How long would it take you to notice that your website has been compromised?

My last post concerning mass SQL injection attacks on websites shows what can happen if your website is distributing malware and you don’t act fast enough. In that post, I also mentioned it might be a good idea to have some sort of self-checking mechanism integrated in your CMS which would alert you if unauthorized changes were made. While I still think that’s a good idea, there’s a much easier and faster option when it comes to small, rather static websites: change detection services!

Here are a few I found through search engines, a blog post from 2005 by Marshall Kirkpatrick and an article in c’t magazine 4/2008 (page 170):

ChangeAlarm – free, typically checks for updates once per day

ChangeDetect – free and paid membership options

ChangeDetection – free, typically checks for updates once per day, does not detect changes in HTML tags

InfoMinder – no free membership, 30 day trial available

TheWebWatcher – free for personal use, monitoring intervals starting from 1h

TracerLock – no free membership, max 20 URLs, 4 US$/month

TrackEngine – free, 19,95 US$/year for 10 “bookmarks”, 4,95 US$/month for 50 “bookmarks”, possibly includes more frequent updates for paid services

WatchThatPage – free, priority accounts available for donation of US$ 20/year. Fastest update: once per day. There seems to be no limit on the number of pages you can watch. Pages can be organized in folders. Simple keyword filtering available. Refuses to watch pages with badly mangled HTML.

Yes, I know, most of these sites scream “web 1.0” at you and – ironically – seem to be averse to change themselves (the latest news on TrackEngine are from December 2001, Merry Christmas!). They won’t really help if you’re in charge of large websites with thousands of pages. However, they might be appropriate for small websites, like this one which has been displaying “OwNed By un alien …” for months on the “liens” and “evenements” pages.

I’ll update this post after trying out some of these services (you can subscribe to my RSS feed here 😉 ). Please note there’s also tons of change detection software (running locally on your computer) which I’m not covering here.

SQL Injections – why companies should care (and users, too)

While I had read reports about successful mass SQL attacks on hundreds of thousands – by some estimates even millions – of websites months ago, I didn’t really care much, assuming that this issue would only concern outdated, irrelevant and poorly coded websites.

I realized I was wrong (partially wrong) about a week ago when I was looking for recipes for my newest toy, a blender from a brand every YouTube user knows. Unfortunately, the manufacturer’s website contained not only recipes, but also references to a malicious external script:


For a moment, I thought about making a stupid video showing some JavaScript that does not blend but then decided on contacting the company first. Indeed, only one day later the site had been cleaned.

Normally, I wouldn’t even mention this on my blog, since I believe “public shaming” is only justified if a company or webmaster does not react within a reasonable time or if the case at hand is particularly outrageous (before you disagree, please consider that my entire blog is about not being perfect and still having a lot to learn). However, when I visited the website again on Sunday (in order to show the company’s products to a friend and restaurant owner), NoScript showed the site had been compromised once more and was trying to distribute malware again (this time, the evil domain was mainadt.com instead of suppadw.com). When I tried to send another message over the contact form this morning, Firefox 3 wouldn’t even let me visit the page without a very clear warning:

The reason Firefox is showing this warning is that Google now “officially” considers this site (possibly) harmful:

Aside from the obvious “make sure your code is not vulnerable to SQL injections (and don’t forGET it’s not only about POST parameters*)”, what can be learned here?

If your site has been compromised, you should react quickly and make sure it can’t happen again. Otherwise Google will sooner or later list your website as “suspicious” and you’ll certainly lose visitors and business. A compromised website also reflects poorly on your company and your brand. I would be particularly concerned about the negative effects in the case of companies relying heavily on the internet for business (including internet marketing). Furthermore, one has to wonder if you might be held liable for exposing your visitors to malware.

Don’t rely on expensive third party scanning tools. Did you notice the “Hacker safe” logo in the first screenshot above, where my virus scanner was already showing a warning? Instead, I suggest hiring a capable programmer (you’ll need one to fix the vulnerabilities anyway) and having him customize a monitoring solution which issues a warning anytime your website or database has been “illegally” modified (I might pick this idea up in a later post). This would make sure you’re the first to realize when something is wrong, not your visitors or Google.
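As an added illustration of the kind of self-check described here (example code written for this page, not the author’s own monitoring solution or any of the services listed above), the script below fingerprints a page and flags any `<script src>` that loads code from a host outside an allowlist, which is exactly the symptom the mass SQL injections produced; the hostnames and sample pages are constructed.

```python
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not from the article): the "injected" one imitates
# the pattern the post describes, a foreign <script src> spliced into page text.
ALLOWED_HOSTS = {"www.example-shop.invalid", "cdn.example-shop.invalid"}
CLEAN_PAGE = """<html><head><title>Recipes</title>
<script src="http://cdn.example-shop.invalid/site.js"></script></head>
<body><h1>Recipes</h1><p>Blend 2 bananas with 200 ml milk.</p></body></html>"""
INJECTED_PAGE = CLEAN_PAGE.replace(
    "milk.</p>", 'milk.</p><script src="http://evil-host.invalid/b.js"></script>')

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.sources.extend(v for k, v in attrs if k == "src" and v)

def external_script_hosts(html):
    """Hostnames that <script src> tags load code from (relative srcs skipped)."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative paths like /js/a.js
        if host:
            hosts.add(host.lower())
    return hosts

def content_fingerprint(html):
    """SHA-256 of the page with whitespace collapsed, so that reformatting
    alone does not raise an alert (any real content change still does)."""
    normalized = re.sub(r"\s+", " ", html).strip()
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()

def check_page(html, baseline_fingerprint, allowed_hosts):
    """Compare a fresh page with the stored baseline; empty list means no findings."""
    findings = []
    if content_fingerprint(html) != baseline_fingerprint:
        findings.append("content changed since baseline")
    for host in sorted(external_script_hosts(html) - allowed_hosts):
        findings.append("unexpected external script host: " + host)
    return findings
```

Run it from a cron job against each page of a small site, store the baseline fingerprint after every legitimate update, and mail yourself the findings; the allowlist check catches an injected script even on pages that change legitimately every day.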

If I were a capable programmer familiar with ASP and MSSQL and had some free time, I’d think about spending a few hours searching for affected websites, somehow ranking them (e.g. “best known”, “in my area”, etc.) and then contacting them with an offer to remove the malicious code and the vulnerabilities (or maybe redesign the entire website). Think about it, there might be millions of affected websites out there, this seriously screams “business opportunity” (BTW, I’m not a… er, not familiar with ASP and MSSQL and I’m busy, so please don’t contact me). Of course, sooner or later someone’s bound to misunderstand your offer (“this guy hacked our website and now he’s asking for money”). 😉

As a user, don’t follow my bad example in the first screenshot. Instead, disable JavaScript by default and enable it only for sites you can trust. This can be done best by using the excellent NoScript plugin for Firefox. Don’t think that Firefox + Google alone can always protect you; you won’t get the big red warning above unless the site in question has been compromised for some time.

*technical details can be found in Michael Zino’s article ASCII Encoded/Binary String Automated SQL Injection Attack and by following some of the links I posted before.

Best of SQL injection attacks*

Click to resize:

A fix? Uhm… maybe you can find a good self-help book on SQL injections:

This must be a world record

You should also consider hosting scripts locally:

SCNR.

*no, it wasn’t me. 😉

For serious information: