Site defaced - what next?

bscott at ntisys.com
Mon Aug 16 19:29:00 EDT 2004


On Sun, 8 Aug 2004, at 12:10pm, greg at freephile.com wrote:
> *The cast of attackers*
> Saudi Arabia - the cracker who defaced my site was
> from Saudi Arabia (e.g. cache3-2.jed.isu.net.sa).  As soon as he put up a
> new homepage for me, he obviously told a friend (cache7-4.ruh.isu.net.sa),
> who visited the site moments later.

  Correction: The connection(s) which carried the attacks originated from
those servers.  That is all you can say for sure.

  From the name, we can suppose they are caching proxy servers.  A huge
problem on the Internet today is that attackers relay their attacks through
third-party proxy servers.  It is entirely possible that the attacker is 
somewhere else entirely, and was using those servers for cover.  Indeed, 
that "friend" might have just been an alternate route for the same attacker.

  Of course, it is equally possible that the attacker was a "legitimate
user" (I use the phrase loosely) of those proxy servers.  We have no way of
knowing for sure without getting in touch with the operator(s) of those
servers.  (And maybe not even then.)

  This is why I don't get excited about random probes (of the type mentioned
in another recent thread here).  They're practically at the level of
continuous background noise at this point, and they are generally nearly
impossible to trace.  Keep your system secure, and someone checking the
handle to see if you locked the door won't matter.

  Of course, that doesn't help when your system is found to be not secure,
as you have discovered, Greg.  :-/ You have my sympathy.  It can happen even
if you do everything you should, and most of us (myself included) don't even
do everything we know we should.

> Google - helps script kiddies find my exploitable file phpexplorer.  I 
> didn't put this script on my server, and I don't know how Google found 
> it.  All I can tell you from my server logs is that people are searching 
> for this script and my site comes at the top of the list.

  It is possible that the details of your compromised server were disclosed
by the attacker(s), and that information was then picked up by Google.

  Another possibility is web logs.  Are your web logs available to anyone who
happens to know the right URL?  If so, it is amazing how easy it is for that
information to get caught by a spider.  From there, the situation becomes a
positive feedback loop.

  Don't forget that your system may have been compromised long before your
web site was defaced.  (Cheery thought, I know.)

> Of course some people think I should just be quiet about it because the
> fact that my site was compromised could make me look bad.

  Not that I think you're serious in that statement, but worth pointing out
anyway: As you have discovered, information, once disclosed, tends to be
very hard to control.
 
-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
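As an added example that is not part of the thread: a small Python checker over constructed Apache combined-log lines, looking for the three things discussed above: server logs being served by URL (so a spider can index them), visitors arriving from a search for the dropped phpexplorer script, and hits whose source host is named like a caching proxy (which identifies the relay, not the person behind it). The sample log lines, path patterns and tag names are my own assumptions.

```python
import re

# Constructed sample lines in Apache combined-log format (not from the original thread).
SAMPLE_LOG = """\
cache3-2.jed.isu.net.sa - - [08/Aug/2004:11:52:03 -0400] "GET /phpexplorer.php?file=/etc/passwd HTTP/1.1" 200 4231 "-" "Mozilla/4.0"
cache7-4.ruh.isu.net.sa - - [08/Aug/2004:11:54:10 -0400] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/4.0"
crawler.example.net - - [08/Aug/2004:12:01:44 -0400] "GET /logs/access_log HTTP/1.0" 200 91822 "-" "Googlebot/2.1"
10.0.0.7 - - [08/Aug/2004:12:03:01 -0400] "GET /about.html HTTP/1.1" 200 1200 "http://www.google.com/search?q=phpexplorer" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Paths that should never answer 200 to the public: server logs (assumed locations) and the dropped script.
LOG_PATH_RE = re.compile(r'(^|/)(logs?/|access_log|error_log|access\.log|error\.log)', re.I)
DROPPED_SCRIPT = "phpexplorer"
# Hostname hints that the request came through a shared cache/proxy, as with the hosts in the thread.
PROXY_NAME_RE = re.compile(r'^(cache|proxy|squid)', re.I)

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(rec):
    """Tag one parsed record with the conditions worth a look; empty list means nothing notable."""
    tags = []
    if DROPPED_SCRIPT in rec["path"].lower():
        tags.append("dropped-script-hit")
    if LOG_PATH_RE.search(rec["path"]) and rec["status"] == "200":
        tags.append("log-file-served")          # logs reachable by URL, so a spider can index them
    if DROPPED_SCRIPT in rec["referer"].lower() and "search" in rec["referer"].lower():
        tags.append("search-engine-referral")   # visitor arrived from a search for the script
    if PROXY_NAME_RE.match(rec["host"]):
        tags.append("via-proxy-host")           # origin is a proxy, not necessarily the attacker
    return tags

def analyze(log_text):
    """Return a list of (host, path, tags) for every line that earned at least one tag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and (tags := classify(rec)):
            findings.append((rec["host"], rec["path"], tags))
    return findings

if __name__ == "__main__":
    for host, path, tags in analyze(SAMPLE_LOG):
        print(f"{host:26} {path:42} {', '.join(tags)}")
```

A "log-file-served" hit is the answer to the question above: if it appears, the logs are public and should be moved or access-controlled before the next crawl.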

More information about the gnhlug-discuss mailing list