The mother of all viruses...on my server

The mother of all viruses indeed. This one has been killing me for 3 days now.
If ANYONE has ANY help on this kind of thing let me know....we're stumped.

We have a server with a rather large reputable hosting company. It has about 50-60 ASP, database driven sites on it. The wheels are in motion for a migration next week but I need a fix for this if possible. I'm having to do a 'clean upload' every 3 hours on 4 infected sites.

Basically, on Wednesday one of the sites reported unusual activity. When you go to the homepage it starts refreshing your browser at an incredible rate (an attack on you the client). This occurred because something had gained access to a folder in the site and dropped a javascript include / iframe tag into the code in a couple of places!

This, as far as I know is down to an XSS or SQL Injection attack.

Now, we've cleaned the code and tightened up the Db, removed the offending code and even locked the permissions to read only on the folder being hacked on each site but it keeps coming back!!!

Our Virus checker finds zip.

I believe this is a Rootkit Virus (basically hidden to the OS) but several Rootkit scanners have revealed nowt either.

All ports are locked out by a Cisco firewall and the only access to anything that isn't on port 80 is via a VPN with key.

I'm lost now!! :)
I just wanna know if we can stop it re-spawning for a few days!
Any help will be met with free beer for the person that helps me solve it all.
 
At the moment we have AVG installed on the server

Should probably have mentioned it's a win 2003 server.
 
Cheers will do.
Got any recommendations?

We tried PandaSoft as a trial and that was pretty good. Norton do a server version of theirs too, don't they?
 
sist_si said:
Cheers will do.
Got any recommendations?

We tried PandaSoft as a trial and that was pretty good. Norton do a server version of theirs too, don't they?

Well I work for Panda currently and I am being 100% honest and objective when I say that our corporate product is excellent... and the support is top-notch. I know all of the UK corporate support team personally and they are all very very good at their job, and great blokes to boot. Contact them here and get some advice http://www.pandasoftware.co.uk/2007/06600-contactus.htm

Alternatively, NOD32 and Kaspersky are good too but not sure on support. Avoid Norton.

So I personally recommend you give it a try and see how it goes. If your company can afford it then I would definitely recommend a Gatedefender Integra, those things are the shizz, everyone who buys one loves them, review here http://www.pcpro.co.uk/reviews/100206/panda-gatedefender-integra-100.html :)
 
Cheers Richdog.
I think I will be pushing for Panda as I myself was impressed. We previously had Sophos and were burned....the less said about that virus s/ware the better...

Anyway, RootKitRevealer is being run so we'll see what it does for us! I hope it finds and kills this thing....
 
Basically if you have been rooted I wouldn't bother trying to clean it up correctly and do a fresh install from a trusted medium. Binaries can be modified so they report incorrect results and things hidden very well. There's no guarantee that any of the anti-virus products will pick it up since it could be custom code which there are no signatures out there for yet... (There are lots of private undetectable rootkits out there...)
 
Una, he's migrating next week so no point reinstalling.

sist_si you've just got to be careful not to pass on the virus to your new server. Do you use a control panel?
 
We have full access to the server via remote desktop. Don't really use a control panel.

When we migrate, we'll be uploading the code from our local safe version then just moving over the databases from the current server.
We're also gonna go through the code and make sure every form field validates and removes/converts potential malicious characters (i.e. <>()'). We also need to double check any upload forms to check both client and server side for malicious filetypes, and then we'll lock down the users on the databases where not already to be only datareader/datawriters on the specific objects needed.
 
Just thought I'd post an update about this on here...partly to thank people who helped and partly to get others to take heed of the dangers of security holes on your web servers.

Basically, the server in question is now dead. It had seemed we'd got past the virus and we were in the process of migrating to another server to be 100% safe. However, the rootkit virus / intrusion came back, locked us and the datacenter out of Windows completely and left us in a real mess. It had full admin permissions on the server and had stopped back ups of databases as well as web files.
The solution was extreme but seems to have worked - we put a new freshly installed drive in, mounted the old infected drive, extracted the data we needed and have spent literally 48 hours putting the sites up on the new server. Not fun. Thanks to Richdog we have Panda Antivirus now and a much more secure server.

Basically, these are the potential causes of the problem. If you run a web server and know of any of these - get them fixed now!

1. SQL Databases with db_owner permissions - downgrade your website users to data_writer / data_reader permissions and lock out create permissions on your db if they are not needed.

2. ASP Pages - If you use classic ASP and don't filter form submissions or even querystring parameters that are passed to the DB you're wide open. There are many potential unsafe characters including:
', #, <, >, (, )
Just Google XSS Injection and SQL Injection and you'll see what I mean!

3. Virus Software - DO NOT let it expire! :)

If anyone can add any advice then please do. I probably haven't covered everything!
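As an added illustration of point 2 (editor's example, not code posted in the thread): the concatenated classic ASP query that leaves a page wide open, beside the same lookup done through a typed ADODB parameter, with output HTML-encoded so a tag stored in the database renders as text rather than running in the visitor's browser. The open connection `conn`, the `articles` table and its columns are assumptions.

```asp
<%
Option Explicit
' Editor-added example, not code from the thread. Assumes an already open
' ADODB.Connection named conn and a hypothetical table articles(id, title, body).

' ADO constants, normally included from adovbs.inc
Const adCmdText    = 1
Const adInteger    = 3
Const adParamInput = 1

' BEFORE: the pattern point 2 warns about. The raw querystring value becomes
' part of the SQL text, so whatever it contains runs as SQL with the rights
' of the web login (db_owner in the thread's case).
Function LoadArticleUnsafe(conn, rawId)
    Set LoadArticleUnsafe = conn.Execute( _
        "SELECT title, body FROM articles WHERE id = " & rawId)
End Function

' AFTER: the value travels as a typed parameter and is never parsed as SQL.
' Character filtering (point 2) then becomes a second layer, not the only one.
Function LoadArticleSafe(conn, rawId)
    Dim cmd
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT title, body FROM articles WHERE id = ?"
    cmd.CommandType = adCmdText
    ' CLng rejects anything that is not an integer before it reaches the driver
    ' (a non-numeric id raises a VBScript type mismatch instead of reaching SQL).
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    Set LoadArticleSafe = cmd.Execute
End Function

Dim rs
Set rs = LoadArticleSafe(conn, Request.QueryString("id"))
If Not rs.EOF Then
    ' Encode on output so a <script> or <iframe> that reached the database
    ' is displayed as text instead of being executed by the visitor's browser.
    ' The & "" turns a NULL column into an empty string for HTMLEncode.
    Response.Write "<h1>" & Server.HTMLEncode(rs("title") & "") & "</h1>"
    Response.Write "<div>" & Server.HTMLEncode(rs("body") & "") & "</div>"
End If
rs.Close
Set rs = Nothing
%>
```

For string parameters (login forms, search boxes) use adVarChar with an explicit size in CreateParameter instead of adInteger; the same rule applies, the value is bound, never spliced into the query text.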
 
You said:
If anyone can add any advice then please do. I probably haven't covered everything!
Why on *Earth* were you leaving an infected server online? That's not a good idea a) for your data and b) for the other servers/users the infection may be targeting!

Your solution was not extreme, it was standard practice.

Live 'n' learn eh, we've all been there :)
 
I know, it was basically online while we had the new server set up so we could extract the info we needed off it. We didn't get it done in time though so all the above resulted!
 