Endpoint Protection


Mass Injection Website 19

ℬrίαη, Jan 12, 2016 07:23 AM

  • 1.  Mass Injection Website 19

    Posted Sep 23, 2015 01:09 PM

    Hi, I called the help line and they suggested I come here.  I hope this is in the right place.  I am working on a website: www.ppdandg.com

     

    Two people have seen a message stating "mass injection site 19" and I'm wondering what that means.  The site is still in development and not yet being advertised.  I don't know what their antivirus settings are, just that it is "endpoint".  Can anyone tell me what triggers this warning and what it means?



  • 2.  RE: Mass Injection Website 19

    Posted Sep 23, 2015 01:20 PM

    This is triggered by the IPS component of SEP. Full details are here:

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28821

    Basically it looks like the site may have been compromised and re-directing users to other malicious sites.

    SEP is doing its job by blocking the potential attack.

    Here's the URL it triggers on:

    [image: Capture_113.JPG]

    I would verify the site has not been compromised.

    Take a look at that main.min.js file, it has hidden iFrames in it. Is this intended?



  • 3.  RE: Mass Injection Website 19

    Posted Sep 23, 2015 02:08 PM

    Thanks for your response.  Is it possible that the site was previously hosted somewhere else and being worked on, and now it is hosted somewhere else?  I think some of the image URLs still contain the old hosting addresses. I'm not used to troubleshooting this kind of issue.  Is this a possibility?



  • 4.  RE: Mass Injection Website 19

    Posted Sep 23, 2015 02:16 PM

    Without knowing the history and looking at code it's tough to say. I would pass on to your developers and have them take a look.



  • 5.  RE: Mass Injection Website 19

    Broadcom Employee
    Posted Sep 30, 2015 02:26 PM

    Hi,

    Symantec Endpoint Protection will not block web sites by default. I just tried to browse through www.ppdandg.com, and didn't get any error message. If you face any issue, share the exact URL and we would like to look into it.

    Or it might be environment specific; you need to check the logs to know more about it.

    You can check Traffic/Packet logs.

     



  • 6.  RE: Mass Injection Website 19

    Posted Jan 09, 2016 10:17 PM

    Hi,

    My Joomla! sites started experiencing this problem. After some research I found the injected script. I have posted my solution at my site here:

    http://mogir.jason.rofick.com/index.php/my-contributions/9-contributions/4-web-attack-mass-injection-website-19-solved



  • 7.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 04:21 AM

    Hi, I'm having the same problem with my website beyondcodes.com. Can you please suggest something ASAP which I can do?

     



  • 8.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 07:23 AM

    Are you a Symantec customer?



  • 9.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 07:43 AM

    Yes, I've got Norton 360 installed. Also some of my clients are using Norton, hence they are also not able to open the website. Can you please help me out?



  • 10.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 07:49 AM

    You'll need to get a case open with Symantec.

    You can report it as a false positive here:

    http://www.veritas.com/community

     



  • 11.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 08:36 AM

    Hi,

    Part of the problem is that this problem is not one that Norton security can prevent.

    Norton cannot prevent files that are open to the public from being tampered with. It is already doing its job though, by preventing the redirects to other malicious websites. So, I don't think opening a Symantec case # will help much.

    I have updated my post on my website link shown above. It will help you to better understand how to take control of your administrator security responsibility.

    Hope it helps you.

    Here is the link again:

    http://mogir.jason.rofick.com/index.php/my-contributions/9-contributions/4-web-attack-mass-injection-website-19-solved

     



  • 12.  RE: Mass Injection Website 19

    Posted Jan 12, 2016 10:47 AM

    Have a look here:

    https://blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html

     

    This is most likely what happened in your cases (apparently, "Mass Injection Website 19" IPS signature is covering such attacks, which would explain why you get these alerts triggered).



  • 13.  RE: Mass Injection Website 19

    Posted Jan 13, 2016 06:15 AM

    An excellent and helpful post!  Many thanks Mogir Jason Rofick!

    These "Web Attack: Mass Injection Website" IPS events are rarely False Positives.  No one should ignore them, and if you are the owner of the site, examining for unexpected code (as illustrated in the blog post) is definitely the best course of action.

    More IPS reading here:

    Two Reasons why IPS is a "Must Have" for your Network
    https://www-secure.symantec.com/connect/articles/two-reasons-why-ips-must-have-your-network
     

    What Symantec’s Intrusion Prevention System did for you in 2015
    https://www-secure.symantec.com/connect/blogs/what-symantec-s-intrusion-prevention-system-did-you-2015

     

    With thanks and best regards,

    Mick



  • 14.  RE: Mass Injection Website 19

    Posted Jan 14, 2016 04:34 PM

    Thanks Brian. I've done that but still the same problem.



  • 15.  RE: Mass Injection Website 19

    Posted Jan 14, 2016 04:36 PM

    Hi Mogir,

    Thanks a lot for your reply. But I've got a WordPress website and I'm not a coder, so much of this is Greek to me. Can you please help me out with steps for a WordPress website. The name of my website is beyondcodes.com

    Will be much appreciated. Thanks



  • 16.  RE: Mass Injection Website 19

    Posted Jan 14, 2016 07:45 PM

    Hi ngnorton,

    To try to help (and I cannot guarantee success), I have set up my own test WordPress site.

    * It is a new unmodified install set up at about 7:15 EST on 1-14-2015

    * It has no write-protected files.

    The test site is at: http://cybercerebrum.com/

    If I am correct, it will be affected in about 24 hours or so, as this is what recurs on my Joomla sites (on the same host) when the files are unprotected.

    If it happens I will go through it to find where the offending code is injected, update my website page, and let you know how I think you can help yourself out.



  • 17.  RE: Mass Injection Website 19

    Posted Jan 15, 2016 05:16 AM

    Hi Mogir,

    Thanks a lot for taking so much pain. Really appreciate it. I have isolated the files which were causing the problem, as while copying via FileZilla, Norton prompted me about the files which were causing this attack. The problem I guess lies in the header.php file and in the directory "wpcf7_captcha" which is associated with Really Simple CAPTCHA and Contact Form 7. I think a shell script was uploaded via the upload file property.

    But I'm unable to isolate the problem part of the script and the specific files in the directory causing the problem.

    I guess after the problem is rectified I'll also have to change the .htaccess file as well, as you had mentioned in your earlier post.

     

     



  • 18.  RE: Mass Injection Website 19

    Posted Jan 15, 2016 10:03 AM

    Hi ngnorton,

    A new unmodified WordPress install was set up (http://cybercerebrum.com/) at my host at about 7:15 EST on 1-14-2016, (I accidentally stated 2015 above). It had no write-protected files and was working great.

    As suspected, at about 9:40 EST on 1-15-2016, I attempted to go to the site and it is now infected.

    So, stay tuned!



  • 19.  RE: Mass Injection Website 19

    Posted Jan 15, 2016 05:16 PM

    Ok. I have my WordPress site back up with a write-protected header.php file (under the twentysixteen theme folder).

    The other header.php files under the other unused themes were infected too.

    So, the problem is definitely a simple matter of file write-protection or even file password write-protection from the public.

    What I did is posted on my site here:

    http://mogir.jason.rofick.com/index.php/my-contributions/9-contributions/4-web-attack-mass-injection-website-19-solved

    Best of hopes for you and all!
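The two concrete checks the thread arrives at are "look at the file for hidden iFrames" (post 2) and "write-protect header.php, and check the header.php of every unused theme too" (post 19). The following script is an added example for this page, not code from any of the posters or from WordPress; it audits a themes directory (the path `wp-content/themes` and the grep patterns are assumptions chosen for illustration) by flagging header.php files with hidden iframes or external/obfuscated scripts, recording and re-checking a sha256 baseline so any later modification is noticed, and then removing the write bit as post 19 describes.

```shell
#!/bin/sh
# Added example (not from this thread or any of the posters): audit the
# header.php files under a WordPress themes directory.
# Assumed layout: THEMES_DIR/<theme>/header.php, e.g. wp-content/themes.

# scan_headers DIR: print "file: reason" for each suspicious header.php.
# Exit status 0 = nothing flagged, 1 = at least one file flagged.
scan_headers() {
    found=0
    for f in "$1"/*/header.php; do
        [ -f "$f" ] || continue
        # Hidden or zero-sized iframes are the classic mass-injection payload.
        if grep -Eiq '<iframe[^>]*(display: *none|width="?0|height="?0)' "$f"; then
            echo "$f: hidden iframe"
            found=1
        fi
        # Raw <script src="http..."> tags in header.php, or eval/base64
        # obfuscation, are unexpected: themes normally enqueue scripts from
        # functions.php instead of hard-coding them here.
        if grep -Eiq '<script[^>]+src="?https?://' "$f" \
           || grep -Eiq 'eval\(|base64_decode\(' "$f"; then
            echo "$f: external or obfuscated script"
            found=1
        fi
    done
    return $found
}

# baseline_headers DIR OUTFILE: record the sha256 of every header.php
# (including the unused themes, which post 19 found infected as well).
baseline_headers() {
    find "$1" -type f -name header.php -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline OUTFILE: exit 0 only if every recorded file is unchanged.
check_baseline() {
    sha256sum -c "$1" > /dev/null 2>&1
}

# protect_headers DIR: drop the write bit on every header.php.
protect_headers() {
    find "$1" -type f -name header.php -exec chmod a-w {} +
}

# Usage: audit_themes.sh /path/to/wp-content/themes /path/to/baseline.sha256
# First run writes the baseline; later runs compare against it.
if [ "$#" -eq 2 ]; then
    themes="$1"; baseline="$2"
    if [ -f "$baseline" ]; then
        check_baseline "$baseline" || echo "baseline mismatch: a header.php changed"
    else
        baseline_headers "$themes" "$baseline" && echo "baseline written to $baseline"
    fi
    scan_headers "$themes" || echo "review the files listed above"
    protect_headers "$themes"
fi
```

Removing the write bit only helps if the injecting process runs as a different user than the file owner; a web shell running as the same account as the site files (post 17 suspects one was uploaded through a plugin's upload feature) can simply chmod the file back, so the baseline check is the part that keeps telling you something changed, and the upload vector itself still has to be found and closed.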

     



  • 20.  RE: Mass Injection Website 19

    Posted Jan 22, 2016 12:24 PM

    This new Security Response post may also be of interest:

     

    Global mass injection affects thousands of websites worldwide

    https://www-secure.symantec.com/connect/blogs/global-mass-injection-affects-thousands-websites-worldwide