Home page logo
/

basics logo Security Basics mailing list archives

Re: There is a strange get request header in all web pages of my site? I'm worry about Trojan attack!
From: BugBear <gryzli.the.bugbear () gmail com>
Date: Thu, 8 Sep 2011 21:48:22 +0300

Hello, 

For sure your web site has been compromised. Based
on my experience, here are some advices for finding the malicious
redirection : 

1. You can try filter out the files, that are modified since you
encounter the problem. For example, find all files modified after
September 6, or maybe day before ...

- After you find those files, you can search them for the URL u've
  mentioned ( carlos.c0m.li ) . If you are lucky, the URL would be
  there in  clear text.
        - Of course, you can issue the text search to all of your web
          files.

- If you don't find the URL in clear text, you can try to search for
  "eval / gzinflate / base64_decode" php functions, which are not part
  of your code. There are lot of cases out there, when the attacker
  masks the redirection (the iframe) within eval/base64_decode functions
  (because this way it's harder to find).

2. As dishix () googlemail com said, there is a possibility that the code
is injected via SQL Injection. Again you can check this, if you issue
a search(carlos.c0m.li or just "carlos") on the database files or
through SQL search query for all the tables & records.


And i think that your main goal must be finding the source of the
problem (not only the infected files/database) - how did they hacked
you ? Here are some proposals: 
- hacked/brute force or spywared/ FTP account
- web exploit in your system (RFI,LFI.....) - check your access logs
- SQL Injection - this is the most harmless case (in my opinion)

Good luck.

Best Regards

On Thu, 8 Sep 2011 00:01:19 +0430
Ali Asghar Toraby Parizy <aliasghar.toraby () gmail com> wrote:

Hi.
Today I found that Kasper Anti Virus has blocked my site and says to
the clients that this site is affected by a Trojan.
At the other hand I usually surf the Internet using Firefox. But today
I used IE to open my own site. But IE tells me following warning:
This page contains content that will not be delivered using a secure
HTTPS connection...
I traced my site with Fiddler debugging toll and I found that each
time I send a request to the site a get request handler is established
to the following URL:
"http://carlos.c0m.li/iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7";
I've searched about "carlos.c0m.li" in the internet and I saw in
"Google safe Browsing" something about that host in the following URL:
http://google.com/safebrowsing/diagnostic?site=carlos.c0m.li/
Google says that, that host has a maleware. please look at that report
and suggest a way to remove this bad thing from my site.
I've searched most of my public html directory. but I haven't found
any file that makes following http header. I have no idea. How can I
find that?


----- this is header that fiddler detects for every file that I open
in my site: GET /iframe.php?id=v4pfa24nw91yhoszkdmoh413ywv6cp7
HTTP/1.1 Accept: application/x-ms-application, image/jpeg,
application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64;
Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR
3.0.30729; Media Center PC 6.0; InfoPath.2; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
Host: carlos.c0m.li


HTTP/1.1 404 Not Found
Date: Wed, 07 Sep 2011 18:42:02 GMT
Server: Apache/2
Accept-Ranges: bytes
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 233
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

 ?

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing
management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault