BadMalWeb

Man-in-the-Middle (MITM) Exploits; what they are and how to STOP them

2007-10-16T20:01:00.000-07:00

Most of us defend our PCs, websites and servers with an increasing variety of “anti” tools; however it is equally important to understand how or where an assault comes from. So when personally considering your own PC or Internet security this takes a proactive offensive view “I can do something to STOP…” rather than a passive “hiding in the bunker ” defensive position. The best form of defense is offence?

The main route for many web site hacks, defacement, and denial of service (DDoS) attacks is Man-in-the-Middle (MITM) exploits. It is a very easy concept to understand for all of us; consider an unknown person is able to read, insert and modify at will, messages between two parties without either party knowing that the link between them has been compromised. It has a very techie background for those who want to know more – check out Wikipedia for the background or definitions. Here I will solely deal with a pragmatic approach of what you can do to STOP any MTIM.

Firstly a healthy element of paranoia helps, consider from the PC you are reading this article with, what possible connections are there? Home or office network, local ISP, regional backbone routers, international re-routers, DNS servers, server farms, ad networks, web site host, and finally the web site, MITM could be lurking inside anyone of these connections, points or nodes, and as we know so well at StopBadware, within a script on a web site. Worried? Don’t be; just assume the MITM is there, you have the all the solutions at hand and mostly free. The answer is in the technical background “cryptography”, i.e. encryption, passwords, Chmod (website file permissions), and CAPTCHA (establishing the user is a human). Action checklist for all:

Email: use a digital ID or certificate (low cost), PGP encryption (pretty good privacy – free), and as a surprise for sensitive email I now use and recommend Gmail with HTTPS, less connections! All this STOPS any MITM from being able to read your emails.

Web Surfing: Only access online shops or other personal ID sensitive areas where there is HTTPS (SLL), look at the web address, use secure and change your passwords regularly. If you really want to be in control use Firefox with added extras e.g. No-Script (STOPS any script, unless you say OK), Key Scrambler (encrypts any login or password entry STOPS keyloggers), set your privacy options to accept any cookie (STOPS unwanted and bad cookies from being stored on your PC), even consider using PHproxy (this STOPS a web site from even gaining your real IP address).

Webmasters: Only use FTPS to transfer files between your web site and the PC (this STOPS any MITM from intercepting data), use Chmod to restrict access to files, encrypt file directories where you can, apply different passwords to access cPanel, phpMyAdmin, use CAPTCHA for user logins and apply SSL for user data areas (these actions STOP any MTIM from gaining access to your files.

Blocking: Probably the best offensive action you can take, think of it like this “your PC is your home your website is your shop, club, bar, you have the total right to bar entrance to hooligans or thieves”. It is much easier to refuse entrance than to try and throw the unwanted visitor out. For example use OpenDNS on your router it is free, automatically STOPS phishing sites and many other blocking options. Use banning lists on cPanel, ban spammers on your forum, or ask your host for help.

Finally refuse to be a victim and hide in the bunker, STOP the MTIM you actually have all the tools at hand. But…. what if a MITM is already hiding inside before you go on the offensive? Check and clean your PC of any BadWare; for the webmaster does your webhost also host any bad guys? Easy to determine, check the latest block lists on the web.

Cost of Cyber crime = $105 billion?

2007-10-01T07:49:00.000-07:00

A great deal of press concerning the CEO of McAfee statement, DeWalt said, "...... that cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide." In a follow up comment in McAfee's blog Lies, Damn Lies and Statistics trying to stress the input came from Reuters and here for CNN, based upon the Government Accountability Office recognized this in its June 2007 report.

However, DeWalt was right from the perspective ".....clearly, placing a value on the size of the cybercrime economy is a real challenge."

As an example the recent VeriSign / iDefense analysis on the Russian Business Network (RBN) showed - see: The Economist article - just for one venture, Rock Phish, they netted $150 million in one year. As an example the RBN’s network, its affiliates, “free-hosting” sites, and associated businesses, the overall dollar value is much more substantial.

However, the RBN is one of the most obvious for quantification. If one was to include malware, spyware, spam, and general BadWare, which most end users who have been victims would definitely call - cyber-crime -. Therefore the $105 billion quoted is an underestimate?

Injection hack detection method - PHP Code

2007-09-26T15:54:00.000-07:00

A good working Injection hack detection method provided by Ez via StopBadWare Forum

The script is brutally simple because we needed a quick fix. If the hacks recur I will make it smarter. Its only purpose is to tell me if a critical file (such as index.php) has changed size. I assume that injection hacks change the file size, as they did on our site.

A smarter script would compare file mod times with a database record. This would require a more complex script because it would have to store legitimate mod timestamps and depend on a human (unless more complex still, including the IP or http login etc.).

Operating scenario --

1.) Hacker injects code, increasing the file size.

2.) Next request to serve the home page (or other page of your choice) triggers the detector, which compares current file size with that for archived original.

3.) Detector sends email with file mod timestamp to webmaster.

4.) Script replaces hacked file with copy of an archived original, exits.

The webmaster needs to keep track of the most recent authorized file modifications (presumably by the webmaster). The email includes the timestamp of the over-size file's mod time. The system admin (or tech
support) uses this timestamp to trace the hack through the server log and identify the mode of entry.

To get fancier, you could scan all files in a directory for the mod time (example, using the PHP filemtime() function), comparing with a database record of legitimate mod timestamps.

Anyhow, here's the index file size script. I keep utility functions in a separate file named "func.inc" so it needs to load first. But this isn't necessary. Then the function compares the size of the file that usually gets hacked (such as index.php) and compares it with a reference copy (x_index.php) in a secure directory ("refz"). Of course, you can also loop through a list of filenames that are popular hack targets. The function can return the file write result, but I don't use it.

/* top of index.php, after DOCTYPE declaration */

function hackDet () {
$tst = "";
$gzt = "index.php";
$stat = stat($gzt);
$gzt2 = "refz/x_" . $gzt;
$rstat = stat($gzt2);
$ref = $rstat[size];
$rtim = $_SERVER['REQUEST_TIME'];
$rtim2 = date("F d Y H:i:s.", $rtim) . " Eastern";
$mtim = filemtime($gzt);
$mtim2 = date("F d Y H:i:s.", $mtim) . " Eastern";

if ($stat[size] <> $ref)
{
$fw = "index.php";
$hak = file_get_contents($fw);

$msg = "$gzt has $stat[size] bytes and not $ref as it should.\n\n";
$msg .= "FILE MOD TIME $mtim: $mtim2\n";
$msg .= "REQUEST_TIME $rtim: $rtim2\n\n";
$msg .= "=================\n\n";
$msg .= $hak;

$msg = wordwrap($msg, 70);
mail('yourn...@yourdomain.com', 'HACK ALERT', $msg);

$fr = "refz/x_index.php";
$str = file_get_contents($fr);
$tst = file_put_contents($fw, $str);
}
return $tst;

}

$tst = hackDet(); // calls the hack detection function
?>

China as an Internet Threat - The facts!

2007-09-23T19:17:00.000-07:00

I really do find some of the current wave of rhetoric about the threat to the internet from China really worrying, if not downright dangerous for international relations. I suppose it a good topic for poor technical journalism, to gain publication in US & European journals / web. Old adage; "Why let the facts spoil a good story"?

Ref: China leads Asia in malicious online activity - CNet News

Let me make my position clear, I am not Chinese and I do not live in China, however I do know a thing or two about internet security threats. Here are some facts for the readers who possibly might read the above article and take it as factual:

(a) As of Sept 20 07 the US is the clear leader in known Spam issues, by 5:1 over China (ref Spamhaus.org).

(b) The internet is global and any quantitative analysis must base itself on comparative users. Reasonable estimates now show about 2:1 of Chinese internet user access over US users and anywhere from 5 to 20:1 over other Asian countries. Based on this on any Spam or malware distributor estimation this would place China about tenth on any list on countries, and well down the list in Asia.

(c) In China there are severe legal penalties for such acts, recently Yahoo could distribute malware to 15 million of its users and hardly gets a technical press mention, and no legal sanction.

(d) Why you may ask am I so concerned? On a recent exploit tracking exercise, despite apparent Chinese language sites being the cause. These sites were actually based and funded out of Toronto with bullet proof servers out of San Francisco!

Remember it is just as easy to get a free mail.cn / low cost Chinese based hosting, or mail.ru for that matter, being based in the US. As it is to get a Hotmail or Yahoo hosting account.

iFrame Injection Source?

2007-09-19T05:58:00.000-07:00

Sources for iFrame injection?

Try this one as a site and a "major" source, which is so blatant it is mind boggling, and truly worth "outing". Those webmasters who have been flagged and have battled against iFrame injection, here is one of the major sources, try blaming these guys as opposed to Google / StopBadWare. Luckily a few of us have just recently been able to get McAfee's Site Advisor to blacklist them (Red X).

iFrameDollars (dot) com - http://www.siteadvisor.com/sites/iframedollars.com - Just so you knwo they pay webmasters / smaller hosts to inject iFrame exploits on other websites!!!!

To cover this here is a email sent to their US based host - still unanswered! - Please help by contacting them.

To "Layered Technologies" Abuse Team - you can contact them on Phone: 1-866-584-6784, General Information: info@layeredtech.com, Sales Information: sales@layeredtech.com

-------------------------------------------------------
Hi,

Checking your acceptable use policy, how come you allow iFramedollars com to have dedicated serving or any hosting at all?

Do you have any idea what they actually do? Check out their web site or even better check out their business model as they still call it iFrame Cash as their earlier form iFrameDollars biz; try:

ISC Sans = iframeDOLLARS; Cyber Extortion,

Spamhaus = http://www.spamhaus.org/rokso/evidence.lasso?rokso_id=ROK7615

http://sunbeltblog.blogspot.com/2006/06/those-nice-dear-boys-at-iframecash.html

and many many more......

Please note the registrant info etc., exactly the same on 72.36.199.58 as within the Rokso lasso, even more obvious is the web site still states iFrame Cash & iFrame biz, and the same iFrame exploit "affiliate" model.

As someone who helps out on website clean ups, they currently claim 300 webmasters who essentially are injecting and spreading iFrame exploits for cash.

I am certain StopBadWare, Spamhaus, ISC Sans, FBI, etc., etc. will only be too surprised to now learn the RBN's (Russian Business Network) so called "bullet-proof hosting" is actually based within the US at layeredtech (dot) com.

I look forward to your reply.
-----------------------------------------------------

As mentioned, no reply to 5 emails, maybe we all should enquire of layeredtech.com we could make the difference?

Here are a few questions and points:

(1) Can StopBadWare / Google do anything about this flagrant abuse of the webmaster community?

(2) Here is the clearest example of the need for a public blacklist list of "professional" Badware distributors (thanks to Site Advisor, but how about here)?

(3) We sometimes rightly debate about Twinky, Zango, etc., how about deliberately distributing iFrame exploits for $$$ as an affiliate, any one prepared to defend this?

(4) Who would also like to know who the 300+ host / webmaster affiliates (BadWare distributors) are of "iframe Cash"?

(5) Just so you know, after you have been flagged by Google, lost business, and spent sleepless nights trying to fix your web site, and keep it clean; the FrameCash affiliates get about $1.50 for your site , as long as they produce a minimum of 50 sites per month!!!

I told you mind boggling!

Searching for Evil - InfoSec

2007-09-04T21:35:00.000-07:00

I have to say this was one of the best presentations I have seen related to the wider issues of InfoSec.

ABSTRACT

Computer security has recently imported a lot of ideas from economics, psychology and ... all » sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed. Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson Ross Anderson is one of the top security researchers in the world.

Rebecca the Webmaster - A StopBadWare Case Study: Practical Guide for Webmasters (1 of 3)

2007-08-27T05:15:00.000-07:00

Don't panic!!!" - Rebecca the Webmaster - A StopBadWare Case Study: Practical Guide for Webmasters– descriptions of tools we used. (Part 1 of 3) - In-depth analysis of problems and issues (Part 2 of 3), - Avoiding problems in > the future (Part 3 of 3)

This is the requested follow up from “Rebecca the Webmaster - this is my story, no tears, no glory.” Here we describe the problem solving methodology, analysis, tools used, web code issues, and steps taken to avoid problems in the future. The “we” are Rebecca a newbie webmaster with the guidance of El Jart, also we made sure that although Jart started with his “geek” tools (which I could not even understand the names of), we made sure anything we used was available to all and “free” – no commercials. Remember if I can learn to do this anyone can.

Introduction
First of all let us stress the obvious; regular checks of the tools available to virtually all webmasters are the way to avoid being flagged by Google in the first place, see how to avoid problems below. However, remember even the best web sites get hacked or compromised, for example AOL or MSN, so the most important advice from The Hitchhiker’s Guide to the Galaxy “Don’t Panic!!!”

The Tools
Just a word of caution, the tools below worked for us, however do get the help of your web host and only do this work if you have a PC with a really good anti-virus, anti-spyware etc. The stuff you are trying to clean up can bite; also make sure your PC is clean in the first place!

1. Server access – I know it sounds obvious but to start with as the site webmaster I realized I did not have full access or know what tools were available. So check this first, if you use CPanel or similar many of the tools to clean up and check are there e.g. http://www.cpanel.net/docs/cpanel/

2. Firefox and add ons – As the webmaster you have to be able to look at the site and check what is called. What we mean by this is the “scripts”, for example you may use a simple Ad or banner, what is actually called by your web site, e.g. the “inline scripts”, “cookies” etc. Just a note for end users if you surf with Firefox and these add ons https://addons.mozilla.org/en-US/firefox/browse/type:1 your surfing is a lot safer, it is then up to you if you want to accept scripts, cookies or other downloads.

a. Firefox – ensure latest version (set for no-popups and cookies to manually accept)
b. Google toolbar (add on) – this helps to search the web for any terms or third party web addresses, but for me if you search “define:sql injection” you can get any description to help you or use “site:anywebsite.com” “inurl:anywebsite.com” “cache:anywebsite.com” you see a lot more about any web site, including your own.
c. McAfee Site Advisor (add on)– Just to check out any web address you come across, especially on any spam or script.
d. No-Script (add on) – this is great because when used you can look at a web sites but any script on the web site is disabled.
e. PhProxy (add on) – Using this you can go to any website without using your real IP address, however this is for the first safe look, you have to switch this off when you look at “inline scripts”
f. Edit Cookies (add on) – Now you can see any cookies, before you accept them
g. DOM Inspector (add on) – Lets you inspect a web window and its contents.
h. Safe cache (add on) – Prevents any cache based privacy attacks.
i. Key scrambler (add on) – This encrypts any passwords you type on your PC for websites; just in case there are keyloggers in action.
j. Web developer (add on) – This lets you check the actual scripts called, in other words not what you think is on your website, but what the user actually gets.

3. Notepad ++ - This is an Open Source text editor, using this you can capture or download text, HTML, scripts, server log files, SQL, and save for later examination.

4. SmartFTP – There are several around this is the one we used, simply because you can use it in a secure mode and set / reset file permissions, so you help being attacked again.

5. Windiff – A free utility so you can compare directories that you FTP as a backup from your website to your PC and even individual files.

6. On the server (assumes PHP & MySQL);

a. Server Log files – just use your secure FTP to download and check in your text editor
b. PHPmyAdmin – now this is daunting at first but a bit of reading http://www.phpmyadmin.net/home_page/docs.php soon help to master this, in our case this was vital to down load and backup the website databases. This is where we found most of the problems that could have re-infected / re-hijacked us.
c. PhpBB – forum tools http://www.phpbb.com/community/ lots of help here.

7. Common sense – Maybe the most important webmaster tool as Jart kept on stressing, what should be within the website; its scripts, files, on the forums, within the SQL databases, etc. If you see a call to some website you do not recognize check it out. If some script is calling to download a special multi-media application, is it the real one? If some website / bot is coming to your site (on the server log files) every 10 seconds, why is it coming? What is its purpose or even more important what is calling it? Simple really.

1 of 3

Rebeca La Webmaster - herramientas empleadas (Parte 1 de 3)

2007-08-27T05:08:00.000-07:00

"¡¡¡MANTÉN LA CALMA!!!" - Rebeca La Webmaster – Un Caso de estudio de StopBadware, Guía práctica para el Webmaster, - Descripción de las herramientas empleadas (Parte 1 de 3) – Análisis exhaustivo de problemas y cuestiones (Parte 2 de 3) – Evitando problemas en el futuro (Parte 3 de 3)

Esta es la continuación de "Rebeca La Webmaster, esta es mi historia sin lágrimas ni gloria" Donde describimos el los métodos de resolución del problema, el análisis, herramientas utilizadas y los pasos tomados para evitar problemas futuros. El "nosotros" somos Rebeca (una webmaster principiante) con la ayuda de El Jart, nos hemos asegurado de que El Jart empezó también con estas herramientas "tontas" (de las que a veces ni podía entender los nombres) y de que todo lo que utilizáramos estuviese disponible para todos de manera gratuita – nada comercial. Recordad que si yo puedo aprender esto, cualquiera puede.

Introducción
Primero dejadnos empezar por las obviedades, con chequeos regulares de las herramientas disponibles virtualmente es posible evitar que nos marquen en google, podréis encontrar mas abajo la manera de evitarlo. Pero recordad que hasta las páginas más importantes acaban siendo hackeadas o puestas en peligro, por ejemplo AOL o MSN, así que el consejo más importante del la Guía del Autostopista por la Galaxia es "MANTEN LA CALMA".

Las Herramientas

Una llamada a la precaución, estas herramientas funcionaron para nosotros, de todas maneras debes buscar la ayuda del host de tu web y sólo hacer este trabajo si tienes un buen antivirus, anti-spyware etc. Lo que estás tratando de eliminar ¡muerde! Así que asegúrate primero de que tu pc está limpio.

1. Acceso al servidor: sé que suena obvio, pero cuando empecé como webmaster no tenía acceso absoluto ni sabía de que herramientas disponía, así que compruébalo primero, si usas Cpanel o similar muchas de las herramientas de limpieza y comprobación están ahí. Ejemplo: http://www.cpanel.net/docs/cpanel/

2. Firefox y extras– Cómo webmaster tienes que poder ver la web y cómo se llama. Lo que quiero decir es que debes conocer los "scripts", por ejemplo, puede que uses algún anuncio o banner, al que se llama desde tu site, por ejemplo "cookies" etc. Sólo un aviso a usuarios de firefox y estos extras https://addons.mozilla.org/en-US/firefox/browse/type:1 vuestra navegación es mucho más segura, de ti depende si quieres aceptar scripts, cookies y otras descargas.

a. Firefox – asegúrate de que tienes la ultima versión (preparada para que no ver pop-ups y aceptar las cookies manualmente)

b. Google toolbar (extra) – ayuda a buscar en la red la dirección de cualquier tercero, pero para mi si buscas "define:sql injection" puedes encontrar la descripción para que te ayude o usar "site:anywebsite.com" "inurl: anywebsite.com" "cache:anywebsite.com" para ver mucha más información sobre cualquier web, incluyendo la tuya.

c. McAfee Site Advisor (extra) – para comprobar cualquier web en la que entres especialmente en busca de cualquier tipo de spam o script.

d. No-Script (extra) – esta es genial porque puedes navegar por cualquier web con todos los scripts que utilice deshabilitados.

e. PhProxy (extra) – usando este puedes entrar en cualquier web usando una ip que no es la tuya, de todos modos esto es solo para echar un primer vistazo de forma segura, lo tienes que apagar para ver los "inline scripts"

f. Edit Cookies (extra) – con el puedes ver todos los cookies antes de aceptarlos.

g. DOM Inspector (extra) – te deja inspeccionar una ventana web y sus contenidos.

h. Safe cache (extra) – te previene de ataques a la privacidad que utilicen el caché.

i. Key scrambler (extra) – encripta cualquier password que teclees en tu pc para las webs, para el momento en el que los keyloggers se pongan en acción.

j. Web developer (extra) – te deja comprobar los scripts reales, en otras palabras, no lo que crees que hay en tu web, si no lo que ve el usuario realmente.

3. Notepad ++ (block de notas) – utilizando esta simple herramienta puedes descargar texto, html, scripts, archivos log del servidor, SQL y grabarlos para un examen posterior.

4. SmartFTP – hay varios, pero este es el que utilizamos, simplemente porque puedes usarlo en modo seguro y dar o quitar permisos a los archivos, con lo que evitas ser atacado de nuevo.

5. Windiff – una utilidad gratuita que comparar los directorios que tienes en el FTP y hacer un backup y/o archivos individuales de tu site en tu pc.

6. En el servidor (asumiendo que usas PHP & MySQL);

a. Server Log files – usa tu secure FTP para descargarlos y compruébalos con el editor de texto.

b. PHPmyAdmin – de un poco desalentador al principio pero con un poco de lectura http://www.phpmyadmin.net/home_page/docs.php pronto te harás un experto, en nuestro caso fue vital para descargar y hacer un backup de las bases de datos de la web. Es donde encontramos la mayoría de los problemas que nos podían haber re-infectado.

c. PhpBB – herramientas para los foros http://www.phpbb.com/community/ hay mucha ayuda aquí.

7. Sentido común - quizá la herramienta mas importante mientras Jart me presionaba con lo que "debería haber en una web": scripts, archivos, en los foros, en las bases de datos SQL, etc. Si veis una llamada a una web que no reconocéis comprobadlo, si algún script llama a la descarga de alguna aplicación multimedia ¿es la auténtica? Si alguna web o bot entra en tu web ó en tus archivos log cada 10 segundos, ¿por qué lo hace? Y lo más importante ¿qué lo está llamando? Es realmente simple.

OK fin de la parte 1 de 3 – para el momento en el que hayais instalado todas las aplicaciones sugeridas estaremos de vuelta con la siguiente entrega, trabajad sobre esta guía. ¿alguna pregunta?

Rebeca & El Jart

Alexa to be blacklisted?

2007-08-22T06:03:00.000-07:00

So who can you trust on the Internet nowadays? Perhaps the answer lies with the cyberspace citizen democracy. Alexa, the Web Information Service owned by Amazon, appears to be on the brink of being blacklisted by McAfee’s Site Advisor .

Site Advisor uses the basis of its own scanning to judge whether users should be warned of a website dishing out exploits, spam etc. At the moment is shows a green tick, however it also relies upon independent reviewers to judge website experience. At the moment 75% of reviewers are giving Alexa the thumbs down, for consistent; ad-ware, viruses, and spyware. On the anti-virus tests Alexa’s toolbar comes up with;

AhnLab-V3:Dropper/Alexabar.494672
AntiVir:DR/AlexaBar.J
Avast:Win32:Adware-gen.
BitDefender:Adware.Alexabar.L
Ewido:Adware.AlexaBar
FileAdvisor: threat detected
Fortinet:Adware/AlexaBar
F-Prot:W32/AdwareX.CKD
Ikarus:Win32.SuspectCrc
Kaspersky:not-a-virus:AdWare.Win32.AlexaBar.j
McAfee:potentially unwanted program Generic PUP
NOD32v2:Win32/Adware.Alexa
One-Care (MS): Privacy concerns
Panda:Adware/Alexa-Toolbar
Sunbelt:Alexa Toolbar
Symantec:Trackware.Alexa
VBA32:Application.Win32.Adware.Alexa
Webwasher-Gateway:Trojan.AlexaBar.J

So on Site advisor it now shows on the brink of getting the red “X” along with other exploiters, http://www.siteadvisor.com/analysis/reviewercentral/?page=onthebrink&showMore=true ,

So most users know Alexa’s Spybar is primarily BadWare, (ad-ware / spyware) and a real nuisance to uninstall. So here is the question, will McAfee and others take the step to give it the red “X”?

The possible reason they won’t is because it is one of the big boys on the Internet? – Wonder if the community could tip the scales by also adding their negative views of Alexa’s Spybar as a reviewer try it out http://www.siteadvisor.com/sites/alexa.com#reviewercommentssummary .

Wow, just imagine if we could get Amazon and others to come clean and maybe set a good example for others, by changing their spybar. No wonder many webmasters go to StopBadWare (Google’s blacklist forum) to complain about why their website has been flagged, when Alexa just rolls on regardless.

Rebecca the Webmaster - BadWare Case Study

2007-08-19T10:50:00.000-07:00

Rebecca the Webmaster - this is my story, no tears, no glory...- A
StopBadWare Case Study (English version)

Introduction;
This is a success story for Rebecca and StopBadWare, - no tears, no
glory! This is written by me and 'El Jart' to assist other webmasters
and written in a case study format as a step by step guide from a
website getting flagged by Google, not only to the lifting of the
warning, but added measures to hopefully reduce the chances of ever
getting flagged again, with hidden traps for any unwary exploiter in
the future.

(Note: No staff of StopBadWare or Google was involved, and the review
process was as for any website.)

This case study is in 3 parts; English language version (this post),
Spanish version, Tech version and descriptions of tools and in-depth
analysis of code and script issues we used. This is to demonstrate how
a newbie webmaster with help from the community, can get it done,
hopefully any webmaster can follow "Rebecca's Guide"

Backgound;
The specific web domain itself is not relevant for this study; however
the site is a popular Spanish language community fanzine; news,
sharing stories, pictures, multimedia and an active forum. Based in a
small town in Northern Spain, Rebecca started off 2 years ago as a
forum moderator; "without even an internet connection at home but when
she got one her dial-up she was ready to get into de administration,
so “I personally decided to change the website looks, and start
spanking the others to do their job properly. The web site really
started to take off, not just the news section the designing and all
the info was starting to be what it was meant to be, then the problems
started."

Being Flagged by Google;
The Google warning story... one of the members of the site team was
testing our rank in Google when he found out we were flagged, so
that's when the story begins... May 3rd 07. We asked Google, who told
us to remove certain code and told us to ask for review in
StopBadWare. After some time trying to clean it myself... I decided to
ask for help at the StopBadWare forum July 28th 07... Lucky me! I
found help from the community!! How I have found out that we did get a
Google mail warning us, but I did not have access to that accounts
till I asked another team member for the passwords and all that stuff,
he doesn't even know how to enter that accounts I'm not blaming
him for that, so I'm not sure for how long we were flagged 'till May
3rd." Having requested a review the Google flag was clear August 2nd
07... Happy team, site, and users.

How we fixed it;
The first strange stuff, after reading the StopBadWare guidelines I
could see was a reference in the HTML index page was to iframe ....., relating to some .swf and 'RuneScape' and as we do not have such files on the site! I just deleted, but I was not sure if
that was it?

Found out it is used by hackers to trick users into downloading
malware from a fake Adobe Shockwave Player download site. Prospective
users who stray onto a game site are presented with broken icons in an
attempt to convince them that their copy of Shockwave (if already
installed) isn't working properly.

Then we found another iFrame src "quickcnt” hidden iFrame in the
Administracion directory there is a file called "index.php" so we got
rid of that too, with two other .swf fake player downloads. Ok I
thought this was all done until 'Jart' told me to search all the
server log files for strange activity on the site, after he found them
for me, he was right! Lots of funny IP addresses (web bots) coming to
call, linked to the stuff I had got rid of but also for the forum.

So I went to work on the PhpBB forum, cleaned off any spam, and banned
all the IP and domains linked to the spam and the logs. We then also
added a 'robots.txt' especially for the forum and patched various php
files for the forum.

Finished I thought, then 'El Jart' asked me about the SQL database
files, did not even know where they were. So Jart pushed me again (El
Jart can be more Bad than the BadWare!) what did we find? A forum that
I did not even know existed. This had SQL injections, with only spam
addressed to bad websites. Also administrators with passwords for the
whole site, who had nothing to do with the site, and spam that,
attached its self to any proper post on the real forum. This is how we
got hacked in the first place and if we had not dug down deep enough,
we could have easily been infected again.

Conclusions and a happy ending;
When we first found out we were flagged by Google I was first
frustrated and after getting rid of the first bad iFrame, I was
annoyed we had to wait. Thanks for the StopBadWare forum and really
finding out what was wrong and really fixing it, I can only tell any
other webmaster it was worth the wait.

So check your website if you get flagged or even better check your
website before you get flagged - check;

1. For any iFrame code especially where it has the name of a website
you do not know, and says "hidden".

2. In any PHP or other files for this, as well as any calls for
downloads of multimedia players, PDF, or other files you do not
recognize.

3. Look at your server log files, for all contact with your web site
is within them, might take a bit of learning but worth it.

4. Check these database files (SQL) for anything unusual.

5. Go to the StopBadWare forum and ask, I did and it helped me. For a
little more practice, El Jart is going to take me on some of his next
"help visits" then I will assist other webmasters!

So in all "a few tears but a lot of glory", one further happy ending
is, Jart showed me how to add a few further "patches" which he made me
promise not to tell anyone, but apparently they are "BadWare Hacker"
traps, which if someone tries to hack our site again, their "bot" goes
back to its dark place with a bad headache ;-)
Hope this helps others.

Rebecca AKA "The BadWare Avenger" & with an El Jart assist.

Rebeca la Webmaster – esta es mi historia, ni lágrimas ni gloria

2007-08-19T10:39:00.000-07:00

Rebeca la Webmaster – esta es mi historia, ni lágrimas ni gloria… un
caso de estudio de Stopbadware. (Version Española)

Introducción;
Esta es una historia de éxito de Rebeca y StopBadware – sin lágrimas
ni gloria, escrita por mi y “El Jart” para ayudar a otros webmasters y
escrito paso a paso desde una web con aviso de Google “este sitio
puede dañar su equipo” y no solo conseguir deshacernos de el si no
añadir medidas para reducir las oportunidades de volver a tener un
aviso con trampas ocultas para cualquier ataque indeseable en el
futuro.

(Nota: Ningún miembro del personal de StopBadware o google fue
involucrado y el proceso de revisión fue el mismo que para cualquier
website).

Este caso de estudio consta de tres partes, versión inglesa, versión
española (este post) versión técnica y descripción de las herramientas
y análisis detallado del código y el script que utilizamos.
Es para demostrar que un webmaster nuevo con un poco de ayuda de la
comunidad puede conseguirlo, y cualquiera puede seguir la “Guía de
Rebeca” .

Historia;
El dominio de la web no es importante para este estudio, de todos
modos hay que decir que es un Fanzine, una comunidad llena de
noticias, fotos, multimedia e historias varias, así como un foro
activo. Empecé hace dos años como moderadora del foro, no tenía
conexión a internet en casa por lo que no podía aspirar a mucho más,
cuando la conseguí comencé mi pequeña revolución, instando a los demás
a completar un trabajo que estaba a medias. Cuando todo empezaba a
tener “cara” empezaron los problemas.”

El aviso de Google;
La historia del Google Warning... uno de los miembres del equipo
estaba testeando nuestro webranking en google cuando se dio cuenta de
que teníamos ese indeseable aviso “este sitio puede dañar su equipo”
ahí es donde la historia empieza, 3 de Mayor de 2007, preguntamos en
google y nos dijeron que borrásemos cierto código y que pidiésemos
review en badware, después de un mail en el que nos decían que
estábamos limpios y que el aviso sería borrado pronto empezaron los
verdaderos quebraderos de cabeza, ya que día a día el aviso seguía
allí… después de bastante tiempo intentando limpiar los códigos yo
misma decidí pedir ayuda en el foro de StopBadWare el 28 de Julio,
afortunadamente encontré ayuda de la comunidad enseguida!

Podría haberme dado cuenta del aviso de google antes, nos habían
mandando un correo al mail de la web, pero hasta hace relativamente
poco yo no tenía acceso a esas cuentas, hasta que no le pedí las
claves a otro miembro del equipo, él tampoco tenía muy claro cómo se
accedía a esas cuentas, con lo cual no le culpo por ello, por lo que
no sé exactamente desde cuando teníamos el aviso. Finalmente nos
deshicimos del google warning el 2 de Agosto y nos quedamos
“tranquilos”.

Cómo lo solucionamos:
La primera cosa extraña, después de leer las guías de StopBadware vi
que había referencias en mi html principal (index) a un iframe .....,
Relacionado con un .swf y 'RuneScape' cómo no teníamos esos archivos
en nuestra web simplemente lo borramos, pero no estaba segura de si
era eso o no.

Averiguamos que es algo que los hackers usan para engañar a los
usuarios y que descarguen un Adobe Shockwave Player falso, los
usuarios normalmente acaban en una páguna de juegos con iconos rotos,
haciéndoles creer que su copia de Shockwave, si es que la tienen
instalada, no funciona correctamente.

Después encontramos otro iFrame src "quickcnt" escondido en el index
del directorio de administración, con otras dos llamadas a la descarga
de .swf falsos. Pensé que eso era todo cuando “Jart” me dijo que
ojeara los archivos log buscando actividad extraña, después de que él
buscase, me di cuenta de que era cierto, muchas IPS raras (web bots)
haciendo llamadas, linkeando a cosas que ya había eliminado y también
al foro.

Así pues, me dirigí al foro PHPbb, limpié todo el spam y baneé las IPS
y los dominios linkeados a spam y los logs, añadimos un robots.txt
especialmente para el foro y parcheamos varios archivos php del foro.

Pensé que habíamos acabado, pero otra vez 'El Jart' me preguntó sobre
la base de datos SQL, no sabía donde estaban. Así que me instó de
nuevo (A veces El Jart es peor que el propio badware) ¿qué
encontramos? Un foro que no sabía que existía que tenía inyecciones
SQL, con sólo spam y links a sites de dudosa reputación. También
administradores con passwords para todo el site que ya no tenían que
ver con él, y spam que se adjuntaba a algún post del foro real. Esa es
la manera en la que nos hachearon la primera vez, y si no hubiéramos
investigado a fondo hubiéramos podido ser infectados fácilmente otra
vez.

Conlusiones y final feliz;
Cuando nos dimos cuenta de que teníamos el aviso de google estaba un
poco frustrada y después de borrar el primer iFrame me molestaba la
espera. Gracias al foro de StopBadWare he averiguado cual era el
problema real y se ha solucionado de verdad, solo puedo decir que la
espera ha merecido la pena.
Así que, si tenéis un aviso de google ó mejor, mirad vuestras webs
periódicamente antes de que lo tengáis, en busca de:

1. Cualquier iFrame, especialmente si va acompañado de el nombre de un
site que no conocéis y que diga "hidden".

2. en cualquier PHP ú otros archivos por la misma razón, así como
cualquier llamada para descargar reproductores multimedia, PDF ó
cualquier archivo que no reconozcáis.

3. echad un vistazo a los archivos log, buscando cualquier contacto
extraño con vuestro site que se encuentre en ellos, os llevará un poco
saber descifrarlo pero merece la pena.

4. Echad un vistazo a los archivos de la base de datos (SQL) buscando
cualquier cosa fuera de lo normal.

5. Id al foro de StopBadWare y preguntad, a mi me ha ayudado mucho.
Para que adquiera un poco más de práctica, el Jart me llevará en sus
“próximas visitas de ayuda” después yo misma ayudaré a otros
webmasters!

Así pues, después de todo "algunas lágrimas pero mucha gloria”, un
nuevo final feliz, Jart me ha enseñado cómo añadir algunos parches más
pero me ha hecho prometer que no se lo diré a nadie, aparentemente son
trampas para "BadWare Hacker", por lo que si alguien intenta hackear
nuestro site otra vez, su “bot” vuelve a casa con su con un mal dolor
de cabeza. ;-)

Espero que esto os ayude.

Rebeca AKA "The BadWare Avenger" con la ayuda de El Jart.

Google Blacklisting and Ad-Networks – Ethical Choice for a Webmaster

2007-08-18T11:54:00.000-07:00

Having you website “flagged” by Google is very frustrating, but is it Google who is punishing you?

For many webmasters the problem is caused by "Ad-Networks" they subscribe, here is an illustration; “You buy a gun, the gun is picked up, fired and hurts someone, whose responsibility is it, yours or the gun manufacturer?" - Answer = 100% your responsibility

Did you need the gun in the first place? Were there better methods available? Did you check out the manufacturer / ad-network in this case by checking the experience of other users, particularly those end users who have had their PC’s screwed up and complained to Google?

There are many complaints on forums all over the Internet. Most end users, me included, are thankful Google is at least providing some warning. Why should the user put up with this annoying and nearly impossible to remove adware - from your site?

So take action against the real people who caused you the problem; as examples have you gone back to Casale Media or ValueClick or many others and asked them, (a) why does their code get you into these problems, and (b) what are they going to do about it?

We all have moral or ethical choices; your web site is delivering to the end user so 100% your responsibility. If you and others decide not to use Casale Media and ValueClick, then they would be out of business or might change their bad methods.

Webmaster, "as you did buy the gun"; Are the Ad-Network’s methods good for end users? When did you know they caused issues (adware / spyware / spam) for end users, only because Google flagged you? How much did the $$$ factor made you decide to use them?

BadWare Hunter's Tools

2007-08-18T10:34:00.000-07:00

Tools for the BadWare Hunter

Top 100 security tools

Top 10 Web vulnerability scanners

Info on author Fyodor of sectools.

Joomla! Administrators, advice & tools

Joomla! Administrator's Security Checklist

How to find exploits using the *NIX shell

Help! My site's been compromised. Now what?

BadWare Activist

2007-08-18T10:17:00.000-07:00

Malware or badware or whatever you want to call it, so another Blog?

I and millions of others (yes millions!) have been "burgled", yes that is the right word, and these burglars have either:

Come onto my property without permission and attempted to steal or maybe have stolen for all I know.
Thought it is OK to sell me a product or service and then also steal or attempt to steal.
Initially as an invited guest, but without my permission or even the courtesy to ask, plant a bug which is designed to spy and then ultimately steal from me.

This has wasted my valuable time and cost me a lot of money over the years. So I am going to stop being an ongoing victim, get the real answers many of us Internet an PC users are looking for. For example who can you even report this crime to or will take action? I want to really find the answers, whistle blow on the burglars and badly behaved guests. Do something about it and encourage others that will.

This Blog, is not associated with any vested commercial interest:

It "is" a place which will not be pretty or diplomatic, it is in layman’s terms going to question, point fingers, get and provide answers, and seek justice.
It "is" a record and resource of firstly how to find out if you have been burgled, see some of the burglars tools, and what to do about Malware - Badware or whatever is the current flavor of the month key word, you discover lurking there.
It "is" a place where the question is asked, with hopefully some answers, not only about how to remove or fix malware / badware. It is about how to proactively prevent it, or even more importantly find out and get back at whoever sent it you.
It "is" a place where there will be a debate on the industry ethics and philosophy on the cause to this disease.
It "is not" a place for selling or reselling; but if you know of the latest gadget / tool as a solution that "really works" then provide advice.

Well, not just as a good sound bite "the more I know the less I understand" about malware, badware, hacks, viruses, spyware, or the myriad of other terms. As someone who is supposed to have reasonable expertise on all of this, the more in depth I have researched the who and why, the more I have realized we are all missing the point. Of the more recent discoveries, ongoing research, forensic analysis, and information passed to me, has already revealed some surprising if not disturbing answers, that is another reason to use this blog, to avoid some of the vested interest.

You a victim as well? Got some answers? Then add a comment, add your frustration, try and tell us there is no problem, provide advice, let us whistle blow on the; who and why.