[Owasp-delhi] Audit your web server lately?

Soi, Dhruv dhruv.soi at torridnet.com
Tue Apr 1 04:19:08 EDT 2008


Web servers being hacked is nothing new and Web administrators continue to
maintain their servers in the attempt to prevent this from happening. Well,
it might be a good time for everyone to audit their servers again because we
(Symantec) have confirmed yet again another campaign of IFRAME injection
attacks today (2008-03-28). Earlier this month (March 2008), we had a
similar mass attack as well, making this a popular theme so far this year.

Earlier today, Dancho Danchev, a security consultant, published
<http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html>
a blog about another batch of servers getting injected with malicious
code and we have confirmed the attack here at Symantec. IFRAME code has been
inserted into Web pages on these servers, leading to rogue security software
and codec sites, further leading to downloads of Trojan.Zlob variants and
downloaders. These threats ultimately attempt to install misleading
applications onto the compromised computers.

Please avoid the IP addresses below, which are hosting the unwanted files,
for the time being. If you're an IT administrator, you will want to
temporarily add them to the list of IPs to filter:

*	72.232.39.252
*	195.225.178.21
*	89.149.243.201
*	89.149.220.85

In the past we've seen many low-profile sites being targeted with the IFRAME
attack, but this time the list of hacked sites includes many high-profile
sites as well. This is very disturbing because many big corporations often
go out of their way to protect themselves, yet get hit like this. A
reevaluation of how we secure our IT infrastructure may be in order.

Source: http://www.securityfocus.com/blogs/708
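
For administrators acting on the audit advice above, the following is an added example (not part of the original post or of Symantec's write-up) that scans a page's HTML for IFRAME tags whose source points at one of the four listed IP addresses. The function names and the sample page are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# IP addresses the post lists as hosting the unwanted files.
FLAGGED_HOSTS = {"72.232.39.252", "195.225.178.21",
                 "89.149.243.201", "89.149.220.85"}


class IframeCollector(HTMLParser):
    """Collect (line, src) for every <iframe> tag in a page."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IFRAME SRC=...> matches.
        if tag == "iframe":
            src = (dict(attrs).get("src") or "").strip()
            self.frames.append((self.getpos()[0], src))


def iframe_host(src):
    """Lowercase host of an iframe src; '' for relative or unparsable URLs."""
    if src.startswith("//"):  # protocol-relative URL
        src = "http:" + src
    try:
        return (urlsplit(src).hostname or "").lower()
    except ValueError:
        return ""


def audit_page(html, flagged=FLAGGED_HOSTS):
    """Return [(line, src)] for iframes whose src host is on the flagged list."""
    collector = IframeCollector()
    collector.feed(html)
    collector.close()
    return [(l, s) for l, s in collector.frames if iframe_host(s) in flagged]


# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<IFRAME SRC="http://72.232.39.252/a" width=0 height=0></IFRAME>
<iframe src="//89.149.220.85:8080/x"></iframe>
<iframe src="/local/widget.html"></iframe>
<iframe src="https://maps.example.com/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src in audit_page(SAMPLE):
        print(f"line {line}: iframe -> {src}")
```

The check only sees literal IFRAME tags in the HTML it is given, so it should be run against the pages as the server actually delivers them.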

 
