Categories
Websites

Website Attack Post Mortem

A client’s website was defaced. The client’s phone number was replaced with a sex chat line number. Here is the incident response and the remediation steps that took place. Attacks are very concerning to me and I take security very seriously. Unfortunately it is a real possibility especially lately with so many people staying at home with nothing better to do. The first thing I did was investigate the other websites I host on this server. Since they weren’t affected, I could conclude that the server had not been breached. This is a really good thing as I would have had to move all the files to a new server.

After looking through the logs, I could tell where the attack came from, but not exactly how it was carried out. The attack came from the IP address 138.201.X.X  (Germany). I decided to look through the possible files that could have vulnerabilities in them. The website I had created used several javascript libraries, which were my prime suspects. Attackers are finding new vulnerabilities all the time and javascript is a common attack vector. One library that was used is called “modernizr” which looks for browser functionality. This library was likely the attack vector, as it has a known vulnerability. It is difficult to stay on top of all the possible attacks but I believe this was it: https://www.tenable.com/plugins/was/112381 . The file is used to adapt web browsers if they don’t have specific functionality and change the look of the browser if required. It doesn’t look like the file is required to display properly as web browsers continue to evolve, so I have disabled the file. The website appears fine to me in several browsers and on mobile.

Fixes and mitigations:
– Changed phone number back to what it should be
– Renamed vulnerable file, commented out from the code
– Installed mod_security software on the server which will disallow certain common web attacks
– Activated integrity / defacement monitor using https://visualping.io which monitors for any small changes to the website and sends me an alert.

Unfortunately there are no guarantees in security but I hope these measure will prevent and detect any further attacks.