrypted code was almost 600 characters long with no line break and made this page very, very hard to read.
I wouldn't mind it if you put back the code's front and back ends— that would make it recognizable.
_________________
DBCooperVO.com
IMDB
louzucaro The Gates of Troy
Joined: 13 Jul 2006 Posts: 1915 Location: Chicago area
Posted: Wed Aug 13, 2008 2:37 pm Post subject:
It wouldn't really matter... it's not a specific code (making it harder to track down) but a "type" of code. A lot of these types of attacks are of the buffer overflow variety, which means that the specific text isn't as important as the length of it.
_________________
Lou Zucaro
http://www.voicehero.com
"Well, yeah, there's my favorite leaf!"
bobbinbeamo M&M
Joined: 05 Mar 2007 Posts: 2468 Location: Wherever I happen to be
Posted: Wed Aug 13, 2008 3:40 pm Post subject:
Excellent information here, everyone. Thanks.
_________________
Bobbin Beam
www.bobbinbeam.com
blog.bobbinbeam.com
Eddie Eagle M&M
Joined: 23 Apr 2008 Posts: 2393
Posted: Wed Aug 13, 2008 5:32 pm Post subject:
Looks like Hong Kong, but it could be accessed by a user anywhere who may be proxying.
58.65.232.33 = [ oracle.dmain.name ]
(Asked whois.apnic.net:43 about 58.65.232.33)
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: HostFresh
descr: Internet Service Provider
country: HK
admin-c: PL466-AP
tech-c: PL466-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-HK-HOSTFRESH
mnt-routes: MAINT-HK-HOSTFRESH
remarks: Please send Spam & Abuse report to
remarks: abuse@hostfresh.com
remarks: --------------------------
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: --------------------------
changed: hm-changed@apnic.net 20060612
changed: hm-changed@apnic.net 20060613
changed: hm-changed@apnic.net 20061018
source: APNIC
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500 Post Office Tuen Mun N.T. Hong Kong
phone: 852-35979788
fax-no: 852-24522539
country: HK
changed: ipadmin@hostfresh.com 20071025
mnt-by: MAINT-HK-HOSTFRESH
source: APNIC
(Asked whois.arin.net:43 about +58.65.232.33)
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 58.0.0.0 - 58.255.255.255
CIDR: 58.0.0.0/8
NetName: APNIC-58
NetHandle: NET-58-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SECRIPENET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: 61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net
ARIN WHOIS database last updated 2008-08-12 19:10
Enter ? for additional hints on searching ARIN's WHOIS database.
billelder Guest
Posted: Wed Aug 13, 2008 6:16 pm Post subject:
I had the same thing happen to my site, except they put links in the code and added hundreds of megabytes to my web pages. I think I posted here about it. Same solution. But in my case the code was on every page, not just the index page. So, you may want to check those too.
Sorry for your trouble.
Backups! Always keep a backup.
louzucaro The Gates of Troy
Joined: 13 Jul 2006 Posts: 1915 Location: Chicago area
Posted: Wed Aug 13, 2008 7:34 pm Post subject:
What I don't get is how they got in... was the site originally set up with anonymous FTP access, or did it have a username/password combo like 'admin/password'?
_________________
Lou Zucaro
http://www.voicehero.com
"Well, yeah, there's my favorite leaf!"
chriswagner Contributor IV
Joined: 02 Apr 2007 Posts: 114
Posted: Wed Aug 13, 2008 10:47 pm Post subject:
Well, the good thing is that there was only one page; the site is a Flash site, so there was only the index page.
As far as how they got in, the username and password weren't the admin/password type of combination. It was a set of words, though, and a lot of times these people will use a dictionary attack to crack in if they know the username.
In this case I have NO clue as to how they got in; however, there is a much stronger password there now.
glittlefield M&M
Joined: 08 Mar 2006 Posts: 2039 Location: Round Rock, TX
Posted: Thu Aug 14, 2008 5:35 am Post subject:
Well, there's always encrypted connections, too. Even the strongest password can be sniffed out and captured.
_________________
Greg Littlefield
VO-BB Member #59