Solved

Data Modification Through the URL Website Security Attacks

Posted on 2008-06-24
Last Modified: 2012-06-22
One of our corporate websites is being attacked as the hacker attempts to insert various website URLs into the corporate website's URL. The attack is not succeeding in changing the corporate website address but the attack is causing the server the website is on to reboot.

What are some steps that can be taken to prevent this from occurring? Also, is it possible to tell if the URLs are being computer generated? Any other forensic info you can provide about the attacking URLs is appreciated.

Here are some samples of the attacking URLs:

{ URLs removed by PenguinMod, EE Moderator }
Question by:computerese
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 21868193
> What are some steps that can be taken to prevent this from occurring?
install a WAF
but better make your code sure

> Also, is it possible to tell if the URL are being computer generated?
no (as any URL is computer generated, obviously?)
 
> Any other forensic info you can provide about the attacking URL's is appreciated.
anything you can do is to install some kind of blacklist (or better whitelist) at your WAF. a proxy may also do it.

Author Comment

by:computerese
ID: 21877767
I have begun to research ahoffmann's suggestion about a WAF. There are different types and makers employing different technologies (static, dynamic, etc.). I am examining some such as Fortify Software Defender and Imperva Secure Sphere. Would be interested in hearing your thoughts on these.

When I said "computer generated" what I meant was whether these sites were part of an automated attack process, such as the automated SQL injection attack that exploited a vulnerability in Microsoft SQL Server, which in January 2008 infected tens of thousands of PCs.

I am reposting the attacking link information; these are from our log files:

LVL 51

Expert Comment

by:ahoffmann
ID: 21905745
> I am examining some such as Fortify Software Defender
this is not a WAF but a source code analyzer
Keep in mind that such tools will only find "static" flaws such as code injections, but not logical flaws like problems with session management.

> .. and Imperva Secure Sphere.
this isn't a WAF either, it's more like an IPS

If you want real time protection, you need a WAF (or secure code which is not vulnerable:-)

Said this, a WAF is also not a bullet proof protection, but helps to get rid of a lot of attacks.

> .. part of an automated attack process
as these requests are all legal requests (according to HTTP standards), you cannot qualify such a request as an attack.
However, a WAF or IPS might detect it either due to identifying an illegal value for these parameters (Target, ID, for example) or due to time analyses (a human won't fire a lot of such requests in a few seconds).
While a WAF will block each request immediately, the IPS needs to learn and hence pass a few of them 'til it blocks.

Hope this helps.

----------
@EE Moderator, I don't see any dangerous information in the posted links, hence no need to delete them again ;-)
If you decide to delete them anyway, please make a comment with these links and mark it as "deleted" later. This way the information is hidden to common users but visible for PE, admin, mods, etc..
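
Added example, not part of the original thread or any product mentioned in it: a log check that combines the two signals ahoffmann describes, an allowlist on the values of the Target and ID parameters and a time analysis per client. The log line layout, the allowlisted host, the thresholds and every sample line are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Assumed values, not from the thread: tune them to the application.
WATCHED_PARAMS = {"target", "id"}      # parameters named in the answer
ALLOWED_HOSTS = {"www.example.com"}    # placeholder for the site's own hosts
BURST_COUNT, BURST_WINDOW = 3, 10      # flagged requests within N seconds

def remote_url_params(query):
    """Return (param, host) pairs whose decoded value is a URL to a host off the allowlist."""
    hits = []
    for name, value in parse_qsl(query):           # parse_qsl percent-decodes
        if name.lower() not in WATCHED_PARAMS:
            continue
        try:
            host = (urlsplit(value.strip()).hostname or "").lower()
        except ValueError:                         # malformed authority part
            host = "<unparseable>"
        if host and host not in ALLOWED_HOSTS:
            hits.append((name, host))
    return hits

def analyse(lines):
    """Return (flagged requests, client IPs with a burst of flagged requests)."""
    flagged, times = [], defaultdict(list)
    for line in lines:
        date, clock, ip, path, query = line.split()
        hits = remote_url_params(query)
        if hits:
            when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
            flagged.append((ip, path, hits))
            times[ip].append(when.timestamp())
    bursty = set()
    for ip, ts in times.items():
        ts.sort()
        # Sliding window: BURST_COUNT flagged requests inside BURST_WINDOW seconds.
        if any(ts[i + BURST_COUNT - 1] - ts[i] <= BURST_WINDOW
               for i in range(len(ts) - BURST_COUNT + 1)):
            bursty.add(ip)
    return flagged, bursty

# Constructed sample lines, layout: date time client-ip path query
SAMPLE_LOG = [
    "2008-06-24 10:00:01 203.0.113.7 /page.asp Target=http%3A%2F%2Fa.invalid%2Fx%2Fy%2F",
    "2008-06-24 10:00:02 203.0.113.7 /page.asp ID=%2F%2Fb.invalid%2Fq%2F",
    "2008-06-24 10:00:03 203.0.113.7 /page.asp Target=http%3A%2F%2Fc.invalid%2Fq%2F",
    "2008-06-24 10:03:00 198.51.100.20 /page.asp ID=42&Target=http%3A%2F%2Fwww.example.com%2Fhome",
    "2008-06-24 10:05:00 198.51.100.20 /page.asp Target=http://e.invalid/",
]
```

`analyse(SAMPLE_LOG)` returns the flagged requests and the set of clients whose flagged requests arrived in a burst; the same per-parameter check can serve as input validation in the application itself, rejecting the request before the value is used.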