JPCERT-AT-2016-0047
JPCERT/CC
2016-11-14
<<< JPCERT/CC Alert 2016-11-14 >>>
Alert regarding website compromise
https://www.jpcert.or.jp/english/at/2016/at160047.html
I. Overview
JPCERT/CC has been receiving various reports on website compromise.
According to these reports, attackers have compromised a number of
domestic websites by placing malicious files on the web server,
designed to inspect the websites including its access counts and
visitors.
- Attackers place a malicious file on the web server named
'index_old.php' and add a process (shown below) on the homepage
which makes the browser load this malicious file
<script type="text/javascript" src="./index_old.php"></script>
- When a user visits a compromised website, the above malicious file
is executed, and the visitors IP address and time of visit is
recorded as a log.
In addition to above mentioned inspection, attackers also seem to be
conducting searching activities to see if the websites can be exploited
for use in cyber attacks, such as water hole attacks.
Website administrators should refer to information provided in
"II. Solution" to check whether the contents of their website have been
compromised or not and consider applying any necessary countermeasures.
II. Solution
Please consider the following check points and countermeasures:
(Check points)
- Check for any process to load malicious files, such as the
following in the homepage of the website
<script type="text/javascript" src="./index_old.php"></script>
- Check the public facing contents of the website for any malicious
files or compromised contents
- Check the FTP/SSH logs and web application access logs for any
suspicious source IP addresses, access times, request URIs, etc.
* If any suspicious activity is discovered, isolate the web server,
change the account passwords for website maintenance, and report
to JPCERT/CC
(Countermeasures)
- Apply security updates to the OS and software used on the web
server
- Disable 20, 21/TCP (FTP), 23/TCP (TELNET) and perform website
maintenance through a secure protocol, such as SSH
- Restrict the PC (IP address) that can be used for website
maintenance
- Change the password for website maintenance account (SSH/CMS etc.)
to a strong one
- Obtain a backup of the website contents, and periodically check
for any differences
III. References
@Police
Alert regarding website compromises (PDF) (Japanese)
https://www.npa.go.jp/cyberpolice/detect/pdf/20161114.pdf
JPCERT/CC
Alert "Periodic checks for websites in preparation for cyber attacks" (Japanese)
https://www.jpcert.or.jp/pr/2016/pr160004.html
IV. Contact Information
JPCERT/CC Incident Response Group
Tel: 03-3518-4600 Fax: 03-3518-2177
E-mail: info@jpcert.or.jp
JPCERT/CC Watch and Warning Group
Tel: 03-3518-4600 Fax: 03-3518-4602
E-mail: ww-info@jpcert.or.jp
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
Top