Step 1. We will run reports to see how you’ve been hit.
Step 2. We will clean infected files.
Step 3. We will increase security within your website and work with your hosting company to increase security on your server.
Step 4. We will monitor your website from this day forward. Typically, 90% of websites that have been hacked will be hacked over and over until the underlying problems are fixed. We will fix the problems as they are revealed.
10 Common Types of Website Hacks
- The web server fails to parse the URL properly.
- e.g. the Unicode / Superfluous decode attack.
- Mismatched resource mappings in the configuration.
- e.g. +.htr, .JSP, Java remote command execution, etc.
webOPTIMA FIX: Usually requires entirely new files (Java, etc.), thorough inspection of the web server configuration and bindings.
- Ability to retrieve complete directory listing within directories on the web server
- Usually happens when the default document is missing
- Not-so-strict Web server configuration
webOPTIMA FIX: Web server configuration lock-down, disabling of directory listings; sometimes the error may require entirely new Java scripting.
RETRIEVING NON-WEB FILES
- Web proxy servers may work both ways!
- Typically meant to allow users from within a network to access external websites
- May end up proxying HTTP requests from the outside world to the internal network
- e.g. Compaq Insight Manager
- Usually happens when the front end web server proxies requests to back end app servers
webOPTIMA FIX: Check the web server proxy configuration thoroughly, Check for created URL mappings to internal servers
- Java Bytecode can be decompiled quite effectively
- May disclose sensitive information such as passwords, application paths, etc.
- May also disclose application logic, such as generation of session IDs, encryption, etc.
- Java Archive files (.jar files) may contain files other than bytecode, such as configuration files.
webOPTIMA FIX: Java bytecode obfuscation, Elimination of sensitive configuration information within bytecode, Elimination of unnecessary files within .jar files
SOURCE CODE DISCLOSURE
- Ability to retrieve application files in an unparsed manner
- Attackers can recover the source code of the web application itself.
- The code can then be used to find further loopholes / trophies
- May be caused in many ways: misconfiguration or vendor errors, poor application design, etc.
webOPTIMA FIX: Vendor-supplied fixes (modules, etc.), locking down the web server configuration, secure coding practices.
- Root cause of most web hacks
- All inputs received should be validated (data types, date ranges, buffer sizes and bounds, metacharacters)
- Tampering with hidden fields
webOPTIMA FIX: These are the worst to deal with. This requires removal of files, rewriting of files, and proper coding practices in order to close the door.
SQL QUERY POSITIONING
- Parameters from the URL or input fields get used in SQL queries
- An instance of Input Validation attacks
- Data can be altered to extend the SQL query. (e.g. http://server/query.asp?item=3+OR+1=1)
- Execution of stored procedures
- May even lead to back-end database server compromise
webOPTIMA FIX: In-depth source code review, following the principle of least privilege for the database application, elimination of unnecessary database users and stored procedures, cleanup of injected code from all database files.
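As an added illustration of the input validation and SQL query positioning points above (this is not webOPTIMA's own code), a constructed Python/sqlite3 stand-in for a query.asp?item=N lookup: the concatenated query the page warns about beside a type-checked, parameterized one. The table contents, function names and the "3 OR 1=1" value (the decoded form of the URL above) are all assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed catalogue standing in for the back-end database behind query.asp.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [(1, "public widget"), (2, "public gadget"), (3, "hidden prototype")],
    )
    return conn


def lookup_vulnerable(conn, item):
    # The flaw from the page: the URL parameter is pasted straight into the
    # query text, so "3 OR 1=1" extends the WHERE clause to match every row.
    sql = "SELECT id, name FROM items WHERE id = " + item
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, item):
    # Validate the data type first (the input validation rule), then bind the
    # value as a parameter so it is only ever treated as data, never as SQL.
    if not item.isdigit():
        raise ValueError("item must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM items WHERE id = ?", (int(item),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "3"))          # one row, as intended
    print(lookup_vulnerable(db, "3 OR 1=1"))   # every row leaks
    print(lookup_hardened(db, "3"))            # one row
    try:
        lookup_hardened(db, "3 OR 1=1")        # rejected before the query runs
    except ValueError as exc:
        print("rejected:", exc)
```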
- Poor bounds checking
- Web server HTTP requests (e.g. ASP buffer overflow, .printer, etc.)
- Application Input fields
- Can cause denial of service (crashing the app / service) or remote command execution (shellcode)
webOPTIMA FIX: Vendor supplied fixes, Bounds checking within applications, Source code reviews, Buffer overflow testing