Web defacement attack – Symptoms & Remediation

The SRE engineer on duty was surprised when he got a defacement alarm from his monitoring solution. He checked his company's website: it looked strange, with junk characters and some cryptocurrency-related links.

He alerted his boss, and the team started firefighting to restore the website from the backup.

So web defacement is an act by a third-party actor (a hacker) who logs in to the service and changes the content of the website. This happens when the security is weak and easily breakable.

We have to fix the root cause. That is, the weak security has to be fixed by following the security standards. But he also needs to ensure his website shows the right information.

Here are the 10 numbers you may need to watch to detect a web defacement attack.

  1. Has the DNS of the website changed?
    Hackers may tamper with the DNS of your website to redirect users to a malicious website.
  2. Are there any changes in the third-party URLs?
    Your website may have links to third-party URLs. Links to genuine sites such as social media and partner sites are fine. A sudden increase or decrease in the third-party URL count is a symptom that has to be checked.
  3. Are there any changes in the third-party image URLs?
    Your website may have images hosted on third-party sites. Genuine images from authorized sites such as social media and partner sites are fine. A sudden increase or decrease in the third-party image URL count is a symptom that has to be checked.
  4. Have any new iframes been added?
    Attackers often use iframes to inject malicious content onto a website without directly modifying the original code. This content may mimic legitimate login forms to steal user credentials, automatically download malware onto visitors' devices, inject spam emails into visitors' inboxes, or change the website's appearance to promote the attacker's message. Hence a sudden increase or decrease in the iframe count is a symptom that has to be checked.
  5. Have the third-party scripts changed?
    Third-party scripts are commonly used in websites; examples include the jQuery library and Real User Monitoring scripts. But an attacker may inject his own script to take control of user navigation, display inappropriate content, lead the user to phishing sites, etc. Hence a sudden change in the third-party JavaScript count is a symptom that has to be checked.
  6. Has the text changed?
    This is one of the basic checks: it identifies whether the content of the website has changed. If you have not modified the website and yet the amount of text on it has changed, that is a symptom that has to be checked.
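As an added example (not code from the original post), the checks in items 2 to 6 above can be turned into a baseline-and-compare script: it counts third-party links, third-party images, iframes and third-party scripts, fingerprints the visible text, and reports every indicator that differs from a known-good snapshot. The DNS check in item 1 is outside the page's HTML and is not covered; the monitored hostname `example.com` and the two sample pages are assumptions constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import hashlib

class PageStats(HTMLParser):
    """Counts third-party links/images/scripts, iframes and visible words."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.counts = {"links": 0, "images": 0, "scripts": 0, "iframes": 0}
        self.words = []
        self.hidden = 0  # nesting depth inside <script>/<style>; that text is not visible
    def _third_party(self, url):
        host = urlparse(url or "").hostname  # relative URLs have no host -> first party
        return host is not None and host != self.own_host
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and self._third_party(a.get("href")):
            self.counts["links"] += 1
        elif tag == "img" and self._third_party(a.get("src")):
            self.counts["images"] += 1
        elif tag == "iframe":
            self.counts["iframes"] += 1
        elif tag in ("script", "style"):
            self.hidden += 1
            if tag == "script" and self._third_party(a.get("src")):
                self.counts["scripts"] += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.hidden -= 1
    def handle_data(self, data):
        if not self.hidden:
            self.words.extend(data.split())

def page_stats(html, own_host="example.com"):  # own_host: assumed hostname of the monitored site
    """Fingerprint one page: indicator counts plus a hash of its visible text."""
    p = PageStats(own_host)
    p.feed(html)
    return {**p.counts, "words": len(p.words),
            "text_sha256": hashlib.sha256(" ".join(p.words).encode()).hexdigest()}

def defacement_symptoms(baseline, current):
    """Indicators that differ from the known-good snapshot, as (old, new) pairs."""
    return {k: (baseline[k], current[k]) for k in baseline if baseline[k] != current[k]}

# Constructed sample pages: a known-good snapshot and a later, tampered copy.
BASELINE_HTML = """<html><body><h1>Acme Corp</h1><p>Welcome to our site.</p><a href="https://twitter.com/acme">Twitter</a>
<img src="/img/logo.png"><script src="https://code.jquery.com/jquery.js"></script></body></html>"""
DEFACED_HTML = """<html><body><h1>Acme Corp</h1><p>Junk text and a coin link</p><a href="https://twitter.com/acme">Twitter</a>
<a href="https://coins.invalid/">Free coins</a><img src="/img/logo.png"><img src="https://evil.invalid/banner.gif">
<iframe src="https://evil.invalid/x"></iframe><script src="https://code.jquery.com/jquery.js"></script>
<script src="https://evil.invalid/m.js"></script></body></html>"""
```

Store `page_stats()` of a freshly deployed page as the baseline and run `defacement_symptoms()` against each periodic fetch; an empty result means none of the counts moved, and any non-empty result is the alarm the post describes.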

In summary, web defacement detection is a basic reactive check that identifies content changes on a website in their different forms. To be able to remediate, you need to take regular backups of your website; that will help you recover it immediately. Ensure the application and the operating system are regularly patched.

If your website has become a victim:

  1. Take down your website. This will safeguard your users.
  2. Change the passwords of FTP, SSH, web application, database and any other service accounts.
  3. Check how the attacker got in. Application logs and system logs may help here. Close the open door.
  4. Remove the defacement. If that is not possible, recover the site from backup.
  5. Depending on the severity of the attack, communicate it to the users. Report it to the agencies if needed.
  6. Change your security practices to prevent such attacks in the future.

This post is written as part of #WriteAPageADay campaign of BlogChatter