Malware notification

This is an open forum for any mojoPortal topics that don't fall into the other categories.

7/9/2012 4:17:53 AM

Malware notification

Hi Joe,

first of all: When I visit www.cafe-rizz.de (a mojo site), on every page my 'F-Secure Internet Security' kicks in and after a while it tells me that it removed a Trojan that was coming from that site.

My friend who is the owner of the site, received the following e-mail from Google Search Quality Team:

-------- Original Message --------
Date: Mon, 09 Jul 2012 06:05:59 +0000
From: noreply@google.com
To: abuse@cafe-rizz.de, admin@cafe-rizz.de, administrator@cafe-rizz.de, contact@cafe-rizz.de, info@cafe-rizz.de, postmaster@cafe-rizz.de, support@cafe-rizz.de, webmaster@cafe-rizz.de
Subject: Malware notification regarding cafe-rizz.de

Dear site owner or webmaster of cafe-rizz.de,
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
http://cafe-rizz .de/
http://www.cafe-rizz .de/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//cafe-rizz.de/
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security
Once you've secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Sincerely,
Google Search Quality Team

I cannot imagine where this Trojan resides within the site ...

Best
Matthias

7/9/2012 6:42:19 AM

Re: Malware notification

Hi Matthias,

I tried to access your site to see if I could spot the malware, but first I got a warning that it was compromised. I clicked to ignore that since I was using the Firefox NoScript plugin to protect me, but it then showed a 403 access denied. My goal was to view the source of the page and look for malicious scripts.

Most likely some malicious javascript is being served by pages in your site. This could only happen if someone managed to upload, edit or replace files in your site or if they were able to login with edit permissions to add content directly.

I would inspect the layout.master file of your skin and default.aspx in the root and other files to see if they contain any javascript that you did not put there yourself. For the infection to be on every page it is most likely in one of these files (rather than something added to the content by editing) since they are used for most pages.

You didn't mention what version of mojoPortal; do you know what version you are running?

To protect your site, it is very very important to use a custom machine key and it is best to lock down as much of the file system as possible as indicated in our post installation checklist.

Without forensic analysis there is no way for me to know at this point how your site was compromised. It would be good to download your IIS web logs as it is possible that clues can be found there as to how the site was compromised. I'd be interested in reviewing those logs myself if you could zip them and send them to me.

Best,

Joe


7/9/2012 8:21:52 AM

Re: Malware notification

Hi Joe,

Thank you for your rapid and detailed response.
As a first aid I replaced the default.aspx in order to prevent further downloads of this Trojan. It's embarrassing enough that now in Google, behind the links to the site, it is written that the site is dangerous.
I will gladly send you some logs.

Best
Matthias


7/9/2012 11:22:21 AM

Re: Malware notification

Hi Matthias,

After inspecting your home page using the Firefox NoScript plugin, which protects me by blocking all javascript from executing, I was able to determine that the following javascript files included on your home page have been infected with malicious javascript added to the end of the files:

/ClientScript/greybox/gbcombined.js
/ClientScript/jqmojo/jquery.cluetip.js
/ClientScript/oomph/oomph.min.js

possibly other files were also infected.

The best solution to fix the immediate problem would be to delete the entire /ClientScript folder and then upload it again from the mojoPortal package corresponding to your current version of mojoPortal.

But after that the concern remains about how those files got infected. I did not see any evidence of malicious activity in the IIS logs you sent but it is possible that older log files would have something.

However it is also possible that you were infected due to bad hosting configuration, ie if some other web site is using the same application pool or the same identity user as your application pool then that user has file system permissions beyond just your own site and the attack could have been launched on another site but from there it went through all folders that it had write permissions looking for js files to infect. I would ask your host if any other sites on that server have been infected.

Before deleting those files it would be good to note the last modified time to determine exactly when they were infected, this would help determine which log files to look in and may correspond to other site infection on this server that your host may already know about.

Hope that helps,

Joe

7/9/2012 1:26:39 PM

Re: Malware notification

Hi Joe,

the last modified time of the javascript files you listed below is 09.07.2012

Can the database be infected?
If not, wouldn't it be a good idea to delete all files on the server, upgrade the website to the latest version and obey your Post Installation Checklist? When the Trojan comes again, it is obvious that it comes from another website on the server ...

Best
Matthias

7/9/2012 1:59:33 PM

Re: Malware notification

Hi Matthias,

I saw no evidence of infection coming from database content. SQL injection would be a completely different type of attack and I'm very confident that there is no vulnerability for sql injection in mojoPortal code.

Your site was infected by a file system attack that modified files in your web site. Since the infection date is within range of the log files that you sent and since those log files contain no evidence of file uploads I would conclude that the files were infected by an attack on a different web site and that file system permissions allowed that attack to modify files in your web site. This means your host is using the same user on your application pool as on other sites or using the same application pool for other sites. Unless that is corrected the problem could come back. The only other explanation is if a real person with direct server access purposely infected your site, ie an employee at the host, but the first scenario of bad security configuration seems more likely. I don't want to accuse your host of poor configuration but this is what the evidence leads me to believe.

It would be best if your host can provide a unique user and a unique application pool for your site and remove all file system permission from your site folders and files for any other users except those needed to run and manage your site and not use the same app pool or user for other sites.

I agree that other files besides js files could have been infected though I did not see any evidence of it. It would be best to upgrade but I would want to make sure the permissions are fixed first so that you can be sure the problem won't happen again. The host may not want to admit to any problem with their configuration and if they deny any possibility of the configuration being insecure I would be very skeptical.

You could also look around the file system for any other files with the same modification date and that would make me suspect that other files have also been compromised.

The only other attack vector for files would be ftp, but that seems very unlikely because the files were appended to rather than replaced and they still contain the original javascript that is supposed to be there but has bad javascript added to the bottom of each file. It seems much more likely to be some automated attack that went looking around the file system for any js files it could add code to.

Actually that modified date 2012-07-09 is today which makes me think the infecting code is still active on the server and may still be infecting files and may re-infect them if you fix them. If I were your host I would be looking into that and looking for files (especially js files) in all customer sites that have recent updates to js files. So again before uploading new files I would want to be sure the underlying problem is fixed, something on that server has been compromised and is infecting sites on the server, it does not appear that your site was specifically attacked or that there is any mojoPortal vulnerability, but something on the server is infecting all the js files it has permission to infect. I think it is very very likely that other sites on the server are infected and one of those sites was the initial site that was compromised but poor file system security has allowed it to spread.

Hope your host can resolve the problem. Let me know if I can be of further help.

Best,

Joe
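An added example (not from this thread and not mojoPortal code) of the check Joe describes: compare each deployed .js file with the same path in an unpacked copy of the release package and report whether it is byte-identical, has extra bytes appended after the intact original, was replaced outright, or does not exist in the package at all, together with its last-modified time. The site and package paths are placeholders and the sample files are constructed in a temporary directory.

```python
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-ins for a release file and for bytes appended to it after the fact.
PRISTINE_JS = b"/* constructed stand-in for the release copy of gbcombined.js */\n"
APPENDED_TAIL = b"\n/* constructed marker standing in for code appended to the file */\n"


def classify_js(deployed_root, pristine_root):
    """Map each .js path under deployed_root to (status, UTC mtime) by comparing it with
    the same path in pristine_root.  'appended' = release content intact but extra bytes
    follow it (the pattern in this thread); 'replaced' = differs otherwise;
    'unknown' = the file is not part of the release package at all."""
    results = {}
    for dirpath, _, files in os.walk(deployed_root):
        for name in files:
            if not name.lower().endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, deployed_root).replace(os.sep, "/")
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            with open(full, "rb") as f:
                deployed = f.read()
            ref = os.path.join(pristine_root, *rel.split("/"))
            if not os.path.isfile(ref):
                status = "unknown"
            else:
                with open(ref, "rb") as f:
                    pristine = f.read()
                if deployed == pristine:
                    status = "clean"
                elif deployed.startswith(pristine):
                    status = "appended"
                else:
                    status = "replaced"
            results[rel] = (status, mtime.isoformat(timespec="seconds"))
    return results


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build constructed site/package trees in a temp dir and classify the site's .js files."""
    with tempfile.TemporaryDirectory() as tmp:
        site, package = os.path.join(tmp, "site"), os.path.join(tmp, "package")
        for root, tail in ((package, b""), (site, APPENDED_TAIL)):
            _write(root, "ClientScript/greybox/gbcombined.js", PRISTINE_JS + tail)
            _write(root, "ClientScript/oomph/oomph.min.js", PRISTINE_JS)
        _write(site, "ClientScript/jqmojo/extra.js", b"// constructed: not in the package\n")
        return classify_js(site, package)
```

Files reported as "appended" or "replaced" share a modification time with whatever wrote them, which is the timestamp to look for in the IIS logs and in other sites on the same server.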


7/9/2012 2:02:35 PM

Re: Malware notification

Also note that you can find out which folders are writable from Administration > Security Advisor

and if possible in your web control panel mark all folders as read only except for /Data and /App_Data

If you can do that then no further infection should be possible and you can upgrade then check it again using Security Advisor to make sure nothing changed during upgrade.

Best,

Joe

7/10/2012 3:52:14 PM

Re: Malware notification

Hi Joe,

thank you very much for now.

I will keep you informed.

Meanwhile: Cheers!

Best Matthias

7/11/2012 8:04:41 AM

Re: Malware notification

Hi Matthias,

Many thanks as always for the beers! Much appreciated.

Cheers,

Joe

7/11/2012 9:30:38 AM

Re: Malware notification

Hi Joe,

can I find the version number in the database?

Best
Matthias

7/11/2012 10:35:56 AM

Re: Malware notification

Hi Matthias,

You can find it under Administration > System Info

or in the database in the mp_SchemaVersion table, the row for mojoportal-core

Thanks again for the beers!

Cheers,

Joe
