performzencart
zencart 时间:2021-04-12 阅读:()
CopyrightIBMCorporation2013TrademarksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage1of8Loadedpages:HowyourwebsitecaninfectvisitorswithmalwareAdeveloper'sintroductiontomaliciouswebsitesJeffOrloffJanuary15,2013Googleclaimsthat9,500websitesperdayareinfectedwithmalwaremeanttoharmthesite'svisitors.
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
Understandinghowmalwareinfectsawebsiteandwhatcanbedonetostopitcanhelpkeepyourvisitors'computersfreeofmalware.
Overtheyears,thetermmalwarehasbeenusedtodescribeanytypeofmalicioussoftware,includingviruses,Trojanhorses,worms,spyware,scareware,andadware.
Intheearlydaysofcomputers,malwarewasconsideredmoreaprankusedtoannoypeoplethroughdestructivebehaviorortoshowoffprogrammingskills.
Basically,themorepeopleyourmaliciousprogramcouldinfect,thegreateryourstatusincertaincircles.
Themaliciousprogramswereoftendeliveredtotheirintendedvictimsasemailattachments,sharedthroughremovablestoragemediaorthroughfile-sharingservices.
Althoughmalwareofthissortcausedawealthofproblemsforitsvictims,thedrivingforcebehinditdidnotmotivateasmanypeopletogetinvolvedbecausethepayoffwasn'taslucrativetoawidebase.
Today,thedrivingforcebehindmalwarehasshiftedtomoney.
Becausetheseattacksaredrivenbyfinancialrewards,thereismoremalwareinthewildthaneverbefore.
Notonlyaremorepeopleinvolvedinthecreationanddistributionofmalware,buttheattackshavegrownmoresophisticated.
Cyber-criminalshavelearnedhowtousemalwaretoturnlargeprofitsby:DisplayingandclickingadsStealingconfidentialdataHijackingusersessionsCompromisinguserlogincredentialsStealingfinancialinformationMakingfraudulentpurchasesCreatingspamLaunchingdenial-of-serviceattacksTodelivertheirmalicioussoftwaretoasmanyvictimsaspossible,cyber-criminalshaveturnedtowebsitesasoneoftheirprimarysourcesofdistribution.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage2of8WhywebsitesPeoplehavelearnednottodownloadfilesattachedtoemails,andtheyhavestayedawayfrompopularfile-sharingservicesbecausesomanyfilesareinfectedwithmalware.
Onethingthatpeoplehavenotstoppeddoing,though,issurfingtheWeb.
AccordingtoInternetWorldStats(seeRelatedtopicsforalink),in2011therewere2,279,709,629activeInternetusers,andthatnumbercontinuestogrow.
Withanattacklandscapethislargeandwithsomanyusersnotbeingsuspicious,it'snowonderthatwebsiteshavebecomethefavoritemediausedtoinfectuserswithmalware.
Infact,maliciouswebsiteshavebecomesoprevalentthatGoogleblacklistsroughly6,000websiteseverydaybecausetheycarrysomesortofmalicioussoftwarethatisdangeroustovisitors.
HowmalwarespreadsthroughwebsitesThoseresponsibleforinfectingwebsiteswithmalwaredosoinoneofthreeways:Theycreateamaliciouswebsiteoftheirown.
Theyexploitavulnerabilityonthewebserverorinitsconfiguration.
Theyexploitavulnerabilityintheapplicationsthewebsiterelieson.
Becausethisarticlefocusesonwhatyoucandotopreventyourwebsitesfromfallingvictimtotheseattacks,Iaddressonlythelattertwomethods.
Afteranattackerhasfoundavulnerabilitythatheorshecansuccessfullyexploit,theattackerneedstodeterminehowheorshewilldelivermalwaretothewebsite'svisitors.
Table1listssomeofthecommonmethods.
Table1.
CommonwayswebsitesdistributemalwareMethodDescriptionDownloadsTheuseristrickedintodownloadingthemaliciouscode.
Acommontacticusedistotellthevisitorthatheorsheneedstoupdatemultimediasoftwaretoviewavideo,oravictimistrickedintodownloadingaPDForothertypeoffilethatactuallycontainsmalware.
BanneradsUsersaretrickedintodownloadingmaliciousfileswhentheyclickinfectedadsthatappearonthewebsite.
Drive-bydownloadsWhenthismethodisused,thevisitordoesnotneedtoperformanyactiononawebsiteotherthansimplyvisit.
Malwarecanbehiddeninsideinvisibleelementsonthesite,suchasiframesorunobfuscatedJavaScriptcode;itcanevenbeembeddedinmultimediafiles,suchasimages,videos,orAdobeFlashanimations.
Whenthepageloads,themalwareinfectsthevisitor'scomputerusingvulnerabilitiesinthebrowserorplug-ins.
InfectingwebsitesthroughservervulnerabilitiesInaddressingserver-basedvulnerabilities,Ilookattwoofthemorepopularwebserverapplicationsonthemarket:ApacheandMicrosoftInternetInformationServices(IIS).
Thesetwoserverspower78.
65percentofallwebsites.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage3of8BothApacheandIIS—oranyotherwebserver—havevulnerabilitiesthatmaliciousattackerscanexploit.
Whenattackersareabletocompromisetheserversoftwareortheserveritself,theyareabletouploadmaliciouscodeorevenentirewebpagesthatdelivermalwaretothesite'svisitors.
Examplesofvulnerabilitiesthatallowthistypeofattacktotakeplacecomefromtwoprimarysources.
VulnerabilitiesfoundinthedefaultinstallationWhenwebserversoftwareisinstalled,thedefaultconfigurationisusuallysetuptomakepublishingawebsiteeasy,notsecure.
Unnecessarymodulesandservicesmayalsobepartofawebserver'sdefaultinstallation.
Theseextrasmaygiveanattackerunrestrictedaccesstoyourwebsite'sfiles.
Eachoperatingsystem,webserversoftware,andversionhasuniquevulnerabilitiesthatcanbefoundwithasimplewebsearch.
Beforeawebsitegoeslive,anyknownvulnerabilitiesshouldbeaddressed.
BrokenauthenticationandsessionmanagementThissourceencompassesallaspectsofuserauthenticationandthemanagementofactivesessions.
AccordingtotheOpenWebApplicationSecurityProject(OWASP),"Awidearrayofaccountandsessionmanagementflawscanresultinthecompromiseofuserorsystemadministrationaccounts.
Developmentteamsfrequentlyunderestimatethecomplexityofdesigninganauthenticationandsessionmanagementschemethatadequatelyprotectscredentialsinallaspectsofthesite.
"Tomitigateagainstthistypeofvulnerability,thoseresponsiblefortheadministrationofthewebserverandsiteneedtoadheretopasswordpoliciesthatdeterminethestrength,storage,andchangecontrolsofallpasswords.
Furthermore,remotemanagementcapabilitiesforthewebservershouldbesecuredoreventurnedoffsothatusercredentialsarenotcompromisedthroughtransit.
UploadingmalwarethroughvulnerabilitiesinthewebsiteIfwebsiteswerestillstatictextandimages,itwouldbemuchmoredifficultforthebadguystousealegitimatewebsitetoserveupmalicioussoftware.
However,today'swebsitesarepoweredbydatabases,complexcode,andthird-partyapplicationsthatmaketheuserexperiencemuchricherwhileopeningthesitetoanynumberofvulnerabilities.
TakeWordPress,forexample.
Thisbloggingapplicationhaschangedhowwebsitesarecreatedbymakingiteasyforanyonewithabitoftechnicalknowledgetocreateamultimedia-rich,interactivewebsite.
Itissopopularthatitpowersmorethan50millionwebsites.
WordPress'seaseofuse,however,wasalsothecauseofarecentoutbreak,inwhichbetween30,000and100,000sitesrunningtheapplicationredirectedvictimstomalicioussites.
Sitesthatinstalledaparticularplug-infoundtheirpagesinfectedwithcodethatredirectedvisitorstoanothersite.
Thissitewouldtheninfectthevictim'scomputerwithmalwarebasedonthedeveloperWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage4of8operatingsystemandapplicationsthatthecomputerwasrunning.
TheFlashbackTrojanthatinfectedmorethan500,000Macswasoneofthemaliciousprogramsthatspreadthroughthisexploit.
ExampleslikethisarenotlimitedtoWordPress,however.
ApplicationslikeJoomla!
,Drupal,MediaWiki,Magento,ZenCart,andmanyothershaveallhadvulnerabilitiesinthemthatallowmalicioushackerstouploadmalwaretothesesitestobedistributedtovisitors.
PreventingattacksagainstwebapplicationsForattackerstoexploitawebapplication,theymustfindsometypeofvulnerability.
Unfortunatelyfortheownersofwebsites,therearesomanydifferenttypesofknownvulnerabilitiesthattheycan'tallbelistedhere.
Someyoumaybefamiliarwith,however:Cross-sitescripting(XSS)StructuredQueryLanguageinjectionsCross-siterequestforgeryinjectionsURLredirectsCodeexecutionCookiemanipulationAndthelistgoeson.
MitigatingwebapplicationthreatsFortunately,therearewaystofindoutifyoursiteisvulnerabletoanyoftheknownexploitsbyusingwebapplication-penetrationtechniques.
Bythoroughlytestingawebsiteforknownvulnerabilities,youcanaddressthesethreatsbeforeanattackisabletomanipulatethemtodistributemalwaretoyourvisitors.
Youcandosousingavarietyofopensourceorcommercialtools,oryoucanoutsourcetheservicetocompaniesthatspecializeinthis.
Althoughpenetrationtestingwillhelpidentifyproblemsthatneedtobefixedinyourwebsite'scode,webapplicationfirewallscanhelpstopthreatsbeforetheyreachyoursite.
Byidentifyingknownattackpatterns,youcanthwarttheeffortsofmalicioushackersbeforetheyareabletocausedamagetoyoursite.
Moreadvancedwebapplicationfirewallscanevenprovideprotectionagainstunknown,zero-daythreatsbyidentifyingillicittraffic.
LimitingvulnerabilitiesinApacheWheneveraserverisconfigured,itisabestpracticetoinstallonlythemodulesandapplicationsthatarenecessary.
Bynow,thisisnotonlyabestpracticebutacommonpractice.
ThereareotherbasicstepsthatyoushouldtaketolimitthevulnerabilitiesthatexistinApache'swebserver.
Throughoutthecourseofthisarticle,IusethecommandsrelevanttotheUbuntudistributionofLinux.
ForApacherunningonotheroperatingsystemsordistributions,simplysearchforthestepsrequiredtoperformeachtask.
ibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage5of8DisablethebannerBydefault,Apacheshowsitsnameandversionnumberuponawebrequest,announcingtoanypotentialattackerswhatexactlythewebsiteisrunning.
Disablingthatbannermakesitmoredifficulttopinpointanyothervulnerabilities.
Youcandosobynavigatingto/etc/apache2/apache2.
confanddisablingtheServerSignatureandServerTokensentries.
DisabledirectoryindexingAnotherdefaultistheabilitytoprintalistoffilesfoundinthewebsitedirectories.
Thisfeatureletsanattackermapyourserverandidentifypotentiallyvulnerablefiles.
Tomitigateagainstthisissue,youneedtodisabletheautoindexmodule.
Simplyopentheterminalandusethefollowingcommands:rm-f/etc/apache2/mods-enabled/autoindex.
loadrm-f/etc/apache2/mods-enabled/autoindex.
confDisableWebDAVWeb-basedDistributedAuthoringandVersioning(WebDAV)isthefile-accessprotocolofHTTPthatallowsfortheuploading,downloading,andchangingoffilecontentsonawebsite.
Inanyproductionwebsite,WebDAVshouldbedisabledsothatanattackercannotchangeyourfilestouploadmaliciouscode.
Usingtheterminal,youdisablethedav,dav_fs,anddav_lockfilesbyremovingthemwiththefollowing:rm-f/etc/apache2/mods-enabled/dav.
loadrm-f/etc/apache2/mods-enabled/dav_fs.
confrm-f/etc/apache2/mods-enabled/dav_fs.
loadrm-f/etc/apache2/mods-enabled/dav_lock.
loadTurnofftheTRACEHTTPrequestTheHTTPTRACErequestcanbetrickedintoprintingsessioncookiesandthisinformationusedtohijackausersessiontolaunchanXSSattack.
Youcandisablethistracebynavigatingtothe/etc/apache2/apache2.
conffileandmakingsurethatTraceEnablereadsTraceEnableoff.
LimitingvulnerabilitiesinIISOnethingthatmakesWindowsServerproductssoattractivetotheconsumermarketistheireaseofinstallation.
UsingIIS,acompanycangetawebserverupandrunningwithafewclicks.
Whentheserversoftwareisinstalledoutofthebox,thereislittleneedforconfiguration:It'sdoneforyou.
Toaddresssecurityissuesinitswebserverproduct,MicrosofthasmadesignificantchangestohowIISisconfiguredandwhatisinstalledbydefault.
Thereare,however,somestepsthatyoucantaketobetterprotectagainstthreats.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage6of8InstallantimalwaresoftwareCodeRedandNimdawerebothwormsthatattackedtheWindowsServeroperatingsystem,andbothdidagreatdealofdamage.
Withoutadequateantimalwareprotectiononthehostoperatingsystemitself,awebsitequicklybecomesvulnerabletoattack.
Usingkeystrokeloggers,Trojans,andothermalware,attackerscannotonlyeasilycompromisethewebadministrator'slogincredentials,buttheyalsohavetheabilitytoinsertmaliciouscodeintothefilesthatareserveduptopeoplevisitingthesite.
Afterantimalwaresoftwareisinstalled,itshouldbeimmediatelyupdatedandthenrunbeforeanywebsitefilesareuploaded.
Ifanythingisfound,allpasswordsshouldimmediatelybechanged.
UpdateeverythingelseBeforeawebserverrunningIISgoeslive,besuretoupdatetheoperatingsystemsoftwareandwebserversoftwarewiththelatestupdatesfromMicrosoft.
TheseupdatesusuallycontainpatchesthataddressvulnerabilitiesspecifictoMicrosoftproducts.
CleaningupafteranattackWhenawebsiteisguiltyofcausingharmtoitsvisitors,youmusttakestepsimmediately.
Tobeginwith,takedownandquarantineyoursite.
Ifyouneedtohaveyoursiteupandrunningsoastoavoidinterruptingyourbusiness,relyonabackupthatisverifiedmalwarefree.
Whenyourwebpresenceistakencareof,it'stimetocleantheinfectedfiles.
Someinfectionsrequireonlytheremovalofafewlinesofcode,whilemoresophisticatedattacksmightrequirethatyourewritetheentirefile.
Whateverstepsarenecessarytoremovemalwarefromasiteneedtobetakenatthispoint.
RepairyourreputationWhenGoogleandtheothersearchenginesfindasitethatisservingmalware,theycanpullitfromtheirresults.
Thiscanhavedevastatingeffectsonabusiness.
Afterallmalwarehasbeenremovedandanyvulnerabilitiespatched,submitthesitetothesearchenginesforreview.
Iftheydeterminethatitisnolongerathreattoanyvisitors,thewebsitecanbere-listedandtrafficfromthesearchenginecanberestored.
Ifthemalwareinfectionhascompromiseduseraccountinformation,allusersshouldbenotifiedimmediatelysothattheycandealwithanyramifications.
Inaddition,anorganizationwillneedtoseewhetheranylawsorregulationshavebeenviolatedasaresultofthebreachandtakeappropriatemeasurestomitigateanynegativeeffectsandkeepthemincompliance.
ConclusionInareportbyDasient,approximately1.
1millionwebsiteswerefoundtohavesometypeofmalwareinthefourthquarterof2010.
Otherstudiesshowthat85percentofallmalwarecomesibm.
com/developerWorks/developerWorksLoadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage7of8fromtheWeb.
Now,itwouldbeeasytowritethisoffifthesitesthatwerecausingalltheproblemshadamaliciousintentfromthebeginning.
Unfortunately,itisthesmallbusinesswebsite,thechurchwebsite,oreventhewell-respectednewswebsitethatisresponsibleforinfectingsomanycomputers.
Theresponsibilityforprotectingwebsitesagainstattackisfallingontheshouldersofthewebdeveloper.
Thedaysofsittingbackandwritingawesomecodeareover.
Now,thedeveloperneedstomakesurethathisorhercodeisfunctionalandsecure.
Thetechniqueslistedinthisarticlewillcertainlyhelpthedeveloperwhodoesn'tunderstandwebsitesecuritybuildafoundationforhisorherknowledge,butitshouldn'tstophere.
Thethreatlandscapechangesdaily.
Aszero-dayexploitsemergeandcyber-criminalsadapttocountermeasures,webdeveloperstooneedtoadaptandbeonthelookoutforhowtheycanbettersecuretheirsites.
developerWorksibm.
com/developerWorks/Loadedpages:HowyourwebsitecaninfectvisitorswithmalwarePage8of8RelatedtopicsInternetWorldStats:FindmoreInternetstatistics.
Googleblacklists:ReadmoreaboutwhyGoogleblacklistsroughly6,000websiteseveryday.
PrevalenceofApacheandIIS:AccordingtoNetcraft,ApacheandIISpower78.
65percentofallwebsites.
WordPress:ReadmoreabouttheprevalenceofWordPress.
"HardeningtheLinuxserver:"LearnhowtohardenyourLinuxserver(developerWorks,December2008).
OWASPTopTenWebApplicationSecurityThreats:LearnmoreaboutOWASPanditswork.
CopyrightIBMCorporation2013(www.
ibm.
com/legal/copytrade.
shtml)Trademarks(www.
ibm.
com/developerworks/ibm/trademarks/)
- performzencart相关文档
- zencart今天安装zencart遇到这个问题。要登陆后台的url的时候,出现这个问题。这个怎么解决?
- zencartzencart怎么安装语言包?
- activitieszencart
- dommielzencart
- crowdsourcedzencart
- ashazencart
A400互联(49元/月)洛杉矶CN2 GIA+BGP、1Gbps带宽,全场独服永久5折优惠
a400互联是一家成立于2020年商家,主营美国机房的产品,包括BGP线路、CN2 GIA线路的云服务器、独立服务器、高防服务器,接入线路优质,延迟低,稳定性高,额外也还有香港云服务器业务。当前,全场服务器5折,香港VPS7折,洛杉矶VPS5折,限时促销!A400互联官网:https://a400.net/优惠活动全场独服永久5折优惠(续费同价):0722香港VPS七折优惠:0711洛杉矶VPS五...
hostio荷兰10Gbps带宽,10Gbps带宽,€5/月,最低配2G内存+2核+5T流量
成立于2006年的荷兰Access2.IT Group B.V.(可查:VAT: NL853006404B01,CoC: 58365400) 一直运作着主机周边的业务,当前正在对荷兰的高性能AMD平台的VPS进行5折优惠,所有VPS直接砍一半。自有AS208258,vps母鸡配置为Supermicro 1024US-TRT 1U,2*AMD Epyc 7452(64核128线程),16条32G D...
piayun(pia云)240元/季起云服务器,香港限时季付活动,cn2线路,4核4G15M
pia云怎么样?pia云是一家2018的开办的国人商家,原名叫哔哔云,目前整合到了魔方云平台上,商家主要销售VPS服务,采用KVM虚拟架构 ,机房有美国洛杉矶、中国香港和深圳地区,洛杉矶为crea机房,三网回程CN2 GIA,带20G防御。目前,Pia云优惠促销,年付全场8折起,香港超极速CN2季付活动,4核4G15M云服务器仅240元/季起,香港CN2、美国三网CN2深圳BGP优质云服务器超高性...
zencart为你推荐
-
去哪儿网称不会转型做在线代理苹果appstore宕机apple id登陆不了app store怎么办新iphone也将禁售苹果手机现在在中国是不是不能卖了重庆电信断网重庆电信的最近是怎么回事啊!老断网sqlserver数据库SQL Server 数据库 (+) 这个是什么意思申请支付宝账户怎样申请支付宝账户?要填写什么信息?生药http12306.com12306身份信息待核验要多久?审核要多久开源网店开源网店系统 独立网店系统 淘宝 有什么区别?无忧登陆无忧登录好吗?