LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-25-2004, 06:28 PM   #1
A3M0N
LQ Newbie
 
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6

Rep: Reputation: 0
security scare - debian 3.0/apache...


hi all,

i'm a newbie with linux, so please be gentle.

i have a debian 3.0 box running apache 1.3, and PHP4. i noticed some javascripts on a few of my pages that i didn't put there. is there any way for me to know who did this? what can i do to make sure it doesn't happen again? i'm behind a Smoothwall firewall, but again, i'm a newbie to network security so i don't really know how to read the SNORT logs or anything. are there any good security tutorials to read out there, that are newbie friendly?

thanks very much!

later
 
Old 12-25-2004, 08:01 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Check out unSpawn's security references thread for basic security and hardening guides.

Regarding the javascripts, any idea who put them there (owner, file creation/modification times, etc)? What they do (are they malicious in nature)? Any log entries that coincide with the creation of the javascripts (especially application errors or panics)? Are your Apache and PHP versions up to date?
 
Old 12-25-2004, 10:27 PM   #3
A3M0N
LQ Newbie
 
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6

Original Poster
Rep: Reputation: 0
thanks for the link.

i'm at my wife's grandma's house right now, so i can't look into the logs or anything right now. but i have looked at the scripts, and have downloaded the page, nothing seems malicious, but then again i'm only rifling through it. don't wanna be rude spending the entire visit in front of my grandma's computer.

thanks again!

later

edit: these are the scripts. maybe y'all can make something of them:

in the <head> tag:
Code:
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>
after the </body> tag:
Code:
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

Last edited by A3M0N; 12-25-2004 at 10:34 PM.
 
Old 12-26-2004, 02:06 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The script itself looks like a popup blocker, but do you happen to have Norton Internet Security installed on the client you are viewing the page with? Every google search turns up that exact script associated with Norton Internet Security injecting javascript client-side into the html page in order to block popups. Try wgeting from a linux system or manually look at the html pages in order to rule out client-side scripting.

PS: it wouldn't be Christmas without spending time in front of the relatives' computer!!! I already spent several hours removing viruses and spyware from the in-laws' WinXP and showing them how to download pics from the new digital camera. Plus it beats the hell out of chopping 2 cords of wood at the old man's house.
 
Old 12-26-2004, 08:23 AM   #5
A3M0N
LQ Newbie
 
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6

Original Poster
Rep: Reputation: 0
yes, actually. my grandma had internet security on her machine, but the subscription had run out. i just uninstalled it and installed spybot/spywareblaster/adaware/avg. but not before i viewed my site.

hmm thanks for that. i didn't even think of googling the scripts. i'll check that code out as soon as i get home today (8 hour drive).

thanks again dude!

later
 
Old 12-30-2004, 11:19 AM   #6
A3M0N
LQ Newbie
 
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6

Original Poster
Rep: Reputation: 0
sorry it's taken so long to respond.

you were exactly right. was the norton thing. i freaked out for no reason. now to learn how to secure my system.

thanks again!

later
 
Old 12-30-2004, 12:26 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
No problem. Glad it was just a scare and not an actual compromise.
 
Old 01-08-2005, 12:22 PM   #8
gdnrose
LQ Newbie
 
Registered: Jan 2005
Location: San Diego
Posts: 4

Rep: Reputation: 0


Hi...I am having the exact problem. I also have Norton. I also use Mozilla to edit my web pages.

If I don't continually delete it, the script repeats over and over and over again.

I am unclear as to what to do? Do I do something with Norton?

Also, what does this script do to my website? Does it cause ranking problems?

Thanks for your help!!!!!!!!!!!

Last edited by gdnrose; 01-08-2005 at 12:23 PM.
 
Old 01-08-2005, 02:02 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The script is usually inserted on the client-side, not on the server itself. So if I viewed the site from my computer without Norton Internet Security, I wouldn't see that script in the page. The point of it is to insert pop-up blocking code into each page that you visit, even though the script isn't actually in the web page being transferred from the remote site. You can test this easily by turning off or disabling Norton and then refresh the page. As far as how to permanently disable the feature, you would have to consult the Norton documentation, as I'm not familiar with it.
 
Old 01-08-2005, 03:10 PM   #10
gdnrose
LQ Newbie
 
Registered: Jan 2005
Location: San Diego
Posts: 4

Rep: Reputation: 0
Quote:
Originally posted by Capt_Caveman
The point of it is to insert pop-up blocking code into each page that you visit, even though the script isn't actually in the web page being transferred from the remote site.
Are you saying that I need to insert pop-up blocking code into each page?

Quote:
Originally posted by Capt_Caveman
You can test this easily by turning off or disabling Norton and then refresh the page.
What am I looking for in this test??

Quote:
Originally posted by Capt_Caveman
As far as how to permanently disable the feature, you would have to consult the Norton documentation, as I'm not familiar with it.
What am I disabling? Am I disabling pop-up blocking?

Thanks so much for your help and time!!!!
 
Old 01-08-2005, 03:58 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Are you saying that I need to insert pop-up blocking code into each page
No, the Norton Internet Security is already inserting it into the page. The javascript in the original post IS a popup blocker. The way this is done is:
1) You request a page from a remote webserver.
2) Remote webserver transfers page to you. Let's say page looks like this:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
3) Your system receives the page. It looks exactly like the version sent by the webserver:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
4) Norton Internet Security inserts javascript into the page in order to block any pop-ups that may already be in the page. So now page looks like this:
Code:
<HTML>
<HEAD>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>
</HEAD>
<BODY>
foo.
</BODY>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
  window.open = SymWinOpen;
  if(SymRealOnUnload != null)
     SymRealOnUnload();
}

function SymOnLoad()
{
  if(SymRealOnLoad != null)
     SymRealOnLoad();
  window.open = SymRealWinOpen;
  SymRealOnUnload = window.onunload;
  window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;

//-->
</script>

</HTML>
5) Your web browser then renders the above page. Any popups that might have been in the page no longer work, keeping you from getting popups.
Now if I look at the page (I don't have Norton Internet Security), then the page looks like this:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
So the javascript is injected CLIENT-SIDE only. It is inserted by software (Norton Internet security) running on the client viewing the page. It is not present on the page on the webserver.

What am I looking for in this test?? What am I disabling? Am I disabling pop-up blocking?
Look at web page source. Turn off Norton Internet security on your system. Look at webpage again (make sure to refresh so that you aren't viewing a cached version). When you disable Norton, it shouldn't be able to insert the javascript popup blocker, so the page will not contain the above javascript.
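Added example, not part of the original posts: a shell sketch of the check described in posts #4 and #11, comparing the copy the server holds (or a wget fetch from a machine without Norton) against the copy saved from the suspect browser, plus a docroot scan for pages where the block was saved into the file itself. The function names, file names and sample pages are constructed for illustration; only the `SymRealOnLoad` marker comes from the script quoted in the thread.

```shell
#!/bin/sh
# Added example: is the popup-blocker script in the server's file, or only in the client's copy?
MARKER='SymRealOnLoad'   # variable name from the script quoted in the thread

# count_blocks FILE -> number of injected script blocks (each declares the variable once)
count_blocks() { grep -c "var ${MARKER};" "$1" || true; }

# classify SERVER_COPY BROWSER_COPY -> prints one verdict word
#   SERVER_COPY : file read from the docroot, or fetched with wget on a Norton-free host
#   BROWSER_COPY: "view source" / "save as" output from the client under suspicion
classify() {
  s=$(count_blocks "$1"); b=$(count_blocks "$2")
  if [ "$s" -gt 0 ]; then echo "on-server"       # the stored page really contains it
  elif [ "$b" -gt 0 ]; then echo "client-side"   # added after transfer; server copy is clean
  else echo "absent"; fi
}

# scan_docroot DIR -> "count<TAB>path" for each page under DIR that contains the marker
scan_docroot() {
  find "$1" -type f \( -name '*.html' -o -name '*.htm' -o -name '*.php' \) |
  while IFS= read -r f; do
    n=$(count_blocks "$f")
    if [ "$n" -gt 0 ]; then printf '%s\t%s\n' "$n" "$f"; fi
  done
}

# make_samples DIR -> writes two constructed pages modelled on the "foo." page in post #11
make_samples() {
  printf '<HTML>\n<HEAD>\n</HEAD>\n<BODY>\nfoo.\n</BODY>\n</HTML>\n' > "$1/served.html"
  { printf '<HTML>\n<HEAD>\n<script language="JavaScript">\nvar SymRealOnLoad;\n</script>\n</HEAD>\n'
    printf '<BODY>\nfoo.\n</BODY>\n<script language="JavaScript">\nvar SymRealOnLoad;\n</script>\n</HTML>\n'
  } > "$1/saved.html"
}

# Demo on the constructed samples
d=$(mktemp -d); make_samples "$d"
classify "$d/served.html" "$d/saved.html"
scan_docroot "$d"
rm -rf "$d"
```

A count above 2 from `scan_docroot` on a real page matches the situation in post #8, where the page was edited and re-saved with Norton enabled and the block accumulated in the file on disk.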
 
Old 01-08-2005, 07:40 PM   #12
gdnrose
LQ Newbie
 
Registered: Jan 2005
Location: San Diego
Posts: 4

Rep: Reputation: 0
Thanks so much for your time on this!!!

One more question.....why wouldn't this script show up on all my web pages? It is only on my index.html page.
 
Old 01-09-2005, 10:03 AM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Don't know. You'd need to look at the Norton Internet Security docs or send an email to their support service.
 
Old 01-09-2005, 12:16 PM   #14
gdnrose
LQ Newbie
 
Registered: Jan 2005
Location: San Diego
Posts: 4

Rep: Reputation: 0
Thanks very much.

For others who may have this problem...this is what I did to keep the script from reappearing:

Before editing my index.html, I disable my Norton. When I am finished saving and publishing, I enable my Norton again.
 
  

