Site malware (trojan) keeps coming every time - trojan

Recently I discovered that a lot of websites I built were infected with malware.
The first thing I did was download all the contents of the websites to my local PC and run a scan with Windows Security Essentials on it. WSE discovered a trojan in the index.php of a few (4/15) websites. After repairing the indexes I uploaded all the contents to my web server, and the problem was solved.
But not for long. A month later the problem came back. In the meantime I had purchased a new laptop with a clean Windows 7 installation. I did the same trick I did earlier (the first time I discovered the malware), and it also resulted in finding a couple of trojans. After repairing and uploading, the problems were solved.
But this time too the problems keep returning, and I don't know what to do anymore.
Does anybody have experience with such problems?
A list of sites infected with the malware:
maurijnpach.nl
banket-ritmeester.nl
mtbmuseum.nl
dekipspecialist.nl
The only thing I can think of is that all the websites are hosted at the same hosting provider: Webreus
Does anybody have any suggestions, or better, a solution for me?

Maybe your host is leaked or "something". You said nothing about your sites. Maybe they are just bad/open for malware code. Are you using some CMS? Check file/folder permissions and change the passwords for FTP/MySQL. And tell us more about your sites' structure.
To me it looks like a server intrusion. Talk with your host and change your passwords for better ones.
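A concrete way to follow the advice above (check permissions, find out what keeps changing) is to take a hash baseline of the web root right after a clean upload and diff against it when the infection returns. The script below is an added example, not code from this thread or from the hosting provider; the directory layout, the obfuscation markers it greps for and the simulated reinfection in demo() are all constructed for illustration.

```python
"""Baseline-and-diff integrity check for a web root.

Added example (not from the thread): take a SHA-256 baseline of a web root
after a clean upload, then report modified/added/removed files, world-writable
paths and PHP files carrying common obfuscation markers when the site is
checked again. Paths, markers and the demo tree are constructed assumptions.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Constructed markers: strings that frequently appear in injected PHP payloads.
SUSPECT_MARKERS = (b"eval(base64_decode(", b"gzinflate(base64_decode(", b"str_rot13(")


def _rel(root: Path, p: Path) -> str:
    return str(p.relative_to(root)).replace(os.sep, "/")


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    return {_rel(root, p): hash_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def compare(root: Path, baseline: dict) -> dict:
    """Diff the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def world_writable(root: Path) -> list:
    """Paths with the 'other write' bit set; a frequent reinfection foothold on shared hosts."""
    return sorted(_rel(root, p) for p in root.rglob("*") if p.stat().st_mode & stat.S_IWOTH)


def suspicious_php(root: Path) -> list:
    """PHP files containing any of the obfuscation markers above."""
    hits = []
    for p in root.rglob("*.php"):
        if any(m in p.read_bytes() for m in SUSPECT_MARKERS):
            hits.append(_rel(root, p))
    return sorted(hits)


def demo() -> dict:
    """Build a constructed site in a temp dir, baseline it, simulate a reinfection, report."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "index.php").write_bytes(b"<?php include 'inc/config.php'; echo 'hello'; ?>")
    (root / "inc").mkdir()
    (root / "inc" / "config.php").write_bytes(b"<?php $db = 'site'; ?>")
    baseline = build_baseline(root)

    # Simulated reinfection (constructed): an obfuscated stub is prepended to index.php
    # and a new file appears in a directory that was left world-writable.
    original = (root / "index.php").read_bytes()
    (root / "index.php").write_bytes(b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>" + original)
    (root / "inc" / "dropper.php").write_bytes(b"<?php /* constructed */ ?>")
    os.chmod(root / "inc", 0o777)

    return {
        "diff": compare(root, baseline),
        "world_writable": world_writable(root),
        "suspicious_php": suspicious_php(root),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline JSON somewhere outside the web root (an attacker who can rewrite index.php can rewrite a baseline kept beside it), and run the comparison from a cron job or before every upload. A file that is modified while nobody deployed, plus a world-writable directory, points at the server side rather than the developer's PC, which is exactly the distinction the poster needs.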

Related

How can I verify that Octoprint can't/won't turn my RaspberryPi into malware?

I don't mean any offense, but as I was setting up my Octoprint, a skeptical colleague of mine pointed out that it wanted to reach out to check for automatic software updates, creating broad surface area for potential attackers.
After all, the RaspberryPi is a device inside my home network, and I worry what might happen if it downloaded and ran code designed to find other vulnerable devices on my network.
I suppose I could read the open source code, but I don't know what the software delivery story is.
Planning to donate to Gina Häußge's Patreon to ask directly.
You can turn off Octoprint's auto-update feature. It is also open-source, so you can modify its code to never contact the Internet.
Quoting Gina Häußge:
As with any software that you install on your machines, there are no guarantees that it can't be abused. OctoPrint's update mechanism utilizes Github Releases via HTTPS only, and I require anyone with commit access to the repository to have two factor authentication enabled. That should make it fairly unlikely to get any rogue releases pushed via the official update mechanism. You can also just deny OctoPrint access to the internet altogether, it will run just fine. Keep in mind though that you'll need to take care of updates and plugin installs and such manually then. Speaking of plugins, you should obviously also not install anything that you find somewhere on the net. I do my best to audit plugins that get registered on the official repository, but I cannot guarantee that their authors have 2FA and such enabled for their repositories... All I can tell you is, I do my best, spend a lot of thought on security and if push comes to shove you can always read the code yourself.

Detecting end-user connection speed problems in Apache for Windows

Our company provides web-based management software (servicedesk, helpdesk, timesheet, etc) for our clients.
One of them has been causing a great headache for some months, complaining about the connection speed with our servers.
In our individual tests, the connection and response speeds are always great.
Some information about this specific client :
They have about 300 PCs on their local network, all using the same bandwidth/server for internet access.
They don't allow us to ping their server, so we can't establish a trace route.
They claim every other site (google, blogs, news, etc.) is always responding fast. We know for a fact they have no intention to mislead us and know this to be true.
They might have up to 100 PCs simultaneously logged in to our software at any given time. They need to increase that amount to 300, so this is a major issue.
They are helpful and collaborative in this issue we have been trying to resolve for a long time.
Some information about our server and software :
We have been able to serve more than 400 users at a single time without major speed losses for other clients.
We have gone to extensive lengths to make good use of data caching and opcode caching in the software itself, and we did notice the improvement (from fast to faster).
There are no database, CPU or memory bottlenecks or leaks. Other clients are able to access the server just fine.
We have little to no knowledge of how to analyze specific end-user problems (Apache running under Windows Server), and this is where I could use a lot of help.
Anything that might be related to Apache configuration would also be helpful.
While all signs point to it being an internal problem in this specific client's network, we are dedicating this effort to solving that too, if that is the case, but we do not have capable or trained professionals to deal with network problems (they do, however, while their main argument is that 'all other sites are fast, only yours is slow').
You might want to have a look at the tools from Google's "Page Speed" family: http://code.google.com/speed/page-speed/docs/overview.html
Your customer should maybe run the Page Speed extension for you. Maybe then you can find out what the problem is: http://code.google.com/speed/page-speed/docs/extension.html
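Page Speed measures the browser side. The server side can be measured without touching the client at all: Apache's %D format specifier logs the microseconds spent serving each request, so a per-client breakdown of the access log shows whether the complaining network's requests are slow inside Apache or only on the path to it. The script below is an added example, not code from this thread; it assumes a LogFormat of "%h %l %u %t \"%r\" %>s %b %D" in httpd.conf, and the log lines embedded in it are constructed (IPs from documentation ranges).

```python
"""Server-side latency per client from Apache access logs.

Added example, not code from the thread. Assumes httpd.conf contains
    LogFormat "%h %l %u %t \"%r\" %>s %b %D" with_time
so the last field (%D) is the microseconds Apache spent on the request.
SAMPLE_LOG is constructed; the addresses are documentation ranges.
"""
import re
import statistics
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<us>\d+)$'
)

# Constructed sample: 203.0.113.10 stands for the complaining client's NAT address.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2011:09:00:01 +0100] "GET /helpdesk/list HTTP/1.1" 200 5120 41000
203.0.113.10 - - [10/Mar/2011:09:00:02 +0100] "POST /helpdesk/save HTTP/1.1" 302 0 52000
203.0.113.10 - - [10/Mar/2011:09:00:03 +0100] "GET /timesheet HTTP/1.1" 200 8800 38000
203.0.113.10 - - [10/Mar/2011:09:00:05 +0100] "GET /helpdesk/list HTTP/1.1" 200 5100 60000
203.0.113.10 - - [10/Mar/2011:09:00:07 +0100] "GET /static/app.js HTTP/1.1" 304 0 45000
198.51.100.5 - - [10/Mar/2011:09:00:01 +0100] "GET /helpdesk/list HTTP/1.1" 200 5120 30000
198.51.100.5 - - [10/Mar/2011:09:00:04 +0100] "GET /timesheet HTTP/1.1" 200 8800 35000
198.51.100.5 - - [10/Mar/2011:09:00:06 +0100] "GET /static/app.js HTTP/1.1" 200 4000 33000
192.0.2.7 - - [10/Mar/2011:09:00:02 +0100] "GET /report/monthly HTTP/1.1" 200 90000 2500000
192.0.2.7 - - [10/Mar/2011:09:00:09 +0100] "GET /report/monthly HTTP/1.1" 500 0 3100000
this line is garbage and must be skipped
"""


def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        parts = m.group("req").split()
        yield {
            "ip": m.group("ip"),
            "path": parts[1] if len(parts) > 1 else m.group("req"),
            "status": int(m.group("status")),
            "ms": int(m.group("us")) / 1000.0,
        }


def percentile(values, p):
    """Linear-interpolated percentile (p in 0..1) over a non-empty list."""
    s = sorted(values)
    k = (len(s) - 1) * p
    lo, hi = int(k), min(int(k) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (k - lo)


def per_client(rows):
    """Per source IP: request count, median and p95 server time, number of 5xx responses."""
    by_ip = defaultdict(list)
    errors = defaultdict(int)
    for r in rows:
        by_ip[r["ip"]].append(r["ms"])
        if r["status"] >= 500:
            errors[r["ip"]] += 1
    return {
        ip: {"n": len(v), "median_ms": statistics.median(v),
             "p95_ms": round(percentile(v, 0.95), 1), "errors_5xx": errors[ip]}
        for ip, v in by_ip.items()
    }


def slow_clients(stats, threshold_ms=500.0):
    """IPs whose median server-side time exceeds the threshold: that part is the server's problem."""
    return sorted(ip for ip, s in stats.items() if s["median_ms"] > threshold_ms)


def analyze(text=SAMPLE_LOG):
    stats = per_client(parse(text.splitlines()))
    return {"clients": stats, "slow_server_side": slow_clients(stats)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

If the complaining client's median and p95 come out in the tens of milliseconds (as 203.0.113.10 does in the sample) while the user-perceived time is seconds, the delay is being added between Apache and the browser: their proxy, their uplink, or a DNS/TCP problem on their side, which is what their own network people need to look at. A client whose %D is genuinely large (192.0.2.7 in the sample) is the server's problem, so this split settles the "only yours is slow" argument with data from the server alone.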

Not enough storage error on CGI app under Win64

I have a Delphi (hence 32-bit) CGI app running on a Windows 2008 64-bit server that has 24 GB RAM with IIS7. The web service runs fine for a few days at a time (sometimes a few weeks) and then suddenly starts reporting "Not enough storage available to process this command."
Now I've seen this before in regular Windows apps and it normally means that the machine ran out of memory. In this instance, the server shows that only 10% of physical RAM is in use. On top of that, Task Manager shows only one instance of the CGI executable, with 14 MB allocated. And once it starts it keeps giving the error, regardless of actual server load. No way is this thing really running out of memory.
So I figured there is probably some maximum memory setting in IIS7 somewhere, but I couldn't find anything of the sort. Restarting the web server makes the problem go away until next time, but is probably not the best strategy.
Any ideas?
It might be an IRPStackSize issue as discussed here. And the particular cause mentioned in that article is not the only one, apparently.
The CGI does not seem to ever unload under IIS7, even though it seems to work under IIS6. This seems to be a problem with the CGI support on IIS7.

Does anyone know about issues between Citrix and Delphi 2007 applications? (And perhaps other development languages?)

The situation is simple. I've created a complex Delphi application which uses several different techniques. The main application is a WIN32 module but a few parts are developed as .NET assemblies. It also communicates with a web service or retrieves data from a specific website. It keeps most of its user data inside an MS Access database with some additional settings inside the Registry. In memory, all data is converted into an XML document, which is occasionally saved to disk as a backup in case the system crashes. (Thus allowing the user to recover his data.) There's also some data in XML files for read-only purposes. The application also executes other applications and waits for those to finish. All in all, it's a pretty complex application.
We don't support Citrix with this application, although a few users do use this application on a Citrix server. (Basically, it allows those users to be more mobile.) But even though we keep telling them that we don't support Citrix, those customers are trying to push us to help them with some occasional problems that they tend to have.
The main problem seems to be an occasional random exception that seems to pop up on Citrix systems. Never at the same location, and often it looks related to some memory problems. We've plenty of error reports already and there are just too many different errors. So I know solving all those will be complex.
So I would like to go a bit more generic and just want to know about the possible issues a Delphi (2007) application can have when it's run on a Citrix system. Especially when this application is not designed to be Citrix-aware in any way. We don't want to support Citrix officially but it would be nice if we can help those customers. Not that they're going to pay us more, but still...
So does anyone know some common issues a Delphi application can have on a Citrix system?
Does anyone know about common issues with Citrix in general?
Is there some Silver Bullet or Golden Hammer solution somewhere for Citrix problems?
Btw. My knowledge about Citrix is limited to this Wikipedia entry and this website... And a bit I've Googled...
There were some issues in the past with Published Delphi Applications on Citrix having no icon in the taskbar. I think this was resolved by the MainFormOnTaskbar (available in D2007 and higher). Apart from that there's not much difference between Terminal Server and Citrix (from the Application's perspective), the most important things you need to account for are:
Users are NEVER administrator on a Terminal or Citrix Server, so they have no rights in the Local Machine part of the registry, the C drive, the Program Folder and so on.
It must be possible for multiple users on the same system to start your application concurrently.
Certain folders such as the Windows folder are redirected to prevent possible application issues; this also means that APIs like GetWindowsFolder do not return the real Windows folder but the redirected one. Note that this behaviour can be disabled by setting a particular flag in the PE header (see delphi-and-terminal-server-aware).
Sometimes multiple servers are used in a farm, which means your application can run on any of these servers; the user is redirected to the least busy server at login (load balancing). Therefore do not use any local database to store things.
If you use an external database or middleware or application server note that multiple users will connect with the same computername and ip address (certain Citrix versions can use Virtual IP addresses to address this).
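The "particular flag in the PE header" from Remko's third point is IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE (0x8000) in the optional header's DllCharacteristics field; when it is set, Windows does not apply Terminal Services file and registry redirection to that process. The script below is an added example, not code from this thread or the linked article: it reads the PE headers far enough to report whether an executable has the bit, and can set or clear it on a copy. The stub image that make_stub_pe() builds is constructed for demonstration only and is not loadable.

```python
"""Inspect or set the Terminal-Server-aware bit in a PE header.

Added example, not from the thread or the linked article. Walks the DOS
header -> PE signature -> COFF header -> optional header chain and reads
DllCharacteristics, which sits at offset 70 of the optional header for both
PE32 and PE32+. make_stub_pe() is a constructed, header-only image.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE = 0x8000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def _dllcharacteristics_offset(image: bytes) -> int:
    """Return the file offset of DllCharacteristics, validating the headers on the way."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72 or opt + 72 > len(image):
        raise ValueError("optional header too short")
    return opt + 70                                   # DllCharacteristics (same offset in PE32/PE32+)


def is_terminal_server_aware(image: bytes) -> bool:
    flags = struct.unpack_from("<H", image, _dllcharacteristics_offset(image))[0]
    return bool(flags & IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE)


def set_terminal_server_aware(image: bytes, aware: bool = True) -> bytes:
    """Return a copy of the image with the bit set or cleared; other bits are untouched."""
    off = _dllcharacteristics_offset(image)
    buf = bytearray(image)
    flags = struct.unpack_from("<H", buf, off)[0]
    if aware:
        flags |= IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
    else:
        flags &= ~IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE & 0xFFFF
    struct.pack_into("<H", buf, off, flags)
    return bytes(buf)


def make_stub_pe(dll_characteristics: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image: DOS header, PE signature, COFF header, optional header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header follows the DOS header
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C           # AMD64 / i386
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)                # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_stub_pe()
    print("terminal-server aware:", is_terminal_server_aware(image))
```

Run it against your built .exe to confirm what the linker actually emitted. The compile-time route is Delphi's {$SetPEOptFlags} directive with the same 0x8000 value; patching the bit afterwards, as set_terminal_server_aware() does, is only appropriate for a test build, since it invalidates any Authenticode signature and the optional-header checksum. Note that a TS-aware binary stops getting the redirected Windows folder and per-user registry shims, so it must already be well-behaved about writing only to user-writable locations, which is Remko's first point.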
Many of our customers use our Delphi applications on Citrix. Generally speaking, it works fine. We had printing problems with older versions of Delphi, but this was fixed in a more recent version of Delphi (certainly more recent than Delphi 2007). However, because you are now running under terminal services, there are certain things which will not work, with or without Citrix. For example, you cannot make a local connection to older versions of InterBase, which use a named pipe without the GLOBAL modifier. Using DoubleBuffered would also be a really bad idea. And so on. My suggestion is to look for advice concerning Win32 apps and Terminal Services, rather than looking for advice on Delphi and Citrix in particular. The one issue which is particular to Citrix that I'm aware of is that you can't count on having a C drive available. Hopefully you haven't hard-coded any drive letters into your code, but if you have you can get in trouble.
Generally speaking, your application needs to be compatible with MS Terminal Services in order to work with XenApp. My understanding is that .NET applications are Terminal Services-compatible, and so by extension should also work in a Citrix environment. Obviously, as you're suffering some problems, it's not quite that simple, however.
There's a testing and verification kit available from http://community.citrix.com/citrixready that you may find helpful. I would imagine the Test Kit and Virtual Lab tools will be of most use to you. The kit is free to use, but requires sign-up.
Security can be an issue. If sensitive folders are not "sandboxed" (See Remko's discussion about redirection), the user can break out of your app and run things that they shouldn't. You should probe your app to see what happens when they "shell out" of your app. Common attack points are CHM Help, any content that uses IE to display HTML, and File Open/Save dialogs.
ex: If you show .chm help, the user can right-click within a help topic, View Source. That typically opens Notepad. From there, they can navigate the directory structure. If they are not properly contained, they may be able to do some mischief.
ex: If they normally don't have a way to run Internet Explorer, and your app has a clickable URL in the about box or a "visit our web site" in the Help menu, voila! they have access to the web browser. If unrestrained, they can open a command shell by navigating to the windows directory.

TFS Build Server drop location error

We're using TFS Build Server to ensure that all files checked in by developers are going to compile to a working source tree, because there's nothing worse than a broken build!
Anyway, we've been having some problems with the drop location that Build Server wants to use; we keep getting this error:
TFS209011: Could not create drop location \build-server\drops\project\BuildNumber. No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept
Since this is being used in a pilot program at the moment we only have 2 projects which are using the Build Server. I've checked the network share and the allowed number of connections is about 100 so I don't really get what the problem is.
Only occasionally does the problem rear its head; quite often we'll not have one for days, and then we'll have a bunch in a row.
I can't seem to find much info on this either.
I'm pretty good with TFS - but a dev not a network guy. I would GUESS that while the NETWORK SHARE itself allows 100 connections, is it possible the underlying server it is running on doesn't have some sort of limitation?
Have you checked event logs?
This problem seems specific enough I would encourage you to post to the official Microsoft forums.
It looks like the problem is to do with our install of Windows 2003, we have "Web Edition" installed and it is limited to just 10 connections.
I ended up with a post on the MSDN forums in which I got this answer: http://forums.microsoft.com/msdn/ShowPost.aspx?PostID=3967598&SiteID=1&mode=1