Block Ukrainian Malware Server on Eurohost
Yesterday, April 30, 2009, when investigating a problem with an associate's websites, I traced a cross site scripting iframe exploit, pointing to a malware middleman website at tojandglow.com, which redirects victims to a hostile server hosted in the Ukraine by Eurohost LLC. This Ukrainian server is currently dispensing malicious software that includes 9 Trojans, 7 scripting exploits and 1 virus.
The hostile iframe code was injected into the home pages of two related websites by exploiting vulnerabilities in a PHP script used by the webmaster of those websites. The server dispensing the exploits is located at 91.212.65.138, which coincides with the Eurohost home page. The CIDR assigned to Eurohost is 91.212.65.0/24, and you should block it in your firewall's IP blocking rules; the Windows HOSTS file can only cover the redirector's hostname (tojandglow.com), because it works on names, not on addresses or ranges. Examples of both are found below.
Any website that runs PHP or CGI scripts is in danger of becoming an inadvertent carrier of the redirection iframe that sends innocent visitors to servers rigged to exploit vulnerabilities in their browsers, browser add-ons, plug-ins, or helper objects. Some of the most frequently exploited applications are Internet Explorer (any version prior to 8.0), Adobe Flash, Adobe Reader and Apple QuickTime. Other exploited programs include Apple Safari, Google Chrome and, occasionally, Mozilla Firefox. On rare occasions the Opera browser and the Java plug-in are hit by targeted attacks. Firefox and Opera are usually updated very quickly after a vulnerability is reported to their maintainers; plug-ins usually take longer because they have to interact with so many other applications.
Webmasters and server administrators, you are responsible for keeping up to date with patches released by software authors, for any applications or scripts that you choose to run on your websites. Information to help you protect your websites and servers from getting exploited by hostile injection probes is in my extended comments.
Individuals browsing the Internet are the real targets of all of these injection attacks, and that includes everybody reading this article. You and I have to remain constantly vigilant about threats to our computers' security. New exploits are found every month and are often released in the wild before software authors can respond with patched versions; those are called zero day exploits. There are several ways to protect your computers from them, including, but not limited to, keeping up to date with all Windows, Mac or Linux updates and patches, and with patches for commonly exploited third party browser add-ons like Flash players, PDF readers, QuickTime and Java plug-ins. Your next line of defense is a combination of security programs: a 2-way firewall, anti-virus, anti-spyware and web threat protection that blocks hostile web pages. Or you can install one top-notch security suite, like Trend Micro Internet Security, and get all these protections and more in one regularly updated package. There are links to reputable security products in the right sidebar on all of my blog pages.
Windows users have an additional means of keeping their PCs away from hostile websites. There is a special file, normally found in C:\Windows\System32\drivers\etc\, with the unusual file name HOSTS. Although it has no file extension, it can be opened and edited with the built-in Windows Notepad. Each line of the HOSTS file is an IP address followed by a hostname (not a full URL), separated by a tab or spaces; the resolver consults it before asking DNS, so a hostname mapped to 127.0.0.1 can never be reached by name. This can keep your computer away from the tojandglow redirector, but it cannot block an IP address or range such as 91.212.65.138 or 91.212.65.0/24; that is a firewall job. To add the redirector, open your HOSTS file and edit it using these steps.
- Using Start > (My) Computer, double-click the C: drive icon, then navigate to the Windows\System32\drivers\etc\ folder.
- Inside the etc folder you should see a file named hosts. If it is not displayed, you may have to unhide protected system files first; see the section on unhiding hidden files at the end of this article.
- Right-click on the file named HOSTS and choose (left click) Properties
- Find the attributes section starting with "READ-ONLY" and uncheck it if it was checked
- Click Apply and OK to close the Properties window.
- Right-click on HOSTS while holding down the Shift key and select "Open With"
- Scroll through the programs list until you find "Notepad" and double-click on it
- If Notepad isn't listed you will have to use the browse button to navigate to the Windows folder, where Notepad.exe is located.
- With HOSTS open for editing go to the last line in the file and hit ENTER
- Add these lines, with a tab after each 127.0.0.1 (one hostname per line; HOSTS has no wildcards, so the www form needs its own entry):
- 127.0.0.1 tojandglow.com
- 127.0.0.1 www.tojandglow.com
- Do not add the server address 91.212.65.138 or the CIDR 91.212.65.0/24 here. HOSTS is only consulted when a name is looked up, so an entry for an IP address does nothing, and it has no notion of address ranges; those belong in your firewall's IP blocking rules.
- Click File > Save. If a Save As dialog appears, set the file type to All Files and save it as hosts, with no extension.
- Windows may add a .txt extension anyway. If it does, allow this, then rename the saved file to remove the .txt and answer the warning about changing file extensions.
- On Windows Vista and Windows 7 the drivers\etc folder is protected, so the save will fail with Access denied unless Notepad was started with Run as administrator (right-click Notepad under Start > All Programs > Accessories); in that case use Notepad's own File > Open dialog, file type All Files, to reach hosts.
Open a command prompt and run ipconfig /flushdns (or reboot) so the DNS client cache forgets any earlier lookup of the blocked names. From then on, any script that tries to send you to a hostname listed in the HOSTS file is looped back to your own computer (127.0.0.1, the local machine), where nothing answers. The injected iframe would show a "page cannot be displayed" error if it were visible (it isn't; it is only 1x1 pixel!). Do the same whenever a new hostile hostname is published.
BTW: if you see any 127.0.0.1 entries for microsoft.com in your HOSTS file, remove them! Malware puts them there to keep you from getting Windows Updates or Microsoft security downloads. Ditto for any entries that point a recognizable security vendor's website at 127.0.0.1.
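For readers who would rather script the HOSTS edit than do it by hand, this Python example (added here; it is not from the original article) does the same job with the caveats above built in: it accepts hostnames only and refuses IP addresses and CIDR ranges, skips entries already present, and reports any Microsoft or security-vendor names that have been pointed at loopback. The file path is a parameter so you can try it on a copy first; the vendor list and the sample file contents are assumptions constructed for the demo, and on Vista/7 the real file can only be written from an elevated prompt.

```python
"""Add blocklist entries to a HOSTS file and audit it for malware-added redirects.

Added example, not part of the original article. The path is a parameter so the
functions can be tried on a copy; on Windows the real file is
%SystemRoot%\\System32\\drivers\\etc\\hosts and writing it needs an elevated prompt.
"""
import ipaddress
import os
import re
import tempfile

# A registrable hostname: labels of letters, digits and hyphens, then a TLD.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

# Names malware points at loopback to cut off updates. microsoft.com comes from the
# article; the other two are assumptions standing in for "security vendors".
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "trendmicro.com")


def is_blockable_hostname(name):
    """HOSTS maps names to addresses: an IP literal or CIDR range cannot be blocked in it."""
    try:
        ipaddress.ip_network(name, strict=False)
        return False                      # an address or range: a firewall job, not HOSTS
    except ValueError:
        return bool(_HOSTNAME_RE.match(name))


def parse_hosts(text):
    """Yield (address, hostname) for every mapping, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for host in fields[1:]:
            yield fields[0], host.lower()


def add_blocks(path, hostnames, sink="127.0.0.1"):
    """Append sink entries for hostnames not already present. Returns (added, rejected)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    present = {host for _, host in parse_hosts(text)}
    added, rejected = [], []
    for name in hostnames:
        name = name.strip().lower()
        if not is_blockable_hostname(name):
            rejected.append(name)
        elif name not in present:
            added.append(name)
            present.add(name)
    if added:
        with open(path, "a", encoding="utf-8") as fh:
            if text and not text.endswith("\n"):
                fh.write("\n")
            for name in added:
                fh.write("%s\t%s\n" % (sink, name))
    return added, rejected


def hijacked_entries(path):
    """Return protected names that are mapped to loopback or 0.0.0.0 (a malware tell)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        entries = list(parse_hosts(fh.read()))
    hits = []
    for addr, host in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        protected = any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)
        if protected and (ip.is_loopback or ip.is_unspecified):
            hits.append(host)
    return hits


def demo():
    """Exercise the functions on a constructed sample HOSTS file in a temp directory."""
    path = os.path.join(tempfile.mkdtemp(), "hosts")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("127.0.0.1\tlocalhost\n")
        fh.write("127.0.0.1\twww.microsoft.com\n")    # constructed: the kind of line malware plants
    wanted = ["tojandglow.com", "www.tojandglow.com", "91.212.65.138", "91.212.65.0/24"]
    added, rejected = add_blocks(path, wanted)
    added_again, _ = add_blocks(path, wanted)        # second run must be a no-op
    return {"added": added, "rejected": rejected,
            "added_again": added_again, "hijacked": hijacked_entries(path)}


if __name__ == "__main__":
    print(demo())
```

The rejection of 91.212.65.138 and 91.212.65.0/24 is deliberate: a HOSTS line for an address is silently useless, so the script refuses it rather than give a false sense of protection. The audit also catches 0.0.0.0, which some malware uses instead of 127.0.0.1 for the same purpose.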
Webmaster information to protect against hostile IP traffic
Most shared hosting accounts come with a large selection of free scripts that enhance the usability and functionality of a website: photo galleries, guestbooks, contact forms, administration interfaces, control panels, web email applications, voting scripts, blogs and CMS scripts. Many are written in PHP and have been gone over thoroughly by hackers looking for any line of insecure code that could be exploited. An unbelievable number of open source and commercial PHP scripts accept unvalidated input in form fields and request variables, which hackers exploit. To be safe, locate each author's website, check whether a more recent version is available, and upgrade every script that has been updated; the new versions will usually contain fixes for the oversights hackers are looking to exploit. Delete any installed script you no longer use: one that is still reachable on the server is just as exploitable whether or not you link to it.
CGI and Perl scripts are also targeted by hackers and spammers who search for outdated, exploitable versions of such popular applications as FormMail. A few years ago hackers began probing my websites for a program known as Matt's FormMail. Fortunately, I was already aware of the vulnerabilities in it and that hackers were probing websites for that program. The proactive steps I took and which new webmasters may also wish to take include first replacing Matt's FormMail with the more secure NMS FormMail (read my web page about FormMail Security). Next, you should rename the FormMail script to something not containing either the words Form or Mail. Don't forget to change the name of the script on your contact form pages to match the renamed file. This is all detailed on my FormMail Security web page. See my extended comments for an even better solution to hiding form scripts from hacker probes.
Webmasters, if you are in doubt about how to proceed, call or email your hosting company, ask for technical support and inquire about which scripts have been updated and which need to be, to remain secure from hackers. If your website is hosted on an Apache web server and you understand how to use .htaccess file directives, and your host allows clients to apply custom .htaccess commands, you can download and install my .htaccess blocklists to prevent persons or automated probes coming from hostile countries, or exploited servers, from accessing any part of your website. Webmasters and server administrators who possess root access can apply my iptables blocklists to deny access to all server modules, including the mail and ftp servers.
Specifically, as relates to this article, you should block all traffic coming from the Ukrainian CIDR 91.212.65.0/24. To do this in the .htaccess file at your site's document root (its directives apply to that directory and everything beneath it, provided your host's AllowOverride setting permits them), add these lines:
# Apache 2.2 (mod_authz_host): Deny rules are evaluated first, then Allow; any client not denied is allowed
<Files *>
order deny,allow
deny from 91.212.65.0/24
</Files>
# Apache 2.4 replaces order/deny with "Require not ip 91.212.65.0/24" inside a <RequireAll> block
If you are a Linux server system administrator, add the CIDR 91.212.65.0/24 to your iptables deny firewall rules. See my iptables blocklists landing page for instructions and tips.
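Both the .htaccess deny and an iptables rule such as iptables -I INPUT -s 91.212.65.0/24 -j DROP come down to one test: is the client address inside the CIDR? The Python below (an added example, not part of the original article) applies that test to web-server access-log lines so you can confirm the block is actually in effect: every hit from the range should be a 403, and anything else points at a directory the deny does not cover. The log lines are constructed; apart from the 91.212.65.0/24 range from the text, the addresses are documentation ranges.

```python
"""Audit an Apache access log against a CIDR blocklist.

Added example, not part of the original article. The blocklist holds only the
91.212.65.0/24 range named in the text; the log lines are constructed here in
common log format and use documentation addresses for the legitimate visitors.
"""
import ipaddress

BLOCKLIST = [ipaddress.ip_network("91.212.65.0/24")]

# Constructed sample (Apache common log format). The 200 from 91.212.65.77 stands for a
# request that reached a directory the .htaccess deny does not cover.
SAMPLE_LOG = """\
91.212.65.138 - - [01/May/2009:10:00:01 -0400] "GET /gallery/index.php HTTP/1.1" 403 214
203.0.113.7 - - [01/May/2009:10:00:03 -0400] "GET /index.html HTTP/1.1" 200 5120
91.212.65.20 - - [01/May/2009:10:00:05 -0400] "POST /cgi-bin/FormMail.pl HTTP/1.1" 403 214
198.51.100.42 - - [01/May/2009:10:00:09 -0400] "GET /contact.html HTTP/1.1" 200 2210
91.212.65.77 - - [01/May/2009:10:00:12 -0400] "GET /images/logo.gif HTTP/1.1" 200 3340
"""


def client_ip(line):
    """Return the client address from a common-log-format line, or None if unparsable."""
    try:
        return ipaddress.ip_address(line.split(" ", 1)[0])
    except ValueError:
        return None


def is_blocked(ip, blocklist=BLOCKLIST):
    """CIDR membership: the same test 'deny from 91.212.65.0/24' or 'iptables -s' performs."""
    return any(ip in net for net in blocklist)


def status_code(line):
    """HTTP status field that follows the quoted request in common log format."""
    parts = line.split('"')
    return parts[2].split()[0] if len(parts) > 2 and parts[2].split() else ""


def audit_log(text, blocklist=BLOCKLIST):
    """Return (hits, leaks).

    hits  - every request from a blocked range, as (ip, status);
    leaks - the blocked addresses that were NOT answered 403, i.e. where the deny
            rule is not in effect (wrong directory, AllowOverride off, typo).
    """
    hits, leaks = [], []
    for line in text.splitlines():
        ip = client_ip(line)
        if ip is None or not is_blocked(ip, blocklist):
            continue
        status = status_code(line)
        hits.append((str(ip), status))
        if status != "403":
            leaks.append(str(ip))
    return hits, leaks


if __name__ == "__main__":
    hits, leaks = audit_log(SAMPLE_LOG)
    print("blocked-range requests:", hits)
    print("requests that got through:", leaks)
```

Once the iptables rule is in place the hits disappear from the web log altogether, because the packets are dropped before Apache sees them; with only the .htaccess deny they keep appearing as 403s, which is the expected result.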
Unhiding hidden Windows files and folders and extensions
By default, most versions of Windows from 2000 onward hide what are called protected system files and the extensions of known file types. This makes it difficult to edit your hosts file, which lives in the Windows\System32\drivers\etc folder and, depending on your view settings, may not be displayed; it also hides files in your logged-in identity's Application Data folder. Malware executables frequently fool Windows users by putting a normally harmless extension in front of the real one, knowing that many users never change the default view to show extensions. Thus a file displayed as "filename.mp3" may actually be named "filename.mp3.exe" and may be a Trojan. If you haven't changed the default view options you would never see the .exe on the end, and could launch a Trojan installer by double-clicking what you thought was an image, audio or video file.
Here is how to unhide the files that Windows thinks you don't need to be bothered with (sigh).
- In Windows 2000 (Professional or Server), XP, or Server 2003, open My Computer, either from a desktop icon or from Start > (My) Computer
- Click on the menu item TOOLS, then FOLDER OPTIONS.
- Then skip ahead to the "In all platforms" step below
- In Windows Vista, Windows 7, or Windows Server 2008, open Computer from the Start menu
- Click on the "Organize" button, then choose "Folder and Search Options."
- In all platforms, click on "View" tab of Folder Options
- In the Folder Options > View window, there are four (4) settings you may need to change:
- Display the contents of System Folders (check this)
- Do not show Hidden files and folders (uncheck this)
- Hide extensions for known file types (uncheck this)
- Hide protected operating system files (uncheck this)
- Click Apply
- Click OK until you have exited the options windows, leaving just the (My) Computer window open.
Now you can navigate to the system folder where your "hosts" (or other hidden) file lives and actually see it.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.