Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
12-25-2004, 07:28 PM
|
#1
|
LQ Newbie
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6
Rep:
|
security scare - debian 3.0/apache...
hi all,
i'm a newbie with linux, so please be gentle.
i have a debian 3.0 box running apache 1.3, and PHP4. i noticed some javascripts on a few of my pages that i didn't put there. is there any way for me to know who did this? what can i do to make sure it doesn't happen again? i'm behind a Smoothwall firewall, but again, i'm a newbie to network security so i don't really know how to read the SNORT logs or anything. are there any good security tutorials to read out there, that are newbie friendly?
thanks very much!
later
|
|
|
12-25-2004, 09:01 PM
|
#2
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Check out unSpawn's security references thread for basic security and hardening guides.
Regarding the JavaScripts, any idea who put them there (owner, file creation/modification times, etc)? What they do (are they malicious in nature)? Any log entries that coincide with the creation of the javascripts (especially application errors or panics)? Are your Apache and PHP versions up to date?
|
|
|
12-25-2004, 11:27 PM
|
#3
|
LQ Newbie
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6
Original Poster
Rep:
|
thanks for the link.
i'm at my wife's grandma's house right now, so i can't look into the logs or anything right now. but i have looked at the scripts, and have downloaded the page, nothing seems malicious, but then again i'm only rifling through it. don't wanna be rude spending the entire visit in front of my grandma's computer.
thanks again!
later
edit: these are the scripts. maybe y'all can make something of them:
in the <head> tag:
Code:
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
    window.open = SymWinOpen;
    if(SymRealOnUnload != null)
        SymRealOnUnload();
}

function SymOnLoad()
{
    if(SymRealOnLoad != null)
        SymRealOnLoad();
    window.open = SymRealWinOpen;
    SymRealOnUnload = window.onunload;
    window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
after the </body> tag:
Code:
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
    window.open = SymWinOpen;
    if(SymRealOnUnload != null)
        SymRealOnUnload();
}

function SymOnLoad()
{
    if(SymRealOnLoad != null)
        SymRealOnLoad();
    window.open = SymRealWinOpen;
    SymRealOnUnload = window.onunload;
    window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
Last edited by A3M0N; 12-25-2004 at 11:34 PM.
|
|
|
12-26-2004, 03:06 AM
|
#4
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
The script itself looks like a popup blocker, but do you happen to have Norton Internet Security installed on the client you are viewing the page with? Every Google search turns up that exact script associated with Norton Internet Security injecting javascript client-side into the html page in order to block popups. Try wgeting from a linux system or manually look at the html pages in order to rule out client-side scripting.
PS: it wouldn't be christmas without spending time in front of the relatives' computer!!! I already spent several hours removing viruses and spyware from the in-laws' WinXP and showing them how to download pics from the new digital camera. Plus it beats the hell out of chopping 2 cords of wood at the old man's house.
|
|
|
12-26-2004, 09:23 AM
|
#5
|
LQ Newbie
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6
Original Poster
Rep:
|
yes, actually. my grandma had internet security on her machine, but the subscription had run out. i just uninstalled it and installed spybot/spywareblaster/adaware/avg. but not before i viewed my site.
hmm thanks for that. i didn't even think of googling the scripts. i'll check that code out as soon as i get home today (8 hour drive).
thanks again dude!
later
|
|
|
12-30-2004, 12:19 PM
|
#6
|
LQ Newbie
Registered: Dec 2004
Location: Charleston, SC
Distribution: Ubuntu
Posts: 6
Original Poster
Rep:
|
sorry it's taken so long to respond.
you were exactly right. was the norton thing. i freaked out for no reason. now to learn how to secure my system.
thanks again!
later
|
|
|
12-30-2004, 01:26 PM
|
#7
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
No problem. Glad it was just a scare and not an actual compromise.
|
|
|
01-08-2005, 01:22 PM
|
#8
|
LQ Newbie
Registered: Jan 2005
Location: San Diego
Posts: 4
Rep:
|
Hi...I am having the exact problem. I also have Norton. I also use Mozilla to edit my web pages.
If I don't continually delete it, the script repeats over and over and over again.
I am unclear as to what to do? Do I do something with Norton?
Also, what does this script do to my website? Does it cause ranking problems?
Thanks for your help!!!!!!!!!!!
Last edited by gdnrose; 01-08-2005 at 01:23 PM.
|
|
|
01-08-2005, 03:02 PM
|
#9
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
The script is usually inserted on the client-side, not on the server itself. So if I viewed the site from my computer without Norton Internet Security, I wouldn't see that script in the page. The point of it is to insert pop-up blocking code into each page that you visit, even though the script isn't actually in the web page being transferred from the remote site. You can test this easily by turning off or disabling Norton and then refreshing the page. As far as how to permanently disable the feature, you would have to consult the Norton documentation, as I'm not familiar with it.
|
|
|
01-08-2005, 04:10 PM
|
#10
|
LQ Newbie
Registered: Jan 2005
Location: San Diego
Posts: 4
Rep:
|
Quote:
Originally posted by Capt_Caveman
The point of it is to insert pop-up blocking code into each page that you visit, even though the script isn't actually in the web page being transferred from the remote site.
|
Are you saying that I need to insert pop-up blocking code into each page?
Quote:
Originally posted by Capt_Caveman
You can test this easily by turning off or disabling Norton and then refresh the page.
|
What am I looking for in this test??
Quote:
Originally posted by Capt_Caveman
As far as how to permanently disable the feature, you would have to consult the Norton documentation, as I'm not familiar with it.
|
What am I disabling? Am I disabling pop-up blocking?
Thanks so much for your help and time!!!!
|
|
|
01-08-2005, 04:58 PM
|
#11
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Quote:
Are you saying that I need to insert pop-up blocking code into each page
|
No, the Norton Internet Security is already inserting it into the page. The javascript in the original post IS a popup blocker. The way this is done is:
1) You request a page from a remote webserver.
2) Remote webserver transfers page to you. Let's say page looks like this:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
3) Your system receives the page. It looks exactly like the version sent by the webserver:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
4) Norton Internet Security inserts javascript into the page in order to block any pop-ups that may already be in the page. So now page looks like this:
Code:
<HTML>
<HEAD>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
    window.open = SymWinOpen;
    if(SymRealOnUnload != null)
        SymRealOnUnload();
}

function SymOnLoad()
{
    if(SymRealOnLoad != null)
        SymRealOnLoad();
    window.open = SymRealWinOpen;
    SymRealOnUnload = window.onunload;
    window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
</HEAD>
<BODY>
foo.
</BODY>
<script language="JavaScript">
<!--
var SymRealOnLoad;
var SymRealOnUnload;

function SymOnUnload()
{
    window.open = SymWinOpen;
    if(SymRealOnUnload != null)
        SymRealOnUnload();
}

function SymOnLoad()
{
    if(SymRealOnLoad != null)
        SymRealOnLoad();
    window.open = SymRealWinOpen;
    SymRealOnUnload = window.onunload;
    window.onunload = SymOnUnload;
}

SymRealOnLoad = window.onload;
window.onload = SymOnLoad;
//-->
</script>
</HTML>
5) Your web browser then renders the above page. Any popups that might have been in the page no longer work, keeping you from getting popups.
Now if I look at the page (I don't have Norton Internet Security), then the page looks like this:
Code:
<HTML>
<HEAD>
</HEAD>
<BODY>
foo.
</BODY>
</HTML>
So the javascript is injected CLIENT-SIDE only. It is inserted by software (Norton Internet security) running on the client viewing the page. It is not present on the page on the webserver.
Quote:
What am I looking for in this test?? What am I disabling? Am I disabling pop-up blocking?
|
Look at web page source. Turn off Norton Internet security on your system. Look at webpage again (make sure to refresh so that you aren't viewing a cached version). When you disable Norton, it shouldn't be able to insert the javascript popup blocker, so the page will not contain the above javascript.
|
|
|
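Added example, not part of any post in this thread: the comparison described in posts #4 and #11 (the page as served versus the page as one browser showed it), written as a small Python check that lists the script blocks found only in the browser's copy. The function names, verdict strings and sample pages are assumptions constructed for illustration, and the regular expression is a triage heuristic rather than a full HTML parser.

```python
# Added example, not code from the thread. The sample pages are constructed
# from the "foo." page and the Sym* script quoted in the posts above.
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)


def script_bodies(html):
    """Return every <script> body with whitespace collapsed, so that
    re-indentation alone does not count as a difference."""
    return [" ".join(body.split()) for body in SCRIPT_RE.findall(html)]


def triage(served_html, browser_html):
    """Compare the page as served with the page as one browser showed it.

    served_html:  the file from the docroot, or the page fetched with wget
                  from a machine without filtering software
    browser_html: the source saved from the browser that showed the script
    Returns (verdict, scripts present only in the browser copy).
    """
    served = set(script_bodies(served_html))
    seen = script_bodies(browser_html)
    added = [s for s in seen if s not in served]
    if added:
        # Something between the server and the renderer inserted these.
        return "added-on-client", added
    if seen:
        # The server really sends every script the browser showed. If one is
        # unexpected, check file owner, modification time and logs.
        return "present-in-served-page", []
    return "no-scripts", []


# Constructed sample input (shortened form of the script in the thread).
INJECTED = """<script language="JavaScript">
<!--
var SymRealOnLoad;
window.onload = SymOnLoad;
//-->
</script>"""
SERVED = "<HTML>\n<HEAD>\n</HEAD>\n<BODY>\nfoo.\n</BODY>\n</HTML>\n"
BROWSER = SERVED.replace("<HEAD>", "<HEAD>\n" + INJECTED).replace(
    "</BODY>", "</BODY>\n" + INJECTED)
# Constructed case: a page saved from an editor while the filter was active,
# so the script ended up in the file on disk.
SAVED_WITH_FILTER = BROWSER

if __name__ == "__main__":
    print(triage(SERVED, BROWSER)[0])
    print(triage(SAVED_WITH_FILTER, BROWSER)[0])
```

A "present-in-served-page" verdict only says the script is in the file being served; whether it got there through an editor on a filtered client or through a change nobody made is answered by the file's owner, modification time and the logs.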
01-08-2005, 08:40 PM
|
#12
|
LQ Newbie
Registered: Jan 2005
Location: San Diego
Posts: 4
Rep:
|
Thanks so much for your time on this!!!
One more question.....why wouldn't this script show up on all my web pages? It is only on my index.html page.
|
|
|
01-09-2005, 11:03 AM
|
#13
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Don't know. You'd need to look at the Norton Internet Security docs or send an email to their support service.
|
|
|
01-09-2005, 01:16 PM
|
#14
|
LQ Newbie
Registered: Jan 2005
Location: San Diego
Posts: 4
Rep:
|
Thanks very much.
For others who may have this problem...this is what I did to keep the script from reappearing:
Before editing my index.html, I disable my Norton. When I am finished saving and publishing, I enable my Norton again.
|
|
|
All times are GMT -5.