Home Accessibility Courses Diary The Mouth Facebook Resources Site Map About Us Contact
How was my web site compromised?

Road accident It looks to me as if this car has left the road and come to a sudden halt against the building, with the result that both have been somewhat damaged. But why did it happen? Was there a mechanical failure such as brakes or tyres? Did the driver fall asleep at the wheel or something distract him? Was he drunk? Or did he swerve to avoid a child on a cycle? Perhaps there's a more unlikely reason - perhaps there was no driver in the car, but it was left stopped on a slope and ran away, or it fell off the back of a lorry.

When presented with a web site that's been compromised - with new files created, databases and their records changed, or data injected into existing files, it can be rather hard to work out what has happened - rather like trying to find what caused a motor accident. And one photograph is going to give clues, but no more - the picture above is from a page of public domain images, and I know no more than that. So "educated guess" is my best hope.

If I'm going to be looking at a system that's been compromised, I'm going to look not only at the content of the file(s) and database(s) that are infected, but also for certain other tell-tale files that might have been added to the system - especially at around the same time. And I'm also going to take a very careful look at who is allowed to do what to which resources. In other words, file permissions, and user and group ownerships.

Here's an answer, just written, concerning infected files...

If you have infected files, have a look at the write permissions on the infected files .... who can write to them? If they're writeable by the web server user, then is that just yourself, or is this a shared hosting machine? If the scripts are PHP and it's a shared server, then the start of the hole may not be in your area, but the write permissions being wrong in your area have let the sh*t land on you.

What causes such scripts to allow files to be written? Typically scripts written with the best intent, but in which the file name can be taken from the user / seeded by a form. John can create a file called "John.html", perhaps. And Harry a file called Harry.html ... all perfectly good names in a directory called "users". Then along comes someone called ../index.html ... and he overrides the home page at the top of the site. Be aware, too, off the cross-site scripting possibilities of Mr "http://www.sheepbingo.co.uk/" who might find one of your scripts that he can pull his code into and have it run on your system. And these concerns apply not only to the scripts you have written yourself, but also those which you have sourced from elsewhere.

With Perl, the script may be run as the user (via setuid) or as the web server, and you should take a look at which of the two your setup uses in order to help you with the analysis.

(written 2009-02-24)

 
Associated topics are indexed as below, or enter http://melksh.am/nnnn for individual articles
A163 - Web Application Deployment - Network Configuration and Security
  [4134] Setting up your MacBook Air as a mobile broadband router - (2013-07-07)
  [3448] Checking all the systems on a subnet, using Expect and Tk - (2011-09-18)
  [2489] Parallel Pinging, using Python Threads or Expect spawn lists - (2009-11-02)
  [1904] Ruby, Perl, Linux, MySQL - some training notes - (2008-11-23)
  [1712] As different as night and tyres - (2008-07-18)
  [1666] Slow boot and terminal start on Linux boxes - (2008-06-05)
  [1408] Wireless hotel tips - FTP and Skype connections failing - (2007-10-26)
  [1073] Heartbeat script in Perl - (2007-02-09)
  [511] Domain Forwarding - 2 ways of doing it - (2005-11-29)
  [506] What are DHCP and DNS? - (2005-11-27)
  [332] Looking up IP addresses - (2005-06-01)
  [267] Searching security holes - (2005-04-04)
  [37] Security and Safety - (2004-09-03)
  [11] A bolt of lightning on Multicasting - (2004-08-11)

G997 - Well House Consultants - Newsletter Lead Articles
  [3202] Telling you something about us in just one line - (2011-03-15)
  [2743] Public Open Source Training Courses running this summer and autumn in Melksham - (2010-04-27)
  [2538] Open Source Training Centre and Courses for 2010 - (2009-12-16)
  [2425] Weekend and Christmas Promotion - Well House Manor Hotel, Melksham - (2009-09-26)
  [2370] C++, Python, and other training - do we use an IDE - (2009-08-21)
  [2253] Walks in and around Melksham, Wiltshire - (2009-06-21)
  [2119] Make your business a DESTINATION business - (2009-04-05)
  [1912] Book now for 2009 - (2008-11-29)
  [1819] Calling base class constructors - (2008-10-03)
  [1754] Upgrade from PHP 4 to PHP 5 - the TRY issue - (2008-08-15)
  [1663] Python in an afternoon - a lecture for experienced programmers - (2008-06-01)
  [1600] Cambidge - Tcl, Expect and Perl courses - (2008-04-04)
  [1545] Letting new visitors know we provide training courses - (2008-02-19)
  [1488] New trainee laptop fleet for our Open Source courses - (2007-12-30)
  [1386] New software product for warmblooded programmers - (2007-10-10)
  [1318] Well House Manor - feature comparison against the old place! - (2007-08-24)
  [1224] Object Relation Mapping (ORM) - (2007-06-09)
  [1136] Buffering output - why it is done and issues raised in Tcl, Perl, Python and PHP - (2007-04-06)
  [1065] Graham Ellis - an Introduction - (2007-02-05)
  [1000] One Thousand Posts and still going strong - (2006-12-18)


Back to
A Presentation about our company - web and PHP
Previous and next
or
Horse's mouth home
Forward to
What a difference a MySQL Index made
Some other Articles
Web Site Loading - experiences and some solutions shared
Effect on server when memory runs out and swapping starts
Tuning httpd / the supermarket checkout comparison
What a difference a MySQL Index made
How was my web site compromised?
A Presentation about our company - web and PHP
Why the Pony Tail?
Why Choose Well House Consultants for your course?
Learning to program in PHP, Python, Java or Lua ...
Small Web Server in Perl
4279 posts, page by page
Link to page ... 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86 at 50 posts per page


This is a page archived from The Horse's Mouth at http://www.wellho.net/horse/ - the diary and writings of Graham Ellis. Every attempt was made to provide current information at the time the page was written, but things do move forward in our business - new software releases, price changes, new techniques. Please check back via our main site for current courses, prices, versions, etc - any mention of a price in "The Horse's Mouth" cannot be taken as an offer to supply at that price.

Link to Ezine home page (for reading).
Link to Blogging home page (to add comments).

You can Add a comment or ranking to this page

© WELL HOUSE CONSULTANTS LTD., 2014: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 899360 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/mouth/2052_How ... ised-.html • PAGE BUILT: Sun Mar 30 15:20:58 2014 • BUILD SYSTEM: WomanWithCat