Topic: Rogue scripts hit my site

[bborzell]

I'm getting my weather site up again after a fair amount of software, hosting company and equipment snafus converged to render the whole thing to a back burner status for quite a while.

Now that things are getting back together, I need to address a script thing that seemed to attack my site before I shut things down (actually, just let the thing lie dormant).  After cleaning out all the script crap from my site and disabling WxFlash until I could get it back up in a clean form, I noticed that the weird scripts were inching their way back in my site access log.  Here is one that sneaked in last night:

/WxFlash/scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html

Has anyone ever seen anything like this crop up at your site where your are running WxFlash?  I guess I should be thankful, I only have this one where I used to have hundreds a day hit the site.

Thanks.

BTW, I can trace to source to a yahoo webcrawler location.

...Bob

[saratogaWX]

Ouch!  It's always a mess when the website get's hit.

A few questions which may help diagnose how the rogue script get in:

1) was there a scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html created on your website (including the scripts directory?  (WFlash default is a 'Scripts' directory, not a 'scripts' directory AFAIK).
2) do you have access to the raw Apache logs for your website?  The raw FTP logs for your website?
 ( if so, I have some analysis programs I can run on copies of the logs to do some sleuthing for you .. PM me if you're interested and have access to the logs)
3) are any other files/directories on your website looking 'strange' (new directories? new files?)

It's unlikely that someone sneaked in via the WFlash updates or methods as they confine writing to specific text files in their own directory (and the filename isn't specified directly by URL).

Best regards,
Ken

[bborzell]

Ouch!  It's always a mess when the website get's hit.

A few questions which may help diagnose how the rogue script get in:

1) was there a scripts/_images/infantryman-s-fighting-forum/cjs-rocken-web-page.html created on your website (including the scripts directory?  (WFlash default is a 'Scripts' directory, not a 'scripts' directory AFAIK).
2) do you have access to the raw Apache logs for your website?  The raw FTP logs for your website?
 ( if so, I have some analysis programs I can run on copies of the logs to do some sleuthing for you .. PM me if you're interested and have access to the logs)
3) are any other files/directories on your website looking 'strange' (new directories? new files?)

It's unlikely that someone sneaked in via the WFlash updates or methods as they confine writing to specific text files in their own directory (and the filename isn't specified directly by URL).

Best regards,
Ken

Hi Ken...

Thanks for the response.  I zapped all the files I didn't recognize as mine so I can't recall much about them except that the first bit of evidence that I had a problem was the appearance of odd windows/statements on the main page which was them a WeatherLink load. 

The example I posted in my OP was taken from the log for today.  It returned a 404 error for whomever sent it my way.  I believe that the literally hundreds of such files that I uncovered might well have had a "Scripts" directory listed.

I can get the RAW Apache logs for for the last 300 hits.  The hits that actually created the adverse effects on the website have already rolled off the log and I didn't think to archive them (I am now doing so).  I am interested in checking into the origin of the files that I have available to me.  I will PM you on that.

At this time, I don't see any odd files or directories.  I reviewed permissions with my hosting company and, after I had gone in and made what I thought were moves to the good for security, they confirmed that I have permissions set to a fairly protective level.

I'll DL the logs and send you a PM.  Thanks.

...Bob

BTW, I isolated the IP addresses for the 6 sites that appeared to be hitting with "infantryman like" scripts and blacklisted them  I'll give it several hours and check the access logs again and see if that had any effect.

[bborzell]

Hi Ken...

I tried to PM you but the verification process wouldn't display the letters and the sound window wouldn't open.  I have made a txt file of the raw log and have it available to send to you.  Most of the IPs listed are not getting through currently as I made a list and then blocked them at my site.  Let me know the best way to proceed.  Thanks.

...Bob

[W3DRM]

Have you asked your hosting company if they can provide you with any backups they may have containing the rogue files Ken was asking about? That may be one way to get additional information.