
One of our sites has been compromised and we have had a warning email from Google. The site has been blocked by Google in Firefox. Has anyone seen this type of attack before?

Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-19, and the last time suspicious content was found on this site was on 2009-11-19.

Malicious software includes 1 trojan(s). Successful infection resulted in an average of 6 new process(es) on the target machine.

Malicious software is hosted on 1 domain(s), including googleanalyticsresearchengine.eu/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including web-bureau.com/.

This site was hosted on 1 network(s) including AS31727 (NODE4).

2 Answers

1

Not one that I have seen specifically, but it tells you that your page has been altered to request content (probably an iframe that attempts to load a drive-by hack onto the client's machine, or a javascript file to create a pop-under that does similar).

You need to take the web server offline ASAP as you may be unwittingly infecting your visitors with something nasty. After a machine has been hacked into it is generally recommended that you completely rebuild it, as you do not know what extra backdoors the hacker left behind to allow the attacker back in again once you clean the infection (unless you know for sure that the change was made entirely due to an unprivileged user account having an insecure password that was guessed, or a specific unpatched script that allowed the change in a way that would not allow deeper changes).

If you provide more specific details (OS, web server, what apps/scripts you have installed, ...) we might be able to provide more specific help.

David Spillett
  • You are correct, I checked the site using Firebug and there is the following line directly after the opening body tag -

    The site is a Joomla site, I am on Mac OS using Filezilla/Dreamweaver for my FTP. I have checked web-bureau.com and it looks like a normal site. I have checked my web files and cannot locate where the iframe is being injected into the code.

    –  Nov 23 '09 at 10:53
  • It may be being added by a javascript file loaded from another server. Also my answer assumed this is your own server (hence the question being asked on serverfault) rather than a shared server - is this correct? – David Spillett Nov 23 '09 at 11:03
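The answer above describes the usual symptom: a tag, typically an iframe or a remote script include, inserted into the page to pull content from a host that is not part of the site. The following scanner is an added example written for this thread, not code from the original answer or from Joomla; it walks a local copy of the site's files and reports every `<iframe>` or `<script src=...>` whose host is outside an allow-list, flagging frames that are sized or styled to be invisible. `ALLOWED_HOSTS`, the file extensions, and the `SAMPLE_PAGE` with its `malicious-host.invalid` address are assumptions constructed for the example; the sample mirrors the "frame right after the opening body tag" described in the comment.

```python
"""Report remote iframe/script includes in site files that point at hosts
outside the site's own domain. Added example for this thread, not code from
the original answers; host names and the sample page are constructed."""
import os
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads content from (assumption: edit for your site).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Attribute fragments that usually mean a frame is meant to stay invisible.
HIDDEN_MARKERS = ("display:none", "visibility:hidden", "width=0", "height=0")


class InjectionFinder(HTMLParser):
    """Collect iframe/script tags whose src points at a host not on the allow-list."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)  # HTMLParser lower-cases attribute names for us
        src = attrs.get("src")
        if not src:
            return  # inline script or src-less frame: not a remote include
        host = (urlparse(src).hostname or "").lower()
        if host == "" or host in self.allowed:
            return  # relative URL, or a host we expect to see
        # Flatten width/height/style so a 0x0 or display:none frame is easy to spot.
        style_bits = " ".join(
            f"{k}={v}" if k in ("width", "height") else (v or "")
            for k, v in attrs.items() if k in ("width", "height", "style")
        ).replace(" ", "").lower()
        hidden = any(marker in style_bits for marker in HIDDEN_MARKERS)
        line, _ = self.getpos()  # 1-based line where the tag starts
        self.findings.append(
            {"tag": tag, "host": host, "src": src, "line": line, "hidden": hidden}
        )


def scan_html(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of suspicious remote includes found in one document."""
    finder = InjectionFinder(allowed_hosts)
    finder.feed(text)
    return finder.findings


def scan_tree(root, allowed_hosts=ALLOWED_HOSTS,
              exts=(".php", ".html", ".htm", ".js", ".tpl")):
    """Walk a site checkout; map each affected file path to its findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read(), allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample: a zero-size hidden frame placed right after <body>,
# pointing at a host that is not part of the site, plus two legitimate includes.
SAMPLE_PAGE = """<html><head><title>Home</title></head>
<body><iframe src="http://malicious-host.invalid/in.php" width=0 height=0 style="display: none"></iframe>
<script src="/media/system/js/mootools.js"></script>
<script src="https://www.example.com/js/site.js"></script>
<p>Welcome</p></body></html>
"""

if __name__ == "__main__":
    # Usage: python scan_includes.py /path/to/site/copy   (no path: scan the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target) if target else {"<sample>": scan_html(SAMPLE_PAGE)}
    for path, hits in results.items():
        for h in hits:
            flag = "HIDDEN " if h["hidden"] else ""
            print(f"{path}:{h['line']}: {flag}{h['tag']} from {h['host']} -> {h['src']}")
```

Run it against a fresh FTP download of the site rather than the live server, since the server should already be offline. The scan only sees tags that are literally present in the files: a script that assembles the frame at runtime from encoded strings, or content that Joomla serves from its database rather than from template files, will not show up here, which is consistent with the comment above that the tag may be added by a JavaScript file loaded from elsewhere. A hit on a core file such as a template's `index.php` is also a good pointer to the modification time to compare across the rest of the tree.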
0

We regularly see customers with websites that have been defaced or otherwise modified, to the point that we just wrote a blog article on how to avoid getting your website infected with malware. Basically, they usually get in by one of a few different methods:

  • Guessing passwords
  • Breaking into the web application code
  • Breaking into the developer's workstation, and either getting the FTP password from there or modifying the local version of the site
womble