Re: Security Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Ashley!

Thanks for helping us!

OK, first thing, check all the file access logs, i.e. FTP logs, etc, just to
make sure that it's not a case of a compromised password. There's a
well-known issue with people who use FileZilla on Windows systems that
allows passwords to be easily stolen.
*
*
*We've done this before. FTP logs are clean. We limit access to FTP only
authorized machines.
*
*
*
Next, see if you can isolate the IP address(s) that might be making these
changes, and then go back over the HTTP access logs to determine what URLs
they are visiting on the site. This should give you an idea about where the
attack is coming in from.

*I'll see if I can find a way to identify the IP of the person who changed
the file last time. As he is injecting a PHP script within our server, the
script itself is changing the file so it is assumed as the default user
apache as who made the change.*

Make sure that any pre-built systems (i.e. shopping carts, blog or forum
software) is patched and up-to-date. A lot of attacks are targeted at sites
en-mass because they are found to have the same flaw which, left unpatched,
is like an open door to your server.

*We always encourage our partners to keep their system current. They are
usually blogs (wordpress) and plugins
*
It's also not a bad idea to change the passwords used to access the server,
both for FTP and SSH. You might also need to scan the server with antivirus
software (this is mainly for Windows servers really) to make sure that a
rootkit hasn't been installed.

*All access via username and password are clean, if we identify unauthorized
access, we will certainly do that!*
*
*
*Thank you for your help! Let's try to identify the IP address of the person
who changed the file and then we try to trace your browsing history!*
*
*Regards,
Igor Escobar
Systems Analyst & Interface Designer

+ http://blog.igorescobar.com
+ http://www.igorescobar.com
+ @igorescobar (twitter)





On Mon, Jun 7, 2010 at 10:03 AM, Ashley Sheridan
<ash@xxxxxxxxxxxxxxxxxxxx>wrote:

>  On Mon, 2010-06-07 at 09:54 -0300, Igor Escobar wrote:
>
> Hi Folks!
>
> The portal for which I work is suffering constant attacks that I feel that
> is PHP Injection. Somehow the hacker is getting to change the cache files
> that our system generates. Concatenating the HTML file with another that
> have an iframe to a malicious JAR file. Do you have any suggestions to
> prevent this action? The hacker has no access to our file system, he is
> imputing the code through some security hole. The problem is that the portal
> is very big and has lots and lots partners hosted on our estructure
> structure. We are failing to identify the focus of this attacks.
>
> Any ideas?
>
>
> Regards,
> Igor Escobar
> Systems Analyst & Interface Designer
>
> + http://blog.igorescobar.com
> + http://www.igorescobar.com
> + @igorescobar (twitter)
>
>
> OK, first thing, check all the file access logs, i.e. FTP logs, etc, just
> to make sure that it's not a case of a compromised password. There's a
> well-known issue with people who use FileZilla on Windows systems that
> allows passwords to be easily stolen.
>
> Next, see if you can isolate the IP address(s) that might be making these
> changes, and then go back over the HTTP access logs to determine what URLs
> they are visiting on the site. This should give you an idea about where the
> attack is coming in from.
>
> Make sure that any pre-built systems (i.e. shopping carts, blog or forum
> software) is patched and up-to-date. A lot of attacks are targeted at sites
> en-mass because they are found to have the same flaw which, left unpatched,
> is like an open door to your server.
>
> It's also not a bad idea to change the passwords used to access the server,
> both for FTP and SSH. You might also need to scan the server with antivirus
> software (this is mainly for Windows servers really) to make sure that a
> rootkit hasn't been installed.
>
>   Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux