Atomic Secure Linux



 Post subject: Lorem Ipsum JavaScript exploit
Posted: Sat Feb 04, 2012 10:35 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
I found an instance of the 'January 2012 code mutation' mentioned in this blog post on a server protected by ASL: http://blog.unmaskparasites.com/2012/01 ... n-malware/

The ClamAV rules don't block this one apparently?

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Lorem Ipsum JavaScript exploit
Posted: Sat Feb 04, 2012 11:57 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
Sure, they detect it:

Here's the PHP:

clamscan src/malware/incoming/20111212/index.php
index.php: Atomicorp.malicious.javascript.injector.20111212224703.UNOFFICIAL FOUND

And even the latest obfuscated JavaScript:

clamscan 1.js
1.js: Atomicorp.malicious.javascript.20111211224413.UNOFFICIAL FOUND

But a scanner can only detect what it can see, so for example if you don't have realtime malware protection turned on (or cannot due to resource issues) then we're limited to looking at what upload tools we can hook, such as FTP and web. If they used something else, like the Plesk file manager or SSH, to upload it then there's no opportunity to see the payload. With realtime malware protection it doesn't matter how it gets there, it's gonna be seen. Other less resource-intensive methods are limited to the technologies used on the system to allow users to upload content.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 Post subject: Re: Lorem Ipsum JavaScript exploit
Posted: Sat Feb 04, 2012 12:06 pm
Long Time Forum Regular

Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
Realtime scanning is not enabled, but SSH access is not enabled either for this domain user and ClamAV is enabled for ProFTPd. So SSH and FTP couldn't have been the ways this happened. The attacker must have gone through Plesk then?

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Lorem Ipsum JavaScript exploit
Posted: Sat Feb 04, 2012 12:09 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3656
Location: Chantilly, VA
More than likely. When Plesk changed to lighttpd for the control panel, that eliminated any way to hook the stream. So if you allow uploads via the Plesk Control Panel (which is on by default if memory serves), then a bad guy could get around FTP and web upload scanning on a system with realtime malware protection disabled. You'd need to either disable uploads via Plesk, or enable realtime scanning.

Nothing's gonna be more effective or foolproof than realtime scanning.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

