Over the past few weeks, SophosLabs have been monitoring an attack on several sites, compromising pages with a malicious script (pro-actively detected as Mal/ObfJS-C) that silently loads malicious content from a remote server. The attack uses exploits against the client browser to infect it with a Trojan (pro-actively detected as Mal/Basine-C).
One of the compromised sites belongs to a financial services company based in the UK. With over 500 visitors per day, the site is certainly not small, and a significant number of users are being exposed to the exploit scripts from this one site alone. A timeline of the events that followed is detailed below:
- 0 hours: I contacted the owners of the site, who contacted the hosting provider to alert them to the problem.
- +3 hours: A reply came back, fairly quickly, stating that the site was not compromised, and that the problem was one of the other (legitimate) scripts on the site. I provided further information about the attack to the owner of the site, who passed it on to the provider. This information included the line numbers of the legitimate and malicious scripts to clearly identify the rogue script in question.
- +48 hours: The site is still compromised; the malicious script has not been removed.
So, what to do? Expose the hosting provider? Very tempting. Reading through various reviews, the general consensus is that the provider in question here is renowned for poor customer service. There is a difference between poor customer service and a genuine disregard for security issues. But, fear not (extract from provider's FAQ):
Clearly not quite seriously enough though, eh?
Web hosting is a cutthroat business, with competition continually driving monthly charges down. I am sure this has a negative effect upon the availability and capability of suitable support and technical staff able to tackle security issues. However, this is not an excuse for a blatant disregard for security. The case described above is sadly not unique - there have been many other cases we know of where compromised sites have remained online for days, weeks, even months!
In fact, I suspect the problem is poor management, not size. I host a few web sites with a small web host provider. The servers were attacked earlier this year, and pages were compromised (including some on my sites). Within hours, the provider had identified the problem, fixed the security hole, cleaned up all affected content and notified affected webmasters. Pretty good service for a cost of only 20 GBP or so a year. I am sure there are many other customers of small providers who are very satisfied with the service they receive.
In cases where sites have been compromised, it is imperative that certain steps are performed as quickly as possible, including:
- Remove the malicious content (which may involve taking the site temporarily offline in some cases)
- Identify the security hole (how the site was compromised)
- Close the security hole (prevent the site being re-compromised)
The first step may be quite complex, particularly for sites where the content is dynamically generated from databases or other server tools/applications. Failure to identify how the attack happened leaves the site still vulnerable, and cleaning the content will only be a short-term fix.
As web attacks continue to grow and the web hosting business wakes up to that fact, perhaps we can hope that security starts to feature as a competitive differentiator? In the meantime, webmasters can make use of tools such as SpyBye to help to monitor their sites. For those with sufficient access, writing a simple script to traverse the web root folders in order to monitor changes to pages and scripts can help to detect when a site has been compromised. The bottom line is that when a site is compromised, the reputation of the owner of that site suffers, irrespective of whether they are to blame or not.
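The "simple script to traverse the web root folders" suggested above, written out as an added example (this is not code from the post or from Sophos): it records a SHA-256 hash of every page and script under the web root, and on each later run reports files that were added, removed or modified since that baseline. The list of watched file extensions, the command-line usage and the sample directory in `demo()` are assumptions made for the example.

```python
"""Baseline-and-diff monitor for a web root (added example, not from the post).

'init' records a SHA-256 hash of every page/script under the web root;
'check' re-hashes and reports anything added, removed or modified since then.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

# File types treated as "pages and scripts"; assumed list, adjust per site.
WATCHED_SUFFIXES = {".html", ".htm", ".php", ".js", ".asp", ".aspx", ".css"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(web_root) -> dict:
    """Map each watched file (path relative to web_root, POSIX form) to its hash."""
    root = Path(web_root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() in WATCHED_SUFFIXES:
                snap[path.relative_to(root).as_posix()] = hash_file(path)
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots; every value is a sorted list of relative paths."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed walkthrough on a throwaway directory: take a baseline, then
    simulate an unexpected edit and an unexpected new script, and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "site.js").write_text("console.log('site');\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a watched type, ignored
        baseline = snapshot(root)
        # Simulated tampering (sample data): a tag appended to a page, and a
        # file nobody deployed appearing in the scripts directory.
        with (root / "index.html").open("a") as fh:
            fh.write('<script src="PLACEHOLDER"></script>\n')
        (root / "js" / "dropped.js").write_text("/* not part of the site */\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    # Usage: monitor.py init  <web_root> <baseline.json>
    #        monitor.py check <web_root> <baseline.json>
    if len(sys.argv) == 4 and sys.argv[1] == "init":
        Path(sys.argv[3]).write_text(json.dumps(snapshot(sys.argv[2]), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        stored = json.loads(Path(sys.argv[3]).read_text())
        report = compare(stored, snapshot(sys.argv[2]))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}: {p}")
        sys.exit(1 if any(report.values()) else 0)
    else:
        print(json.dumps(demo(), indent=1))
```

Run `init` once after a known-good deployment and `check` from cron; a non-zero exit means something changed and is worth a look. Keep the baseline file outside the web root and unwritable by the web server account, since whoever can rewrite the pages could otherwise rewrite the baseline to match, and refresh it deliberately after each legitimate deployment so that routine updates do not drown the alerts.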