Written By: lprent - Date published: 10:05 pm, April 22nd, 2008 - 6 comments
Categories: admin -
Tags: admin
A reader pointed out a set of hidden spam links that had attached themselves to the footer of the site.
I’d noticed them previously and thought that I’d corrected them (see comment). But they turned up again. Turns out it was from an interesting flaw in the website, and was being inserted from outside. I’ve hardened up the problem area(s) and I’ll monitor for a repetition.
It is likely that I’ll need to take the site down for a few hours in the early morning on Sunday to do some further maintenance. So don’t get too surprised to get an unexpected screen around that time.
Lynn
The server will be getting hardware changes this evening starting at 10pm NZDT.
The site will be offline for some hours.
Lynn:
This played havoc with my computer earlier – I believe one of those spam links led to a trojan virus website?
I’ve just finished scanning the backups (5 times daily) for the last 2 weeks and 3 days that the links show up. There was no client side script or binary objects which would have been required to do anything active. It looks like the links didn’t change much either, so there was no active updating going on between times at the server.
That’s what I expected. If it had then I’d have noticed a lot earlier. My AV is quite aggressive and would have been popping up warnings about unauthorized action when I was accessing the site. But it doesn’t object to passive links unless I click on them and it finds something it doesn’t like.
The links were in a hidden DIV so you would not have been able to click on one to activate it. Could have led to that kind of site (I didn’t look). But the intent of the hidden div appears to have been to simply carry the links to increase their google score. Most of the links were to sites like travel agents, real estate, financial services, cheap airfares, hotel bookings, and other such junk. Someone commercial was freeloading on the site’s popularity.
It just added extra weight to all of the pages delivered on the blog – but probably less than one of Steve’s graphs or a_y_b’s graphics, because the text would usually have been compressed, and their graphs and pictures don’t.
Anyway, the AV at the server would have noticed a virus or trojan. It isn’t particularly bright compared to Kaspersky, but it does update daily and scans in an auto-protect mode.
It is highly unlikely that you caught payload from this site.
//============================================
Some general advice on viruses, trojans etc. I’d recommend buying Kaspersky – it has been protecting all of my file servers, mail servers, web servers and workstations very well since 2003. Hopefully I’ll be replacing the AV on The Standard’s server with it.
The most likely cause of your infection is still from e-mail. My mail server discards 74% of mail as spam daily, and a high proportion of those either contain viruses or have links to them. You can get viruses from webpages, but usually you have to click something to download it (unless you have activeX enabled on IE5/6 – urrghh).
I’d advise using Firefox or Safari even if you have a good AV. IE7 is better than IE6, but it is still inadequate in a lot of directions. In my opinion, especially in security areas. It is noisy about security, but not as inherently safe as Firefox.
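The check described in the comment above (scanning saved copies of the pages for a hidden DIV carrying outbound links, and confirming there was no script, iframe or binary object that could have done anything active) can be scripted against HTML snapshots. The following is an added example, not code from the site or its author; the host name blog.example and the sample snapshots are constructed for illustration. It uses only the Python standard library, so it runs offline, and it also diffs consecutive snapshots so you can see whether the injected links are changing over time.

```python
"""Scan saved HTML snapshots for hidden link farms and active content.

Added example, not the site's own code. Assumptions: pages are available
as strings, the site's own host is OWN_HOST (constructed), and "hidden"
means an inline display:none / visibility:hidden style or the HTML5
`hidden` attribute on the element or one of its ancestors.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

OWN_HOST = "blog.example"  # constructed host for the example
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
HIDDEN_MARKERS = ("display:none", "visibility:hidden")


def _is_hidden(attrs):
    """True if the element's own attributes hide it from view."""
    a = dict(attrs)
    style = (a.get("style") or "").replace(" ", "").lower()
    return any(m in style for m in HIDDEN_MARKERS) or "hidden" in a


class HiddenLinkScanner(HTMLParser):
    """Collect outbound <a href> inside hidden elements, plus active content."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.hidden_depth = 0   # >0 while inside a hidden ancestor
        self.stack = []         # (tag, was_hidden) for depth tracking
        self.hidden_links = []  # outbound hrefs found inside hidden elements
        self.active = []        # (tag, src) of anything that could execute

    def _note_active(self, tag, a):
        if tag in ACTIVE_TAGS:
            self.active.append((tag, a.get("src") or a.get("data") or ""))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = _is_hidden(attrs)
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1
        self._note_active(tag, a)
        if tag == "a" and self.hidden_depth > 0:
            href = a.get("href") or ""
            host = (urlparse(href).hostname or "").lower()
            if host and host != self.own_host:   # ignore internal links
                self.hidden_links.append(href)

    def handle_startendtag(self, tag, attrs):
        # Self-closing element: record it but do not push it on the stack.
        self._note_active(tag, dict(attrs))

    def handle_endtag(self, tag):
        # Pop to the matching open tag; tolerates unclosed void elements.
        while self.stack:
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break


def scan(html, own_host=OWN_HOST):
    """Return {'hidden_links': [...], 'active': [(tag, src), ...]} for one page."""
    p = HiddenLinkScanner(own_host)
    p.feed(html)
    p.close()
    return {"hidden_links": p.hidden_links, "active": p.active}


def diff_snapshots(snapshots, own_host=OWN_HOST):
    """For [(name, html), ...] in time order, list links added/removed per snapshot."""
    prev, changes = None, []
    for name, html in snapshots:
        cur = set(scan(html, own_host)["hidden_links"])
        if prev is not None:
            changes.append((name, sorted(cur - prev), sorted(prev - cur)))
        prev = cur
    return changes


# Constructed snapshots: a clean page, the same page with a hidden link
# farm appended to the footer, and a variant that also carries an iframe.
CLEAN = """<html><body><div id="content"><p>Post text</p>
<a href="https://blog.example/about">About</a></div>
<div id="footer">Powered by WordPress</div></body></html>"""

INJECTED = CLEAN.replace(
    "Powered by WordPress",
    'Powered by WordPress\n<div style="display: none">\n'
    '<a href="http://cheap-airfares.example/">cheap airfares</a>\n'
    '<a href="http://hotel-bookings.example/">hotel bookings</a>\n'
    '<a href="http://realestate.example/">real estate</a>\n</div>')

INJECTED_ACTIVE = INJECTED.replace(
    "</div></body>",
    '</div><iframe src="http://x.example/p.html" hidden></iframe></body>')

if __name__ == "__main__":
    for name, page in [("clean", CLEAN), ("injected", INJECTED),
                       ("injected+iframe", INJECTED_ACTIVE)]:
        print(name, scan(page))
    print(diff_snapshots([("day1", CLEAN), ("day2", INJECTED), ("day3", INJECTED)]))
```

Links to the site's own host are ignored so that legitimate hidden navigation (a collapsed menu, for instance) does not trip the check; a page where `active` is non-empty deserves a closer look regardless of whether any hidden links are present.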
Lynn:
Interesting comments. I’m not a techy, so this really is your area of expertise.
Here’s the thing: I don’t open executable file attachments – from anyone. I give you my word that, when I visited this blog earlier today, my computer packed up – more or less straight away. I wasn’t running anything else in the background. I can only assume that there was some malicious code in there somewhere which destabilised my OS.
It sounds like you’ve fixed the problem – whatever it was – but I’d be interested to know if anyone else had the same experience as me.
I would doubt that it came from here (there is no absolute certainty in IT). But I’d be interested as well. It is a problem that should have been solved long ago by adequate use of AVs.
There are quite a lot of interesting (to me anyway) techniques going on around websites at present. It isn’t an area that I’ve looked at extensively for a number of years. But it does keep coming up. There are a lot of routes into systems, and not just by clicked on executables.
For instance a friend forwarded an e-mail a few days ago to have a look at because the wording was quite threatening, and it turned up in both of her mail boxes. It had a link to a webpage which I opened in a sniffer. The front of the site had a routine bit of porn. But there was an IFRAME on the page that had some very well written vbscript that would have worked in older IEs, and Outlooks.
I’ve seen trojan inserters turn up in video and audio codecs. The “install this to play this video” for something on a web page targeted at windows media player.
Some rather stupid applications use open protocols like tftp to update drivers. I caught one of them pulling in a virus a year or so ago presumably because someone was capturing the packets at a router.
I’m not going to bother detailing the access points that are detailed on the net. But it is why there are so many security updates coming through on windows over the last few years.
Generally the best defense is to have very good antivirus and scanners (and keep them updated!) plus use the hardware firewall on your router.
Every outbreak that I’ve seen in the last 4-5 years has also had no or antique anti-virus at the client side.
The hardware firewall.. Most machines visible on the net have port scans done on them at least every 30 minutes looking for open ports. One server I help maintain in the US gets scanned on average every 4 seconds.
Actually, my PC choked as well. When I accessed the site it asked me if I wanted to download a plugin (redirected to a-b-c.com I think?), which I tried to decline but by that stage IE had locked up and I had to reboot. The PC ran pretty badly for a while but eventually sorted itself out, antivirus didn’t find anything when I ran it.
I’ve had that happen a couple of times in the last few days (in IE7).
Once on here and once on another site. It was asking for different plugins in each case. One was some kind of graphics protocol and the other was something that I’ve forgotten – Shockwave? Displayed in the bar just under the tab bar in IE7.
The defining factor was that it jammed IE7, and put one CPU core into 100%. The rest of the machine went really sluggish. Because the machines are multi-CPU/multi-core, I just killed IE7.
I never allow plugins for Internet Explorer, and routinely get that type of message. I’d attributed the jam up to one of Microsoft’s automatic downgrades. It was only the jam that was unusual.
Just in case you hadn’t realised. I don’t like Internet Explorer. I only use it because I still have to write HTML/css/js for it sometimes. IMHO it is too non-standard to code for easily, and outright dangerous on security.