Suspicious happenings

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
4/14/2010 9:08:31 AM
Total Posts 108

Suspicious happenings

Hey there,

I've been travelling around for a few weeks and got back to looking at my site yesterday, and it's suddenly gone down for no apparent reason. It's just a personal site, but it's worrying me as it was fine before I left, and I have more important sites up running mojoPortal.

www.timbutler.org

Things I've noticed:

Google's scarlet warning page comes up from time to time about addthis.net being an unsafe website with malicious programs on it, and apparently my site references it.

newgeocheck.js

This file appears in every folder on the server.

I can only assume my site's been attacked, for some unknown reason.

I deleted the db and ran the install script again, which ran fine, but when I try to navigate to the homepage, or enter the login page directly, it shows the 'We're sorry but a server error has occurred while trying to process your request.' error.

I'll keep this site up for 24hrs in case anyone would like to take a stab at it, but please let me know if anyone else has experienced this.

One possibility is that I didn't change the admin username and pw before I left, so maybe there's a script running out there looking for mojoPortal sites with the default username and password.

Any thoughts or comments are welcome.

Many Thanks

Tim

4/14/2010 9:46:28 AM
Total Posts 18439

Re: Suspicious happenings

Hi Tim,

Clearly your file system has been hacked. I would not have deleted the db because there was no reason to assume that the db content had been compromised. There is also no reason at this point to believe that the file system was compromised due to any vulnerability in mojoPortal. In shared hosting some other app on the server could have been compromised and if the server file system permissions were not sufficiently hardened then it could write files into other applications on the server. Probably this javascript file it wrote into all your folders is malware and probably it also modified as many other files on disk as possible to add a link to the javascript file so that it could try to infect visitors of your web site.

So the errors are probably because the mojoPortal files have been modified. I would have first deleted all those javascript files then I would have uploaded the mojoPortal files for whatever version you are running to make sure the files were restored back to their correct version.

Then I would have contacted my host and asked if they know about any sites on the same server being hacked. Also I would download the IIS logs and inspect them for any clues. If files were uploaded due to some fault in mojoPortal you would expect to see evidence of it in the logs.

Basically, the web process that runs your web site runs in the context of the identity of the application pool and this identity needs read permissions to the whole web tree and needs full control only of /Data and /App_Data. In an ideal world each web site would have its own application pool with a different user and that user would have the needed permissions (and be the only user other than your ftp user that has file permissions on your site) but no other sites would use the same user for the application pool. This would give process isolation and file system permissions would be isolated to the particular site. Unfortunately in the real world often many sites use the same application pool and user because having separate ones requires more server overhead in terms of memory and processes. So there could be another app running in the same app pool or as the same user and if that app is compromised it can write to other folders on the server where the user has permissions to write and thus it can copy that javascript file everywhere it can and modify as many files as possible to include the script. Also unfortunately, many hosts may make the whole web tree permissions allow full control which is more permission than needed but doing this reduces support requests for the host when people try to install applications. If the file and folder permissions were as recommended then it would not have been possible to write files anywhere except beneath /Data and App_Data, the rest of the web file tree would be read only.

So even after restoring the mojoPortal files you would need to try to find out how those files were created or they may come back again.

Hope it helps,

Joe
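An added example (not code from this thread or from the mojoPortal project) that turns the advice in the reply above into an audit: it lists every copy of the dropped script, the web files edited to reference it, and every folder outside /Data and /App_Data where the web identity still holds write rights. The site root and the identity names are placeholders to adjust for your host.

```powershell
# Added example (not from the thread or mojoPortal): audit a mojoPortal site root for
# the dropped script, files modified to load it, and writable folders outside /Data and /App_Data.
# $SiteRoot and $Identities are placeholders; newgeocheck.js is the file name from the thread.
param(
    [string]   $SiteRoot       = 'C:\inetpub\wwwroot\mysite',                          # placeholder
    [string[]] $Identities     = @('IIS APPPOOL\mysite', 'BUILTIN\Users', 'Everyone'),  # placeholder
    [string]   $InjectedScript = 'newgeocheck.js'
)
$FSR        = [System.Security.AccessControl.FileSystemRights]
$writeMask  = $FSR::Write -bor $FSR::Modify -bor $FSR::FullControl
$writableOk = @('Data', 'App_Data') | ForEach-Object { Join-Path $SiteRoot $_ }

# 1. Every copy of the dropped file; creation times can be matched against the IIS logs.
Write-Host "== Copies of $InjectedScript =="
Get-ChildItem -Path $SiteRoot -Recurse -File -Filter $InjectedScript -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc | Format-Table -AutoSize

# 2. Text-type web files that were edited to load the script (how visitors get infected).
Write-Host "== Files referencing $InjectedScript =="
Get-ChildItem -Path $SiteRoot -Recurse -File -Include *.aspx,*.ascx,*.master,*.htm,*.html,*.js,*.css -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ne $InjectedScript } |
    Select-String -Pattern ([regex]::Escape($InjectedScript)) -List |
    Select-Object Path, LineNumber | Format-Table -AutoSize

# 3. Folders outside /Data and /App_Data where a listed identity is allowed to write.
#    Per the reply above, the rest of the web tree should be read-only for the app pool user.
Write-Host "== Writable folders outside /Data and /App_Data =="
@(Get-Item -Path $SiteRoot) + @(Get-ChildItem -Path $SiteRoot -Recurse -Directory -ErrorAction SilentlyContinue) |
    Where-Object {
        $dir = $_.FullName
        -not ($writableOk | Where-Object { $dir -eq $_ -or $dir.StartsWith($_ + '\', 'OrdinalIgnoreCase') })
    } |
    ForEach-Object {
        $dir  = $_.FullName
        $hits = (Get-Acl -Path $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Identities -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Folder = $dir; Identity = $h.IdentityReference.Value; Rights = $h.FileSystemRights }
        }
    } | Format-Table -AutoSize
```

Any folder reported in the third section is a place the compromised neighbour (or anything else running as that identity) could drop files again, so tighten those ACLs before restoring the mojoPortal files.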

4/14/2010 10:44:41 AM
Total Posts 108

Re: Suspicious happenings

Hi Joe,

Thanks for your reply.

I only restored the db to see if it would work, as it was an easy thing to try at the time.

Hmm, all folders have read/write permissions. My fault, as I didn't realise /App_Data also had to have these permissions, so when I just gave the /Data folder read/write permissions of course the site didn't work.

Thanks for your advice. I will contact them and inform them what's happened and keep an eye on my other sites.

cheers

Tim
