Prabhakar Kasi's Raptor.in

Interesting News Naturally Interests Everyone

Finally a good complete solution

The malware script usually targets your web pages, and sometimes the database as well, so the first thing to establish is which of the two was hit. If the attack was on your web pages, follow these steps:

  1. Download the current contents of the site and audit every file. Check the code for injected IFRAMEs (and obfuscated JavaScript); they are usually inserted at the very beginning or the very end of the document.
  2. Clean each injection by deleting the unwanted code.
  3. Change your FTP passwords, and make it a habit to change them regularly from now on.
  4. Scan the local machine you upload from with a good antivirus and malware remover; if a keylogger is sitting on that PC, the new password is handed straight back to the attacker.
  5. Upload the cleaned files to the web server.
  6. On the web server, avoid 777 (world-writable) permissions on any file or folder.

If your database server was attacked, delete the compromised contents and restore from a clean data dump taken before the infection.
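A scan that does steps 1 and 6 above mechanically, as an added example that is not part of the original post: it flags files containing 0/1-pixel or CSS-hidden IFRAMEs and eval()-based obfuscated JavaScript, prints the offending lines so they can be removed by hand, lists world-writable paths, and resets permissions. It assumes a POSIX shell with find and grep; the sample site it builds in a temp directory, its file names, the 644/755 defaults and the example.invalid URL are all constructed for the demo and not taken from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a downloaded copy of a site:
# flags injected IFRAMEs / obfuscated JavaScript, lists world-writable paths and
# resets permissions. Assumes POSIX sh with find and grep; the sample site below is
# constructed for the demo and the URL in it is a placeholder (example.invalid).

# Build a small constructed site in a temp dir so the script runs offline.
make_sample_site() {
  umask 022
  dir=$(mktemp -d)
  mkdir -p "$dir/blog"
  # clean page
  printf '<html><body><h1>About</h1></body></html>\n' > "$dir/about.html"
  # hidden 1x1 IFRAME appended after the closing tag (typical placement)
  printf '<html><body><h1>Home</h1></body></html>\n' > "$dir/index.html"
  printf '<iframe src="http://example.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>\n' >> "$dir/index.html"
  # obfuscated script prepended to a PHP index page, and left world-writable
  printf '<script>eval(unescape("%%3c%%69%%66%%72%%61%%6d%%65"))</script>\n<?php include "blog.php"; ?>\n' > "$dir/blog/index.php"
  chmod 777 "$dir/blog/index.php"
  printf '%s\n' "$dir"
}

# Patterns worth a manual look: IFRAMEs sized 0/1 px or hidden via CSS, and
# eval() fed by unescape/String.fromCharCode/atob. Tune to your own site.
SUSPICIOUS='<iframe[^>]*(width="?[01]"?|height="?[01]"?|visibility: ?hidden|display: ?none)|eval\((unescape|String\.fromCharCode|atob)'

# Print every web file whose contents match SUSPICIOUS (one path per line).
find_injections() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.shtml' \
      -o -name '*.php' -o -name '*.js' \) \
    -exec grep -lEi "$SUSPICIOUS" {} + 2>/dev/null | sort
}

# Show the offending lines with line numbers so the injection can be removed by hand.
show_injections() {
  find_injections "$1" | while IFS= read -r f; do
    grep -nEi "$SUSPICIOUS" "$f" | sed "s|^|$f:|"
  done
}

# Print files and directories that are writable by everyone (e.g. mode 777).
find_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -002 -print | sort
}

# Reset to a sane default (assumption: 644 for files, 755 for directories).
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Demo run on the constructed sample site.
site=$(make_sample_site)
echo "== suspicious files =="; show_injections "$site"
echo "== world-writable paths =="; find_world_writable "$site"
harden_permissions "$site"
echo "== world-writable after hardening =="; find_world_writable "$site"
rm -rf "$site"
```

The pattern list is deliberately narrow so that every hit deserves a look; widen it after checking what a clean copy of your own site contains, and remember that a grep only finds what it was told to look for, so step 1 remains a read-through of the code, not just a run of this script.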

Once you complete these steps your site is clean and free of the infection. It usually takes 2-3 days, and sometimes up to a week, for search engines to re-index the clean files and stop marking the site as infected.

If you use Google Webmaster Tools, submit the site there for a review. This shortens the time until the malware warning that browsers display for your site is removed.



malicious

Recently, IFRAME and obfuscated JavaScript exploits have become a serious threat.

It looks like the attack usually has two stages.

1. Account password harvesting. In the first stage the attackers collect passwords for hosting accounts; we will call this stage “account password harvesting”. Details on how they do it are fuzzy. The truth is that on a typical Linux server it may be enough to get a single user account password to be in a reasonably good position to get root via some kind of little-known or unpatched exploit. Zones and jails are better in this respect, as they protect the other users from easily compromised “suckers” who happily use passwords like 123456 or log in from home PCs infected with spyware. Password complexity should be raised to at least 8 characters, but that does not help if the user's computer is infected with a keylogger. ISPs have to handle vastly different classes of users, and security is only ever as good as the weakest link.

2. Mass modification of index files. In the second stage the pool of harvested passwords is used to modify certain files; we will call this stage “mass modification of index files”. This stage appears to be automated, using a special tool called MPACK to install malicious IFrames. Usually only the main site index documents are targeted (index.php, index.html, index.shtml, etc.), and the malicious IFrame is inserted at the beginning or at the end of the document. This attack underlines that web browsers should now run inside a VM, on a special disposable Windows image. If you do not do so already, consider using Microsoft Virtual PC or VMware and opening a separate OS instance for browsing.
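The second stage seen from the server side, as an added example that is not from the original post or from the tool it names: a shell script that keeps a SHA-256 baseline of every index.* document under a web root and reports which ones were changed, removed or added since, then prints the first and last lines of each changed file, which is where the injected IFrame normally sits. It assumes GNU coreutils (sha256sum) and a POSIX shell; the sample tree, its contents and the example.invalid URL are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Keeps a SHA-256 baseline of the
# index documents under a web root and reports any that were changed, removed or
# added since, which is what a mass IFRAME injection looks like from the server
# side. Assumes GNU coreutils (sha256sum); the sample tree below is constructed.

INDEX_GLOB='index.*'

# Write "hash  path" lines for every index.* file under $1 into manifest $2.
build_baseline() {
  find "$1" -type f -name "$INDEX_GLOB" | sort |
    while IFS= read -r f; do sha256sum "$f"; done > "$2"
}

# Compare the tree under $1 against manifest $2. Prints one line per difference:
# CHANGED / MISSING for baseline entries, NEW for index files not in the baseline.
verify_baseline() {
  {
    while IFS= read -r line; do
      want=${line%% *}        # hash is everything before the first space
      f=${line#*  }           # path follows sha256sum's two-space separator
      if [ ! -f "$f" ]; then
        echo "MISSING $f"
      elif [ "$(sha256sum "$f" | cut -d' ' -f1)" != "$want" ]; then
        echo "CHANGED $f"
      fi
    done < "$2"
    find "$1" -type f -name "$INDEX_GLOB" | sort |
      while IFS= read -r f; do grep -qF "  $f" "$2" || echo "NEW $f"; done
  } | sort
}

# Injected IFrames land at the start or the end of the document, so show both edges.
show_edges() {
  echo "--- $1 (first 3 lines)"; head -n 3 "$1"
  echo "--- $1 (last 3 lines)";  tail -n 3 "$1"
}

# Demo on a constructed sample tree: take a baseline, then simulate the attack.
site=$(mktemp -d); mkdir -p "$site/blog"
printf '<html><body><h1>Home</h1></body></html>\n' > "$site/index.html"
printf '<?php echo "blog"; ?>\n' > "$site/blog/index.php"
build_baseline "$site" "$site/.baseline"
printf '<iframe src="http://example.invalid/in.php" width="1" height="1"></iframe>\n' >> "$site/index.html"
printf '<html><body>dropped by attacker</body></html>\n' > "$site/index.shtml"
verify_baseline "$site" "$site/.baseline"
verify_baseline "$site" "$site/.baseline" | grep '^CHANGED' | cut -d' ' -f2- |
  while IFS= read -r f; do show_edges "$f"; done
rm -rf "$site"
```

Store the manifest outside the web root and off the server (an attacker holding the FTP password can rewrite a manifest kept next to the pages), and re-run the check from cron; a legitimate site edit shows up as CHANGED too, so rebuild the baseline after every deliberate deployment.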
