The mother of all viruses...on my server

Associate | Joined 28 Nov 2004 | Posts 1,255 | Location Birmingham
The mother of all viruses indeed. This one has been killing me for 3 days now.
If ANYONE has ANY help on this kind of thing let me know....we're stumped.

We have a server with a rather large reputable hosting company. It has about 50-60 ASP, database driven sites on it. The wheels are in motion for a migration next week but I need a fix for this if possible. I'm having to do a 'clean upload' every 3 hours on 4 infected sites.

Basically, on Wednesday one of the sites reported unusual activity. When you go to the homepage it starts refreshing your browser at an incredible rate (an attack on you, the client). This occurred because something had gained access to a folder in the site and dropped a javascript include / iframe tag into the code in a couple of places!

This, as far as I know, is down to an XSS or SQL Injection attack.

Now, we've cleaned the code and tightened up the Db, removed the offending code and even locked the permissions to read only on the folder being hacked on each site but it keeps coming back!!!

Our Virus checker finds zip.

I believe this is a Rootkit Virus (basically hidden to the OS) but several Rootkit scanners have revealed nowt either.

All ports are locked out by a Cisco firewall and the only access to anything that isn't on port 80 is via a VPN with key.

I'm lost now!! :)
I just wanna know if we can stop it re-spawning for a few days!
Any help will be met with free beer for the person that helps me solve it all.
 
At the moment we have AVG installed on the server

Should probably have mentioned it's a win 2003 server.
 
Cheers will do.
Got any recommendations?

We tried PandaSoft as a trial and that was pretty good. Norton do a server version of theirs too, don't they?
 
Cheers Richdog.
I think I will be pushing for Panda as I myself was impressed. We previously had Sophos and were burned....the less said about that virus s/ware the better...

Anyway, RootKitRevealer is being run so we'll see what it does for us! I hope it finds and kills this thing....
 
We have full access to the server via remote desktop. Don't really use a control panel.

When we migrate, we'll be uploading the code from our local safe version then just moving over the databases from the current server.
We're also gonna go through the code and make sure every form field validates and removes/converts potential malicious characters (i.e. <>()'). We also need to double check any upload forms to check both client and server side for malicious filetypes, and then we'll lock down the users on the databases, where not already, to be only datareader/datawriters on the specific objects needed.
 
Just thought I'd post an update about this on here...partly to thank people who helped and partly to get others to take heed of the dangers of security holes on your web servers.

Basically, the server in question is now dead. It had seemed we'd got past the virus and we were in the process of migrating to another server to be 100% safe. However, the rootkit virus / intrusion came back, locked us and the datacenter out of Windows completely and left us in a real mess. It had full admin permissions on the server and had stopped backups of databases as well as web files.
The solution was extreme but seems to have worked - we put a new freshly installed drive in, mounted the old infected drive, extracted the data we needed and have spent literally 48 hours putting the sites up on the new server. Not fun. Thanks to Richdog we have Panda Antivirus now and a much more secure server.

Basically, these are the potential causes of the problem. If you run a web server and know of any of these - get them fixed now!

1. SQL Databases with db_owner permissions - downgrade your website users to data_writer / data_reader permissions and lock out create permissions on your db if they are not needed.

2. ASP Pages - If you use classic ASP and don't filter form submissions or even querystring parameters that are passed to the DB you're wide open. There are many potential unsafe characters including:
', #, <, >, (, )
Just Google XSS Injection and SQL Injection and you'll see what I mean!

3. Virus Software - DO NOT let it expire! :)
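Points 1 and 2 above, and the database lock-down described earlier in the thread, as one worked T-SQL script. This is an added example, not code from the thread or from anyone posting in it; the database name WebSiteDb, the login web_site and the table dbo.Articles are made up for illustration. It shows the audit query to find who is db_owner, the downgrade to db_datareader / db_datawriter with CREATE permissions denied, and a stored procedure with a typed parameter that replaces a query built by concatenating a querystring value:

```sql
-- Added example (not from the thread): least-privilege SQL Server login for a
-- classic ASP site, plus a typed-parameter procedure in place of string
-- concatenation. Names are constructed: WebSiteDb, web_site, dbo.Articles.
-- CREATE LOGIN / CREATE USER are SQL Server 2005+ syntax; on SQL Server 2000
-- use sp_addlogin and sp_grantdbaccess instead.
USE master;
GO
-- One login per site; the web application must never connect as sa.
CREATE LOGIN web_site WITH PASSWORD = '<replace-with-strong-password>';
GO

USE WebSiteDb;
GO
CREATE USER web_site FOR LOGIN web_site;
GO

-- Audit first: which accounts are currently db_owner in this database?
EXEC sp_helprolemember 'db_owner';

-- If the web user was made db_owner, take it out of that role ...
-- EXEC sp_droprolemember 'db_owner', 'web_site';
-- ... and give it row read/write only.
EXEC sp_addrolemember 'db_datareader', 'web_site';
EXEC sp_addrolemember 'db_datawriter', 'web_site';
GO

-- Deny schema changes explicitly, so an injected statement cannot add or
-- alter objects even if a role grant is widened later by mistake.
DENY CREATE TABLE, CREATE VIEW, CREATE PROCEDURE, CREATE FUNCTION TO web_site;
GO

-- An ASP page that did
--   "SELECT ... WHERE ArticleID = " & Request.QueryString("id")
-- should instead call a procedure whose parameter is typed. An int
-- parameter cannot carry quotes, comment markers or a second statement;
-- a non-numeric value is rejected before any SQL runs.
CREATE PROCEDURE dbo.GetArticle
    @ArticleID int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ArticleID, Title, Body
    FROM dbo.Articles
    WHERE ArticleID = @ArticleID;
END
GO

-- The web user may execute this procedure; it gets nothing else on its own.
GRANT EXECUTE ON dbo.GetArticle TO web_site;
GO

-- Verify the final state for the web user.
EXEC sp_helprolemember;               -- role membership per role
EXEC sp_helprotect NULL, 'web_site';  -- explicit GRANT / DENY entries
```

On the ASP side the procedure is called through an ADODB.Command object with cmd.CreateParameter(..., adInteger, adParamInput, ...), so the querystring value is bound as an integer rather than spliced into the SQL text; character stripping as described in the thread then becomes a second line of defence rather than the only one.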

If anyone can add any advice then please do. I probably haven't covered everything!
 
I know, it was basically online while we had the new server set up so we could extract the info we needed off it. We didn't get it done in time though so all the above resulted!
 