On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:
> Hi Folks!
>
> The portal for which I work is suffering constant attacks that I feel
> is PHP injection. Somehow the hacker is getting to change the cache files
> that our system generates, concatenating the HTML file with another that
> has an iframe to a malicious JAR file. Do you have any suggestions to
> prevent this action? The hacker has no access to our file system; he is
> inputting the code through some security hole. The problem is that the portal
> is very big and has lots and lots of partners hosted on our
> structure. We are failing to identify the focus of these attacks.
>
> Any ideas?
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> + http://blog.igorescobar.com
> + http://www.igorescobar.com
> + @igorescobar (twitter)

OK, first thing, check all the file access logs, i.e. FTP logs, etc., just to make sure that it's not a case of a compromised password. There's a well-known issue with people who use FileZilla on Windows systems that allows passwords to be easily stolen.

Next, see if you can isolate the IP address(es) that might be making these changes, and then go back over the HTTP access logs to determine what URLs they are visiting on the site. This should give you an idea about where the attack is coming in from.

Make sure that any pre-built systems (i.e. shopping carts, blog or forum software) are patched and up-to-date. A lot of attacks are targeted at sites en masse because they are found to have the same flaw which, left unpatched, is like an open door to your server.

It's also not a bad idea to change the passwords used to access the server, both for FTP and SSH.

You might also need to scan the server with antivirus software (this is mainly for Windows servers really) to make sure that a rootkit hasn't been installed.

Thanks,
Ash
http://www.ashleysheridan.co.uk
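The log-correlation step Ash describes (find which requests land just before each cache file gets rewritten, then list every URL the responsible address visited) is the kind of thing worth scripting once the logs are large. The following is an added example, not code from either poster: it assumes the web server writes the common Apache/nginx "combined" log format and that the cache files' modification times are known (here, a few constructed log lines and two constructed timestamps stand in for the real data). It ranks the (IP, method, path) combinations seen in the minutes before each modification, which points to the entry point to investigate and patch, and then dumps the full request history of a chosen address.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: Apache/nginx "combined" log format. Anything that does not match is skipped.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log: two ordinary visitors plus one address that POSTs to a
# partner-hosted upload script shortly before each cache-file modification.
LOG_LINES = """\
203.0.113.7 - - [07/Jun/2010:09:50:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jun/2010:09:51:40 +0000] "POST /partners/gallery/upload.php HTTP/1.1" 200 88 "-" "curl/7.19"
203.0.113.7 - - [07/Jun/2010:09:52:02 +0000] "GET /news/ HTTP/1.1" 200 7210 "-" "Mozilla/5.0"
198.51.100.23 - - [07/Jun/2010:14:03:15 +0000] "POST /partners/gallery/upload.php HTTP/1.1" 200 88 "-" "curl/7.19"
192.0.2.9 - - [07/Jun/2010:14:03:50 +0000] "GET /cache/home.html HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Constructed modification times of the tampered cache file (e.g. from `stat` or a file monitor).
CACHE_MTIMES = [
    datetime(2010, 6, 7, 9, 52, 0, tzinfo=timezone.utc),
    datetime(2010, 6, 7, 14, 3, 30, tzinfo=timezone.utc),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]  # drop the query string for grouping
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status")), "ua": m.group("ua")}


def parse_log(text):
    """Parse every line of a log, silently skipping unparseable ones."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def requests_before(records, mtimes, window=timedelta(minutes=5)):
    """Return (mtime, record) pairs for requests that arrived within `window` before a modification.

    The request that caused the write must precede it, so only the window *before* each
    timestamp is considered; traffic after the write is ordinary readers of the page.
    """
    return [(mtime, r) for mtime in mtimes for r in records
            if mtime - window <= r["ts"] <= mtime]


def rank_suspects(hits):
    """Rank (ip, method, path) by how often it shows up just before a modification."""
    return Counter((r["ip"], r["method"], r["path"]) for _, r in hits).most_common()


def urls_for_ip(records, ip):
    """Every path a given address requested, in log order (Ash's 'what URLs are they visiting')."""
    return [r["path"] for r in records if r["ip"] == ip]


if __name__ == "__main__":
    records = parse_log(LOG_LINES)
    hits = requests_before(records, CACHE_MTIMES)
    for (ip, method, path), n in rank_suspects(hits):
        print(f"{n:3d}  {ip:15s} {method:5s} {path}")
    top_ip = rank_suspects(hits)[0][0][0]
    print(f"\nFull history for {top_ip}:")
    for p in urls_for_ip(records, top_ip):
        print("  ", p)
```

A recurring hit that is a POST (or a GET with parameters) to one script, from one address, in every pre-modification window, is the URL to look at first; the 5-minute window is a starting guess and should be widened if the cache is regenerated asynchronously. Run the same ranking over the FTP log's timestamps too, since a stolen password produces no HTTP trace at all.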