Compromising of the UpLoad feature
Posted: 25 Mar 2010, 18:51
My upload has been compromised, and used to load a trojan onto my web site.
The information sent to me by my hosting company was:-
Site scripting was disabled today after it was noticed that the site was launching
processes used for malicious purposes. The attack appeared to be distributed and
controlled from a remote location. In the site directory structure we discovered
"backdoor" scripts, and scripts written to probe the server and remote sites. These
appear to have been installed on the site through the use of vulnerabilities in the
site scripting.
Generally this is usually achieved in one of several ways.
a) Site allows arbitrary uploads - easy way to get scripts onto a site.
b) Site allows the "inclusion", via PHP, of remote text.
c) Site allows the running of code from a remote location.
d) Site has directories with permissions that allow anyone to create files there.
Unfortunately the above site seems to allow most, if not all, of these. Also, once the
infected files have been used by an attacker the site is then known to be vulnerable
and this information is often distributed, or sold, to other criminals. This means
that another attack is very likely unless the vulnerabilities are removed.
I am having to download the site and reset it. Any comments would be most helpful.
I hope by posting this others can benefit and not suffer the same as I have.
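As an added example (not from the original post or the hosting company), here is a small Python audit a site owner can run over the downloaded copy of the site before resetting it: it flags items (a) and (d) from the host's list, plus script files containing constructs typical of backdoors. The upload directory name `uploads` is an assumption.

```python
import os
import re
import stat
import tempfile

# Extensions the web server would execute if they landed in the site tree.
SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Constructs that show up in most PHP backdoors; a hit means "read this file".
SUSPICIOUS = re.compile(
    rb"\b(eval|base64_decode|shell_exec|passthru|system|exec|assert)\s*\("
)

def audit_site(root, upload_dirs=("uploads",)):
    """Walk a downloaded copy of the site; return a list of (relative path, reason).
    upload_dirs is an assumed name for the directory the upload feature writes to."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        # item (d): a directory anyone on the host can create files in
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((rel, "world-writable directory"))
        in_upload = any(part in upload_dirs for part in rel.split("/"))
        for name in filenames:
            relfile = name if rel == "." else f"{rel}/{name}"
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue  # only executable script types are of interest
            # item (a): an upload area should never hold executable scripts
            if in_upload:
                findings.append((relfile, "script in upload directory"))
            with open(os.path.join(dirpath, name), "rb") as f:
                head = f.read(512_000)  # backdoors are small; cap the read
            if SUSPICIOUS.search(head):
                findings.append((relfile, "suspicious construct"))
    return findings

def build_sample_site():
    """Constructed fixture: a clean index.php plus a world-writable uploads/
    directory holding a PHP file whose only job is to trigger the eval() rule."""
    root = tempfile.mkdtemp()
    up = os.path.join(root, "uploads")
    os.mkdir(up)
    os.chmod(up, 0o777)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'hello'; ?>")
    with open(os.path.join(up, "avatar.php"), "w") as f:
        f.write("<?php eval('return 1;'); ?>")
    return root
```

Calling `audit_site(build_sample_site())` returns three findings on the fixture; point it at the root of the downloaded site for a real check, and treat every "suspicious construct" hit as a file to read by hand rather than a verdict.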