Solved

Data Modification Through the URL Website Security Attacks

Posted on 2008-06-24
Last Modified: 2012-06-22
One of our corporate websites is being attacked as the hacker attempts to insert various website URLs into the corporate website's URL. The attack is not succeeding in changing the corporate website address but the attack is causing the server the website is on to reboot.

What are some steps that can be taken to prevent this from occurring? Also, is it possible to tell if the URLs are being computer generated? Any other forensic info you can provide about the attacking URLs is appreciated.

Here are some samples of the attacking URLs:

{ URLs removed by PenguinMod, EE Moderator }
Question by:computerese
Accepted Solution

by:
ahoffmann earned 500 total points
ID: 21868193
> What are some steps that can be taken to prevent this from occurring?
Install a WAF, but better, make your code secure.

> Also, is it possible to tell if the URL are being computer generated?
No (as any URL is computer generated, obviously?)

> Any other forensic info you can provide about the attacking URL's is appreciated.
All you can do is install some kind of blacklist (or better, a whitelist) at your WAF. A proxy may also do it.

Author Comment

by:computerese
ID: 21877767
I have begun to research ahoffmann's suggestion about a WAF. There are different types and makers employing different technologies (static, dynamic, etc.). I am examining some such as Fortify Software Defender and Imperva Secure Sphere. I would be interested in hearing your thoughts on these.

When I said "computer generated" what I meant was whether these sites were part of an automated attack process, such as the automated SQL injection attack that exploited a vulnerability in Microsoft SQL Server, which in January 2008 infected tens of thousands of PCs.

I am reposting the attacking link information; these are from our log files:

Expert Comment

by:ahoffmann
ID: 21905745
> I am examining some such as Fortify Software Defender
This is not a WAF but a source code analyzer.
Keep in mind that such tools will only find "static" flaws such as code injections, but not logical flaws like problems with session management.

> .. and Imperva Secure Sphere.
This isn't a WAF either; it's more like an IPS.

If you want real-time protection, you need a WAF (or secure code which is not vulnerable :-)

That said, a WAF is also not bulletproof protection, but it helps to get rid of a lot of attacks.

> .. part of an automated attack process
As these requests are all legal requests (according to HTTP standards), you cannot qualify such a request as an attack.
However, a WAF or IPS might detect it either by identifying an illegal value for these parameters (Target, ID, for example) or by time analysis (a human won't fire a lot of such requests in a few seconds).
While a WAF will block each request immediately, the IPS needs to learn and hence passes a few of them until it blocks.

Hope this helps.

----------
@EE Moderator, I don't see any dangerous information in the posted links, hence no need to delete them again ;-)
If you decide to delete them anyway, please make a comment with these links and mark it as "deleted" later. This way the information is hidden from common users but visible to PE, admin, mods, etc.
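The two detection signals described in the comment above (an illegal value for a parameter such as Target or ID, and many such requests within a few seconds), as an added example that is not part of the original thread. The allowlist patterns, the window and threshold, and the sample log entries are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from urllib.parse import parse_qsl

# Assumed allowlist; the thread does not say what legal values look like.
ALLOWED = {
    "ID": re.compile(r"\d{1,10}"),                         # numeric record id
    "Target": re.compile(r"/(?!/)[A-Za-z0-9_\-./]{0,200}"),  # site-relative path
}

def illegal_params(query):
    """Names of parameters that are unknown or whose decoded value fails its rule."""
    bad = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = ALLOWED.get(name)
        if rule is None or not rule.fullmatch(value) or ".." in value:
            bad.append(name)
    return bad

def burst_clients(entries, window=10, threshold=3):
    """Clients with >= threshold illegal requests inside `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, client, query in sorted(entries):
        if not illegal_params(query):
            continue
        hits = recent[client]
        hits.append(ts)
        while ts - hits[0] > window:   # drop hits older than the window
            hits.popleft()
        if len(hits) >= threshold:
            flagged.add(client)
    return flagged

# Constructed sample entries: (epoch seconds, client IP, URI query string).
SAMPLE = [
    (100, "192.0.2.10", "ID=42"),
    (101, "198.51.100.7", "Target=http%3A%2F%2Fexample.com%2Fa%2Fb%2F"),
    (102, "198.51.100.7", "ID=http%3A%2F%2Fexample.net%2Fc%2Fd%2F"),
    (104, "198.51.100.7", "Target=%2F%2Fexample.org%2Fx"),
    (105, "192.0.2.10", "Target=/products/list.html"),
    (300, "192.0.2.10", "Target=http://example.com"),
]

if __name__ == "__main__":
    for ts, client, query in SAMPLE:
        print(ts, client, illegal_params(query) or "ok")
    print("burst sources:", sorted(burst_clients(SAMPLE)))
```

The same per-parameter rules can be enforced in the application itself, which is the "secure code" option the answer prefers over relying on a WAF alone.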