Franklin Veaux (tacit) wrote,

Whew! I just dodged a bullet...

So this morning, a member of a mailing list I belong to pointed out to me that a Web site had reprinted an essay from my BDSM Web page without attribution.

At about 10:40 this morning, I started to write a polite email to the owner of that Web site asking him to attribute any of the material he uses from my Web site.

At about 10:42 this morning, my Web site came under attack from a person or persons who had located a JavaScript injection vulnerability in my guestbook script (which is hand-rolled, so it wasn't a script kiddie attack).

At about 10:44, I went to my BDSM page to copy the exact URL of the essay the other site owner had "borrowed" without permission. When I went to the BDSM page, an alert dialog popped up that just said "2".

At 10:45, I took apart the HTML of the page and realized that the intruder had injected a JavaScript into the site that popped up an alert dialog, just to let him know that his injection had been successful.

At 10:46, I reuploaded the page.

At 10:47, the attacker injected a different JavaScript. I don't know what it was; I overwrote it immediately and reuploaded the page again.

At 10:48, I started examining the guestbook, and worked out how he'd managed to inject the JavaScript.

At 10:49, I disabled all the guestbooks on the page. Simultaneously, the attacker injected a new JavaScript onto the page, just seconds before I disabled the guestbook.

We went back and forth for quite a while after that. Somehow, I don't know how, he'd gained sufficient access to be able to change the httpd path and was trying, I believe, to install a hostile drive-by downloader script on my site. I successfully prevented him from doing so, and closed the holes as fast as he was opening them.

At about 11:15, I closed the injection vulnerabilities in the guestbook and reuploaded it. By 11:20, the attack was over, and I had re-uploaded a clean copy of the affected pages.

Had I not been composing an email to someone who'd used my work without permission, I would not have been on my site at the beginning stage of the attack, and my site might now be home to a malicious JavaScript or JavaScripts.

My heart is still pounding. It's like PvP in World of Warcraft, only with higher stakes.

I didn't keep a copy of the pages he was modifying, and I'm kicking myself for that now. In hindsight, I should have, but at the time the only thing I wanted to do was undo his changes faster than he could make them.
Tags: computer security