Front page malicious content warning

Let us know when something isn't working correctly, or if you find a typo. Do not post complaints or suggestions here.
Pigfarmer Jr
Jump
Posts: 2293
Joined: Sat Mar 21, 2009 6:13 am
Instruments: Guitar
Recording Method: Br-900CD and Reaper to mix
Submitting as: Pigfarmer Jr, Evil Grin, Pork Producer, Gilmore Lynette Tootle, T.C. Elliott
Pronouns: he/him
Location: Columbia, Missouri

Front page malicious content warning

Post by Pigfarmer Jr »

I get a warning going to the front page in Webroot sometimes. This morning it happened a couple of times. No idea what it is or why, I can't seem to find details. It's happened a couple of times in the past week or two, but today it's every time.

Anyone else have this problem?
Evil Grin bandcamp - Evil Grin spotify
T.C. Elliott bandcamp - T.C. Elliott spotify

"PigFramer: Guy and guitar OF MY NIGHTMARES." - Blue Lang
fluffy
Eruption
Posts: 11029
Joined: Sat Sep 25, 2004 10:56 am
Instruments: sometimes
Recording Method: Logic Pro X
Submitting as: Sockpuppet
Pronouns: she/they
Location: Seattle-ish

Re: Front page malicious content warning

Post by fluffy »

I haven't seen this happen, nor do I see what could be causing this. What's providing the warning, and what's the exact URL and browser you're using?

Re: Front page malicious content warning

Post by Pigfarmer Jr »

I have the front page bookmarked at: http://www.songfight.org/
I'm using Firefox 21.0 and I'm using Webroot as my security software atm, although that might change in two days when my subscription runs out... maybe.

Re: Front page malicious content warning

Post by fluffy »

And what's the entire warning you're getting?

I wonder if maybe Webroot has some outdated information (since we've had malware on the site in the distant past, but it's all been cleaned up), or is keying off of the IP address and complaining because something else on the same server has malware (which happens ALL THE TIME thanks to shared hosting).

Re: Front page malicious content warning

Post by fluffy »

Oops, although I DID just find a nasty backdoor lurking in the bushes. Removed. I wonder how long that's been sitting around...

Re: Front page malicious content warning

Post by fluffy »

Crap, according to the logs, it's been in use as of a few days ago by someone in Russia. Time to do a more thorough check of the site.

Re: Front page malicious content warning

Post by fluffy »

Wow, a HUGE PORTION of the website is world-writable. Gee, I wonder how anyone would have managed to sneak anything into the hosting account.
Lunkhead
You're No Good
Posts: 8107
Joined: Sat Sep 25, 2004 12:14 pm
Instruments: many
Recording Method: cubase/mac/tascam4x4
Submitting as: Berkeley Social Scene, Merisan, Tiny Robots
Pronouns: he/him
Location: Berkeley, CA

Re: Front page malicious content warning

Post by Lunkhead »

facepalm :(

Re: Front page malicious content warning

Post by fluffy »

Okay, I found and removed a whole bunch of insidiously-installed crap. Unfortunately the nature of shared hosting makes it pretty hard to figure out how it came about, and I know from experience that Dreamhost support is really crappy about actually trying to do forensics and see about preventing these things from happening.

So far I've found the following:

A remote shell was installed in the legacy /zebra/ directory, and was set up to look like a 404 error if a particular cookie wasn't present

A few PHP scripts were installed to look like they were legit scripts (and interestingly enough they've stopped using blatant obfuscation tricks which makes them harder to find, although easier to dissect)

A .htaccess rule was set up to make it so that certain URLs would redirect to pharmacy spam sites (I only even found this because our Russian spammer friend was actually testing it and that was recent enough to show up in the access logs)

Aside from the accesses to the remote shell and the testing, I couldn't find any indication that the files were uploaded through web-based security holes. Many of the directories and files had group- and world-writable permissions, so likely the vector was via someone else's compromised account being used as a shell. (Sadly this is a very common attack vector that's possible because of the nature of shared hosting; I've made several suggestions to Dreamhost about how they can mitigate this problem but so far they haven't implemented any of the solutions.) One of the things that facilitated this was that the account profile was set with a umask of 002 (which allows group-write permissions by default). I have, of course, changed this.

Also the site is full of old/abandoned PHP scripts and I'm not sure what should be here and what shouldn't, and we really should do a spring cleaning someday, Spud.
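
An added example, not part of the thread and not the site's own tooling: a small audit that looks for the three kinds of artifact the post above describes. It lists everything under a web root that is group- or world-writable (what a 002 umask leaves behind), pulls out .htaccess RewriteRule/Redirect lines whose target is an absolute URL on a host you don't own, and flags PHP files that both read $_COOKIE and can emit a 404 status line themselves, which is the shape of a "looks like a 404 unless the right cookie is present" shell. The cookie/404 pairing is an assumed heuristic, not a known signature, and the sample tree it runs against is constructed here with made-up contents (pharmacy.example, a fake zebra/lib.php); only the directory name and the songfight.org hostname come from the post.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# .htaccess directives whose target is an absolute URL (possibly on another host)
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent)?)\s+.*?(https?://[^\s\]]+)",
    re.IGNORECASE | re.MULTILINE,
)
# Assumed heuristic for the fake-404 shell: the script reads a cookie AND is able
# to send a 404 status line on its own. Legitimate scripts rarely do both.
PHP_READS_COOKIE = re.compile(r"\$_COOKIE\b")
PHP_SENDS_404 = re.compile(r"header\s*\(\s*['\"][^'\"]*\b404\b", re.IGNORECASE)


def loose_permissions(root):
    """Paths under root that are group- or world-writable (the 0o020 / 0o002 bits)."""
    found = []
    for path in Path(root).rglob("*"):
        mode = path.lstat().st_mode
        if stat.S_ISLNK(mode):            # symlink mode bits are meaningless; skip them
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            found.append(str(path.relative_to(root)))
    return sorted(found)


def offsite_redirects(root, own_hosts):
    """(htaccess file, target URL) pairs for redirect rules that point off-site."""
    hits = []
    for path in sorted(Path(root).rglob(".htaccess")):
        for target in HTACCESS_REDIRECT.findall(path.read_text(errors="replace")):
            host = re.sub(r"^https?://", "", target).split("/")[0].lower()
            if host not in own_hosts:
                hits.append((str(path.relative_to(root)), target))
    return hits


def cookie_gated_404s(root):
    """PHP files that both read $_COOKIE and can answer with a 404 header."""
    hits = []
    for path in Path(root).rglob("*.php"):
        text = path.read_text(errors="replace")
        if PHP_READS_COOKIE.search(text) and PHP_SENDS_404.search(text):
            hits.append(str(path.relative_to(root)))
    return sorted(hits)


def build_sample_site():
    """Constructed sample tree (not the real site) reproducing each finding once."""
    root = Path(tempfile.mkdtemp(prefix="audit_"))
    (root / "index.php").write_text("<?php echo 'front page'; ?>\n")
    os.chmod(root / "index.php", 0o644)
    legacy = root / "zebra"                   # the legacy directory named in the post
    legacy.mkdir()
    os.chmod(legacy, 0o777)                   # world-writable directory
    (legacy / "lib.php").write_text(
        "<?php\n"
        "if (!isset($_COOKIE['k'])) { header('HTTP/1.0 404 Not Found'); exit; }\n"
        "// shell body deliberately omitted in this constructed sample\n"
    )
    os.chmod(legacy / "lib.php", 0o664)       # group-writable, as a 002 umask leaves it
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteRule ^cheap-pills$ http://pharmacy.example/ [R=301,L]\n"
        "RewriteRule ^old/(.*)$ http://www.songfight.org/$1 [R=301,L]\n"
    )
    os.chmod(root / ".htaccess", 0o644)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("loose permissions:", loose_permissions(site))
    print("off-site redirects:", offsite_redirects(site, {"songfight.org", "www.songfight.org"}))
    print("cookie-gated 404 scripts:", cookie_gated_404s(site))
```

Run it against a real docroot by passing that path instead of the sample tree; the redirect check expects the set of hostnames the site legitimately answers on, so that internal www/non-www rules are not reported. Pair it with fixing the cause: a umask of 022 in the account's shell profile stops newly created files from coming out group-writable in the first place.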

Re: Front page malicious content warning

Post by fluffy »

Now, the really funny thing is this stuff isn't stuff that should have been visible to Webroot just yet - it's very likely that it's only a coincidence, and it's just fortunate timing. Whatever damage the spammer was intending to do, he hadn't actually flipped the switch yet.

Re: Front page malicious content warning

Post by Lunkhead »

Would some non-shared hosting option help avoid these situations, like using a private virtual server?

Re: Front page malicious content warning

Post by fluffy »

It would help, yes, but AFAIK most VPS options would get very expensive very fast for a site with as much storage and traffic as songfight.org. I should just install my daily site integrity monitor script onto the fightmaster account and have it set to email me when new files go on the site or existing files change (it also specifically calls out things with bogus permissions).
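
An added example of the kind of daily integrity monitor described above; it is not fluffy's script and not the site's own code. It snapshots every regular file under a web root (SHA-256 plus permission bits), diffs the snapshot against a baseline stored outside the docroot, and reports added, removed and modified files, permission changes, and anything that is group- or world-writable, which is what the cron job would mail out. The demo tree and the planted changes are constructed here; the mail step is left as the returned text.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

LOOSE_BITS = stat.S_IWGRP | stat.S_IWOTH    # group- or world-writable


def snapshot(root):
    """Relative path -> sha256 and permission bits for every regular file under root."""
    snap = {}
    for path in Path(root).rglob("*"):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):        # skip directories and symlinks
            continue
        snap[str(path.relative_to(root))] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
        }
    return snap


def compare(old, new):
    """Sorted lists of added/removed/modified/mode-changed files and loose permissions."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": [], "loose_perms": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        else:
            if old[rel]["sha256"] != new[rel]["sha256"]:
                report["modified"].append(rel)
            if old[rel]["mode"] != new[rel]["mode"]:
                report["mode_changed"].append(rel)
        if rel in new and new[rel]["mode"] & LOOSE_BITS:   # reported every run until fixed
            report["loose_perms"].append(rel)
    return report


def check(root, baseline_path):
    """One daily run: diff against the stored baseline, then replace the baseline."""
    baseline = Path(baseline_path)              # keep this file OUTSIDE the web root
    old = json.loads(baseline.read_text()) if baseline.exists() else {}
    new = snapshot(root)
    report = compare(old, new)
    baseline.write_text(json.dumps(new, sort_keys=True))
    return report


def format_report(report):
    """Body text for the notification mail; empty string when nothing changed."""
    return "\n".join(f"{key}: {', '.join(paths)}" for key, paths in report.items() if paths)


def demo():
    """Constructed scenario: baseline a clean tree, then plant intruder-style changes."""
    root = Path(tempfile.mkdtemp(prefix="site_"))
    (root / "css").mkdir()
    for rel, body in (("index.php", "<?php echo 'front page'; ?>\n"), ("css/site.css", "body{}\n")):
        (root / rel).write_text(body)
        os.chmod(root / rel, 0o644)
    baseline = Path(tempfile.mkdtemp(prefix="baseline_")) / "baseline.json"
    first = check(root, baseline)               # everything is "added" on the first run

    (root / "css" / "x.php").write_text("<?php /* planted */ ?>\n")   # dropped-in script
    os.chmod(root / "css" / "x.php", 0o644)
    (root / "index.php").write_text("<?php /* tampered */ ?>\n")      # content change
    os.chmod(root / "css" / "site.css", 0o666)                        # made world-writable
    second = check(root, baseline)
    return first, second


if __name__ == "__main__":
    first, second = demo()
    print("first run:\n" + format_report(first))
    print("\nsecond run:\n" + format_report(second))
```

In production the only thing that varies is the two paths: cron runs check() against the docroot once a day and mails format_report() when it is non-empty. Keeping the baseline outside the docroot matters twice over: it would otherwise show up as "modified" every day, and anyone who can write into the site could edit it to hide their files.
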
jast
Ice Cream Man
Posts: 1325
Joined: Tue Jul 29, 2008 7:03 pm
Instruments: Vocals, guitar
Recording Method: Cubase, Steinberg UR44
Submitting as: Jan Krueger
Pronouns: .
Location: near Aachen, Germany

Re: Front page malicious content warning

Post by jast »

How much traffic does the site generate in an average month? I know decent offers that include a few terabytes worth of unthrottled traffic per month.

Re: Front page malicious content warning

Post by fluffy »

Unfortunately, I don't have access to any bandwidth statistics. The HTTP access log doesn't record bandwidth stats for some reason (and only goes back one week anyway), and only JB has Dreamhost control panel access. Maybe JB would like to share the numbers, though...

Re: Front page malicious content warning

Post by fluffy »

Oh, the other big issue is storage. songfight.org has over 40GB of data and it's growing every day. Linode provides a lot of bandwidth for cheap, but storage still costs a lot per month.

There are cheaper VPS options out there but I've been burned badly by their lack of reliability. Most cheap VPSes are fly-by-night operations that have no idea what they're doing, and the rest are fly-by-night operations that know EXACTLY what they're doing.

Re: Front page malicious content warning

Post by fluffy »

Heh, the Russian spammers were just trying to trigger the detonator. SORRY GUYS.

I think I just figured out what the endgame was, and how the malicious content warning happened... it looks like the spam stuff was installed in a way that it would NEVER purposefully affect the site as a whole, and the thing that served up spam content was just intended to be spidered separately. So Googlebot has been trying to index it today (and has probably been indexing it in the past as well), so it was just trying to boost other sites' pageranks without affecting the content of this site directly. That's pretty insidious, and even harder to notice than the last time something like this happened.

Fucking arms race, man.
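
An added example, not from the thread, of how to check for the cloaking described above: fetch the same URL once as an ordinary browser and once with a Googlebot User-Agent, and compare the status and body. A page that only exists for the crawler shows up as a status mismatch (200 for the crawler, 404 for everyone else) or as a body that barely resembles the browser's. The server here is a constructed stand-in for the compromised host so the check runs offline; the spam path, the pharmacy.example link and the 0.9 similarity threshold are all assumptions.

```python
import http.server
import threading
import urllib.error
import urllib.request
from difflib import SequenceMatcher

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the infected host: one path answers the crawler with
    a spam page and everyone else with a 404, while the front page is untouched."""

    def do_GET(self):
        crawler = "Googlebot" in self.headers.get("User-Agent", "")
        if self.path == "/cheap-pills" and crawler:
            status, body = 200, b"<html><body><a href='http://pharmacy.example/'>cheap pills</a></body></html>"
        elif self.path == "/cheap-pills":
            status, body = 404, b"<html><body><h1>404 Not Found</h1></body></html>"
        else:
            status, body = 200, b"<html><body>Song Fight! front page</body></html>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):    # keep the demo quiet
        pass


def start_server():
    """Start the constructed cloaking server on a free localhost port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """(status, body) for url as seen by user_agent; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def is_cloaked(url, min_similarity=0.9):
    """True when the crawler gets a different status or a substantially different body."""
    browser_status, browser_body = fetch(url, BROWSER_UA)
    crawler_status, crawler_body = fetch(url, CRAWLER_UA)
    if browser_status != crawler_status:
        return True
    return SequenceMatcher(None, browser_body, crawler_body).ratio() < min_similarity


if __name__ == "__main__":
    srv = start_server()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    for path in ("/", "/cheap-pills"):
        print(path, "cloaked" if is_cloaked(base + path) else "same for everyone")
    srv.shutdown()
```

Against a live site, point is_cloaked() at the URLs the access log shows Googlebot requesting, since those are exactly the paths a spammer is trying to get spidered. Pages that legitimately vary per request (timestamps, session tokens) should have those bits stripped before the comparison, or the threshold lowered, to avoid false positives; a flat status mismatch is the stronger signal either way.
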
JonPorobil
Beat It
Posts: 5682
Joined: Sat Sep 25, 2004 11:45 am
Instruments: Piano, Guitar, Harmonica, Mandolin, Accordion, Bass, lots of VSTs
Recording Method: Cubase 10.5
Submitting as: Jon Eric, Jon Porobil, others
Pronouns: He/Him
Location: Pittsburgh, PA

Re: Front page malicious content warning

Post by JonPorobil »

There hasn't been a lot of conversation on this thread (I know I personally don't have much to add), but I wanted to take some time to thank you, fluffy, for helping to keep the site safe and clean. That's no small task, and I'm sure we all appreciate it.
"Warren Zevon would be proud." -Reve Mosquito

Stages, an album about dealing with loss, anxiety, and grieving a difficult year, now available on Bandcamp and all streaming platforms! https://jonporobil.bandcamp.com/album/stages
HeuristicsInc
Beat It
Posts: 5297
Joined: Sat Sep 25, 2004 6:14 pm
Instruments: Synths
Recording Method: Windows computer, Acid, Synths etc.
Submitting as: Heuristics Inc. (duh) + collabs
Pronouns: he/him
Location: Maryland USA

Re: Front page malicious content warning

Post by HeuristicsInc »

awesome work, fluffy.
-bill
152612141617123326211316121416172329292119162316331829382412351416132117152332252921
http://heuristicsinc.com
Liner Notes
SF Lyric Ideas