Web server protection

The article "Modern Internet attacks" is provided by Sophos Plc and SophosLabs.

August 2007

Hackers use various methods of attacking web servers to infect hosted sites. Potential threats include:

  • Insecure combinations of usernames and passwords.

  • Vulnerable web applications.

  • Vulnerable operating systems.

  • Vulnerable server software, database management systems, tools and libraries.

After discovering a vulnerability, a hacker will most likely try to install a remote console on the server. Many such programs exist; see Figure 14 for screenshots of the most widespread ones. The additional functionality depends on the specific program, but in most cases it allows uploading extra files and running commands remotely. Some programs support a number of features designed for infection, for example the automated addition of scripts and iframe tags to all pages in the root directory of the web server.

Fig. 14. Screenshots of popular consoles used for compromising sites.

When the same software supports all sites on a server, hackers can infect all of those sites at once. Infecting a template or a database can compromise every page hosted on the server.

Evidently, many servers do not scan files (neither across the whole system nor in the root directory). Enabling such scanning can protect the server from various kinds of viruses and alert the administrator to infected pages in time. For a small site, even simple measures such as checking the root directory files with dedicated scripts can help the administrator learn about the problem in time. Webmasters may also use SpyBye [64], which checks the content of the web pages being opened.
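
One way to write the kind of root-directory check described above, as an added example that is not part of the original article: it records SHA-256 hashes of every file in the web root, reports files that later appear, disappear or change, and flags changed pages that contain zero-size or CSS-hidden iframes. The function names, the hidden-iframe heuristic and the sample pages are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PAGE_EXT = {".html", ".htm", ".php", ".tpl", ".js"}
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Assumed heuristic for invisible frames: 0- or 1-pixel size, or CSS hiding.
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*[=:]\s*[\"']?[01](?:px)?(?![\d.%])"
    r"|display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def snapshot(root):
    """Return {relative path: SHA-256 hex digest} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified

def hidden_iframes(root, paths):
    """Return {path: [iframe tags]} for the given pages that carry hidden iframes."""
    hits = {}
    for rel in paths:
        if Path(rel).suffix.lower() in PAGE_EXT:
            text = (Path(root) / rel).read_text(encoding="utf-8", errors="replace")
            tags = [t for t in IFRAME_RE.findall(text) if HIDDEN_RE.search(t)]
            if tags:
                hits[rel] = tags
    return hits

def demo():
    """Constructed web root: record a baseline, tamper with it, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("index.html", "about.html"):
            (root / name).write_text("<html><body><h1>Hello</h1></body></html>")
        baseline = snapshot(root)
        # Constructed tampering: an appended zero-size iframe and a new file.
        with open(root / "index.html", "a") as fh:
            fh.write('<iframe src="http://placeholder.invalid/" width="0" height="0"></iframe>')
        (root / "new.php").write_text("<?php /* constructed placeholder */ ?>")
        added, removed, modified = compare(baseline, snapshot(root))
        return added, removed, modified, hidden_iframes(root, added + modified)
```

In practice the baseline would be stored somewhere the web server account cannot write to, and the comparison run on a schedule so that any reported change reaches the administrator.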