
Data Modification Through the URL Website Security Attacks

Posted on 2008-06-24
Last Modified: 2012-06-22
One of our corporate websites is being attacked as the hacker attempts to insert various website URLs into the corporate website's URL. The attack is not succeeding in changing the corporate website address but the attack is causing the server the website is on to reboot.

What are some steps that can be taken to prevent this from occurring? Also, is it possible to tell if the URLs are being computer generated? Any other forensic info you can provide about the attacking URLs is appreciated.

Here are some samples of the attacking URLs:

{ URLs removed by PenguinMod, EE Moderator }
Question by:computerese
LVL 51

Accepted Solution

by:
ahoffmann earned 2000 total points
ID: 21868193
> What are some steps that can be taken to prevent this from occurring?
install a WAF
but better make your code sure

> Also, is it possible to tell if the URLs are being computer generated?
no (as any URL is computer generated, obviously?)
 
> Any other forensic info you can provide about the attacking URLs is appreciated.
anything you can do is to install some kind of blacklist (or better whitelist) at your WAF. a proxy may also do it.

Author Comment

by:computerese
ID: 21877767
I have begun to research ahoffmann's suggestion about a WAF. There are different types and makers employing different technologies (static, dynamic, etc.). I am examining some such as Fortify Software Defender and Imperva Secure Sphere. Would be interested in hearing your thoughts on these.

When I said "computer generated" what I meant was whether these sites were part of an automated attack process, such as the automated SQL injection attack that exploited a vulnerability in Microsoft SQL Server, which in January 2008 infected tens of thousands of PCs.

I am reposting the attacking link information; these are from our log files:

LVL 51

Expert Comment

by:ahoffmann
ID: 21905745
> I am examining some such as Fortify Software Defender
this is not a WAF but a source code analyzer
Keep in mind that such tools will only find "static" flaws such as code injections, but not logical flaws like problems with session management

> .. and Imperva Secure Sphere.
this isn't a WAF either, it's more like an IPS

If you want real time protection, you need a WAF (or secure code which is not vulnerable:-)

Said this, a WAF is also not a bullet proof protection, but helps to get rid of a lot of attacks.

> .. part of an automated attack process
as these requests are all legal requests (according to HTTP standards), you cannot qualify such a request as an attack.
However, a WAF or IPS might detect it either due to identifying an illegal value for these parameters (Target, ID, for example) or due to time analyses (a human won't fire a lot of such requests in a few seconds).
While a WAF will block each request immediately, the IPS needs to learn and hence pass a few of them 'til it blocks.

Hope this helps.

----------
@EE Moderator, I don't see any dangerous information in the posted links, hence no need to delete them again ;-)
If you decide to delete them anyway, please make a comment with these links and mark it as "deleted" later. This way the information is hidden to common users but visible for PE, admin, mods, etc..
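
The two detection ideas raised in this thread, a whitelist of legal values per parameter (accepted solution) and time analysis of request bursts (the comment above), shown together as an added example that is not code from any poster or product. The per-parameter rules, the window and threshold, and the log records are constructed assumptions; only the parameter names Target and ID come from the thread.

```python
from collections import defaultdict
from urllib.parse import parse_qsl

# Constructed sample records (epoch seconds, client IP, URI query); not the thread's logs.
SAMPLE_LOG = [
    (1000, "198.51.100.7", "Target=http%3A%2F%2Fsite-a.example%2Fimg%2Fx%2F"),
    (1001, "198.51.100.7", "ID=http%3A%2F%2Fsite-b.example%2Ftmp%2Fy%2F"),
    (1002, "198.51.100.7", "Target=http%3A%2F%2Fsite-c.example%2Fz%2F"),
    (1003, "203.0.113.20", "ID=4711"),
    (1300, "203.0.113.20", "Target=%2Fproducts%2Flist"),
    (1400, "203.0.113.21", "Target=//site-d.example/x"),
]

def is_local_path(value):
    """Accept only a same-site path: rooted at '/', no '//host' form, no backslashes."""
    return (value.startswith("/") and not value.startswith("//")
            and "\\" not in value)

# Assumed whitelist: what each parameter may legitimately contain (hypothetical rules).
RULES = {
    "id": lambda v: v.isascii() and v.isdigit() and len(v) <= 10,
    "target": is_local_path,
}

def violations(query):
    """Names of parameters that are unknown or whose decoded value fails its rule."""
    bad = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = RULES.get(name.lower())
        if rule is None or not rule(value):
            bad.append(name)
    return bad

def burst_clients(records, window=10, threshold=3):
    """Clients with at least `threshold` violating requests inside `window` seconds."""
    hits = defaultdict(list)
    for ts, ip, query in records:
        if violations(query):
            hits[ip].append(ts)
    flagged = set()
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(ip)
                break
    return flagged
```

`violations()` is the per-request check a WAF rule would apply before the request reaches the application; `burst_clients()` is the after-the-fact rate view over a log.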