Data Modification Through the URL Website Security Attacks

Posted on 2008-06-24
Last Modified: 2012-06-22
One of our corporate websites is being attacked as the hacker attempts to insert various website URLs into the corporate website's URL. The attack is not succeeding in changing the corporate website address, but the attack is causing the server the website is on to reboot.

What are some steps that can be taken to prevent this from occurring? Also, is it possible to tell if the URLs are being computer generated? Any other forensic info you can provide about the attacking URLs is appreciated.

Here are some samples of the attacking URLs:

{ URLs removed by PenguinMod, EE Moderator }
Question by:computerese
6 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 21868193
> What are some steps that can be taken to prevent this from occurring?
install a WAF
but better make your code secure

> Also, is it possible to tell if the URL are being computer generated?
no (as any URL is computer generated, obviously?)

> Any other forensic info you can provide about the attacking URL's is appreciated.
all you can do is to install some kind of blacklist (or better whitelist) at your WAF. a proxy may also do it.
0
 

Author Comment

by:computerese
ID: 21877767
I have begun to research ahoffmann's suggestion about a WAF. There are different types and makers employing different technologies (static, dynamic, etc.). I am examining some such as Fortify Software Defender and Imperva Secure Sphere. Would be interested in hearing your thoughts on these.

When I said "computer generated" what I meant was whether these sites were part of an automated attack process, such as the automated SQL injection attack that exploited a vulnerability in Microsoft SQL Server, which in January 2008 infected tens of thousands of PCs.

I am reposting the attacking link information; these are from our log files:

URI Query
Target=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F
Target=http%3A%2F%2Fstoneproperties.co.uk%2Falbum%2Fincludes%2Fnohul%2Fzojaz%2F
Target=http%3A%2F%2Fmslayouts.ws%2Ficons%2Fadministrator%2Fcomponents%2Fcom_menus%2Fetotag%2Fqeba%2F
ID=http%3A%2F%2Fwww.landisempach-emmen.ch%2Faktionen%2Fimage%2Fezu%2Fseq%2F
ID=http%3A%2F%2Fwww.thoseguysfilms.com%2Fforums%2Ftemplates%2FsubSilver%2Fimages%2Ftimuji%2Fjaborat%2F
ID=http%3A%2F%2Fwww.qubestunes.com%2Ftreytest%2F1%2Fadoyuru%2Falameja%2F
Target=http%3A%2F%2Fwww.pattibus.it%2Fphplib-7.2b%2Fpages%2Fgodot%2Folule%2F
Target=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fpivafof%2Fmibi%2F
Target=http%3A%2F%2Fwww.totkom.com%2Fsklep%2Fadmin%2Fincludes%2Fclasses%2Fcohiru%2Fneyuzah%2F
ID=http%3A%2F%2Fwww.sfolly.net%2Fchat%2Fdata%2Fpublic%2Fuvudap%2Fome%2F
ID=http%3A%2F%2Fwww.jyvaskylankirjastot.fi%2Fyhteistyo%2Fwd%2Fmuji%2Frenula%2Fxejado%2F
ID=http%3A%2F%2Fwww.thoseguysfilms.com%2Fforums%2Ftemplates%2FsubSilver%2Fimages%2Ftimuji%2Fjaborat%2F
Target=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fpivafof%2Fmibi%2F
Target=http%3A%2F%2Fwww.stomol.ru%2Fcatalog%2Frivoz%2Fifewaf%2F
Target=http%3A%2F%2Fwww.qualitas1988.com%2Fimages%2Feditor%2F.thumbs%2Fsowem%2Fmudi%2F
ID=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fyeni%2Faxiyeba%2Ftebe%2F
ID=http%3A%2F%2Fwww.qualitas1988.com%2Fimages%2Feditor%2F.thumbs%2Fsowem%2Fmudi%2F
ID=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fyeni%2Faxiyeba%2Ftebe%2F
Target=http://www.yahoo.com
Target=http%3A%2F%2Fwww.tureksfuar.com.tr%2Fyeni%2Faxiyeba%2Ftebe%2F
Target=http%3A%2F%2Fwww.jyvaskylankirjastot.fi%2Fyhteistyo%2Fwd%2Fmuji%2Frenula%2Fxejado%2F
Target=http%3A%2F%2Fwww.psikolojikyardim.org%2Fetkinlik%2Finclude%2Feto%2Frix%2Fjas%2F
ID=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fpivafof%2Fmibi%2F
ID=http%3A%2F%2Fsans-packing.ru%2Fimg%2Fjipeqap%2Fehudute%2F
ID=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fokup%2F
path=http://vize2007.802.11abg.net/tut.bo??
Target=http%3A%2F%2Fwww.blankner.ocps.net%2Fmedia%2Fyeloc%2Frepaw%2F
Target=http%3A%2F%2Fwww.meijers.com%2Fimages%2Fproducts%2Fubemebe%2Facuj%2F
Target=http%3A%2F%2Fwww.polarflug.de%2Fsources%2Fsinokof%2Fcopaxan%2F
ID=http%3A%2F%2Ftargi.pc-tuning.pl%2Fimages%2Fnews%2Faqa%2Fcib%2F
ID=http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Femesuki%2Flewu%2F
ID=http%3A%2F%2Fwww.sibstro.ru%2Fdom%2Fdomimg%2Fpife%2Fegemo%2F
Target=http%3A%2F%2Frabotnitsa.ru%2Fjoomla__%2Fadministrator%2Fbackups%2Farim%2Fzaf%2F
Target=http%3A%2F%2Fwww.channelnewsperu.com%2Fimagenes%2Fpublicaciones%2Ffotos%2Femesuki%2Flewu%2F
Target=http%3A%2F%2Fchyngachanga.ru%2Fcontent%2Fwuge%2Fokup%2F
ID=http%3A%2F%2Fwww.oriolmanya.net%2Fnautilus%2FphpBB2%2Flanguage%2Flang_english%2Fifekeri%2Fcekogah%2F
ID=http%3A%2F%2Fwww.polisgrandhotel.gr%2F_cm_admin%2Fmaillist%2Feditor%2Fplugins%2Fcore%2Fdialogs%2Fqunik%2Favacu%2F
ID=http%3A%2F%2Fwww.uxbridgerotary.org%2Fsurvey%2Ftmp%2Fisefa%2Fnowu%2Fyocav%2F
Target=http%3A%2F%2Fwww.jyvaskylankirjastot.fi%2Fyhteistyo%2Fwd%2Fmuji%2Frenula%2Fxejado%2F
Target=http%3A%2F%2Fwww.bowlaw.com%2Fpractice_areas%2Fogi%2Fiteyu%2F
Target=http%3A%2F%2Fwww.ce-enterprise.com%2Finetonlinetk%2Fshop%2Ffiles%2Fimg%2Flogo_DarkBlueStyle%2Fgoge%2Foxag%2F
ID=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F
ID=http%3A%2F%2Fwww.foicr.org%2Fwork%2Fmulito%2Fyiqosu%2F
ID=http%3A%2F%2Fwww.vlopezalvarez.com%2FPersonal%2FFotos%2FViajes%2Fxaj%2Focaceg%2F

0
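The log lines above all have the same shape: a parameter such as Target, ID or path whose value is a complete external URL, which is what a remote file inclusion (RFI) probe looks like when a scanner guesses the name of an include parameter. The following script is an added example, not code from the thread or from any product named in it; it URL-decodes a handful of the posted query strings (plus two constructed benign entries for contrast), flags every parameter whose decoded value is an absolute URL, and tallies how often each staging host recurs under different parameter names. Function names and the summary layout are my own choices.

```python
"""Triage of RFI-shaped query strings from a web server log.

Added example for this thread.  SAMPLE_QUERIES copies a subset of the query
strings posted above and adds two constructed benign entries as controls.
"""

from collections import Counter
from urllib.parse import parse_qsl, urlsplit

SAMPLE_QUERIES = [
    # copied from the posted log excerpt
    "Target=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F",
    "ID=http%3A%2F%2Fwww.thoseguysfilms.com%2Fforums%2Ftemplates%2FsubSilver%2Fimages%2Ftimuji%2Fjaborat%2F",
    "Target=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fpivafof%2Fmibi%2F",
    "ID=http%3A%2F%2Fwww.elettrodataservice.it%2Ffoto_articoli%2Fpivafof%2Fmibi%2F",
    "Target=http://www.yahoo.com",
    "path=http://vize2007.802.11abg.net/tut.bo??",
    "ID=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F",
    # constructed benign controls, not from the log
    "page=about",
    "ID=42",
]


def remote_url_params(query):
    """Return [(param, decoded_value)] for every parameter whose value is an
    absolute URL (scheme plus host).  Relative paths and plain IDs are ignored."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        parts = urlsplit(value)
        if parts.scheme in ("http", "https", "ftp") and parts.netloc:
            hits.append((name, value))
    return hits


def triage(queries):
    """Aggregate the flagged requests: which parameter names the scanner is
    guessing, which hosts stage the payload, and which hosts are reused under
    more than one parameter name (a sign of a scripted sweep rather than a
    person typing URLs)."""
    param_names = Counter()
    hosts = Counter()
    names_per_host = {}
    flagged = 0
    for query in queries:
        hits = remote_url_params(query)
        if hits:
            flagged += 1
        for name, url in hits:
            host = urlsplit(url).hostname
            param_names[name] += 1
            hosts[host] += 1
            names_per_host.setdefault(host, set()).add(name)
    reused = sorted(h for h, names in names_per_host.items() if len(names) > 1)
    return {
        "flagged": flagged,
        "total": len(queries),
        "param_names": dict(param_names),
        "hosts": dict(hosts),
        "reused_across_params": reused,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_QUERIES)
    print(f"{summary['flagged']} of {summary['total']} requests carry a remote URL")
    print("parameter names probed:", summary["param_names"])
    print("staging hosts:", summary["hosts"])
    print("hosts reused under several parameter names:", summary["reused_across_params"])
```

On the posted sample the same staging URL shows up under both Target and ID, and the two benign controls are left alone; in a real log you would run `remote_url_params` over the query part of every access-log line and key the counts by source address as well.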
 
LVL 51

Expert Comment

by:ahoffmann
ID: 21905745
> I am examining some such as Fortify Software Defender
this is not a WAF but a source code analyzer
Keep in mind that such tools will only find "static" flaws such as code injections, but not logical flaws like problems with session management

> .. and Imperva Secure Sphere.
this isn't a WAF either, it's more like an IPS

If you want real time protection, you need a WAF (or secure code which is not vulnerable:-)

Said this, a WAF is also not a bullet proof protection, but helps to get rid of a lot of attacks.

> .. part of an automated attack process
as these requests are all legal requests (according to HTTP standards), you cannot qualify such a request as an attack.
However, a WAF or IPS might detect it either due to identifying an illegal value for these parameters (Target, ID, for example) or due to time analysis (a human won't fire a lot of such requests in a few seconds).
While a WAF will block each request immediately, the IPS needs to learn and hence pass a few of them 'til it blocks.

Hope this helps.

----------
@EE Moderator, I don't see any dangerous information in the posted links, hence no need to delete them again ;-)
If you decide to delete them anyway, please make a comment with these links and mark it as "deleted" later. This way the information is hidden to common users but visible for PE, admin, mods, etc..
0
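The two detection approaches named in the answer above, an illegal-value check on the guessed parameters and a time-based check on repeated hits, can be expressed as a small request filter. The code below is an added example and is not from the thread or from any WAF or IPS product mentioned in it. The parameter names Target, ID and path come from the posted log lines; the whitelist pattern, the window of 10 seconds, the limit of 5 rejected requests, the client addresses and the function names are assumptions for illustration.

```python
"""WAF-style filter: whitelist the guarded parameters, then rate-limit clients
that keep sending illegal values.

Added example for this thread; thresholds and names are illustrative.
"""

import re
from collections import defaultdict, deque
from urllib.parse import parse_qsl, urlsplit

# Parameters that the application only ever expects to carry a local value.
# Taken from the parameter names seen in the posted log lines.
GUARDED_PARAMS = {"target", "id", "path"}

# Whitelist for a guarded value: a short token or relative path of safe
# characters.  No scheme, no host, no traversal (assumed shape).
LOCAL_VALUE = re.compile(r"^[A-Za-z0-9_/][A-Za-z0-9_./-]{0,63}$")

RATE_WINDOW_SECONDS = 10   # assumed
RATE_LIMIT = 5             # rejected requests per window before the client is cut off (assumed)


class RequestFilter:
    def __init__(self, window=RATE_WINDOW_SECONDS, limit=RATE_LIMIT):
        self.window = window
        self.limit = limit
        self._rejections = defaultdict(deque)  # client -> timestamps of rejected requests
        self._banned = {}                      # client -> timestamp when the ban expires

    @staticmethod
    def illegal_value(name, value):
        """True when a guarded parameter carries something other than a local value."""
        if name.lower() not in GUARDED_PARAMS:
            return False
        parts = urlsplit(value)
        if parts.scheme or parts.netloc or value.startswith("//"):
            return True          # absolute, scheme-relative or wrapper URL: remote include attempt
        if ".." in value:
            return True          # traversal toward a local file
        return LOCAL_VALUE.fullmatch(value) is None

    def evaluate(self, client, ts, query):
        """Decide one request.  Returns ('allow'|'block', reason).

        An illegal value is blocked immediately (WAF behaviour); once a client
        has accumulated `limit` rejections inside `window` seconds, every
        further request from it is blocked for another window (time analysis)."""
        expiry = self._banned.get(client)
        if expiry is not None and ts < expiry:
            return "block", "client rate-limited"
        for name, value in parse_qsl(query, keep_blank_values=True):
            if self.illegal_value(name, value):
                self._record_rejection(client, ts)
                return "block", f"illegal value for {name}"
        return "allow", "ok"

    def _record_rejection(self, client, ts):
        history = self._rejections[client]
        history.append(ts)
        while history and ts - history[0] > self.window:
            history.popleft()
        if len(history) >= self.limit:
            self._banned[client] = ts + self.window


def demo():
    """Replay a constructed burst from one client, then a normal request from another."""
    f = RequestFilter()
    burst = [  # first five copied from the posted log, last one is a benign constructed request
        "Target=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F",
        "ID=http%3A%2F%2Fwww.thoseguysfilms.com%2Fforums%2Ftemplates%2FsubSilver%2Fimages%2Ftimuji%2Fjaborat%2F",
        "Target=http://www.yahoo.com",
        "path=http://vize2007.802.11abg.net/tut.bo??",
        "ID=http%3A%2F%2Fmojazubarka.sk%2Ftest%2Fadmin%2Fsicaqe%2Fjufoxir%2F",
        "page=about",
    ]
    decisions = [f.evaluate("203.0.113.7", t, q) for t, q in enumerate(burst)]   # client address assumed
    decisions.append(f.evaluate("198.51.100.9", 5, "ID=42"))                     # unrelated client, assumed
    return decisions


if __name__ == "__main__":
    for decision, reason in demo():
        print(decision, "-", reason)
```

Each remote URL in the burst is refused on its own; the sixth request from the same client is harmless in itself but is refused because the client has just been rate-limited, while the other client's plain `ID=42` passes. The whitelist is deliberately stricter than "not a URL": rejecting anything that is not a known-good shape is what closes the gap left by a blacklist of schemes.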
