Topic: HTML:Script-inf Detected, Having trouble cleaning it up


bengeorge82

  • Guest
HTML:Script-inf Detected Having trouble cleaning it up
« on: August 26, 2010, 06:12:06 PM »
I'm the webmaster for hxxp://www.tamarindovistavillas.com and have root access. Over the past few weeks we've been getting attacked hard, and I have cleaned out numerous trojans/malware, reset every password, installed every security update, and triple-checked my permissions. After a week or so of no entries, something got in while I was sleeping and I can't seem to find it.

Here is the Avast log:
8/26/2010 9:21:13 AM   hxxp://tamarindovistavillas.com/ [L] HTML:Script-inf (0)
8/26/2010 9:21:16 AM   hxxp://tamarindovistavillas.com/wp-admin/images/screen-options-left.gif [L] HTML:Script-inf (0)

The first is when you hit the root domain, though I've combed all the PHP files and the includes and have found nothing: no script reference and nothing encoded. Anyone have any idea where this could be coming from?

The second references a file that does not exist; even in a core deployment of WordPress the file isn't there.

VirusTotal results were mostly negative except for a few:
NOD32   5399   2010.08.26   HTML/ScrInject.B.Gen
ClamAV   0.96.2.0-git   2010.08.26   PUA.HTML.Infected.WebPage-2

Thanks in advance!
« Last Edit: August 26, 2010, 06:16:21 PM by bengeorge82 »


DavidR

  • Avast Überevangelist
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #2 on: August 26, 2010, 06:37:00 PM »
First, please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites. Thanks.

This is commonly down to old content management software being vulnerable (PHP, Joomla, WordPress, SQL, etc.); see this example of a host's response to a hacked site.
Quote:
We have patched up the server and we found a weakness in PHP which was helping to aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages, as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user account.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub-accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see Tips for Cleaning & Securing Your Website: http://www.stopbadware.org/home/security.


Re the alert on the home page (image1): http://www.virustotal.com/file-scan/report.html?id=3af147943cd0aa9d8a177aa8249f6dd32e0b44867eb35f3b9c1a04b0b72f72f5-1282840386.

This has a script tag after the closing HTML tag, a standards no-no and suspect; see image2.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
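An added example, not code from the thread or from any poster: a small Python scanner that implements checks 1 and 3 of the quoted procedure plus the observation above (a script tag placed after the closing HTML tag). The file names, the bad.example host and the sample page and .htaccess contents are all constructed for the demo.

```python
# Added example (not from the thread): flag <script> tags placed after </html> in index/default
# pages, and absolute-URL redirects in .htaccess files, under a web root.
import re
from pathlib import Path

HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Redirect / RedirectMatch / RewriteRule lines whose target is an absolute http(s) URL
HTACCESS_REDIRECT_RE = re.compile(r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*https?://.*$", re.IGNORECASE | re.MULTILINE)

def scripts_after_html_close(html: str) -> list[str]:
    """Return the src of each <script> tag found after the last </html>; inline tags give '<inline>'."""
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return []
    tail = html[closes[-1].end():]
    found = []
    for tag in SCRIPT_TAG_RE.finditer(tail):
        src = SRC_ATTR_RE.search(tag.group(0))
        found.append(src.group(1) if src else "<inline>")
    return found

def htaccess_external_redirects(text: str) -> list[str]:
    """Return .htaccess lines that redirect or rewrite to an absolute http(s) URL."""
    return [m.group(0).strip() for m in HTACCESS_REDIRECT_RE.finditer(text)]

def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map path -> findings for index/default pages and .htaccess files; clean files are omitted."""
    findings = {}
    for path, text in files.items():
        name = Path(path).name.lower()
        if name.startswith(("index.", "default.")):
            hits = scripts_after_html_close(text)
        elif name == ".htaccess":
            hits = htaccess_external_redirects(text)
        else:
            continue
        if hits:
            findings[path] = hits
    return findings

def scan_webroot(root: Path) -> dict[str, list[str]]:
    """Read every regular file under root and scan it with scan_files."""
    return scan_files({str(p): p.read_text(errors="replace") for p in root.rglob("*") if p.is_file()})

# Constructed samples (not real site content): a clean page, the same page with a trailing
# injected script tag, and an .htaccess that rewrites every request to an external host.
CLEAN_PAGE = "<html><body><script src='/wp-includes/js/ok.js'></script></body></html>\n"
INFECTED_PAGE = CLEAN_PAGE + '<script src="http://bad.example/Web_Host.js"></script>\n'
HTACCESS_SAMPLE = "RewriteEngine On\nRewriteRule ^(.*)$ http://bad.example/$1 [R,L]\nOptions -Indexes\n"
```

Run `scan_webroot(Path("/path/to/webroot"))` on a real document root; a script inside the body (as in CLEAN_PAGE) is not reported, only scripts that follow the closing tag.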

bengeorge82

  • Guest
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #3 on: August 26, 2010, 06:44:53 PM »
I finally found it. FYI, it's pointing here:
hxxp://nuttypiano.com/Web_Host.js, in case others are looking for the code.

DavidR

  • Avast Überevangelist
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #4 on: August 26, 2010, 06:45:31 PM »
Further update: the domain in the inserted script tag is considered a) malicious by the avast Network Shield and b) an attack site by Firefox safe browsing.

So I would say the alert on that script tag is good.

Pondus

  • Not an avast user
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #5 on: August 26, 2010, 06:50:11 PM »
« Last Edit: August 26, 2010, 06:53:18 PM by Pondus »

bengeorge82

  • Guest
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #6 on: August 26, 2010, 06:52:55 PM »
Thanks guys, got it wrapped up. Now, how do you think they injected that there? Is there any precaution I can take to prevent that injection into the index.php?

DavidR

  • Avast Überevangelist
Re: HTML:Script-inf Detected Having trouble cleaning it up
« Reply #7 on: August 26, 2010, 06:58:34 PM »
You're welcome.

This is commonly down to old content management software being vulnerable (PHP, Joomla, WordPress, SQL, etc.); see this example of a host's response to a hacked site.

I suggest that you reread the quoted text in my last-but-one post and visit the stopbadware.org site link that I gave.