
iHwy Hosting Blog

Musings about our hosting services and the applications we touch each day.

Reversing a SQL Injection Attack

Posted on February 27, 2009 07:50 by Jack
Recently a client of ours, who hosts their own ecommerce solution on our servers, called and asked us to take a look at their web site. They said odd things seemed to be happening: pages were distorted, dropdown lists had incorrect information in them and some parts of pages just weren't showing up. The first thing that came to mind was that their site might have been hacked. We took a look at the site and what we saw pretty much aligned with our hunch: stray HTML for JavaScript script tags was showing up in unusual places, skewing the layout and breaking some functionality. Most of the places where those tags appeared were content that came from their ecommerce database.

We pulled the site offline so we could analyze what we saw and prevent things from potentially getting worse. A quick Google search, using some words from the stray HTML we saw on the site's pages, showed that hundreds of thousands of other sites had the same issue. So many sites were affected that it was actually hard to find information about the root cause, since the searches mostly brought up 'infected' sites.

We analyzed the web and database server logs, looking for signs of a "SQL injection" attack, in which untrusted input from a web request is pasted into a database query so that the attacker's text runs as SQL, letting them read or modify records at will. We found a few partially encoded web server requests in the web logs and decoded them to see what they contained. What we found was indeed a SQL injection attack. The injected SQL located the "text fields" in the database and wrote the HTML script tags that we saw on the site into every single text field. It also truncated (shortened) the text in each field, basically mangling the data.

A pretty bad attack.

We then commenced a recovery effort, using the decoded injection attack as a model for identifying all of the affected data. We created data recovery scripts based on a combination of the reverse-engineered injection attack and a recent backup of the system's database. Our script was able to scrub the injected text out of the affected database tables and restore the affected fields to the state they were in before the attack. Our client fortunately also had a secondary database replicating some data to the web database. Using the replication we were able to add another layer of recovery for the affected data.

In the end the bulk of the data was recovered and the injection attack was scrubbed out of the database.
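To make the attack and the clean-up above concrete, here is an added example (not the post's own recovery script, which is not published) that simulates both in sqlite3. The product rows, the payload and the "backup" are constructed for the demonstration; the script tag URL is a placeholder and the substr(..., 1, 30) in the payload is only a model of the truncation the post describes, not the statement that was actually used. The scrub routine does what the post says the recovery did: find every text column carrying the tag, strip it, and where the remaining text is a truncated prefix of the backed-up value, restore the full value from the backup.

```python
"""Added example: simulating the mass SQL injection and its clean-up in sqlite3.
All rows, the payload and the backup are constructed for the demonstration."""
import re
import sqlite3

# Placeholder for the script tag the attack appended; the real URL is not
# reproduced here.
INJECTED = '<script src="http://example.invalid/x.js"></script>'
INJECTED_RE = re.compile(r"<script\b[^>]*></script>", re.IGNORECASE)

# Constructed catalogue data; the same rows stand in for the "recent backup".
ORIGINAL_ROWS = [
    (1, "Blue widget", "A reliable widget with a thirty-year warranty and free shipping."),
    (2, "Red widget", "Same widget, painted red. Ships in two days."),
]
BACKUP = {pid: {"name": n, "description": d} for pid, n, d in ORIGINAL_ROWS}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", ORIGINAL_ROWS)
    conn.commit()
    return conn


def vulnerable_lookup(conn, product_id: str) -> None:
    """VULNERABLE: the request parameter is pasted into the SQL text.
    executescript() stands in for a driver that runs stacked statements in
    one batch, as the SQL Server connections behind these sites did."""
    conn.executescript(f"SELECT name FROM products WHERE id = {product_id};")


def safe_lookup(conn, product_id: str):
    """Fixed: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()


def text_columns(conn, table: str):
    """TEXT columns read from the schema. The attack found its targets the same
    way, by reading the system catalog, which is why every text field was hit."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})") if row[2].upper() == "TEXT"]


def find_infected(conn, table: str):
    """(rowid, column) pairs whose value carries the injected tag. Table and
    column names come from the schema, not from a request, so the f-strings
    here are safe."""
    hits = []
    for col in text_columns(conn, table):
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}").fetchall():
            if value and INJECTED_RE.search(value):
                hits.append((rowid, col))
    return hits


def scrub_and_restore(conn, table: str, backup: dict) -> int:
    """Strip the tag from each infected cell. Where the backup has the row and
    the scrubbed text is a truncated prefix of the backed-up value, put the
    full value back. Returns how many truncated values were restored."""
    restored = 0
    for rowid, col in find_infected(conn, table):
        (value,) = conn.execute(f"SELECT {col} FROM {table} WHERE rowid = ?", (rowid,)).fetchone()
        cleaned = INJECTED_RE.sub("", value)
        backed_up = backup.get(rowid, {}).get(col)
        if backed_up is not None and backed_up != cleaned and backed_up.startswith(cleaned):
            cleaned = backed_up
            restored += 1
        conn.execute(f"UPDATE {table} SET {col} = ? WHERE rowid = ?", (cleaned, rowid))
    conn.commit()
    return restored


def demo():
    """Inject, measure, clean, and return the evidence."""
    conn = make_db()
    # Constructed payload: substr(..., 1, 30) models the truncation the post
    # describes; the real statement is not reproduced.
    payload = (
        "1; UPDATE products SET name = substr(name, 1, 30) || '" + INJECTED + "', "
        "description = substr(description, 1, 30) || '" + INJECTED + "'"
    )
    vulnerable_lookup(conn, payload)
    infected_before = len(find_infected(conn, "products"))
    restored = scrub_and_restore(conn, "products", BACKUP)
    infected_after = len(find_infected(conn, "products"))
    rows = conn.execute("SELECT id, name, description FROM products ORDER BY id").fetchall()
    return infected_before, restored, infected_after, rows


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes that the narrative alone does not: the injected statement never needs to know the schema in advance, because it enumerates text columns from the catalog, and scrubbing the tag is only half the recovery, since the truncated text can only come back from a backup or replica taken before the attack. The parameterized safe_lookup is the fix at the root; a filtering module in front of the site is defence in depth, not a substitute for it.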

Before we turned the system back on, we also put in place a custom ASP.NET module that we developed in-house to prevent these kinds of injection attacks. It provides additional protection for sites that need it, specifically targeting these kinds of SQL injection attacks. The module works for ASP.NET 1.x through 3.5 (the latest version at the time of writing) web sites and can be applied as a simple add-on without having to touch the original site. For more information about this module, please feel free to contact us.

The hundreds of thousands of affected sites we found via Google show that there are many vulnerable sites out there. As a general practice we build sites using techniques that prevent these kinds of attacks, but it's clear that the attack surface on the net is very large. We hope that the hard lesson learned by the affected sites will lead to many of these holes being closed. If you have any concerns that your web site may have a vulnerability like this, please contact us. We can help you assess your site and consult with you about how to protect yourself from this kind of attack.


Our Economic Stimulus Package

Posted on December 31, 2008 05:47 by Mark

Start the new year off right! Host any new-to-iHwy site with iHwy and we'll give you the first three months web hosting free. No payment required. Zip. Zilch. Nada. You can use those first three months "rent free" to grow your business.

So, while we may not see our share of that $700,000,000,000 that the US Government gave to banks, you can have three months of web hosting on us to develop your web site, grow your business and generate income at a little less cost.

Surf forth and prosper.


We've observed an end to the previous NDR storm, but continue to see some spammers falsifying the "From" address of their spam messages, resulting in some users receiving a number of bounce messages for messages they didn't send.

What is an NDR?

A non-delivery receipt (NDR) is a message that a mail server sends to notify the sender when a problem occurs with delivery.

For example, if you type a recipient's address incorrectly, the receiving server might send you a message that looks similar to this: 

Undelivered Mail Returned to Sender
Your message did not reach some or all of the intended recipients.
Subject: Report update
The following recipient(s) could not be reached:
webmmaster@yourcompany.com on 05/15/2008 08:09 PM
The e-mail account does not exist at the organization this message was sent to. Check the e-mail address, or contact the recipient directly to find out the correct address.


Normal NDRs and other automatic responses include:
 
  • User unknown: The recipient's address doesn't exist on the receiving server, and the message is bounced
  • Server resources are unavailable; for example, the recipient's mailbox is full
  • Auto-reply vacation or out-of-office messages
  • Auto-reply list server or mailing list responses 

NDR spam: Why am I receiving an NDR for a message I didn’t send?

NDRs are a normal part of email exchanges, but spammers' activities can cause spikes in NDR activity. Spammers send junk messages to thousands of email addresses, some of which exist and some of which do not. To give the appearance that their messages are legitimate, spammers use a practice called "spoofing," whereby they forge the sender address (both the envelope sender, to which bounces are returned, and the visible "From" header) to use a real domain or sender.
 
When a spammer sends email to an invalid address, the receiving mail server sends an NDR to the forged sender address, not to the server that actually sent the spam. Because spammers spoof common addresses, such as sales or info at well-known companies, these NDRs may be destined for your mail server.
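The question in the heading above, "why am I receiving an NDR for a message I didn't send?", can be answered mechanically: a genuine NDR quotes the message it bounces, and that message carries a Message-ID our own server assigned, so an NDR whose quoted Message-ID never appears in our outbound log is backscatter. The following is an added example, not part of the original post or of any iHwy filtering; the outbound log lines, the bounce messages and the addresses in them are constructed for the demonstration.

```python
"""Added example: telling a bounce for mail we actually sent from backscatter
caused by a spoofed sender. The outbound log and the bounces are constructed."""
import re
from email import message_from_string
from email.policy import default as DEFAULT_POLICY

# Constructed outbound mail log: one line per message this server really sent.
OUTBOUND_LOG = """\
2008-05-15 18:02:11 sent id=<20080515180211.1a2b@yourcompany.com> from=sales@yourcompany.com to=buyer@example.org
2008-05-15 19:44:57 sent id=<20080515194457.9f8e@yourcompany.com> from=info@yourcompany.com to=partner@example.com
"""
LOG_ID_RE = re.compile(r"id=(<[^>]+>)")


def sent_message_ids(log_text: str) -> set:
    """Message-IDs of everything our server actually sent."""
    return set(LOG_ID_RE.findall(log_text))


SENT_IDS = sent_message_ids(OUTBOUND_LOG)


def make_bounce(original_msgid: str, final_recipient: str) -> str:
    """A constructed multipart/report NDR (RFC 3464 shape) that quotes the
    message it claims to bounce, as most mail servers do."""
    return (
        "From: MAILER-DAEMON@mx.example.net\n"
        "To: sales@yourcompany.com\n"
        "Subject: Undelivered Mail Returned to Sender\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="ndr"\n'
        "\n--ndr\nContent-Type: text/plain\n\n"
        "Your message did not reach some or all of the intended recipients.\n"
        "\n--ndr\nContent-Type: message/delivery-status\n\n"
        "Reporting-MTA: dns; mx.example.net\n\n"
        f"Final-Recipient: rfc822; {final_recipient}\nAction: failed\nStatus: 5.1.1\n"
        "\n--ndr\nContent-Type: message/rfc822\n\n"
        f"Message-ID: {original_msgid}\nFrom: sales@yourcompany.com\nTo: {final_recipient}\n"
        "Subject: Report update\n\nPlease see the attached report.\n"
        "\n--ndr--\n"
    )


# A bare text bounce with no copy of the original message attached.
PLAIN_BOUNCE = (
    "From: MAILER-DAEMON@mx.example.net\nTo: sales@yourcompany.com\n"
    "Subject: Undelivered Mail Returned to Sender\n\n"
    "The e-mail account does not exist at the organization this message was sent to.\n"
)


def quoted_original_id(raw_bounce: str):
    """Message-ID of the original message quoted inside the NDR, if any."""
    msg = message_from_string(raw_bounce, policy=DEFAULT_POLICY)
    if msg.get_content_type() != "multipart/report":
        return None
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            original = part.get_payload(0)
            msgid = original["Message-ID"]
            return str(msgid).strip() if msgid else None
    return None


def classify_bounce(raw_bounce: str, sent_ids: set) -> str:
    """'legitimate' if the quoted Message-ID is one we sent, 'backscatter' if
    it is not, 'unverifiable' if the NDR carries no copy of the original."""
    msgid = quoted_original_id(raw_bounce)
    if msgid is None:
        return "unverifiable"
    return "legitimate" if msgid in sent_ids else "backscatter"
```

The "unverifiable" outcome matters in practice: a bounce that quotes nothing cannot be tied to a sent message, so it should be scored by content rather than dropped or trusted outright. Signed bounce-address schemes (BATV) automate the same idea by putting a signature in the envelope sender, so the check needs no log lookup at all.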



The good news is that your message security service recognizes the spam content in an NDR, and blocks large numbers of these messages so they never reach your mail server.

iHwy DPM Tape Backups are now encrypted

Posted on July 1, 2008 11:20 by Admin

We have implemented secure encryption for all backups and restores. These tape backups can only be restored from the DPM install in our secure cage at the Network access point.

The SSL certificate is issued by our certificate authority only for the DPM server in question, and it is installed for both backups and restores. The certificate is issued for authentication purposes only. Its signature algorithm is SHA1 with RSA and its public key is a 1024-bit RSA key; SHA1 is the hash used in the certificate's signature and is not itself an encryption algorithm. The linked documentation describes the features of DPM and gives a brief summary of how it uses the certificate to encrypt tape backups:

http://technet.microsoft.com/en-us/dpm/bb798076.aspx
http://technet.microsoft.com/en-us/magazine/cc137717(TechNet.10).aspx


When choosing the name for your domain, always remember that:

  • You can't use accented characters (such as à, é, ò, etc.)
  • You can't use symbols (such as ' + . , | ! " £ $ % & / ( ) = ? ^ * ç ° § ; : _ > ] [ @ )
  • The name's length must range between 3 and 63 characters (excluding the extension)
  • The name can neither start nor end with the character "-", although the character "-" is allowed inside the name. 

So, to name your domain you can use letters, the digits 0 to 9, and the hyphen "-". The length may vary from 3 to 63 characters. For domain names registered under a geographical structure, the limit is between 1 and 63 characters.
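The rules above are easy to get subtly wrong in a registration form (a trailing hyphen, an accented letter that looks fine on screen, the different minimum for geographical names), so here is an added validator that implements exactly them. It is example code, not the registrar's or iHwy's own check; the function and its parameter name are assumptions for the illustration.

```python
"""Added example: validating the name part of a domain (before the extension)
against the rules listed above."""
import re

# Letters, digits and hyphen only; no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def valid_domain_label(name: str, geographical: bool = False) -> bool:
    """True if 'name' may be registered. 'geographical' (assumed parameter
    name) relaxes the minimum length from 3 to 1 for names registered under a
    geographical structure."""
    # Accented letters such as é are non-ASCII and therefore rejected.
    if not name.isascii():
        return False
    minimum = 1 if geographical else 3
    if not minimum <= len(name) <= 63:
        return False
    # Symbols, spaces and dots fail the character class; the hyphen may appear
    # only between two alphanumerics.
    return LABEL_RE.fullmatch(name) is not None
```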


Following is the summary of recent email threats and trends.

Anti-Bot-net Protection: Our recently introduced advanced bot-net protection continues to perform well against the growing number of bot-net attacks. We've observed that bot-net generated spam now comprises over 20% of the spam traffic, and on April 14, a single powerful attack accounted for 46% of all spam volume.

This graph shows the actual bot-net activity patterns. Spammers try to take advantage of the reactive nature of most spam protections by attacking with maximum volume when defenses are low.

Advanced Anti-virus Heuristics: In January, we completed the release of advanced anti-virus heuristics that specifically targeted zero-hour attacks (the period of vulnerability between a new virus in the wild and release of the anti-virus signature file). If the bot-net protection identifies a suspicious message, the anti-virus heuristics also scan the message for zero-hour viruses.

We've observed a number of attacks in which the anti-virus heuristics successfully identified viruses. For example, the anti-virus heuristics identified a viral message pattern -- later identified as a new strain of the Spy Agent Downloader ( http://vil.nai.com/vil/content/v_141846.htm ) -- in the wild at 11:12 AM GMT. At 2:50 PM GMT, when the volumes had grown dramatically, we received the new virus signature file from one of the anti-virus engines. 

Filter Updates: We continue to update filters to combat spammers’ tactics. Attacks blocked include new variations of pharmaceutical and automotive scams, penny stock ploys (ZYTO Corp), and numerous phishing attacks.

Spam Traffic Trends: Spam levels remain high, and April 23rd brought a record level of spam for the year, with 194 spam messages per user per day. With such high spam volume, organizations with in-house solutions require equally high capacity to handle the load. Since spikes in spam can happen overnight, we must carry precautionary -- but generally unused -- capacity to avoid a meltdown.


Email Obfuscation Tool

Posted on May 2, 2008 08:24 by Team

A seemingly endless battle for us is the battle against spam. We spend a great deal of effort and resources fighting spammers and educating our users on the various tools and techniques used in the war. One common way for spammers to collect new email addresses is the use of special software known as mail "harvesting bots" or "harvesters", which spider web pages to obtain e-mail addresses. If your web site contains an email address that is machine-readable in the form <username>@<domain>, then your address is easily picked up by email harvesting software. This includes email addresses that may be embedded in hidden fields in your forms.

One way to mitigate this is to obfuscate your email address and "mailto:" link with HTML character entities. For example, this address, support@ihwy.com, works like a normal email address but is actually obfuscated and hidden from spam harvesters that scan the raw HTML.

You can access this tool by going to: http://www.ihwy.com/Tools/Email-Obfuscation-Tool.aspx
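The entity-encoding technique the post describes, written out as an added example (this is not the code behind the iHwy tool, whose implementation is not published): every character of the mailto link and of the visible text is replaced by a numeric HTML entity, alternating decimal and hexadecimal forms, so the literal address never appears in the page source. The harvester_view function shows the limit of the technique: any harvester that decodes entities, as every browser must, recovers the address.

```python
"""Added example: building an entity-obfuscated mailto link, and showing what
an entity-aware harvester still sees."""
import html


def entity_encode(text: str) -> str:
    """Encode every character as an HTML numeric entity, alternating decimal
    (&#NNN;) and hexadecimal (&#xHH;) forms. Browsers decode both, so the link
    and its text render normally."""
    out = []
    for i, ch in enumerate(text):
        code = ord(ch)
        out.append(f"&#{code};" if i % 2 == 0 else f"&#x{code:x};")
    return "".join(out)


def obfuscated_mailto(address: str, link_text: str = "") -> str:
    """Return an <a> element whose href and visible text are entity-encoded.
    The address itself is never written literally into the markup."""
    visible = entity_encode(link_text or address)
    return f'<a href="{entity_encode("mailto:" + address)}">{visible}</a>'


def harvester_view(markup: str) -> str:
    """What a harvester that decodes entities sees. This is the limit of the
    technique: it only defeats harvesters that match the raw HTML for
    '@' patterns."""
    return html.unescape(markup)


if __name__ == "__main__":
    link = obfuscated_mailto("support@ihwy.com")
    print(link)
    print(harvester_view(link))
```

Treat this as a speed bump rather than a wall: it removes the address from naive pattern matching on page source, but a contact form that never exposes the mailbox, or a server-side filter behind the address, is what actually stops the harvested mail from arriving.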


Expression Engine

Posted on April 1, 2008 05:12 by Team

Expression Engine

Tinkering with Expression Engine for a few moments, it instantly received a "wow." Clever, adaptable, accommodating, Expression Engine has qualities of a good friend, a good program, while being a fantastic site-structuring application. It has a general versatility within the administrative interface as well as designing capabilities. Written, coded, and constructed with a type of genius resourcefulness, it easily stands with other frontrunners of web-based site design and construction.

Expression Engine does have peers. Like any web-based site builder, the limitations are not absent. The mixture of dynamics is often hindered by the nature of web-based platforms; so, what attracts a designer to one web application over another is its functionality. Two noticeable characteristics of this application are simplicity and diversity.

One can easily paste a line of code within the builder interface, click on or off widgets, and scoot over to admin options without having to get a search and rescue team to locate necessary links. Often tenuous is the task of giving permissions or enabling widgets but in the interface of ExpressionEngine is the exciting and rare ability to know where to find the things you need.

What one may produce using Expression Engine are operational, smooth, content-complementary sites, which visitors, and their browsers, navigate with facility and ease. A site's flair and zest, style and pizzazz are at the fingertips of whoever brandishes this mighty application.