While this is not unusual, it is still worth reiterating.
A web server at the Paul F. Glenn Center for the Biology of Aging at Stanford hosted malware for months, undetected. The intruders started by installing a web shell on the web server. That shell could do a number of things, including upload files to the server. Other hackers figured out that the shell was reachable by anyone: it did not even require a password. They uploaded a more sophisticated web shell on top of the original one and then uploaded many other files, including phishing web pages, defacement pages and mailer scripts.
In effect, the hackers were using the Stanford web server as a launch pad for attacks on users all over the world, and certainly all over the U.S. After all, people are not going to think of a web site at Stanford University as a hacker's site; most users would consider a Stanford web site "safe".
As I watch the spam come through my system every day, I am amazed at how much of it points to links deep inside legitimate web sites whose owners, I am sure, are completely oblivious to it.
Based on that, I have a question for you.
If a hacker compromised one of your web servers, left all of its existing functionality intact, but added malware that could be used to launch major attacks against U.S. users and infrastructure, would you know about it, and would you be in a position to neutralize it?
My guess is that, for most companies, especially given the number of web sites they run, the answer is no.
Of course, if the attack is big enough, the FBI will likely come visit you and ask why you are attacking U.S. infrastructure. You will plead ignorance and the FBI will tell you to clean up your servers, but if the news media hear about it, it will not stay below the radar.
There are relatively easy ways to manage this, such as generating an alert whenever a new page is added to, or an existing page modified on, any of your web servers (file integrity monitoring, in other words). That would deal with most of it, provided the baseline is stored somewhere the intruder cannot rewrite it and someone actually looks at the alerts, but I would guess that 95% of businesses do not have that capability today.
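Here is what that alerting looks like in practice, as an added example that is not code from the original post, from Stanford or from Help Net Security. It baselines every file under a web root into a hash manifest, compares a later snapshot against it, and additionally flags server-side scripts that show up in an upload directory, which is exactly the pattern described above. The web root layout, the "uploads" and "logs" directory names, the script extension list and the sample files are all assumptions constructed for the demo.

```python
"""File integrity check for a web root: baseline, then alert on new, modified
or removed files. Added example, not code from the original post; the paths,
exclusions and sample web root are assumptions, constructed for the demo."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Server-side script extensions that have no business appearing in a
# directory that should only hold static uploads (assumed list).
SCRIPT_SUFFIXES = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi", ".pl")


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so a large upload does not eat memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(webroot: Path, exclude_dirs=()) -> dict:
    """Map each regular file under webroot (relative POSIX path) to its hash.

    exclude_dirs lists relative directory paths (logs, caches) whose contents
    change legitimately; skipping them keeps the alert from becoming noise.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = Path(dirpath).relative_to(webroot)
        # Prune in place so os.walk does not descend into excluded directories.
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in exclude_dirs]
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # hash real files only; a symlink could point anywhere
            manifest[(rel_dir / name).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    """Write the baseline. Keep it outside the web root, ideally off the server
    entirely, so an intruder who owns the box cannot rewrite it to match."""
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Added, removed and modified relative paths between two manifests."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def flag_scripts_in_uploads(changes: dict, upload_prefixes=("uploads/",)) -> list:
    """Among new or changed files, pick out server-side scripts that landed in
    directories meant for static uploads: the classic web shell drop."""
    return sorted(
        p for p in changes["added"] + changes["modified"]
        if p.lower().endswith(SCRIPT_SUFFIXES) and p.startswith(upload_prefixes)
    )


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then replay the pattern
    from the post (a shell dropped into uploads/, the front page defaced)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        (root / "uploads").mkdir(parents=True)
        (root / "logs").mkdir()
        (root / "index.html").write_text("<h1>Constructed sample site</h1>\n")
        (root / "uploads" / "paper.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (root / "logs" / "access.log").write_text("constructed log line 1\n")

        baseline_path = Path(tmp) / "baseline.json"  # outside the web root
        save_manifest(build_manifest(root, exclude_dirs=("logs",)), baseline_path)

        # Simulate the intrusion.
        (root / "uploads" / "shell.php").write_text("<?php /* constructed stand-in for a web shell */ ?>\n")
        (root / "index.html").write_text("<h1>defaced</h1>\n")
        (root / "logs" / "access.log").write_text("constructed log line 1\nline 2\n")  # excluded, no alert

        changes = diff_manifests(load_manifest(baseline_path), build_manifest(root, exclude_dirs=("logs",)))
        return {"changes": changes, "flagged": flag_scripts_in_uploads(changes)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron against the real web root with the baseline kept on another host, and re-baseline only as part of a deployment. The exclusion list is the part that needs care: anything the application legitimately writes at runtime (logs, caches, user uploads) has to be excluded or the alerts drown in noise, which is why the upload directory gets its own narrower check for script files rather than being excluded outright.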
From a purely financial standpoint, the hackers are consuming your bandwidth, slowing down access for your real users and possibly causing your ISP to hit you with usage charges.
Just food for thought.
Information for this post came from Help Net Security.