Re: Malicious code just found on web server

[Nathan Ward <nanog () daork net>]

On 21/04/2009, at 5:23 AM, Mike Lewinski wrote:

> Paul Ferguson wrote:
>
> > Most likely SQL injection. At any given time, there are hundreds of
> > thousands of "legitimate" websites out there that are unwittingly  
> > harboring
> > malicious code.
>
> Most of the MS-SQL injection attacks we see write malicious  
> javascript into the DB itself so all query results include it.  
> However, I'm not sure how easy it is to leverage to get system  
> access - we've seen a number of compromised customer machines and  
> there didn't appear to be any further compromise of them beyond the  
> obvious. In the OP's case it sounds like static HTML files were  
> altered. My bet is that an ftp or ssh account was brute forced.


I have seen a couple of open source web apps (CMSs, etc.) that store  
names of php files in a database, and those files names are then  
opened with fopen. SQL injection could be used to write a URL in to  
the database, and then wait for that entry to be called, and viola,  
you can execute php code, or whatever.

Obviously that is relevant to the first part of your reply - it would  
not work with static content.

--
Nathan Ward