Mailing List Archive



[tlug] Possible malware attack on my site?



Dave M G writes:

 > Apparently when a user clicks on the Facebook ad, the browser is
 > first directed to the malware site, and then it forwards to
 > tokyocomedy.com, so that they may not ever notice the intrusion.

Let me count the ways....

1. The browser may have been subverted.

2. The OS may have been subverted, so that HTTP is proxied through the
   malware site.

3. Facebook's ad may have been subverted.

4. A nameserver cache between that user and tokyocomedy's
   authoritative server may have been poisoned.

5. A nameserver may have been subverted.

6. tokyocomedy's webserver may have been subverted to redirect to the
   malware site and then back to tokyocomedy.

 > If anyone has any suggestions for how I might assure myself that the
 > site is secure, then I would be very interested.

The only way to assure yourself it is secure is to shut it off!

Obviously that's not an acceptable solution.  So accept that the site
is not secure, and pay attention to it so you can ward off intrusions
and recover from successful ones as quickly as possible.

With respect to this incident, first try browsing Facebook yourself to
see what happens (preferably with IE, but many browsers will allow you
to claim that they are IE).  That doesn't prove anything if the
results come up negative, but if they're positive you have a trail to
follow.  Check your logs for access by the malware site and see what's
happening there.  If the malware site is proxying your site, you can
try firewalling it out so that it can't reach you (easily) to get your
content to fake.  Make sure you log those attempts so you can
correlate if somebody says they can't see your ads.

HTH
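The reply above suggests checking the server's own logs for fetches by the suspected malware host, firewalling it out, and logging the blocked attempts so they can be correlated later. The script below is an added example of that log check, not code from the thread or from tokyocomedy.com: it parses Apache/nginx "combined" access-log lines, lists what a known suspect address fetched, applies a simple heuristic for an unknown host that copies the site page by page (many distinct paths, never a Referer), and emits iptables LOG-then-DROP rules for the addresses found. The log lines, the address ranges (203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges), and the User-Agent strings are constructed placeholders.

```python
"""Scan a web-server access log for signs that another host is fetching
(proxying) the site.  Added example, not code from the original thread;
the log lines and addresses below are constructed."""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: a real visitor arriving from a Facebook ad, a
# second host (placeholder address 198.51.100.23) pulling the whole site
# with no Referer and one User-Agent, which is what a site-copying proxy
# looks like from the server's side, and an ordinary direct visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2010:13:55:36 +0900] "GET / HTTP/1.1" 200 5120 "http://www.facebook.com/" "Mozilla/5.0 (Windows; MSIE 8.0)"
203.0.113.7 - - [10/Oct/2010:13:55:37 +0900] "GET /style.css HTTP/1.1" 200 812 "http://tokyocomedy.com/" "Mozilla/5.0 (Windows; MSIE 8.0)"
198.51.100.23 - - [10/Oct/2010:13:56:01 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; fetcher)"
198.51.100.23 - - [10/Oct/2010:13:56:01 +0900] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; fetcher)"
198.51.100.23 - - [10/Oct/2010:13:56:02 +0900] "GET /shows.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (compatible; fetcher)"
198.51.100.23 - - [10/Oct/2010:13:56:02 +0900] "GET /about.html HTTP/1.1" 200 1930 "-" "Mozilla/5.0 (compatible; fetcher)"
192.0.2.9 - - [10/Oct/2010:14:02:11 +0900] "GET /shows.html HTTP/1.1" 200 2210 "http://tokyocomedy.com/" "Mozilla/5.0 (X11; Linux)"
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def requests_from(text, suspect_ips):
    """Every request made by a known suspect address: (ip, path) pairs,
    i.e. exactly what that host pulled from the site."""
    return [(r["ip"], r["path"]) for r in parse_log(text) if r["ip"] in suspect_ips]


def suspect_proxies(text, min_paths=3):
    """Heuristic for an unknown proxy: addresses that fetched at least
    `min_paths` distinct pages and never sent a Referer.  Browsers send a
    Referer for embedded assets and followed links; a host copying the
    site page by page typically does not.  Treat hits as leads to verify,
    not proof."""
    paths = defaultdict(set)
    referer_seen = defaultdict(bool)
    for r in parse_log(text):
        paths[r["ip"]].add(r["path"])
        if r["referer"] != "-":
            referer_seen[r["ip"]] = True
    return sorted(ip for ip, p in paths.items()
                  if len(p) >= min_paths and not referer_seen[ip])


def firewall_rules(ips):
    """iptables rules that first log the attempt (so later reports of
    'I can't see your site' can be correlated) and then drop it."""
    rules = []
    for ip in ips:
        rules.append(f'iptables -A INPUT -s {ip} -p tcp --dport 80 '
                     f'-j LOG --log-prefix "blocked-proxy: "')
        rules.append(f'iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP')
    return rules


if __name__ == "__main__":
    found = suspect_proxies(SAMPLE_LOG)
    print("suspect proxies:", found)
    for ip, path in requests_from(SAMPLE_LOG, set(found)):
        print(f"  {ip} fetched {path}")
    print("\n".join(firewall_rules(found)))
```

On the constructed sample the heuristic flags only 198.51.100.23; the visitor from the Facebook ad sends a Referer on the follow-up asset fetch and is left alone. A real log will contain legitimate crawlers with the same no-Referer pattern, so `min_paths` and a crawler allow-list are the knobs to tune before anything goes into a firewall.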

