performzencart
zencart 时间:2021-04-12 阅读:()
CopyrightIBMCorporation2013TrademarksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage1of8Loadedpages:HowyourwebsitecaninfectvisitorswithmalwareAdeveloper'sintroductiontomaliciouswebsitesJeffOrloffJanuary15,2013Googleclaimsthat9,500websitesperdayareinfectedwithmalwaremeanttoharmthesite'svisitors.
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- performzencart相关文档
- zencart今天安装zencart遇到这个问题。要登陆后台的url的时候,出现这个问题。这个怎么解决?
- zencartzencart怎么安装语言包?
- activitieszencart
- dommielzencart
- crowdsourcedzencart
- ashazencart
GigsGigsCloud($26/年)KVM-1GB/15G SSD/2TB/洛杉矶机房
GigsGigsCloud新上了洛杉矶机房国际版线路VPS,基于KVM架构,采用SSD硬盘,年付最低26美元起。这是一家成立于2015年的马来西亚主机商,提供VPS主机和独立服务器租用,数据中心包括美国洛杉矶、中国香港、新加坡、马来西亚和日本等。商家VPS主机基于KVM架构,所选均为国内直连或者优化线路,比如洛杉矶机房有CN2 GIA、AS9929或者高防线路等。下面列出这款年付VPS主机配置信息...
Hostodo商家提供两年大流量美国VPS主机 可选拉斯维加斯和迈阿密
Hostodo商家算是一个比较小众且运营比较久的服务商,而且还是率先硬盘更换成NVMe阵列的,目前有提供拉斯维加斯和迈阿密两个机房。看到商家这两年的促销套餐方案变化还是比较大的,每个月一般有这么两次的促销方案推送,可见商家也在想着提高一些客户量。毕竟即便再老的服务商,你不走出来让大家知道,迟早会落寞。目前,Hostodo有提供两款大流量的VPS主机促销,机房可选拉斯维加斯和迈阿密两个数据中心,且都...
韩国服务器租用优惠点评大全
韩国服务器怎么样?韩国云服务器租用推荐?韩国服务器距离中国近,有天然的地域优势,韩国服务器速度快而且非常稳定!有不少有亚洲市场的外贸公司选择韩国服务器开拓业务,韩国服务器因自身的优势也受到不少用户的青睐。目前的IDC市场上,韩国、香港、美国三个地方的服务器几乎占据了海外服务器的百分之九十以上。韩国服务器相比美国服务器来说速度更快,而相比香港机房来说则带宽更充足,占用市场份额非常大。那么,韩国服务器...
zencart为你推荐
-
servererrorunknow server error什么意思 怎么解决outlookexpress如何开启OUTLOOK EXPRESS功能?支付宝注册网站支付宝申请流程是怎么样的??申请支付宝账户支付宝账户怎么申请?补贴eset结点cuteftpcsamy爱买网超谁有http://www.25j58.com爱网购吧网站简介?免费代理加盟怎样免费加盟代理淘宝站点管理站点名称是什么意思