    Hi all - another update - my server hosts provided me with a log file early today that indicated that I had the ’Reflect’ exploit on my machine - the Modx security notice regarding this exploit is here: http://modxcms.com/forums/index.php/topic,30875.0.html - I was unlucky in that I installed this site in November, before the recommended fix for this exploit was announced.

    This led me to think that perhaps my problems were all related to this exploit - however something just didn't add up. After running Sophos, MalwareBytes, Norton, ZoneAlarm, Adaware, Spybot S&D, Spyware Doctor and a few others, it seems that I have finally found a virus scanner that has picked it up: Avira AntiVirus Personal.

    Avira calls this exploit html/crypted.gen - it hides in hidden Internet Explorer temporary files, by the look of it, and was first identified in 2007. It has also found a secondary exploit called HTML/Spoofing.gen. Both relate to HTML / Javascript exploits.

    I found a forum where users were complaining of Myspace websites being flagged by Avira as containing a virus (way back in 2007). Their first instinct was to flag it as a false positive. This was obviously quite early in the virus phase of distribution - they had exactly the same problem that's plaguing the internet over the last month or so: encrypted javascript code that, when de-encrypted, quite clearly shows a hidden iframe redirecting to advertising sites.

    I am running Avira on my machine now, and it's found two infections - and am hoping for a happy resolution, in terms of removing the infection. Will keep you posted.

    Just to let you know, this has taken me 6 days - (which is six days of lost work, as I cannot login to any of my customers' domains without risk of compromising the security and site) to resolve - long nights up until 3 am, then waking at 8am to continue - trying to hunt this damn thing down. The only virus scanning software that seems to have come close to identifying this virus, for me at least, is Avira. This really is an incredibly nasty exploit, in terms of the damage it can do.

    Doing nothing about it is simply not an option.

    To emphasise the point, if you think you have the exploit ensure you do all of the following:

    If you think you are infected, lock down your site - do not allow visitors to become infected, and save your site from being blacklisted by Google.

    If you are infected, chances are that you will see the following indicators:


    • You receive a warning (AVG warned me that my site was infected). NOTE: you will see the warning only once - subsequent visits to the site seem to produce no warnings, except when I visited in different browsers / machines - this happened to me.
    • Internet Explorer may ask you to download an Active X control (Microsoft Database Control Update or something similar) - this control is a malware installer, I believe. Do NOT install this.
    • Firefox will accept the redirection automatically to the site that hosts the malware.
    • Google Chrome identifies the site as hosting or redirecting to a blacklisted site hosting malware. This is probably due to Google crawling these sites and blacklisting them automatically. See my original post above.
    • You may experience Adobe Acrobat launching and crashing. This is an indicator that the malware has been installed. This happened to me.


    What you need to do:

    • Disable Javascript in Adobe Acrobat Reader / Professional (Edit > Preferences > Disable Javascript) - this is imperative as Steve rightly says, Adobe have not successfully addressed this issue in any updates or through their security policy. Whether you’re infected or not, EVERYONE should do this!
    • Log in to your domain control panel(s) from a separate, clean machine and change your passwords. Do not visit the actual websites with a clean machine before you do all these steps.
    • Look for obscure javascript code and iframe content that is redirecting visitors to your site within your source code. Check in both the output code from the site (i.e. View > Page Source) and in your includes / javascript files, etc. to confirm you have been infected. You might as well use the infected machine to do this.
    • Run a virus scanner to check your machine. Obviously I would recommend Avira AntiVir first. Sophos has also been suggested, as has MalwareBytes. Previously I used every single Free / Trial Virus / Malware / Antispyware software with no success - others might find they remove it faster. Delete the infection.
    • You should also: turn off system restore to avoid reinfection on PC restart, delete all your temporary files in IE / FF and whatever browser you use, and do a disk cleanup to remove temporary files / temporary internet files, before you run your virus scan.

    Once you are clean

    • Log into your domains using the Secure FTP (SFTP) option.
    • Do not save your passwords in Dreamweaver, FileZilla or any other FTP program.
    • Restore your site from a backup if you have one.

    I hope this information helps - I wouldn't wish this experience on anyone else.

    Dan.
      And of course you need to set register_globals to OFF to prevent this or a similar hack from happening again (this is the single-most important preventive measure that everyone can and should take).
        "Things are not what they appear to be; nor are they otherwise." - Buddha

        "Well, gee, Buddha - that wasn't very helpful..." - ZAP

        Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
        Quote from: ZAP at Jun 09, 2009, 11:54 PM

        And of course you need to set register_globals to OFF to prevent this or a similar hack from happening again (this is the single-most important preventive measure that everyone can and should take).

        Yes, but note that the OP had register_globals off to begin with.

        BTW, I’m surprised that malwarebytes didn’t find anything.

        Avira is certainly looking good in the comparative tests and here’s another plus for it.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
          Quote from: BobRay at Jun 10, 2009, 03:19 AM

          Yes, but note that the OP had register_globals off to begin with.
          You’re right. I had confused this post with another older one and didn’t read it carefully before posting. Basically it’s an Adobe Reader bug that can allow a hacker to steal saved passwords from your local (Windows) computer and not a MODx or other script/server vulnerability.

          I’d really encourage people who haven’t tried an operating system other than Windows to consider it if your regular needs allow it. Since I switched to Linux my only interaction with viruses has been cleaning my Windows-using friends’ systems and drives. I know that not everyone can switch to Linux or Mac because they absolutely need Windows-only software or use machines provided by their employer, but for those who can you might be surprised at how easy it is to transition away from Windows.
            "Things are not what they appear to be; nor are they otherwise." - Buddha

            "Well, gee, Buddha - that wasn't very helpful..." - ZAP

            Useful MODx links: documentation | wiki | forum guidelines | bugs & requests | info you should include with your post | commercial support options
          • Look for obscure javascript code and iframe content that is redirecting visitors to your site within your source code. Check in both the output code from the site (ie. View > Page Source) and in your includes / javascript files, etc to confirm you have been infected. You might as well use the infected machine to do this.

            This can be done using a debug proxy like Fiddler. If an installation is infected, the redirection will be visible in this tool. Check the browser cookies of your sites too, a short cookie with an unreadable name expiring in December 2011 is an indication for this infection.

            The other thing is searching the installation (only the javascripts) for "document.cookie.search". This code fragment seems not to be used by other modx files. It seems that only uncompressed javascripts were infected.
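            As an added example (not code from this thread or from the MODx project), the following Python scanner applies the indicators mentioned in the posts above: the `document.cookie.search` fragment in uncompressed javascripts, hidden iframes in page output or include files, and percent-escaped / `String.fromCharCode` obfuscation that is decoded statically (the script is never executed) so that the hidden iframe it builds becomes visible to the same check. The file names, the `example.invalid` host, the regexes and the sample site it builds in a temporary directory are all constructed for the demonstration.

```python
"""Static scanner for the javascript/iframe injection indicators discussed in
the thread.  Added example: patterns and sample files are constructed, not
taken from an infected site."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List
from urllib.parse import unquote

SCAN_SUFFIXES = {".js", ".html", ".htm", ".php", ".tpl"}

# Indicator from the thread: the injected scripts use document.cookie.search
COOKIE_SEARCH = re.compile(r"document\.cookie\.search", re.I)
# Any <iframe ...> opening tag; its attributes are inspected separately
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I | re.S)
# Common wrappers used to hide injected markup from a plain text search
OBFUSCATED_WRITE = re.compile(
    r"(?:\beval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)", re.I)
FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)
# Ways an iframe is typically made invisible to the visitor
HIDDEN_ATTRS = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"\b(?:width|height)\s*=\s*[\"']?0(?:px)?[\"']?(?=[\s>/])", re.I),
    re.compile(r"\b(?:width|height)\s*:\s*0(?:px)?\b", re.I),
)


def iframe_is_hidden(tag: str) -> bool:
    """True when the iframe tag carries one of the hiding attributes."""
    return any(p.search(tag) for p in HIDDEN_ATTRS)


def static_decode(text: str) -> str:
    """Undo two cheap obfuscation layers without running any javascript:
    percent-escaped strings and String.fromCharCode(...) number lists."""
    decoded = unquote(text)

    def _chars(m):
        nums = [int(n) for n in re.findall(r"\d+", m.group(1))]
        return "".join(chr(n) for n in nums if n < 0x110000)

    return FROMCHARCODE.sub(_chars, decoded)


def scan_text(text: str) -> List[str]:
    """Return the list of indicator labels found in one file's content."""
    findings = []
    if COOKIE_SEARCH.search(text):
        findings.append("document.cookie.search")
    if OBFUSCATED_WRITE.search(text):
        findings.append("obfuscated-write")
    if any(iframe_is_hidden(t.group(0)) for t in IFRAME_TAG.finditer(text)):
        findings.append("hidden-iframe")
    elif any(iframe_is_hidden(t.group(0))
             for t in IFRAME_TAG.finditer(static_decode(text))):
        findings.append("hidden-iframe-decoded")  # only visible after decoding
    return findings


def scan_tree(root) -> Dict[str, List[str]]:
    """Walk a site checkout and map each suspicious file to its findings."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path.relative_to(root))] = hits
    return results


def build_sample_site(root: str) -> None:
    """Constructed sample: one clean script and three injected files."""
    base = Path(root)
    (base / "clean.js").write_text(
        'function init() { document.getElementById("nav").style.display = "block"; }\n')
    # Cookie check plus a percent-escaped hidden iframe written to the page
    (base / "injected.js").write_text(
        'var c = document.cookie.search("x9k2"); if (c < 0) { document.write(unescape('
        '"%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%20width%3D%220%22'
        '%20height%3D%220%22%20style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E")); }\n')
    # Plain zero-size iframe appended to the rendered page output
    (base / "index.html").write_text(
        '<html><body><p>Welcome</p>'
        '<iframe src="http://example.invalid/ad" width="0" height="0"></iframe>'
        '</body></html>\n')
    # String.fromCharCode wrapper around a visibility:hidden iframe
    payload = '<iframe src="http://example.invalid/" style="visibility:hidden"></iframe>'
    (base / "obf.js").write_text(
        "eval(String.fromCharCode(" + ",".join(str(ord(ch)) for ch in payload) + "));\n")


def demo() -> Dict[str, List[str]]:
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {', '.join(hits)}")
```

            Run it against a copy of the site tree taken over SFTP rather than against the live server, and treat a `hidden-iframe-decoded` hit as the strongest signal: a legitimate include rarely needs to unescape an iframe before writing it to the page.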


            • Quote from: ZAP at Jun 10, 2009, 03:41 AM

              I’d really encourage people who haven’t tried an operating system other than Windows to consider it if your regular needs allow it. Since I switched to Linux my only interaction with viruses has been cleaning my Windows-using friends’ systems and drives. I know that not everyone can switch to Linux or Mac because they absolutely need Windows-only software or use machines provided by their employer, but for those who can you might be surprised at how easy it is to transition away from Windows.

              I completely agree. I use Windows only for gaming and the occasional Photoshop, past that everything is Linux. I have used Mandrake, Red Hat, CentOS, Fedora, Ubuntu, and now I use openSUSE which appears to combine the best of all of those previously listed.

              Now, I am trying to figure out WHY ADOBE needs to have any settings whatsoever concerning ftp. Dreamweaver is the only app that should need it, unless you are creating a print job with Acrobat, in which case, they should LOCK IT DOWN to only print job files.
                Get your copy of MODX Revolution Building the Web Your Way http://www.sanitypress.com/books/modx-revolution-building-the-web-your-way.html

                Check out my MODX || xPDO resources here: http://www.shawnwilkerson.com
              • This doesn’t have anything to do with Adobe and FTP. It’s a flaw in Adobe that allows a trojan to be installed on your computer. The trojan gets your login and password data (or whatever else it’s been programmed to harvest from your computer) and sends it off to the hackers.
                  Studying MODX in the desert - http://sottwell.com
                  Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
                  Join the Slack Community - http://modx.org
                  Just to let anyone who has this problem know - the current version of Adaware with the latest definitions found and quarantined the original trojan file - stored in a PDF document. I did a scan of some of my old backups. So I would recommend Adaware from Grisoft if you have this problem, or you want to protect yourself against it.
                  • Just a quick note: Ad-Aware is by Lavasoft. Grisoft (now AVG Technologies, Inc.) produces AVG products including the popular AVG Free. I do agree though, it’s a great utility to run in addition to the likes of Spybot S&D, etc.

                    Spyware Doctor also works well and can be had free with the Google Pack. The only drawback is the program can be a real resource drain (the full edition at least) so it’s best run only when needed imo.
                      Patrick | Server Wrangler
                      About Me: Website | TweetsMODX Hosting