Whew! I just dodged a bullet…

So this morning, a member of a mailing list I belong to pointed out to me that a Web site had reprinted an essay from my BDSM Web page without attribution.

At about 10:40 this morning, I started to write a polite email to the owner of that Web site asking him to attribute any of the material he uses from my Web site.

At about 10:42 this morning, my Web site came under attack from a person or persons who had located a JavaScript injection vulnerability in my guestbook script (which is hand-rolled, so it wasn’t a script kiddie attack).

At about 10:44, I went to my BDSM page to copy the exact URL of the essay the other site owner had “borrowed” without permission. When I went to the BDSM page, an alert dialog popped up that just said “2”.

At 10:45, I took apart the HTML of the page and realized that the intruder had injected a JavaScript into the site that popped up an alert dialog, just to let him know that his injection had been successful.

At 10:46, I reuploaded the page.

At 10:47, the attacker injected a different JavaScript. I don’t know what it was; I overwrote it immediately and reuploaded the page again.

At 10:48, I started examining the guestbook, and worked out how he’d managed to inject the JavaScript.

At 10:49, I disabled all the guestbooks on the page. Simultaneously, the attacker injected a new JavaScript onto the page, just seconds before I disabled the guestbook.

We went back and forth for quite a while after that. Somehow, I don’t know how, he’d gained sufficient access to be able to change the httpd path and was trying, I believe, to install a hostile drive-by downloader script on my site. I successfully prevented him from doing so, and closed the holes as fast as he was opening them.

At about 11:15, I closed the injection vulnerabilities in the guestbook and reuploaded it. By 11:20, the attack was over, and I had re-uploaded a clean copy of the affected pages.

Had I not been composing an email to someone who’d used my work without permission, I would not have been on my site at the beginning stage of the attack, and my site might now be home to a malicious JavaScript or JavaScripts.

My heart is still pounding. It’s like PvP in World of Warcraft, only with higher stakes.

I didn’t keep a copy of the pages he was modifying, and I’m kicking myself for that now. In hindsight, I should have, but at the time the only thing I wanted to do was undo his changes faster than he could make them.

60 thoughts on “Whew! I just dodged a bullet…”

  1. Sounds like a scene from one of the movies made from a Tom Clancy novel: Our Intrepid Hero (Harrison Ford) is in his CIA office trying to copy super-secret documents proving that his office-mate committed illegal acts onto a CD-ROM; on the other side of the open office door is the guy whose super-secret documents he’s trying to copy. Both are pounding furiously at their keyboards, shooting nasty looks at each other, engaged in a fierce and furious cyber-battle.

    • More like Disclosure, where our Hero (Michael Douglas) is using an experimental interface to access and copy files while the villain is deleting them. Complete with snazzy “virtual reality” special effects.

        • Yes. I was working at a startup web development firm at the time and the secretary came in one day raving about how excellent that scene was. When I finally saw it… ennggh.

          I own the film because I think it’s not bad, overall, but that scene is not the best. Hence the description of “snazzy” above 🙂

  3. Very doubtful. The site has been using my essay for quite a while, and I had not yet finished composing the email to the site’s owner when I noticed my page was behaving oddly.

    • It was actually embarrassingly stupid. I can’t believe I didn’t catch it when I wrote the script.

      The script takes text input from a form and dumps it to a text file; on read, it dumps the text file into a textarea. Any HTML that is posted is not interpreted, because a browser won’t parse HTML inside a textarea. But if the very first line in a message that’s posted is a tag, then anything after that, including JavaScripts, will be processed.

      Dumb, dumb, dumb. I can not believe I let something that obvious slip through. (The guestbook now parses the entered text, strips away any HTML tag, and rejects the message outright if it encounters any JavaScript or textarea tags.)

      Of course, once he was in, it was trivial for him to inject server-side includes that messed with the http path and all kinds of fun stuff. I watched him doing it in real-time as I was frantically chasing after him and undoing all the changes he was making.

      • This is possibly a common mistake for web forms that have text areas, so it wouldn’t surprise me if you _had_ been caught by a scripted attack, at least to identify potential targets.

  5. Dude. That and dizzying camera angles and you’ve got Hackers.

    It’s easy to analyze in hindsight, of course, but I’m curious why you didn’t just stop your httpd until you’d resolved the problem?

      • Yeah, that makes it a little harder. Deny all access in htaccess, maybe?

        Not that it’s relevant now, but it’s handy to ponder on the off chance it happens again.

        • Deny all access (or password-protect all access) in the webroot would effectively shut the Web site down, and it might not be a bad idea to keep an appropriately configured .htaccess file handy for that purpose if something like that ever happens again.

          I’ve calmed down a bit and done a postmortem on the attack, and realized that contrary to what I first thought, the attacker was not actually uploading or modifying HTML files on the site; he was merely injecting server side includes into the HTML stream via the flaw in the guestbook. So he didn’t root the site, though he still could have done considerable damage had the attack gone undetected.

          My working theory is that most likely, he was trying to install a drive-by downloader or something similar on the site, via SSIs to fetch content from some server under his control elsewhere.

  10. Yeah might be pretty easy to do, especially if register_globals is not turned off. There’s another setting, (slips my mind), that I oops and didn’t turn off on one of my servers when I put it in production, (I run a web hosting company)…it allows you to run scripts across user directories. If Suexec and/or PhpSuexec are not turned on that can be a nightmare. :-S

    • That’s an interesting point. Most of my scripts (including the one I left the gaping security hole in) are Perl, not PHP, so the mod_php register globals isn’t relevant. In this particular case, the attacker appeared to use injection of JavaScript just to verify that he could get in; once he’d done that, he injected server side includes (which I have turned on on that server, as I use them all over the place) to do the real dirty work. And, of course, from that point, the door is wide open.

      Now that I’ve calmed down and had a chance to take a less frantic look at what was going on, I’m realizing that the attacker did not actually modify any of my HTML files. Instead, he injected SSIs into the guestbook which, when served up by a visitor, changed the httpd path (among other things). This would, in theory, have allowed him to serve up content from servers under his control when visitors viewed my site, but it did not (I don’t believe) actually give him the ability to upload or directly modify HTML files on my site, other than by injecting his own code into them as the guestbook Perl script was executed.
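As an added example, not code from the original guestbook (which was Perl), the following Python puts the verbatim-dump pattern described in the guestbook comment above beside an HTML-escaped version, and also covers the point made in this thread about server-side includes: mod_include only acts on a literal <!--# sequence, so escaping the < in user text neutralises an injected SSI directive in the same stroke as the textarea break-out. The sample entries, the textarea markup and all function names are constructed for the example and assume the guestbook renders stored text into a textarea exactly as the comment describes.

```python
import html
import re

# Constructed sample guestbook entries (not taken from the original post).
# Entry 2 contains a closing textarea tag, the pattern the post describes:
# it ends the textarea the guestbook renders into, so what follows is
# parsed as markup. Entry 3 carries a harmless SSI directive; mod_include
# only acts on a literal "<!--#" sequence, which is why escaping "<" is
# the fix for both problems at once.
SAMPLE_ENTRIES = [
    "Nice site, thanks for the essays.",
    "</textarea><script>alert(2)</script>",
    '<!--#echo var="DOCUMENT_NAME" -->',
]

# Hypothetical markup the guestbook wraps around the stored text.
TEXTAREA_OPEN = '<textarea name="guestbook" readonly>'
TEXTAREA_CLOSE = "</textarea>"


def render_vulnerable(entries):
    """Original pattern: the stored text is dumped into the textarea verbatim."""
    body = "\n".join(entries)
    return TEXTAREA_OPEN + body + TEXTAREA_CLOSE


def render_escaped(entries):
    """Hardened pattern: every entry is HTML-escaped at output time.

    html.escape turns '<' into '&lt;' and '>' into '&gt;', so a stored
    entry can neither close the textarea nor form an SSI start tag.
    """
    body = "\n".join(html.escape(entry, quote=True) for entry in entries)
    return TEXTAREA_OPEN + body + TEXTAREA_CLOSE


# Patterns a reviewer would look for inside the rendered textarea body.
_SSI_START = re.compile(r"<!--#", re.IGNORECASE)
_TAG = re.compile(r"</?[a-z][^>]*>", re.IGNORECASE)


def find_unescaped_markup(rendered):
    """Return the tags and SSI start markers found inside the textarea body.

    A clean render has an empty tag list and zero SSI markers; anything
    else means user text reached the page unescaped.
    """
    start = rendered.find(TEXTAREA_OPEN) + len(TEXTAREA_OPEN)
    end = rendered.rfind(TEXTAREA_CLOSE)
    body = rendered[start:end]
    return {
        "tags": _TAG.findall(body),
        "ssi_markers": len(_SSI_START.findall(body)),
    }


def textarea_is_intact(rendered):
    """True when the textarea is closed exactly once, i.e. no entry broke out."""
    return rendered.count(TEXTAREA_CLOSE) == 1


if __name__ == "__main__":
    vulnerable = render_vulnerable(SAMPLE_ENTRIES)
    escaped = render_escaped(SAMPLE_ENTRIES)
    print("vulnerable render intact:", textarea_is_intact(vulnerable))
    print("vulnerable render markup:", find_unescaped_markup(vulnerable))
    print("escaped render intact:", textarea_is_intact(escaped))
    print("escaped render markup:", find_unescaped_markup(escaped))
```

Running the block shows the verbatim render closing the textarea twice and carrying one SSI marker, while the escaped render closes it once and carries none. Escaping at output time is a stricter fix than stripping tags and rejecting messages that mention script or textarea, because it does not depend on recognising every dangerous construct in advance; not having SSI processing enabled on pages that carry user-submitted text is a second, independent layer.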

  15. I am ashamed to say I know nothing about what you are talking about…. LOL I am, however, proud to know such smarties that can fix these types of things. It is ridiculous that people have to stoop to levels of ignorance and do malicious things to others. Jealousy is almost always the motive.

    Think about it, someone is so completely jealous of you to want to try and harm you in that manner. Le Sigh. Kudos for being so cool to make someone else uber jealous.

    Glad you were there to counter their attacks.

    • In this particular case, the motive was most likely profit. Most Web attacks and most computer viruses any more are written for the purpose of making money.

      Hackers, typically associated with Eastern European organized crime, hack Web sites in order to install “drive-by downloaders” on them–scripts that will try to use Windows security flaws to download viruses onto the computers of anyone who visits using Windows and Internet Explorer. The purpose is to try to infect the computers belonging to people who visit the Web site.

      The viruses themselves make money for the hackers in three ways.

      First, some viruses install “keystroke loggers.” These are small, invisible programs that make a record of every key a person hits on the keyboard, and send these records to the hackers. The keystroke loggers are sometimes programmed to activate when the infected user types certain words into a Web browser, such as “bank.” So the next time that person goes to his online banking site, the record of his username and password is sent to the hackers.

      Second, most viruses allow the hacker to take over control of the computer remotely. The hackers can command the computers to do things such as attack other Web sites. A hacker might gain control over thousands of computers; a network of compromised, remote-controlled computers is called a “botnet.” The hacker can use a botnet to wipe out a victim’s Web site by instructing five or six thousand computers to go to that Web site and request information from it, thousands of times per second. The web site can’t handle the load and goes down. The owners of the computers that are infected don’t know anything is wrong–their computers might slow down a little, but they have no idea that they are being used this way. The hackers will seek to extort money from the owners of large Web sites, especially gambling Web sites–“Pay us or we will use the network of computers we own to wipe out your site.”

      The third way that hackers profit from viruses is by writing viruses that install mail relays on infected computers. When a computer is infected by a virus, that computer sends a signal back to the hackers. The virus includes a mail server program that allows the hacker to send email through the infected computer. The hackers sell lists of infected computers to spammers. Most spam these days comes through virus-infected home PCs. That way, when people complain about the spam, there is no way to trace it back to the spammers. Sometimes, the virus-infected PCs will contain Web server software as well, and the spammers will actually host their Web sites for penis pills or whatever on people’s home computers without those people even knowing it.

  17. Most of my scripts (including the one I left the gaping security hole in) are Perl, not PHP, so the mod_php register globals isn’t relevant.

    Ooooh, I love it when you talk dirty. Not that I understand any of it, but foreign languages are so sexy.

  19. Re: from a stranger

    So far, there are no “in the wild” viruses that affect Macs; this is almost entirely a Windows issue. Feel free to repost!