Advertisment

Browsing this Thread: 1 Anonymous Users
Setsuka Setsuka
  • Just popping in
  • Just popping in
  • Joined: 2006/5/25 12:14
  • Group: Registered Users
  • Posts: 13
  • Offline
  • Posted on: 2013/10/4 23:10
ocaholic.ch blocked by chrome #1
bei mir wird z.Z. die Webseite von Chrome geblockt mit der Begründung, dass sich darauf malware befindet, möglicherweise einer der Werbebanner?

The Website Ahead Contains Malware!
Google Chrome has blocked access to www.ocaholic.ch for now.
Even if you have visited this website safely in the past, visiting it now is very likely to infect your computer with malware.
Malware is malicious software that causes things like identity theft, financial loss, and permanent file deletion. Learn more

http://safebrowsing.clients.google.co ... ent=googlechrome&hl=en-US

PS dies gilt bei mir nun sogar bei firefox
rewarder rewarder
  • Webmaster
  • Webmaster
  • Joined: 2004/7/5 12:54
  • From Zürich CH
  • Group: Registered Users Webmasters
  • Posts: 3196
  • Offline
  • Posted on: 2013/10/4 23:52
Re: ocaholic.ch blocked by chrome #2
Ich bekomm die Kriese ... finde den scheiss einfach nicht
rewarder rewarder
  • Webmaster
  • Webmaster
  • Joined: 2004/7/5 12:54
  • From Zürich CH
  • Group: Registered Users Webmasters
  • Posts: 3196
  • Offline
  • Posted on: 2013/10/5 1:22
Re: ocaholic.ch blocked by chrome #3
Meanwhile I found that there where some iframes, associated with our adsystem pointing to weird URL's. So far I don't understand how it was possible to inject this code
rewarder rewarder
  • Webmaster
  • Webmaster
  • Joined: 2004/7/5 12:54
  • From Zürich CH
  • Group: Registered Users Webmasters
  • Posts: 3196
  • Offline
  • Posted on: 2013/10/5 10:28
Re: ocaholic.ch blocked by chrome #4
After spending the night searching for the needle in the haystack ocaholic got unlisted by google and I actually find the code that got injected, in whatever way into our adsystem.

In any case, I can say now that the site got unlisted and it's perfectly safe to browse.
Setsuka Setsuka
  • Just popping in
  • Just popping in
  • Joined: 2006/5/25 12:14
  • Group: Registered Users
  • Posts: 13
  • Offline
  • Posted on: 2013/10/5 16:33
Re: ocaholic.ch blocked by chrome #5
yeah thought so ... ads are a very handy way to distribute malware since you don't distribute it yourself, you can do it on many sites at the same time and even chose to only sometimes as well as mutate it every time to keep a low profile.

Have now a good day of sleep :p Sic vis pacem para bellum
rewarder rewarder
  • Webmaster
  • Webmaster
  • Joined: 2004/7/5 12:54
  • From Zürich CH
  • Group: Registered Users Webmasters
  • Posts: 3196
  • Offline
  • Posted on: 2013/10/5 19:32
Re: ocaholic.ch blocked by chrome #6
Quote:

Setsuka wrote:
yeah thought so ... ads are a very handy way to distribute malware since you don't distribute it yourself, you can do it on many sites at the same time and even chose to only sometimes as well as mutate it every time to keep a low profile.

Have now a good day of sleep :p


Actually, I don't really understand the logic behind. Does somebody have to have access to our adsystem to do this or would it basically be enough, when there is a folder with 777 rights, where the actual ads are stored?
Setsuka Setsuka
  • Just popping in
  • Just popping in
  • Joined: 2006/5/25 12:14
  • Group: Registered Users
  • Posts: 13
  • Offline
  • Posted on: 2013/10/11 10:11
Re: ocaholic.ch blocked by chrome #7
Edit: ui the post ended up longer than intended and sounds like a consultant. Feel free to edit away useless and inappropriate parts

Okay to be honest I don't know how your ad system looks like.

Disclaimer
I'm not a specialist regarding web security. What I'm suggesting could be entirely wrong or outdated. It's simply based on the things I believe to know and read about.
Disclaimer end

As far as i know many of the hosted websites offer site space to an ad company (Google, etc.). The ad data is hosted at the ad provider and simply loaded as part of the website. So if an attacker is able to compromise the ad provider, he can compromise all the websites displaying the ads.

In case you host all the ad data yourself then the situation looks a bit different and would likely mean a lot more work for you

Finding it can be rather difficult especially if it is in the end in a js that loads data from another host, which again would mean that it wouldn't be your website that has to be compromised. Also good luck finding an exploit hidden in a picture or flash animation.

Finding out how it got there can also very tricky (even if you still have the logs :p ). Again it also could be that the legitimate ad data was already compromised before you got it from your legitimate source, or you got it of a seemingly legitimate source, etc., etc. It could be also a misconfiguration (as you pointed out), as well as "weak" authentication of an admin account, usually weak, guessable, brute-forceable, easy resetable (especially when the reset email account is hacked) passwords. Generally users use 3-5 passwords for all the accounts, I currently track something like 50+ accounts for myself. The attacker could also use a 0-day exploit to gain access, good luck detecting that

Conclusions
The analysis of an incident can be very time consuming.
You don't necessary have to be to blame since it could be sideloaded.
All you can do is trying to apply best practices with the resources you have to provide appropriate security for the service you provide.
rewarder rewarder
  • Webmaster
  • Webmaster
  • Joined: 2004/7/5 12:54
  • From Zürich CH
  • Group: Registered Users Webmasters
  • Posts: 3196
  • Offline
  • Posted on: 2013/10/11 13:50
Re: ocaholic.ch blocked by chrome #8
Well we do run ads on our own adserver. There is nothing going via Google. Actually I don't know if Google offers a service where you can upload your own ads to then be displayed. I only know Google Adsense which doesn't work like that.

And well yes, the issue we finally had, was that somebody, somehow injected code into a prepend field of the banners. It looks like this is a common issue with OpenX sinc, I was able to find some hints while googling for openx security vulnerabilities. It was a bit painful to search through each and every ad we run, especially since there are quite a few geotargeted banners. In the end it made me click through the adsystem for about 5 hours.

I do concurr with your conclusion. At this stage we can't afford another employee which is not taking care of actual content creation work, so there is only the possibility to stick to best practices. The whole security situation actually kind of sucks. If you run a growing website, you become a target of attacks automatically it seems ...
ocaholic.ch blocked by chrome [Website] - ocaholic