
How is malware added to web sites

  • 02-08-2012 9:00am
    #1
    Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭


    I recently started helping update a web site that uses a C# based CMS.

    I updated a few of the .aspx files and the next day there is malware on the site (could be a coincidence). The site's db had the malware (a 'script' tag) added to every row in almost all the db tables.
    I have to use FTP to connect as the host does not support sftp/scp.

    I scanned my system (SpyBot, Ad-Aware, AVG) and it comes up clean.

    How are the hackers likely getting into the site?
    The db user/pass are in a web.config file but this is not readable from the web.


Comments

  • Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭AnCatDubh


    daymobrew wrote: »
    The site's db had the malware (a 'script' tag) added to every row in almost all the db tables.

    Possibility of SQL Injection vulnerabilities in the code of the site would be a starting point (perhaps the obvious one). You could verify this using penetration test scanner(s) (either open source or commercial or get a security professional involved <- highly recommended and I'm not one ;)). If pen testing, make sure you have the rights to do so. If you are with a third party hosting company they may not like you doing so on a live system (pen test a local copy of the system instead).

    Have you access to your web logfiles?

    Have a gander through those for references to the script tags which have been placed in the database, which may give you a pointer if the exploit came in over your webserver and what code was hit in the exploit. grep (or wingrep) may make your life a heck of a lot easier here, but I'd still examine them to see if anything looks unusual (non-normal URLs etc.).

    The above is assuming that it was a web-borne SQL injection, which is a terrible thing to assume :D as you may have multiple vulnerabilities present and may find nothing from a search as outlined.

    I'm sure others here will have way more stuff to try.
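
The log search suggested in the post above, as an added example that is not part of the original thread: a Python scan of web server logs that URL-decodes each query string and flags script/iframe tags and stacked SQL statements. It assumes IIS W3C extended log format (the thread only says the site is C#/.aspx); the rule names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (assumed format, not from the thread).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2012-08-01 10:02:11 GET /news.aspx id=12 203.0.113.5 200
2012-08-01 23:41:07 GET /news.aspx id=12;DECLARE%20@S%20VARCHAR(100);SET%20@S=CAST(0x41%20AS%20VARCHAR(100));EXEC(@S) 198.51.100.77 200
2012-08-01 23:41:09 GET /search.aspx q=%3Cscript+src%3Dhttp%3A%2F%2Fexample.invalid%2Fx.js%3E 198.51.100.77 500
2012-08-02 08:15:30 GET /about.aspx - 203.0.113.9 200
"""

# Hypothetical rule set: markup that ended up in the database, plus SQL batch syntax
# that has no business appearing in a query-string parameter.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script", re.I),
    "iframe-tag": re.compile(r"<\s*iframe", re.I),
    "sql-batch": re.compile(r";\s*(declare|exec|insert|update)\b", re.I),
    "sql-cast-hex": re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I),
}

def scan_iis_log(text):
    """Return one dict per suspicious request: line number, client IP, page, rules hit."""
    fields, hits = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        # Decode twice so a double-encoded payload is still seen in clear text.
        decoded = unquote_plus(unquote_plus(query))
        matched = sorted(name for name, rx in PATTERNS.items() if rx.search(decoded))
        if matched:
            hits.append({"line": lineno, "ip": row.get("c-ip"),
                         "page": row.get("cs-uri-stem"), "rules": matched})
    return hits

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit)
```

The page and timestamp of each hit point at the code path to review first; an empty result does not rule out other entry points such as the plain FTP login.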


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    Probably another mass SQL injection attack, where they INSERT some iFrames or javascript into the database. Perhaps you need your CMS's security audited?


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    infodox wrote: »
    Probably another mass SQL injection attack, where they INSERT some iFrames or javascript into the database. Perhaps you need your CMS's security audited?

    That is the most common method.

    There is a known vulnerability in your CMS software. (as the tool hammered most of your DB would lead me back to no#1)


    The second possibility that pops into my head is you could have a MySQL DB with authentication bypass bug publicly facing. (less likely)

    I would try
    http://www.mavitunasecurity.com/communityedition/
    http://www.webresourcesdepot.com/10-free-web-application-security-testing-tools/


    If you want to PM me I could take a quick look at your site but you would be better off with a professional who has time to walk you through fixing all the issues.

