AirTran Virtual Website Being Locked Again


Al Lua

Member
Dear x10,

Once again, airtranvirtual.net has been suspended.

From my own knowledge, the website has absolutely no malicious files, and these suspensions are honestly confusing me. Possibly a x10 service glitch that is causing these errors to pop up?

I have just sent a file appeal, but I have a very positive feeling that no response will be given.

Learning from last time, I wish for our pilots not to even know this has happened, since this has become a very frustrating issue creeping up upon us.

Once this issue has been solved, may I ask that someone who "works" for x10 let us know exactly what file is causing these reports?

Thanks for your time,

Al Lua

Livewire

Abuse Compliance Officer
Staff member
This one was a separate compromise for a chase.com phishing page that ended up on the account, probably from the same compromise that had caused the last suspension but wasn't closed. I'm able to lift the suspension once more, however all the files on the account would end up being moved to public_html_compromised; you can move them back once you've secured the account, however if it gets compromised again we won't be able to lift it a third time.

For the record, in this case, they were uploaded to lib/images/inair/www.chase .com (without the space) - I've no idea how it got there, but it triggered a phishing report which was verified before the suspension was applied. Whatever compromise existed before hasn't been closed, which is allowing the hackers/compromisers to put whatever content they want onto the account - in this case, that ended up being a phishing page for Chase usernames/passwords.

Check with the site owner (whom I know you're tied in with per the prior discussions we've had on the forums) prior to answering the below question knowing that we can only do this once; do you agree to secure the site (including updating all passwords and investigating any php files present to ensure they are secure against exploits) once I lift the suspension?

Al Lua

Member
Looks like some hacker did this? I'll see about it after the suspension.

So Google Webmaster Tools has proved something actually right when I thought it seemed false.

I'll contact the site owner, but he doesn't seem available right now. Once he knows about this, I will report to this thread that the knowledge of this is known to him.

Thanks for all your help!

Livewire

Abuse Compliance Officer
Staff member
No problem, let us know when you're ready for the unsuspension.

descalzo

Grim Squeaker
Community Support
It doesn't have to be a "hacker".

If you allow members to upload "stuff" to your site, you have the potential for a huge security hole.

If you have that feature on your site, make very sure that people cannot upload arbitrary files. If that is the source of the compromise, then merely removing the current bad file will just delay the day when your account is permanently suspended.

You have to find the way the file was uploaded and fix it.
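To make descalzo's point concrete, here is an added example of how an upload handler can refuse arbitrary files. It is editor-supplied illustration, not code from anyone in this thread, from x10Hosting or from the AirTran Virtual site, and the names (validate_upload, SAFE_TYPES, save_upload) are hypothetical. The principle is the one descalzo states: decide from the file's bytes, not from the name the browser sends, and never let the uploader pick where or under what name the file is stored.

```python
"""Defensive handling of user-supplied file uploads.

Added example; not code from the thread, from x10Hosting or from the
AirTran Virtual site. validate_upload, SAFE_TYPES and the other names are
hypothetical. Trust the bytes, not the client's filename, and never let the
client choose where or under what name a file lands.
"""
import os
import secrets

# Only these content types are accepted; identified by leading magic bytes.
SAFE_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Client-supplied extensions we tolerate, normalised to the keys above.
CLIENT_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
# Server-side code must never be accepted, even behind a valid image header.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")
MAX_BYTES = 2 * 1024 * 1024


def detect_type(data: bytes):
    """Return the allowed type whose signature the data starts with, else None."""
    for ext, magic in SAFE_TYPES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(client_name: str, data: bytes):
    """Return (True, server_chosen_name) or (False, reason)."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized"
    detected = detect_type(data)
    if detected is None:
        return False, "content is not an allowed image type"
    # The client name is only sanity-checked; it is never reused for storage.
    parts = os.path.basename(client_name).lower().split(".")
    if len(parts) != 2 or parts[1] not in CLIENT_EXT:
        return False, "suspicious client filename"  # double extension or none
    if CLIENT_EXT[parts[1]] != detected:
        return False, "extension does not match content"
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "embedded script content"
    # Random server-chosen name; the extension comes from the detected type.
    return True, f"{secrets.token_hex(16)}.{detected}"


def save_upload(upload_dir: str, client_name: str, data: bytes) -> str:
    """Validate, then write into upload_dir, which should sit outside the web
    root (or under a directory where script execution is disabled)."""
    ok, result = validate_upload(client_name, data)
    if not ok:
        raise ValueError(result)
    path = os.path.join(upload_dir, result)
    with open(path, "xb") as fh:  # 'x' refuses to overwrite an existing file
        fh.write(data)
    return path
```

The polyglot case (a real image header followed by PHP tags) is the one that a plain extension check misses, which is why the marker scan runs even after the magic bytes look right; the stricter fix, where the hosting setup allows it, is to serve the upload directory with script execution disabled so the check is belt and braces rather than the only line.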

Al Lua

Member
I've contacted the site owner, he has read the information.

We don't have an upload to website option anywhere.

We'll keep searching for that phishing file. Can you possibly also have it pass through human validation the next time it wants to suspend us?

Thanks for everyone's help!

Al Lua

Livewire

Abuse Compliance Officer
Staff member
If you mean that it needs to be reviewed by a human prior to suspension, it was; I'm going to have to erase the file when I lift the suspension to prevent the page from going live at all, but if it were to come back we won't be able to lift it a third time. Are you ready for me to lift the suspension?

Al Lua

Member
We'll have to take the risk.

If you have time, possibly you can help us locate that file?

Thanks for all your time!!!

Livewire

Abuse Compliance Officer
Staff member
Unfortunately I'm not sure exactly which file is the one that is being exploited; the logs aren't indicating anything specific, and I'm not much of an expert on PHP at all.

I'm working on lifting the suspension now; the files will be moved to public_html_compromised to help minimize the risk of an immediate re-compromise, but I'd recommend changing passwords on the account as soon as it's up again (within the next 5 minutes or so).


Edit: Mini-correction, the files in public_html are going to public_html_compromised, while the ones in the airtranvirtual.net folder are being moved to airtranvirtual.net_compromised to make it easier to identify where the files should go back to once you've checked them over.

descalzo

Grim Squeaker
Community Support
I seriously suggest that you immediately make backups of your entire site and download them.

If your site is compromised again, you will not have access to your files.

Livewire

Abuse Compliance Officer
Staff member
Quick note to add on to what descalzo said as well, I did find about 7 malicious files beyond the phishing page; all of them were in the airtranvirtual.net/public_html folder, and all of them would have allowed file uploading. These were NOT present the last time the site was suspended, which is a definite indication of a massive compromise.

The site itself is built on something called the Codon Framework; unless I missed my Google search, this hasn't been updated in several years, and likely is no longer secure as a result. I'm not 100% sure of this being the cause, but if it hasn't been updated in that long, it's probably the culprit and should be replaced.
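Livewire's two observations above (several files that "would have allowed file uploading", and files that were not present at the previous suspension) describe exactly what a site owner can triage for themselves. The script below is an added example from the editor, not something posted in this thread or shipped by x10Hosting or the Codon Framework: it flags PHP files that handle uploads, run decoded code or sit in directories meant for images (the thread's phishing page lived under lib/images/), and it lists paths that were not in the inventory taken after the last clean-up. The indicator regexes, sample file contents and path names are all constructed for illustration.

```python
"""Triage a PHP web root for drop-in upload handlers and obfuscated loaders,
and list files that appeared since a known-good inventory.

Added example; not code from the thread, from x10Hosting or from the Codon
Framework. The regexes are coarse on purpose: every hit is a file to read by
hand, not a verdict. Sample sources and paths below are constructed.
"""
import os
import re

# Indicators grouped by what they suggest. Legitimate frameworks use some of
# these too, so hits prioritise review rather than prove compromise.
INDICATORS = {
    "handles uploads": [r"move_uploaded_file\s*\(", r"\$_FILES\b"],
    "runs arbitrary code": [r"\beval\s*\(", r"\bassert\s*\(", r"\bsystem\s*\(",
                            r"\bpassthru\s*\(", r"\bshell_exec\s*\("],
    "decodes hidden payload": [r"base64_decode\s*\(", r"gzinflate\s*\(", r"str_rot13\s*\("],
    "dynamic function call": [r"\$\w+\s*\(\s*\$"],  # $f($x): callee name held in a variable
}
COMPILED = {label: [re.compile(p) for p in pats] for label, pats in INDICATORS.items()}

# Directories meant for static assets only; a .php file there is itself a finding
# (the phishing page in this thread was dropped under lib/images/).
ASSET_DIRS = ("images/", "img/", "uploads/", "css/", "js/")


def scan_source(rel_path: str, source: str) -> list[str]:
    """Return the indicator labels that fire for one file."""
    hits = [label for label, pats in COMPILED.items() if any(p.search(source) for p in pats)]
    lowered = "/" + rel_path.replace("\\", "/").lower()
    if lowered.endswith(".php") and any("/" + d in lowered for d in ASSET_DIRS):
        hits.append("php file in asset directory")
    return hits


def scan_files(files: dict) -> dict:
    """Scan {rel_path: source} and keep only the files with at least one hit."""
    findings = {}
    for rel_path, source in files.items():
        hits = scan_source(rel_path, source)
        if hits:
            findings[rel_path] = hits
    return findings


def new_since_baseline(current_paths, baseline_paths) -> list[str]:
    """Paths present now that were not in the last known-good inventory."""
    return sorted(set(current_paths) - set(baseline_paths))


def scan_directory(root: str) -> dict:
    """Read every .php file under root (keyed by relative path) and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)


# Constructed sample web root: a clean page, an upload handler dropped into an
# image directory, a loader that runs decoded request data, and a clean class.
SAMPLE_FILES = {
    "index.php": "<?php require 'core/bootstrap.php'; echo render('home'); ?>",
    "lib/images/inair/up.php": "<?php if (isset($_FILES['f'])) { move_uploaded_file($_FILES['f']['tmp_name'], $_FILES['f']['name']); } ?>",
    "core/cache.php": "<?php $k = $_REQUEST['k']; eval(base64_decode($k)); ?>",
    "core/Template.php": "<?php class Template { function render($v) { return file_get_contents($v); } } ?>",
}
# Inventory taken after the previous clean-up (constructed).
BASELINE = {"index.php", "core/Template.php", "core/cache.php"}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
    print("new since baseline:", new_since_baseline(SAMPLE_FILES, BASELINE))
```

Run against a real tree with scan_directory("/path/to/public_html") and keep the file list from each clean state so new_since_baseline has something to compare against; descalzo's advice to download a full backup gives you that inventory for free. A file that is both new and flagged goes to the top of the review pile; a flagged file that was in the baseline may simply be part of the framework, which is why the hits are labels rather than a delete list.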

descalzo

Grim Squeaker
Community Support
If it is phpVMS, they have a security patch as of Sept 30.

Al Lua

Member
Apparently it seems that I cannot remove that redirect causing the domain to head to suspended.

Any way you can remove that?

Livewire

Abuse Compliance Officer
Staff member
That was my bad, forgot to change the owner on the suspended .htaccess to you so you'd be able to overwrite it. I've removed the suspended redirect and restored the original pre-suspension .htaccess files in both public_html and the airtranvirtual.net folder.

Al Lua

Member
Has x10 started becoming biased against AirTran Virtual Airways? Or is a staff member heavily biased against the real airline? I do understand AirTran Airlines sometimes is hated by others (we've had hate comments that were accidentally directed to us instead of the real airline).

Once again, we have been suspended for so-called "proxies." This happened while uploading one 100% safe .wav file that I got from my own resources and am allowed to use. It is a musical composition to share with some of our pilots to see if it would be a good theme song for the airline. I put the file on Mediafire for you to check it out: http://www.mediafire.com/?jnyd16x4k4uy9f6

Here is the origin of the file: it is a MuseScore composition. I will attach the composition file (requires MuseScore, a free notation program), and it can be found here: http://www.mediafire.com/?10qdvi9ijbm62wp. Since I did borrow it from someone else, here is the very original source: https://www.musescore.com/user/18133/scores/53178. It seems that these songs are available for use when you credit who made them. I have also asked for permission to use the piece.

However, I do understand this is the 3rd time we have been suspended. However, these so-called "proxies" on our website seem to be non-existent.

Now for why I was doing this uploading of file to share with pilots.

I wanted to send an email out asking if this theme song would sound good for us. Since I wanted to put it on our own website (kind of more professional) and then share it, I uploaded the file. I wasn't sure where to put it yet, so I put it in /home/airtran. Then, since I couldn't get to the file (I tried airtranvirtual.net/home/airtran/palladio.wav), I tried to put it into the /lib place (wherever it went). During that process, I suddenly couldn't do anything, and then a message popped up saying something like account timed out or login session expired.

Now, everything is on the website (I did back it up once, so most files are still safe in my "Drive" and computer), but it is the plugins and databases I'm concerned about (no idea how to back up those things).

If it is extremely impossible to unsuspend our account, I'll try to understand, and hopefully the owner won't go all ballistic on me. This is one lesson to be learned.

Please do consider above, and I did send an appeal, but of course, I've already noticed they just get sent to a non-existent place in the "Cloud" where nobody reads them.