Wednesday, November 28, 2007

How to tell when you are SE0wN3d?

For many successful attacks there are several ways to tell when something has been owned. When pages on your web server contain malware that’s infecting visitors. Or perhaps when the web servers begin making outbound Internet connections. Databases may see huge CPU spikes and network usage from data going out the door from SQL Injection issue. DB records that should NEVER be accessed (honeytokens) is another good indication. Web users will tell you right away when they’re passwords are changed, money is missing, something of of theirs has been defaced, or perhaps they have a new friend named Samy. The list goes on, but what got me thinking was the SEOwN3d hack that targeted the blog for former U.S. Vice President Al Gore’s Inconvenient Truth movie.

In this case the standard IDS stuff would not have applied. No money or value was lost, user accounts hacked, mysterious outbound connections, or malware payloads present - Only silent defacement containing an HTML link that no one was even expected to see or even click on. The SE0Wn3D hack was used to simply boost the search engine rank for another website - and not even through blog spam that we’re used to dealing with. So my original question stands, how did they find out? And for that matter if your website/blog was hacked in this way, would you notice? How would you notice? Maybe many thousands of blogs are already hacked for this purpose and we don't realize it yet. For all I know this blog has been hacked to boost Andy, ITGuy to his #1 status on Google and the only way to tell would be through viewing source.

Hmm…. Andy? :)


Anonymous said...

Links with "buy you-know-what" wouldn't go past my anti-spam filter which simply checks all fields in all POST requests made to my application, except few specific whitelisted ones (previews, log-in).

Also for all output I use templating engine that HTML-escapes all variables by default (PHPTAL), so if any rogue link sneaked past anti-spam and user-crap-filtering functions, it would likely got escaped and became visible and harmless.

But if these failed, it would be really difficult to find it. It wouldn't show in *mine* referrer logs.
I think I'd have to spider my website and check all links :(

Anonymous said...

There's definitely a lot of older wordpress installs that have been hacked by blackhat seos in that way for ranking purposes.

Andy, ITGuy said...

Jeremiah, I would never hack your site for several reasons.
1. It would break my ISC2 Ethics Code
2. You would get me back and you are better at this than me. :)
3. As Bill Pennington told me "He's 6'3" and knows Brazilian Jujitsu." :)

Jeremiah Grossman said...

LOL. Ok, that has got to be the funniest comment I think I've ever gotten here. Im just wondering if you have the list is proper order. :)

Windigo said...

Actually, this happened to a site that I maintained - the previous vendor had implemented a weak password on a FTP user, and the web host's FTP servers were brute-forced.

I'm not sure how long it went on for, but the only way I found out about it was a helpful tip from the previous vendor. They had web sites hosted by the same hosting service, and stumbled upon it before we did.

After that experience, I make a habit to view the source code of the live site at least once and a while. It's the only way I can think of to keep tabs on things... for now.