All of us have faced, or will face, getting our site hacked; it may come from unsanitized input, CMS bugs or even hosting bugs.
The biggest problem is that we then have to check whether the attacker has injected something into our site.
Most common are iframe attacks: the attacker injects an iframe with no width and height (so it is invisible to visitors) that loads a malicious file, for example:
<iframe src="site/a.jar"></iframe>
In the example above a jar file is included; it can be a Java drive-by or even a Java 0day.
How to detect them
We can use a simple grep command if running on Linux.
Searching in a single file (the dot is escaped because in a regular expression an unescaped "." matches any character):
grep '\.jar' filename
Searching in multiple files (FILE_PATTERN is a shell glob such as *.html; add -r to search a whole directory tree):
grep "string" FILE_PATTERN
Case insensitive search:
grep -i "string" FILE
What else to check for:
system, eval, passthru, popen, base64_decode, mail (used for sending data)
It is also recommended to check php.ini, which keeps a log of all the actions made on the server (note: these can be modified).
There are also other types of injection using GET/POST handling, but a simple grep search for dangerous functions can do.
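The checks above, combined into one scan over a whole web root, as an added example that is not code from the original post. It assumes a Linux or BSD grep that supports -r and -E; the sample tree, file names, iframe URL and PHP snippet are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: a small scanner that
# applies the grep checks above to a whole web root at once.

# A constructed sample tree so the script can run offline; the file names,
# the iframe URL and the PHP snippet are made up for this example.
SAMPLE_DIR="$(mktemp -d)"
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/inc"
printf '%s\n' '<html><body><p>Hello</p>' \
  '<iframe src="http://example.invalid/a.jar" width="0" height="0"></iframe>' \
  '</body></html>' > "$SAMPLE_DIR/index.html"
printf '%s\n' '<?php' 'eval(base64_decode("aGVsbG8="));' '?>' \
  > "$SAMPLE_DIR/inc/footer.php"
printf '%s\n' '<?php echo "clean page"; ?>' > "$SAMPLE_DIR/inc/header.php"

# Iframes that pull in a .jar, or that are sized to 0 so they stay invisible.
# The dot is escaped: an unescaped "." would match any character.
IFRAME_RE="<iframe[^>]*(\\.jar|(width|height)=[\"']?0[\"' >])"
# Calls to the functions listed above. The leading group stops "my_eval("
# from matching; the trailing "(" requires an actual call.
FUNC_RE="(^|[^A-Za-z0-9_])(system|eval|passthru|popen|base64_decode|mail)[[:space:]]*\\("

# scan_tree DIR: print file:line:text for every suspicious line under DIR.
scan_tree() {
  # -r recurse, -n line numbers, -i case-insensitive, -E extended regex.
  # grep exits 1 when nothing matches, which is not an error here.
  grep -rniE -e "$IFRAME_RE" -e "$FUNC_RE" "$1" 2>/dev/null || true
}

# count_findings DIR: number of suspicious lines under DIR.
count_findings() {
  scan_tree "$1" | wc -l | tr -d ' '
}

scan_tree "$SAMPLE_DIR"
echo "suspicious lines: $(count_findings "$SAMPLE_DIR")"
```

On the sample tree the scan reports the hidden iframe in index.html and the eval/base64_decode line in footer.php and nothing from header.php; pointing scan_tree at a real document root gives the same file:line:text listing to review by hand, since legitimate code can use these functions too.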
Some useful resources on the web: