Solved

Data Modification Through the URL Website Security Attacks

Posted on 2008-06-24
Last Modified: 2012-06-22
One of our corporate websites is being attacked as the hacker attempts to insert various website URLs into the corporate website's URL. The attack is not succeeding in changing the corporate website address, but the attack is causing the server the website is on to reboot.

What are some steps that can be taken to prevent this from occurring? Also, is it possible to tell if the URLs are being computer generated? Any other forensic info you can provide about the attacking URLs is appreciated.

Here are some samples of the attacking URLs:

{ URLs removed by PenguinMod, EE Moderator }
Question by:computerese

Accepted Solution

by:
ahoffmann earned 500 total points
> What are some steps that can be taken to prevent this from occurring?
Install a WAF,
but better make your code secure.

> Also, is it possible to tell if the URLs are being computer generated?
No (as any URL is computer generated, obviously?)

> Any other forensic info you can provide about the attacking URLs is appreciated.
Anything you can do is to install some kind of blacklist (or better, whitelist) at your WAF. A proxy may also do it.

Author Comment

by:computerese
I have begun to research ahoffmann's suggestion about a WAF. There are different types and makers employing different technologies (static, dynamic, etc.). I am examining some such as Fortify Software Defender and Imperva Secure Sphere. Would be interested in hearing your thoughts on these.

When I said "computer generated" what I meant was whether these sites were part of an automated attack process, such as the automated SQL injection attack that exploited a vulnerability in Microsoft SQL Server, which in January 2008 infected tens of thousands of PCs.

I am reposting the attacking link information; these are from our log files:

Expert Comment

by:ahoffmann
> I am examining some such as Fortify Software Defender
This is not a WAF but a source code analyzer.
Keep in mind that such tools will only find "static" flaws such as code injections, but not logical flaws like problems with session management.

> .. and Imperva Secure Sphere.
This isn't a WAF either; it's more like an IPS.

If you want real-time protection, you need a WAF (or secure code which is not vulnerable :-)

That said, a WAF is also not bulletproof protection, but it helps to get rid of a lot of attacks.

> .. part of an automated attack process
As these requests are all legal requests (according to HTTP standards), you cannot qualify such a request as an attack.
However, a WAF or IPS might detect it either due to identifying an illegal value for these parameters (Target, ID, for example) or due to time analyses (a human won't fire a lot of such requests in a few seconds).
While a WAF will block each request immediately, the IPS needs to learn and hence passes a few of them 'til it blocks.

Hope this helps.

----------
@EE Moderator, I don't see any dangerous information in the posted links, hence no need to delete them again ;-)
If you decide to delete them anyway, please make a comment with these links and mark it as "deleted" later. This way the information is hidden to common users but visible for PE, admin, mods, etc..
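
The two detection ideas in the comment above (an illegal value for a parameter such as Target or ID, and too many such requests within a few seconds), as an added example that is not part of the original thread. The allowlist rules, the window and threshold, and the log-record layout are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qsl

# Assumed allowlist: what each parameter may legitimately contain.
ALLOWED = {
    "id": re.compile(r"\d{1,10}"),                # numeric record id
    "target": re.compile(r"/[A-Za-z0-9_\-./]*"),  # site-relative path only
}
WINDOW, BURST = timedelta(seconds=10), 3  # assumed burst window and threshold

# Constructed sample records: (timestamp, client address, query string).
SAMPLE = [
    ("2008-06-24T10:00:00", "192.0.2.10", "ID=1042"),
    ("2008-06-24T10:00:01", "198.51.100.7", "Target=http%3A%2F%2Fexample.test%2Fa%2Fb%2F"),
    ("2008-06-24T10:00:02", "198.51.100.7", "ID=http%3A%2F%2Fexample.test%2Fa%2Fb%2F"),
    ("2008-06-24T10:00:03", "198.51.100.7", "Target=http://example.test/"),
    ("2008-06-24T10:00:05", "192.0.2.10", "Target=/products/list.asp"),
    ("2008-06-24T10:05:00", "192.0.2.44", "Target=%2F%2Fexample.test%2Fx"),
]

def invalid_params(query):
    """Return the names of parameters whose decoded value fails the allowlist."""
    bad = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # percent-decodes
        rule = ALLOWED.get(name.lower())
        # Unknown parameters are rejected; "//" also catches scheme-relative URLs.
        if rule is None or not rule.fullmatch(value) or "//" in value:
            bad.append(name)
    return bad

def analyse(records):
    """Time-ordered records -> (rejected requests, clients sending bursts of them)."""
    rejected, bursty, recent = [], set(), defaultdict(deque)
    for ts, ip, query in records:
        bad = invalid_params(query)
        if not bad:
            continue
        when = datetime.fromisoformat(ts)
        rejected.append((ts, ip, bad))
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:  # drop rejections older than the window
            q.popleft()
        if len(q) >= BURST:
            bursty.add(ip)
    return rejected, bursty

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

The per-request check corresponds to a whitelist enforced at the WAF or in the application; the burst check is the kind of time analysis that only fires after several requests have already been seen.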