Security Basics mailing list archives
Re: Part of the web page being MODIFIED !
From: Bryan Wagstaff <bryanw () xmission com>
Date: Tue, 26 Nov 2002 11:23:51 -0700
Quoting Frank Cheong <chocobofrank () hotmail com>:
I received complains regarding one of the image on my web site has been modified by a PORN picture ! While the image have resumed normal during the second visit.
You say you have had complaints, but don't state if you have seen it or not. Can YOU repeat the problem?
Therefore, the image haven't been modified. So I do want to know what is the possibilities in doing this ? (Like HTTP session hijack, proxy poisoning, someone doing man in the middle etc) any other ways to do that ?
There are many ways of that sort of thing happening, but you need to do more research to find it. If this is something you can verify and repeat, I would first check your local machine. Has the machine been compromized? If no, are you sure? If using unmodified versions of the http server, do the checksums match those of the source? (assuming you are using Apache or some other Free/Open server) When posting back to the group, please include the versions of the software you are using. Does the problem appear on another similarly configured machine?
As these activities mostly happens outside my server boundry, I assume I can't do anything with it, how about any outside parties ?
You say 'mostly happens outside my server boundary'. Please be more specific. Do those outside your network ALWAYS see the corrupted pages then the proper image? Does everyone inside your network see the corrupted pages? If only some machines inside your 'server boundary' see the corrupted pages, are those machines within a NAT device? For example, are machines within a 192.168.1.* seeing the corrupted pages while 192.168.0.* are seeing the original?
As I know going for SSL maybe one of the alternative to stop this but this will add on extra processing on my website and it will make it slow. So I don't want to go for it, any other way to secure against this ?
You need to know where the problem is beore you can fix it. Right now I would say you have some script kiddie playing with the site, but I wouldn't remove other posibilities without more research. If you have a corrupted web server, moving to SSL would not solve the problem, it would actually make it appear that you are intentionally sending the images. For the man-in-the-middle attack, you could test that out by changes to your network or Internet connections. If you are a small business, your ISP would probably help. If someone were performing a targeted man-in-the-middle attack, you need to have a trusted root CA give you a cert. (If you have a self-signed or unsigned cert, then they could easily forge one.) If you don't already have one, those can take a little work and money to get. Best of luck! bryanw () xmission com --
Current thread:
- Part of the web page being MODIFIED ! Frank Cheong (Nov 26)
- Re: Part of the web page being MODIFIED ! Lim Ghee Lam (Nov 26)
- Re: Part of the web page being MODIFIED ! frank (Nov 26)
- Re: Part of the web page being MODIFIED ! Lim Ghee Lam (Nov 26)
- Re: Part of the web page being MODIFIED ! frank (Nov 26)
- Re: Part of the web page being MODIFIED ! frank (Nov 26)
- Re: Part of the web page being MODIFIED ! Lim Ghee Lam (Nov 26)
- RE: Part of the web page being MODIFIED ! sanjay . patel (Nov 26)
- RE: Part of the web page being MODIFIED ! Mike Dresser (Nov 26)
- Re: Part of the web page being MODIFIED ! phani (Nov 26)
- Re: Part of the web page being MODIFIED ! Johannes Ullrich (Nov 27)
- Re: Part of the web page being MODIFIED ! Bryan Wagstaff (Nov 26)
- <Possible follow-ups>
- RE: Part of the web page being MODIFIED ! Chris Santerre (Nov 28)