performzencart
zencart 时间:2021-04-12 阅读:()
CopyrightIBMCorporation2013TrademarksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage1of8Loadedpages:HowyourwebsitecaninfectvisitorswithmalwareAdeveloper'sintroductiontomaliciouswebsitesJeffOrloffJanuary15,2013Googleclaimsthat9,500websitesperdayareinfectedwithmalwaremeanttoharmthesite'svisitors.
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- performzencart相关文档
- zencart今天安装zencart遇到这个问题。要登陆后台的url的时候,出现这个问题。这个怎么解决?
- zencartzencart怎么安装语言包?
- activitieszencart
- dommielzencart
- crowdsourcedzencart
- ashazencart
HostYun 新增可选洛杉矶/日本机房 全场9折月付19.8元起
关于HostYun主机商在之前也有几次分享,这个前身是我们可能熟悉的小众的HostShare商家,主要就是提供廉价主机,那时候官方还声称选择这个品牌的机器不要用于正式生产项目,如今这个品牌重新转变成Hostyun。目前提供的VPS主机包括KVM和XEN架构,数据中心可选日本、韩国、香港和美国的多个地区机房,电信双程CN2 GIA线路,香港和日本机房,均为国内直连线路,访问质量不错。今天和大家分享下...
天上云月付572元,起香港三网CN2直连,独立服务器88折优惠,香港沙田机房
天上云怎么样?天上云隶属于成都天上云网络科技有限公司,是一家提供云服务器及物理服务器的国人商家,目前商家针对香港物理机在做优惠促销,香港沙田机房采用三网直连,其中电信走CN2,带宽为50Mbps,不限制流量,商家提供IPMI,可以自行管理,随意安装系统,目前E3-1225/16G的套餐低至572元每月,有做大规模业务的朋友可以看看。点击进入:天上云官方网站天上云香港物理机服务器套餐:香港沙田数据中...
月神科技 国内上新成都高防 全场八折促销续费同价!
月神科技是由江西月神科技有限公司运营的一家自营云产品的IDC服务商,提供香港安畅、香港沙田、美国CERA、成都电信等机房资源,月神科技有自己的用户群和拥有创宇认证,并且也有电商企业将业务架设在月神科技的平台上。本次带来的是全场八折促销,续费同价。并且上新了国内成都高防服务器,单机100G集群1.2T真实防御,上层屏蔽UDP,可定制CC策略。非常适合网站用户。官方网站:https://www.ysi...
zencart为你推荐
-
0.21网易yeahgooglepr谷歌 PR值是什么意思cisco2960配置思科2960G交换机如何将配置百兆改为千兆配置汉字cuteftp传奇域名谁有霸气一点的传奇名字。给个35互联在中国哪家服务商提供的企业邮箱好呢?社区动力如何建立一个论坛?就是社区动力discuz论坛 这个discuz!是不是一个软件?关于建立论坛给个系统的的教discuz7 2discuz X2.5帖子中图片位置 discuz X2.5论坛中发布帖子,上传图片,图片的位置全部都在文章下面邮件管理系统邮箱管理软件哪种好用站长统计如何给网站添加CNZZ站长统计