Identifying the Security Hole

For an Apache compromise, start from the domain the attack was reported against and review that virtual host's access logs. This can be tedious if you don't quite know what you're looking for: many attacks have gotten smarter, using Tor and open proxies so the source IP changes from request to request, and using scripts that redeploy themselves or change names to further confuse things.

Look in the logs for hits on the script that was running; then search again for every IP that hit that script. Try to find out where those IPs came in on the site: did they hit the front page first? Did they hit any pages besides the script? Look for common threads and trace your way back to the earliest hits on the attack script, then see what those same IPs accessed just before. That request, not the later traffic to the dropped script, is usually the one that got them in.

Often these "first hits" are POSTs against a legitimate script on the site. For example, a recent ZenCart (shopping cart software) exploit starts out with a request like this:

/admin/record_company.php/password_forgotten.php?action=insert

This particular exploit is from:

http://www.milw0rm.com/exploits/9004
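The tracing procedure above, worked through as an added example (not code from the original post): it parses Apache combined-format lines, finds every IP that hit a given attack script, reconstructs what each of those IPs did before its first request to the script, reports the earliest hit in the whole log, and separately flags POSTs shaped like the ZenCart request, where a second `.php` name is appended to a real script via PATH_INFO. The log lines are constructed for the example, the dropped script name `/images/x.php` is hypothetical, and the PATH_INFO pattern is a generalisation of the quoted request rather than anything the page itself states.

```python
import re
from datetime import datetime

# Apache "combined" log format (ip, ident, user, [timestamp], "request", status, size, "referer", "ua").
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# A real .php script followed by another .php name through PATH_INFO, the shape of the
# ZenCart request quoted above. This generalisation is an assumption of the example.
PATHINFO_RE = re.compile(r'\.php/[^?\s]*\.php')

# Constructed sample log: one attacker walks in through the front page, POSTs the
# ZenCart-style request, then calls the dropped script; a second IP (proxy/Tor hop)
# only ever calls the dropped script; a third IP is an ordinary shopper.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jul/2009:03:14:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2009:03:14:09 +0000] "GET /admin/login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2009:03:14:31 +0000] "POST /admin/record_company.php/password_forgotten.php?action=insert HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jul/2009:03:14:40 +0000] "GET /images/x.php?cmd=id HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.77 - - [10/Jul/2009:05:02:11 +0000] "GET /images/x.php?cmd=uname HTTP/1.1" 200 91 "-" "curl/7.19"
192.0.2.10 - - [10/Jul/2009:06:30:00 +0000] "GET /index.php?main_page=product_info&products_id=12 HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e]


def trace(entries, attack_script):
    """For every IP that requested attack_script, reconstruct its path through the site."""
    attackers = {e["ip"] for e in entries if attack_script in e["path"]}
    result = {}
    for ip in attackers:
        reqs = sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["ts"])
        first = next(i for i, e in enumerate(reqs) if attack_script in e["path"])
        result[ip] = {
            "entry_point": reqs[0]["path"],                      # where they came in
            "before_script": [(e["method"], e["path"]) for e in reqs[:first]],
            "other_pages": sorted({e["path"].split("?")[0] for e in reqs
                                   if attack_script not in e["path"]}),
        }
    return result


def earliest_script_hit(entries, attack_script):
    """(ip, ISO timestamp) of the first request for attack_script anywhere in the log."""
    hits = [e for e in entries if attack_script in e["path"]]
    if not hits:
        return None
    e = min(hits, key=lambda e: e["ts"])
    return e["ip"], e["ts"].isoformat()


def find_pathinfo_posts(entries):
    """POSTs whose path appends a second .php name to a real script (the ZenCart shape)."""
    return [(e["ip"], e["path"]) for e in entries
            if e["method"] == "POST" and PATHINFO_RE.search(e["path"])]


ENTRIES = parse_log(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for ip, info in trace(ENTRIES, "/images/x.php").items():
        print(ip, info)
    print("earliest hit:", earliest_script_hit(ENTRIES, "/images/x.php"))
    print("suspicious POSTs:", find_pathinfo_posts(ENTRIES))
```

On real logs, run it per virtual host and expect the IP that planted the script and the IPs that later use it to differ; the second attacker above has no history at all, which is exactly the "randomized IP" case, so the entry point has to be read off the IP that made the POST, not off the IPs hitting the script.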

And the client ought to follow the instructions from ZenCart here:

http://www.zen-cart.com/forum/showthread.php?t=130161

Keep abreast of the hacks as they come out — it’s always cat and mouse, but there’s no reason to lag too far behind!
