Main Content

How was my web site compromised?

Archive - Originally posted on "The Horse's Mouth" - 2009-02-24 08:28:08 - Graham Ellis

It looks to me as if this car has left the road and come to a sudden halt against the building, with the result that both have been somewhat damaged. But why did it happen? Was there a mechanical failure such as brakes or tyres? Did the driver fall asleep at the wheel or something distract him? Was he drunk? Or did he swerve to avoid a child on a cycle? Perhaps there's a more unlikely reason - perhaps there was no driver in the car, but it was left stopped on a slope and ran away, or it fell off the back of a lorry.

When presented with a web site that's been compromised - with new files created, databases and their records changed, or data injected into existing files, it can be rather hard to work out what has happened - rather like trying to find what caused a motor accident. And one photograph is going to give clues, but no more - the picture above is from a page of public domain images, and I know no more than that. So "educated guess" is my best hope.

If I'm going to be looking at a system that's been compromised, I'm going to look not only at the content of the file(s) and database(s) that are infected, but also for certain other tell-tale files that might have been added to the system - especially at around the same time. And I'm also going to take a very careful look at who is allowed to do what to which resources. In other words, file permissions, and user and group ownerships.

Here's an answer, just written, concerning infected files...

If you have infected files, have a look at the write permissions on the infected files .... who can write to them? If they're writeable by the web server user, then is that just yourself, or is this a shared hosting machine? If the scripts are PHP and it's a shared server, then the start of the hole may not be in your area, but the write permissions being wrong in your area have let the sh*t land on you.

What causes such scripts to allow files to be written? Typically scripts written with the best intent, but in which the file name can be taken from the user / seeded by a form. John can create a file called "John.html", perhaps. And Harry a file called Harry.html ... all perfectly good names in a directory called "users". Then along comes someone called ../index.html ... and he overrides the home page at the top of the site. Be aware, too, off the cross-site scripting possibilities of Mr "http://www.sheepbingo.co.uk/" who might find one of your scripts that he can pull his code into and have it run on your system. And these concerns apply not only to the scripts you have written yourself, but also those which you have sourced from elsewhere.

With Perl, the script may be run as the user (via setuid) or as the web server, and you should take a look at which of the two your setup uses in order to help you with the analysis.