Comments on: Visual Studio as a powerful search and replace tool http://jw0rd.net/2009/02/14/visual-studio-as-a-powerful-search-and-replace-tool/ Archived Tech Knowledge Mon, 19 Apr 2010 21:01:18 -0400 http://wordpress.org/?v=2.8 hourly 1 By: admin http://jw0rd.net/2009/02/14/visual-studio-as-a-powerful-search-and-replace-tool/comment-page-1/#comment-15 admin Fri, 06 Mar 2009 03:00:52 +0000 http://jw0rd.net/?p=138#comment-15 Hello Jim, The root issue was web server file permissions. A certain Windows users group had full permissions recursively to all web files. One site was compromised and was used to inject files on the entire server. First you need to make sure your site's file permissions are secure, depending on your host you may not be able to see the entire ACL (access control list) for your files. If that's the case just ask them to double check to make sure no random Windows users groups have write permissions to your files. Second also verify the original compromise was not an FTP compromise. Have your host check the FTP logs from the day your files were injected. If it was an FTP compromise, update your passwords and scan all workstations used to connect via FTP for viruses, loggers, sniffers, etc.. If it wasn't an FTP compromise have your host double check the sandbox securities in ColdFusion admin and verify that no other sites have something stupid like recursive write access to the directory where all the websites are stored. Assuming your site is on a Windows server have your host setup Windows file auditing/logging for the EVERYONE group on a few of the files that got injected previously. That way if it does happen again you (well, your host) will have evidence of what Windows user wrote to the file. Hope that helps. Hello Jim,

The root issue was web server file permissions. A certain Windows users group had full permissions recursively to all web files. One site was compromised and was used to inject files on the entire server.

First you need to make sure your site’s file permissions are secure, depending on your host you may not be able to see the entire ACL (access control list) for your files. If that’s the case just ask them to double check to make sure no random Windows users groups have write permissions to your files.

Second also verify the original compromise was not an FTP compromise. Have your host check the FTP logs from the day your files were injected. If it was an FTP compromise, update your passwords and scan all workstations used to connect via FTP for viruses, loggers, sniffers, etc..

If it wasn’t an FTP compromise have your host double check the sandbox securities in ColdFusion admin and verify that no other sites have something stupid like recursive write access to the directory where all the websites are stored.

Assuming your site is on a Windows server have your host setup Windows file auditing/logging for the EVERYONE group on a few of the files that got injected previously. That way if it does happen again you (well, your host) will have evidence of what Windows user wrote to the file.

Hope that helps.

]]> By: Jim http://jw0rd.net/2009/02/14/visual-studio-as-a-powerful-search-and-replace-tool/comment-page-1/#comment-14 Jim Thu, 05 Mar 2009 15:38:31 +0000 http://jw0rd.net/?p=138#comment-14 May I ask for more details about the injection itself, specifically how it happened and how you resolved it? You mentioned "getting permissions in order". Could you elaborate? I'm asking because I have a Coldfusion site that has fallen victim to the same compromise. I can repair the damage just fine, but I'm not sure how to prevent it from happening again. Thanks! May I ask for more details about the injection itself, specifically how it happened and how you resolved it? You mentioned “getting permissions in order”. Could you elaborate? I’m asking because I have a Coldfusion site that has fallen victim to the same compromise. I can repair the damage just fine, but I’m not sure how to prevent it from happening again.

Thanks!

]]> By: admin http://jw0rd.net/2009/02/14/visual-studio-as-a-powerful-search-and-replace-tool/comment-page-1/#comment-13 admin Mon, 02 Mar 2009 19:55:51 +0000 http://jw0rd.net/?p=138#comment-13 SQL injection is a completely different subject. The injections I spoke of above were directly in files, not in database records. It was also file permissions related. Preventing SQL injection is a matter of sanitizing all GET and POST variables. http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_Injection SQL injection is a completely different subject. The injections I spoke of above were directly in files, not in database records. It was also file permissions related.

Preventing SQL injection is a matter of sanitizing all GET and POST variables.

http://en.wikipedia.org/wiki/SQL_injection#Preventing_SQL_Injection

]]> By: Koyst http://jw0rd.net/2009/02/14/visual-studio-as-a-powerful-search-and-replace-tool/comment-page-1/#comment-12 Koyst Mon, 02 Mar 2009 17:18:10 +0000 http://jw0rd.net/?p=138#comment-12 How did you stop theSQL injection? How did you stop theSQL injection?

]]>