original post at http://drupal.org/node/447100
As the version could not be changed, I am reposting for Drupal 5.x (and maybe 6.x also).
This may not be a Drupal problem but an FTP attack or something of that sort,
but I need some urgent help to clean Drupal, or any module or utility in Drupal
that can detect this.

JS:Redirector-G Malware
Mark Gibson - April 28, 2009 - 15:12
I have been asked to support an old version of Drupal, 4.7.4, which has been infected with JS:Redirector-G.

I have downloaded the site and run TextCrawler, which identified 17 infected files.

I've removed the code and write-protected the files in case it was a SQL injection attack. If it is an FTP-based attack that won't prevent it happening again, but at least I can identify the files and rectify it quickly now. Once this has been fixed I'll upgrade, but I need to find the problem first.

The problem is that the code is still showing up in the browser right after the tag, and I need to find where this is in the code or database.

These are some of the corrected files; I have checked that they are still uninfected:
\misc\autocomplete.js
\misc\collapse.js
\misc\drupal.js
\misc\progress.js
\misc\textarea.js
\misc\update.js
\misc\upload.js
\modules\epublish\epublish.js
\modules\event\event.js
\modules\img_assist\img_assist.js
\modules\img_assist\img_assist_textarea.js
\modules\img_assist\img_assist_tinymce.js
\files\videos\edit_dates\flashobject.js
\modules\img_assist\drupalimage\editor_plugin.js
\modules\img_assist\drupalimage\editor_plugin_src.js
Index.php
\Sites\default\settings.php

Can anyone tell me how the page is generated and where this could be coming from? It has been inserted between the end of the and the start of the tags.

-----------------------------------------------------------------
Urgent
sada.lala - May 6, 2009 - 03:52
This is happening with a new installation of the latest 5.x Drupal as well as with other pages/scripts.
For some pages/scripts, cleaning the index files (index.php, index.html, etc.) corrects
the thing, but in Drupal apparently it still persists even after cleaning the index files or freshly uploading the JS files.

This issue is reported in the Avast forums also (do a Google search on JS:Redirector-G).

The hosts say they have no other CGI, files, etc. that can cause this, and apparently
checking the web directory gives no suspicious file.

How can an internal search be made on the Drupal files? Downloading and searching with Windows search does not show the malicious code.

What are the possible files that can give rise to the code when the page is generated?
Someone please help, as this is causing the AV of many legitimate users problems in visiting the sites.

Comments

mm167

If you have checked everything but still can't stop the attack, you may need to consider changing your host.

Say, just for example, the hacker is one of the staff of your host...

Or, they keep on using "abc" as the password of the Linux root...

sada.lala

I have not checked everything; I suppose that is why I posted here.
I would like to know specifically which file or files should be checked.

If the file/files are not cleaned, I will be carrying the same infected
files to the new host.

Is there any senior member here who can answer, please?

sada.lala

Any clues, help?

The nature of recent attacks seems to show that filtering input is not sufficient.
There can be FTP attacks or something of that sort.

Which means a secure CMS needs to come with an inbuilt utility to check
whether its files have been compromised, at cron runs or when such a utility
is accessed by the user.

I think this should be a red alert and an inclusion made immediately in the
core download, if not already made.

This is not a bug nor a security issue of Drupal directly, but it affects
Drupal, and it would be nice if the security team takes note of it.

WeWatchYourWebsite

We have been seeing a lot of websites getting compromised. We scan them for vulnerabilities and find they are relatively secure.

What we have found is that it's not the hosting provider, it's not some vulnerability in the software (Drupal), it's not some hole in a plugin - it's the PC you're using to send the files up to the server.

Too often people think that FTP is a safe and secure protocol - it's not. FTP sends username and password in plain text. It's not encrypted at all.

While we haven't been able to isolate the virus, we've found that people whose websites have been compromised are typically using a PC that's infected with something that sniffs the FTP traffic and obtains the username and password; then the cybercriminals (hackers, crackers, whatever) use their automated systems to continually re-infect your website.

Or we've also seen cases where it automatically looks at the FTP traffic and adds their malscripts (malicious javascript) to certain files as they're being uploaded.

This is why sometimes you'll get a site cleaned, but as they upload a new javascript menu file, for instance, that is the only file that contains the malscript.

Move away from FTP and use something that has SFTP or SCP. We use WinSCP. It offers both. I know that Ipswitch offers an FTP program that will do SFTP as well.

sada.lala

How do you find out that your PC has been doing that thing?

It has happened with sites using SFTP, and unless you are an advertising bot,
please do some googling on this fact.

Specifically I asked how you find out the compromised files now and in future abuse.

WeWatchYourWebsite

I am not an advertising bot and I don't need to do some googling on this fact.

I speak from our experience.

You want to know how we find the compromised files?

We scan for a variety of keywords, combinations of certain words and give each one a score. If the score is above our threshold, we consider it likely to be a compromise.

One keyword you can scan for is unescape. Use TextCrawler with that word and inspect every file that has it in it.
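
An added example, not code from the thread or from any Drupal module: a small Python scanner that combines the keyword scoring WeWatchYourWebsite describes with the baseline file-hash check sada.lala asked for earlier, so it can be run from cron against a webroot. The indicator patterns, their weights, the threshold and the file extensions are assumptions constructed for this example.

```python
import hashlib
import os
import re

# Indicator patterns and weights are constructed for this example, not a
# vendor's scoring; "unescape" is the keyword named in the thread.
INDICATORS = {
    r"unescape\s*\(": 3,
    r"document\.write\s*\(": 2,
    r"eval\s*\(": 2,
    r"String\.fromCharCode": 2,
    r"(?:%[0-9a-fA-F]{2}){8,}": 3,                      # long %xx-encoded run
    r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0": 4,   # hidden iframe
}
THRESHOLD = 5
EXTS = (".js", ".php", ".inc", ".module", ".html")

def score_text(text):
    """Return (score, matched patterns); a single benign hit stays under THRESHOLD."""
    hits = [p for p in INDICATORS if re.search(p, text)]
    return sum(INDICATORS[p] for p in hits), hits

def build_baseline(root):
    """Map relative path -> sha256 for every source file under a known-clean root."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as f:
                    baseline[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return baseline

def diff_baseline(baseline, current):
    """Files added, modified or missing since the baseline (pure, so it is testable)."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "modified": sorted(p for p in current if p in baseline and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
    }

def scan(root, baseline):
    """Cron-style check: hash drift plus any file scoring at or above THRESHOLD."""
    current = build_baseline(root)
    flagged = []
    for rel in current:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            score, hits = score_text(f.read())
        if score >= THRESHOLD:
            flagged.append((rel, score, hits))
    return diff_baseline(baseline, current), flagged
```

Store the baseline dictionary off the server after a clean deploy; a file that later shows up as "modified" or "added" is worth inspecting even if its keyword score is low.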

sada.lala

Thanks. Given the way you found this post, and that the tracker showed this was the only post,
I thought you were a bot.

Did you read the opening post by Mark Gibson above? He already mentioned TextCrawler and how he cleaned some files. The word unescape may be too generic, though it is indeed a word in the malware code. In the above post Gibson said he still finds the malware code.

Thus the questions are:
How to thoroughly clean and get rid of the malware stuff?
How to prevent such a thing in future?
How can a Drupal module help to detect such a thing proactively? Can there be such a module, or such a feature in core?

greggles

I suggest you read

Rather than detecting these things, I feel it is far better to prevent the attacks in the first place.

WeWatchYourWebsite

Nice book!

I just bought it on Amazon. (yes I'm the one)

I can't wait to read it.

murphyca

We have been dealing with this for the past week and it is a nightmare. I have cleaned up the files 3 times and it "seems" to be gone. I have also restricted all FTP access and changed it to secure FTP. Avast found a file in the temp folder, in a temp file in the IE folder.

Does anyone know if this will affect a Mac? We are on PC.

Thank you!