[BNM] Infected Site

Oliver Marshall Oliver.Marshall at g2support.com
Tue Jun 2 09:23:35 BST 2009


We've seen this on a number of client servers due to a number of reasons, and it can be hard to prevent.

The most common cause (that we have seen) is down to a simple SQL injection attack whereby the contents of text boxes etc. aren't parsed for SQL. The contents, including the SQL entered by the miscreant, are taken literally by the database and ultimately errant code is added.

We've also seen this happen due to un-updated minor components within larger web apps. For example, we once had a very similar thing happen with a client's web server that was using a PHP open source app. Part of that app was using TinyMCE, and it appears that the TinyMCE component hadn't been updated and there was a security flaw in a function that allowed for uploads to the webserver. A clear out of the infected files (roll back to a backup) and updating the whole PHP app (and I think they also disabled the TinyMCE editor in that case) solved the issue.

A lot of these attacks are the web version of drive-by shootings where the attacker just runs a script which checks for any one of thousands of known security flaws and when it finds one it then performs automated attacks against that flaw until the attacker has access, and then another automated function uploads the data etc. That way, one attacker can target a whole IP range, go to bed, and wake up in the morning to see what he now owns. 

First, make sure your OS is up to date. Second, make sure any apps running on your OS are up to date. Third, make sure there are no issues with your firewall rules or that any non-port-80/443 access is restricted to either VPN or specific IPs. Lastly you could look at using one of the number of open source application-firewalls to inspect the traffic coming to the web server, though again, update the rules they use.

Of course, we do backups so that you have an offline copy of your data :)

Olly

--
G2 Support
Network Support : Online Backups : Server Management

Web: www.g2support.com
Twitter: g2support
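The "text boxes aren't parsed for SQL" failure Olly describes, shown as an added example that is not part of the original post or of any product mentioned in it. It uses Python's built-in sqlite3 module with a constructed two-row users table: the first login function pastes form input straight into the statement, the second uses placeholders so the database treats the input as data. The usernames, passwords and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a minimal users table standing in for a site's login table.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the post describes: form contents pasted straight into SQL.
    Whatever the user typed becomes part of the statement itself."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Hardened form: bound parameters keep user input as data, never as SQL,
    so no quoting or 'parsing for SQL' in the application is needed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def demo():
    """Run both login paths against a normal password and a hostile one.
    Returns the matched usernames for each case so the difference is visible."""
    conn = make_db()
    # The textbook tautology from the OWASP injection write-ups (constructed input):
    # in the vulnerable path it turns the WHERE clause into
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row; in the parameterized path it is just a
    # password string that matches nobody.
    hostile_password = "' OR '1'='1"
    results = {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_hostile": login_vulnerable(conn, "alice", hostile_password),
        "param_normal": login_parameterized(conn, "alice", "s3cret"),
        "param_hostile": login_parameterized(conn, "alice", hostile_password),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {matched}")
```

The point of the pair is that the fix is not "escape better" in the application: the vulnerable function returns both users for the hostile input because the database cannot tell the form contents from the query, while the parameterized one returns nothing because the driver sends the input separately from the statement. The same placeholder mechanism exists in PHP's PDO and mysqli prepared statements, which is what the "update the whole PHP app" advice usually ends up relying on.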



-----Original Message-----
From: bnmlist-bounces at brightonnewmedia.org [mailto:bnmlist-bounces at brightonnewmedia.org] On Behalf Of Martyn Fagg
Sent: 01 June 2009 20:24
To: Brighton New Media
Subject: Re: [BNM] Infected Site

On Mon, Jun 1, 2009 at 7:23 PM, Alan Braddish wrote:

> Any advice on why this might have happened?  The site is hosted by...wait for
> it... Farcehosts.
>

If you have a few hours to kill, take a look at www.owasp.org
http://www.owasp.org/index.php/Top_10_2007
http://www.owasp.org/index.php/Guide_Table_of_Contents

Martyn
-- 

BNM Subscribe/Unsubscribe:
http://www.brightonnewmedia.org/options/bnmlist

BNM powered by Wessex Networks:
http://www.wessexnetworks.com
