What Went Wrong?

The defacement of www.example.com was an unusual attack. Most defacement occurs when hackers use canned exploits against a known vulnerability, gain super-user privileges, and modify Web pages hosted on the site. This attack wasn't even directed at the Web server hosting the pages. The attacker managed to chance upon a proxy server that also hosted a staging copy of the company's Web pages. Modifying the Web pages in the staging area caused the site to be defaced after an automatic replication had been performed.

The administrator of the proxy server had taken some preventive measures to block unwanted traffic, but some areas had been left exposed. The first and most vulnerable entry point into the network was the HTTP proxy port: it allowed anyone who could reach it to relay HTTP requests through the proxy server to hosts inside the network.

Although the Web site hosted on the server was protected by HTTP password authentication, the attacker easily used brute-force password guessing to obtain the credentials required to access the site. The attacker used a homegrown Perl script to perform HTTP authentication and brute forcing through the HTTP proxy. Quite a few HTTP brute-forcing tools are commercially available. Later in this chapter, we take a look at two of our favorite HTTP brute forcers, Brutus and WebCracker.

What helped the attacker next was the fact that, unlike on most Web servers, directory browsing hadn't been disabled on this server. Typically, when a directory contains no default Web document, the server won't present the browser with a list of the files and subdirectories in the directory requested. In this case, directory browsing was left turned on, exposing areas that normally would have been hidden from public access. The /admin/ directory contained a PHP script that performed Web site management and allowed the graphics artist to upload Web pages to the staging directory; eventually it allowed the attacker to upload the defaced pages too!
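The two failure points just described, the credential guessing against the password-protected site and the later writes to the management script in /admin/, both leave a recognizable trail in an ordinary Web server access log. The following is an added example, not code from the book: a small analyzer that parses common-log-format lines and flags (1) hosts that collected a burst of 401 responses on one path, (2) a 200 on that same path from the same host right after such a burst, which is the signature of a guess that worked, and (3) any POST, PUT or DELETE under the management prefix. The log lines, the paths /staging/ and /admin/upload.php, the user name "artist", and the threshold of five failures are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access log (common log format), not taken from the book.
# It mirrors the attack path in the text: repeated 401s from one client on the
# protected staging area, a 200 once a guess succeeds, then a POST to the
# upload script in /admin/. A second, benign client is included for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2005:13:55:01 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - - [10/Oct/2005:13:55:01 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - - [10/Oct/2005:13:55:02 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - - [10/Oct/2005:13:55:02 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - - [10/Oct/2005:13:55:03 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - - [10/Oct/2005:13:55:03 +0000] "GET /staging/ HTTP/1.0" 401 381
203.0.113.7 - artist [10/Oct/2005:13:55:04 +0000] "GET /staging/ HTTP/1.0" 200 2048
203.0.113.7 - artist [10/Oct/2005:13:55:09 +0000] "GET /admin/ HTTP/1.0" 200 1533
203.0.113.7 - artist [10/Oct/2005:13:55:20 +0000] "POST /admin/upload.php HTTP/1.0" 200 212
198.51.100.4 - - [10/Oct/2005:13:56:00 +0000] "GET /index.html HTTP/1.0" 200 4096
198.51.100.4 - - [10/Oct/2005:13:56:02 +0000] "GET /staging/ HTTP/1.0" 401 381
"""

# host ident authuser [time] "METHOD path protocol" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e['status'] = int(e['status'])
            entries.append(e)
    return entries


def find_guessing_bursts(entries, threshold=5):
    """Hosts with at least `threshold` 401 responses on a single path.
    Returns {host: {path: count}} for the offending host/path pairs only."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in entries:
        if e['status'] == 401:
            counts[e['host']][e['path']] += 1
    return {h: {p: n for p, n in paths.items() if n >= threshold}
            for h, paths in counts.items()
            if any(n >= threshold for n in paths.values())}


def find_successful_guesses(entries, threshold=5):
    """A 200 on a path from a host that had just accumulated `threshold` or more
    401s on that same path: the guessing run ended with a working credential."""
    hits = []
    failures = defaultdict(int)
    for e in entries:
        key = (e['host'], e['path'])
        if e['status'] == 401:
            failures[key] += 1
        elif e['status'] == 200 and failures[key] >= threshold:
            hits.append({'host': e['host'], 'path': e['path'],
                         'user': e['user'], 'after_failures': failures[key]})
            failures[key] = 0  # report each burst once
    return hits


def find_admin_writes(entries, admin_prefix='/admin/'):
    """Requests that change content under the management area. On a staging
    host these should come only from the known internal clients."""
    return [e for e in entries
            if e['path'].startswith(admin_prefix)
            and e['method'] in ('POST', 'PUT', 'DELETE')]


def analyze(text, threshold=5):
    """Run all three checks over raw log text and return their findings."""
    entries = parse_log(text)
    return {
        'guessing_bursts': find_guessing_bursts(entries, threshold),
        'successful_guesses': find_successful_guesses(entries, threshold),
        'admin_writes': find_admin_writes(entries),
    }


if __name__ == '__main__':
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The threshold is deliberately low because the sample is short; on a real log it should be tuned against the normal rate of mistyped passwords, and the per-path counter should be paired with a time window so that a slow guessing run does not hide below it. The third check is the simplest and, for this case, the most telling: a write to the management script from an address that is not the graphics artist's workstation is exactly the event that preceded the replication to the live site.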

The step that completed the defacement was the automatic replication process executed periodically by the system scheduler. It caused the modified Web pages to be copied to the main Web site.

There are quite a few cases of unusual ways of defacing Web sites. Two of our favorite stories are the defacement of PC Week and the defacement of www.apache.org. The descriptions of these attacks are available on the following URLs:

"The PC Week hack": http://packetstormsecurity.nl/web/pcweek/jfs_pcweek.txt

"How we defaced Apache": http://packetstormsecurity.nl/papers/general/how.defaced.apache.org.txt

Web Hacking: Attacks and Defense
ISBN: 0201761769
Year: 2005
Pages: 156