Coś takiego zdarzyło mi się po raz pierwszy po wielu latach administrowania paroma stronami internetowymi. Otóż na jednej z tych stron od 2 lat jest sobie aplikacja windowsowa (napisana przeze mnie) - oczywiście bez żadnych wirusów etc.
No i dzisiaj dostałem od mojego usługodawcy hostingowego, który dostał maila od cert@telekomunikacja.pl która dostała maila od alert@tehtri-security.com w sprawie wirusa w owym pliku. I mam się "ustosunkować" do tego co zresztą uczyniłem.
Aktualnie ta moja strona nie działa (chyba została wyłączona właśnie z tego powodu ale na razie moja firma hostingowa nie odpowiada).
Mail od tehtri-security.com wyglądał tak (wykropkowałem nazwę domeny i aplikacji):
Cytat
>
> Dear Sir or Madam,
>
> We have detected a security problem on one of your web sites
> (***.com), as
> we are computer security experts who monitor Internet Security. Our goal
> is to
> help keep the Internet safe and secure, against most cyber-threats.
>
> It seems that some of your web servers were successfully attacked and
> compromised by evil intruders. The problem is that your computer is
> currently
> potentially used as a resource for attackers worldwide. Be careful with
> the
> unsafe URL links proposed further (virus, backdoors...).
>
> Let's start with the technical information about your compromised web
> servers
> and about what has been detected on your services:
>
> Date of Alert: Wed, 16 Sep 2009
> Infected URL : http://***.com/download/***.exe
> Malware/Virus: unknown_html
> Domain Name : ***.com
> IPv4 Address : ***
>
>
> So, now, here are the possible steps to follow, in order to improve your
> situation, and to get rid of the attackers:
>
> 1- Backup your sensitive data in a safe place
> 2- Send us the files added by the attackers, so that we can begin an
> analysis
> 3- Find and delete the unwanted files added by the attackers (Virus...)
> 4- Send us the needed logs (web servers...) so that we can find what
> happened
> *5* Audit your web security and find the holes used by the attackers !
> *6* Harden your servers+delete the vulnerabilities to avoid future
> incidents !
>
> If you have technical problems to recover from this attack, or if you need
> assistance, do not hesitate to contact us, so that we can help you at
> fighting
> against those attackers.
>
> Now it's your time to work, delete the presence of attackers from your
> computers and protect everything before new evil intruders come back to
> you
> one more time.
>
> Keep in touch and email us,
>
> Yours faithfully,
>
> TEHTRI-Security, Company specialized in Audits and Incidents Handling
> http://www.tehtri-security.com
> alert@tehtri-security.com
>
>
> Dear Sir or Madam,
>
> We have detected a security problem on one of your web sites
> (***.com), as
> we are computer security experts who monitor Internet Security. Our goal
> is to
> help keep the Internet safe and secure, against most cyber-threats.
>
> It seems that some of your web servers were successfully attacked and
> compromised by evil intruders. The problem is that your computer is
> currently
> potentially used as a resource for attackers worldwide. Be careful with
> the
> unsafe URL links proposed further (virus, backdoors...).
>
> Let's start with the technical information about your compromised web
> servers
> and about what has been detected on your services:
>
> Date of Alert: Wed, 16 Sep 2009
> Infected URL : http://***.com/download/***.exe
> Malware/Virus: unknown_html
> Domain Name : ***.com
> IPv4 Address : ***
>
>
> So, now, here are the possible steps to follow, in order to improve your
> situation, and to get rid of the attackers:
>
> 1- Backup your sensitive data in a safe place
> 2- Send us the files added by the attackers, so that we can begin an
> analysis
> 3- Find and delete the unwanted files added by the attackers (Virus...)
> 4- Send us the needed logs (web servers...) so that we can find what
> happened
> *5* Audit your web security and find the holes used by the attackers !
> *6* Harden your servers+delete the vulnerabilities to avoid future
> incidents !
>
> If you have technical problems to recover from this attack, or if you need
> assistance, do not hesitate to contact us, so that we can help you at
> fighting
> against those attackers.
>
> Now it's your time to work, delete the presence of attackers from your
> computers and protect everything before new evil intruders come back to
> you
> one more time.
>
> Keep in touch and email us,
>
> Yours faithfully,
>
> TEHTRI-Security, Company specialized in Audits and Incidents Handling
> http://www.tehtri-security.com
> alert@tehtri-security.com
>
>
No i w tym momencie mam parę pytań:
W raporcie powyżej stoi: "Malware/Virus: unknown_html" - no przecież to nie jest html tylko aplikacja, więc o co chodzi?
Od kiedy to cert w telekomunikacji zajmuje się jakimiś wirusami w aplikacjach desktopowych?
Czym jest tehtri-security.com że pod ich wpływem reaguje telekomunikacja a następnie mój usługodawca hostingowy? Czy to jest normalne zachowanie (mam na myśli i telekomunę i moją firmę hostingową)?
edit: to wszystko wygląda jak jakiś żart, wyszukanie w googlu frazy "tehtri-security.com" daje... 31 wyników (słownie: trzydzieści jeden), nosz kurde ...
edit2: ok, okazało się, że wyłączenie serwisu nie miało nic wspólnego z tym raportem, po prostu dziwaczny zbieg okoliczności
