
I am facing the following situation:

Some of my websites started getting infected by malware (iframes loading malware scripts).

I have tried everything that comes to my mind.

  • I checked FTP logs to find out if access was made via FTP.
  • I downloaded the home directories and scanned all files. Many times. My hosting company (very helpful so far) scanned my affected accounts. 2 or 3 times each.
  • I manually checked the code of all the files that are requested by the page that has the injected code.
  • I scanned for file size and file creation changes.

I found nothing.

One of these websites got listed as infected by google. I deleted all files from the server and used the production copy on my dev server. Before that, I changed the password to something theoretically unbreachable (password length 50 containing varchar and specialchars + max 5 failed attempts before the server locks down for brute force attack) and switched all my connections to SSL.

Note: SQL injection is out of the question as it uses no database.

Then I requested a new review through Google Webmaster Tools. The site was found clean. That was 5 days ago. Today it is infected again!

I am out of ideas.

Any help?

[Image: AVG report] [Image: the code that is being injected into my pages]

Spiros
  • If your backup production files have a vulnerability, that's how they got back in. Assuming you deleted every single file and restored from backup. The other possibility is your backups are infected or a rogue PHP file exists giving attackers a backdoor into your site. Have you tested on http://sitecheck.sucuri.net/scanner/ – Anagio Jul 21 '12 at 19:27
  • 1
    Are you using shared hosting or dedicated server? What applications are listening to the outside world? Have you updated any third party application/plugin before(or soon after) restoring your dev copy? (BTW - is that the iframe produced by the malware?) – milo5b Jul 21 '12 at 19:30
  • It's a VPS, using cPanel / WHM. Yes, that is the iframe (the code underneath the AVG window here; I think you can see it better here: http://i.stack.imgur.com/1vkCv.jpg) – Spiros Jul 22 '12 at 16:15
  • How are the sites being built? Using third party? WordPress? How do you transfer data to your server? I assume FTP, but what program do you use (Dreamweaver? VS? Mozilla FileClient etc.)? – Dave Jul 23 '12 at 08:22
  • Hi. I found the solution. Looks like Apache got infected. Have a look at my answer. Thanks for your comments. – Spiros Jul 24 '12 at 06:05
  • http://forum.lowyat.net/topic/2434138 same here :< – xDragonZ Jul 24 '12 at 12:43

1 Answer


The problem got solved. After doing some research, I found out that Apache itself can be used to deliver malware.

Some more info on that: http://www.symantec.com/connect/blogs/extending-apache-serve-malware-0

and http://www.stopthehacker.com/2011/05/23/apache-used-to-inject-malware/

Lots more info if you google it.

Thanks for your comments.

Spiros
  • How did you fix your Apache server? Was there a module you had to disable and remove? What were the steps to detect it? – Anagio Jul 24 '12 at 06:24
  • The issue was handled by my hosting provider (the server is managed), so I am not sure of the details. But it seems that attackers somehow manage to install an Apache filter that creates the problems. – Spiros Jul 24 '12 at 07:57
  • Please read my forum post too, it seems like my host provider is having the same issue: http://forum.lowyat.net/topic/2434736/all I have provided a scan report too – xDragonZ Jul 24 '12 at 12:42
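The point of the accepted answer is that the files on disk stayed clean while the server process itself altered what it sent to clients, which is why file scans and size checks found nothing. A defender-side check for that case, added here as an example and not part of the original answer, is to diff the page a client actually receives against the file on disk and flag any off-site iframe that exists only in the response. The HTML samples and the `www.example.com` host are constructed.

```python
import difflib
import re
from typing import Iterable, List
from urllib.parse import urlparse

# Constructed sample (not from the original post): the page as stored on disk,
# and the same page as a client actually received it from the server.
ON_DISK_HTML = """<html><head><title>Home</title></head>
<body>
<h1>Welcome</h1>
<p>Nothing to see here.</p>
</body></html>
"""
SERVED_HTML = """<html><head><title>Home</title></head>
<body>
<h1>Welcome</h1>
<p>Nothing to see here.</p>
<iframe src="http://bad.example/x.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

IFRAME_TAG_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def added_lines(on_disk: str, served: str) -> List[str]:
    """Lines in the served response that are not in the on-disk file."""
    diff = difflib.unified_diff(on_disk.splitlines(), served.splitlines(),
                                lineterm="", n=0)
    return [ln[1:] for ln in diff if ln.startswith("+") and not ln.startswith("+++")]


def iframe_sources(html: str) -> List[str]:
    """Every src= value on an <iframe> tag in a chunk of HTML."""
    found = []
    for tag in IFRAME_TAG_RE.findall(html):
        m = SRC_ATTR_RE.search(tag)
        if m:
            found.append(m.group(1))
    return found


def injected_iframes(on_disk: str, served: str, own_hosts: Iterable[str]) -> List[str]:
    """Off-site iframe sources that appear in the served page but not on disk.
    Relative URLs count as own-site. A non-empty result with a clean file means
    something in the serving path (the web server or a module loaded into it)
    is rewriting responses on the way out."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in added_lines(on_disk, served):
        for src in iframe_sources(line):
            host = urlparse(src).hostname
            if host and host.lower() not in own:
                hits.append(src)
    return hits
```

Fetch the served copy over HTTP from outside the host, since a module inside the server can hand a different body to local requests, and pair this with a review of the loaded modules (`apachectl -M`) against what the distribution's packages actually install.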