Sunday | 12 October, 2008
LinuxWorld.com.au
Major Sites Fall Victim to Web Hijack
How to run a Google search to check if your site has been infected.
Erik Larkin (PC World) 17/07/2008 09:29:23

Additional Resources

Newsletter Subscription

Sign up for our LinuxWorld newsletters!
The latest Linux and related information technology news from Australia and the World.
A round up of the latest in Linux technology comprising of product reviews, HOW-TOs and editorial.
RSS Feeds

Security company Finjan Wednesday reported it has found more than 1,000 sites infected by an attack toolkit called "Asprox," which exploits discovered flaws in a vulnerable site's programming to add hidden attack code. The attack code in turn searches for flaws on a browser's PC, and if any such holes are found it will download malware onto the computer.

I wasn't struck by the number - these days, 1,000 sites unfortunately isn't that many - so much as by the list of sites that Finjan says were hacked. My own city's site, which I've visited many times to pay parking tickets and the like, was nailed (though it's now clean). Snapple took a hit, as did the National Health Service in the UK and a wide range of other sites.

As with a previous SQL injection round, you can check to see if your site has been infected by running a Google search. Before you do, let me repeat a warning I wrote then:

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

This time around, you'll need to run these three different searches, as the attack is inserting different code into different sites. In each case, substitute your site's domain (ie. Pcworld.com) for "domain."

  • site:yourdomain "b.js"

  • site:yourdomain "ngg.js"

  • site:yourdomain "fgg.js"

    When I ran those searches just now I turned up plenty of still-infected sites, so again, be extremely careful about visiting any of them. If your site turns up in search results, contact your IT department or hosting provider immediately.

    Whether or not your site turns up, it's also a good idea to run the free Scrawlr tool from HP, which can check your site for the kind of vulnerabilities exploited by a SQL injection attack. It's quick and easy to download and run.

    Also, for your own computer's safety, it's critical to keep all your software - not just the browsers and the OS - up-to-date with patches. Finjan writes that this attack kit goes after flaws in QuickTime and the AOL SuperBuddy as well as Windows.

    For more on the assault, see Finjan's blog posting.

    More about Hewlett-Packard, Google, Finjan, HP, AOL

    • LinuxWorld Member Login

     
    Get a job Careerone
    Sponsored Links