I know: "Brian sounds like a broken record here, doesn't he? Blah blah security blah blah updates. Either he's paranoid, or he's vigilant."
OK, I'm not going to say I overly vigilant. But I am cautious when it comes to web server security. And even with my monitoring of installed scripts on the servers (automated and manual), some slip past.
And, when I don't find the exploit, the hackers/spammers will. Like last week.
A website is not just 'build' and go, as many designers do. Newer websites use scripts, and basically any active program on a web server has potential to 'go bad'. But too many designers quickly build with tools 'that work' for them, and move on.
Then the headlines read:
Zero-day Vulnerability Threatens Many WordPress Sites
Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.
The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.
One of the best reasons to have a website for your business (or even yourself) is to ensure any info out there is accurate. Whether you like it or not, your name/business is out there in multiple directories on the web. And you have no control over that.
Occasionally we Google/Bing our names to see if we have popped up anywhere, and try to keep a list of the sites with profiles for Seven Sages Website Management. And sometimes we find one that is incredibly inaccurate...
This morning, while double-checking online profiles for a client (Divorce Attorney Profiles) I decided to do a quick search for SevenSages.com to see if I had most of the links posted. And I found one that was way way out of touch.
As being reported more today, there is a large virus attack spreading across the internet. Unfortunately, the reporting appears to be on April Fool's Day, however it is not a joke. The reports actually started earlier in the week.
Websense Security Labs has updated its Tuesday alert concerning a malicious mass-injection scareware campaign it has dubbed LizaMoon -- an SQL injection attack that adds a line of JavaScript code to web pages that redirects users to a bogus web page that rotates on a periodic basis. Based on Google search results Thursday, more than 500,000 URLs had a script link to lizamoon.com, which has since been changed, Websense said.
"We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought," Websense security analysts wrote in a blog Thursday. "All in all, a Google search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack." --- reported on newsfactor.com -LizaMoon Pay-Up Scareware Spreads To 500,000 Sites - By Mark Long
The important thing to learn from this is that it is vital to update and patch your systems.
Read more: Large attack may be related to out-dated scripts.
I know, you bore of all this spam news. I do too. But, volume has increased yet again and I'm not just seeing it on my own servers, but also with Google App's and Postini.
Following the wave last month using the familiar looking 'Delivery Status Notification' (DSN) faking a bounced message, the spammers new technique appears to be using more familiar messages like Amazon order confirmations that look a lot like real Amazon orders. But it's getting a little scarier...
These spammers are good, really. Not wholesome good, but good at what they do which is bad. They are using simple mind games to infect your computer. Like their recent vector of attack using DSN (Delivery Status Notification), they are preying on your fear of trouble. The lastest is "Email Policy Violation" coming from your host's mailer-daemon.
subject Email Policy Violation
The attached message contains content which violates our email policy. The message was not delivered.
Who wouldn't open it to see if it was an important message you sent?
The newest wave of spam is quite clever. They are abusing the geek-sacred protocol of the DSN (Delivery Status Notification), adding an attached html file that is a script set to redirect to a distant website, maybe selling Viagra.
Delivery Status Notification (Failure)
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
Look familiar? The standard, important notice that your email has bounced for some reason. Now it could be spam.
I received this email the other day:
"Brian, Have you heard about this? Have you scanned your server for this issue?"
Thanks. Yes, this is an old type of attack, at least for responsible server admins. (old being anything more than 6 months old) The problem comes from older scripts on the server.
Nothing is more expensive than trying to save a buck.