nanog mailing list archives
Re: Malicious code just found on web server
From: Nathan Ward <nanog () daork net>
Date: Wed, 22 Apr 2009 11:06:18 +1200
On 21/04/2009, at 5:23 AM, Mike Lewinski wrote:
Paul Ferguson wrote:Most likely SQL injection. At any given time, there are hundreds ofthousands of "legitimate" websites out there that are unwittingly harboringmalicious code.Most of the MS-SQL injection attacks we see write malicious javascript into the DB itself so all query results include it. However, I'm not sure how easy it is to leverage to get system access - we've seen a number of compromised customer machines and there didn't appear to be any further compromise of them beyond the obvious. In the OP's case it sounds like static HTML files were altered. My bet is that an ftp or ssh account was brute forced.
I have seen a couple of open source web apps (CMSs, etc.) that store names of php files in a database, and those files names are then opened with fopen. SQL injection could be used to write a URL in to the database, and then wait for that entry to be called, and viola, you can execute php code, or whatever.
Obviously that is relevant to the first part of your reply - it would not work with static content.
-- Nathan Ward
Current thread:
- Malicious code just found on web server Russell Berg (Apr 17)
- Re: Malicious code just found on web server Neil (Apr 20)
- Re: Malicious code just found on web server Paul Ferguson (Apr 20)
- Re: Malicious code just found on web server Mike Lewinski (Apr 20)
- Re: Malicious code just found on web server Paul Ferguson (Apr 20)
- Re: Malicious code just found on web server Gadi Evron (Apr 20)
- RE: Malicious code just found on web server Chuck Schick (Apr 21)
- Re: Malicious code just found on web server Nathan Ward (Apr 21)
- Re: Malicious code just found on web server Paul Ferguson (Apr 20)
- Re: Malicious code just found on web server Nick Chapman (Apr 20)
- Re: Malicious code just found on web server Paul Ferguson (Apr 20)
- Re: Malicious code just found on web server Ingo Flaschberger (Apr 20)
- Re: Malicious code just found on web server Gadi Evron (Apr 20)
- Re: Malicious code just found on web server Kevin Oberman (Apr 21)
- Re: Malicious code just found on web server Neil (Apr 20)
- <Possible follow-ups>
- RE: Malicious code just found on web server Russell Berg (Apr 17)
- Re: Malicious code just found on web server Chris Mills (Apr 17)
- Re: Malicious code just found on web server Paul Ferguson (Apr 17)
- Re: Malicious code just found on web server Paul Ferguson (Apr 17)
- Re: Malicious code just found on web server Chris Mills (Apr 17)
- Re: Malicious code just found on web server Chris Mills (Apr 17)