  1. #21
    Join Date
    Oct 2006
    Location
    localhost
    Posts
    3,375


    The issues with the virus warnings over the websites have been sorted out. It was indeed a network issue & was related to an ARP spoofing attack. One of our dedicated servers used the gateway IP of the same subnet as your IPs & was using it to inject JavaScript code in our network. We have terminated that infected server as of now & have set up static ARP on the gateway on each box. We have also raised this issue with our router manufacturers for immediate protections against such things happening again in future.

    More on ARP spoofing:
    The Address Resolution Protocol (ARP) is the method for finding a host's link layer [MAC] address when only its Internet Layer (IP) or some other Network Layer address is known.

    ARP spoofing, also known as ARP poisoning or ARP Poison Routing (APR), is a technique used to attack an Ethernet wired or wireless network which may allow an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether (known as a denial of service attack). The attack can obviously only happen on networks that indeed make use of ARP & not another method.
    The principle of ARP spoofing is to send fake, or "spoofed", ARP messages to an Ethernet LAN. Generally, the aim is to associate the attacker's MAC address with the IP address of another node (such as the default gateway). Any traffic meant for that IP address would be mistakenly sent to the attacker instead. The attacker could then choose to forward the traffic to the actual default gateway (passive sniffing) or modify the data before forwarding it (man-in-the-middle attack). The attacker could also launch a denial-of-service attack against a victim by associating a nonexistent MAC address to the IP address of the victim's default gateway.
    ARP spoofing attacks can be run from a compromised host, or a hacker's machine that is connected directly onto the target Ethernet segment.
    We do sincerely apologise for the entire incident & care has been taken that this doesn't happen again in the future.

    More REF : http://www.oxid.it/downloads/apr-intro.swf

    Rock _a.k.a._ Jack

    For complaints, grievances or suggestions kindly email our FeedBack Dept.
    Proper action will be taken accordingly & instantaneously!
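
A defender-side check for the situation described in post #21, added here as an example (it is not part of the original thread or the host's own tooling): it parses ARP payloads and flags any frame whose sender claims a pinned gateway IP with a different MAC, the same binding that static ARP enforces. All addresses, the `PINNED` table and the helper names are constructed assumptions.

```python
import struct

# Constructed pinned binding (what a static ARP entry would fix): IP -> MAC.
PINNED = {"192.0.2.1": "00:11:22:33:44:55"}

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload into (op, sender_mac, sender_ip)."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = ":".join(f"{b:02x}" for b in payload[8:14])
    ip = ".".join(str(b) for b in payload[14:18])
    return op, mac, ip

def audit(payloads, pinned=PINNED):
    """Return (index, kind, detail) alerts for suspicious sender bindings."""
    seen, alerts = {}, []          # seen: ip -> last MAC observed
    for i, p in enumerate(payloads):
        try:
            _op, mac, ip = parse_arp(p)
        except ValueError as exc:
            alerts.append((i, "malformed", str(exc)))
            continue
        if ip in pinned and mac != pinned[ip]:
            alerts.append((i, "pinned-mismatch", f"{ip} claimed by {mac}"))
        elif ip in seen and seen[ip] != mac:
            alerts.append((i, "binding-changed", f"{ip}: {seen[ip]} -> {mac}"))
        seen[ip] = mac
    return alerts

def make_arp(op, mac, ip):
    """Build a constructed ARP payload (target fields zeroed) for the sample."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(x) for x in ip.split("."))
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + bytes(10)

# Constructed sample traffic, not captured from any real network.
SAMPLE = [
    make_arp(2, "00:11:22:33:44:55", "192.0.2.1"),   # real gateway reply
    make_arp(1, "02:00:00:00:00:20", "192.0.2.20"),  # ordinary host request
    make_arp(2, "02:00:00:00:00:66", "192.0.2.1"),   # another host claims gateway IP
    make_arp(2, "02:00:00:00:00:66", "192.0.2.20"),  # host binding flips
    b"\x00\x01",                                     # truncated frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

A "binding-changed" alert can also come from a legitimate NIC replacement or failover, so it is a prompt to investigate; a "pinned-mismatch" on the gateway IP is the stronger signal.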

  2. #22


    Ok. Thanks for your prompt investigation.

    So, there is no longer a requirement for me to have a new VPS, is this correct? And I can switch IIS back on?

    Thanks.



    Alan

  3. #23
    Join Date
    Oct 2006
    Posts
    377

    Hello

    Hello,

    We have already suspended the dedicated server which was using the gateway IP of the same subnet, and this issue has been resolved now. So, no need to recreate your VPS and you can switch to IIS again.

    Best Regards,
    Sebastian
    Senior System Administrator
    http://www.eukhost.com/

  4. #24


    grrr

    I had a similar thing on my server. Some muppet managed to get into one of my MySQL databases and inserted iframe calls. Grrr, what do they hope to gain!

  5. #25
    Join Date
    Nov 2005
    Location
    Earth
    Posts
    629


    Originally posted by ajbird:
    grrr

    I had a similar thing on my server. Some muppet managed to get into one of my MySQL databases and inserted iframe calls. Grrr, what do they hope to gain!

    This is not related to the issue that Rock has explained. You have been a victim of SQL injection. There are several reasons for this to happen.

    -- It can be your code itself; check your web logs and you will have a clue if it is your code.
    -- It can be the case where your MySQL database username and password have been compromised.
    -- Or the server you have your account on is vulnerable.
