Re: Malicious code just found on web server

[Gadi Evron <ge () linuxbox org>]

Mike Lewinski wrote:
> Paul Ferguson wrote:
>
> > Most likely SQL injection. At any given time, there are hundreds of
> > thousands of "legitimate" websites out there that are unwittingly 
> > harboring
> > malicious code.
>
> Most of the MS-SQL injection attacks we see write malicious javascript 
> into the DB itself so all query results include it. However, I'm not 
> sure how easy it is to leverage to get system access - we've seen a 
> number of compromised customer machines and there didn't appear to be 
> any further compromise of them beyond the obvious. In the OP's case it 
> sounds like static HTML files were altered. My bet is that an ftp or ssh 
> account was brute forced.

Many web hosting farm are just huge botnets all on their own. Web server 
botnets made of IIS and Apache servers.

While that malicious code could have been uploaded using an SQL 
injection or a server software vulnerability, one of the attacks seen 
most often is PHP file inclusion.

This is a really big problem for web hosting service providers, but even 
While at first this thread was about helping a fellow operator, I see 
how this has become off-topic for NANOG as it deals with web server 
database and software security rather than operationally how to handle 
such infestations.

For those interested, I wrote an article on these types of attacks back 
when I worked for a software vendor:

http://tinyurl.com/6kol8f [PDF]
Web Server Botnets and Server Farms as Attack Platforms
(all rights reserved to Virus Bulletin)

        Gadi.