Threat Level: green Handler on Duty: Russ McRee

SANS ISC: InfoSec Handlers Diary Blog - Website compromises - what's happening? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Website compromises - what's happening?

Published: 2009-08-18
Last Updated: 2009-08-18 15:20:57 UTC
by Deborah Hale (Version: 1)
6 comment(s)

Recently there seems to have been a lot of activity with websites getting hacked.  Folks are getting really frustrated and are looking for answers to what is causing the problems and what they can do to protect their sites from compromise.

Unfortunately I am not a web development expert.  We do have Handlers that are...  I just don't happen to be one of them.  My expertise with websites is hosting them and protecting the servers that we host our customers sites on.  I monitor activity on our servers and check log files daily for any unusual activity or attempts to hack our customers sites or attempts to hack into our servers.  The last few weeks we have had an increase in the attempts to access our servers (brute force).  As soon as these attempts are flagged they are added to the blocklist for our network.  It is incredible to me how many IP's I have had blacklisted (blocked) in a short amount of time.  

We had two customers domains get wacked.  In both cases the index.html file was replaced with a modified file that contained a hidden link to .ru websites.  In both cases these "alterations" were found to be the result of a Gumblar type infection on the customers PC that is used to do the upload of the website to our server.  It appears in both cases that it was a Gumblar type infection, however instead of the typical Gumblar that we saw back in the May 2009 timeframe - the domains involved were a couple of .ru domains.  Perhaps just shifting resources a little or perhaps a new strain of an old bad guy. In investigating the infection in the two domains involved, I came across a really good article explaining what Gumblar was all about. 

www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

The initial infections were both discovered over the weekend so I was unable to contact the customers immediately to let them know what was going on.  In both cases I disabled the index.html files and changed the passwords on the ftp accounts on the domains.  In both cases for several days afterwords I saw many attempts to login to the ftp accounts with incorrect passwords from multiple China IP addresses.  

This was an interesting exercise in web security for me.  My assumption was that the server itself was lacking in security.  I therefore worked very hard after taking this position to make sure that our webhosting servers were secured to the best of my ability and I aggressively monitor these servers to make sure that they continue to be secure.  Now I know, no matter how secure your hosting company tries to make your domains it may be your own internal lack of security practices that are putting your domains in jeopardy.

So my question to our readers is:

What are you doing to protect your webpages? 

We have had novice webpage developers in the past ask us what they can do to protect the security of their webpage.  Unfortunately we see that anyone now can create a webpage.  It doesn't take any special education or skills to create a webpage as we have witnessed by looking at the social networking sites. In these sites anyone (maybe even a monkey)  can create their own webpages. ( We have seen how secure that is). So what are your recommendations?

I would like to hear from you.  Please let me know if I can include your information in the diary. I will publish a list of the good tips that I get from you our readers.

 

Deb Hale Long Lines, LLC

6 comment(s)
Diary Archives