I’m writing this post because in the last month two security issues on our customers’ websites have come to light. Before I continue, it’s worth mentioning that neither of these issues relates to customers on RatwareUKHosting. Both customers were using different third party web hosts. For obvious reasons I’m not going to name any of the companies involved.

Security Issue 1:

RatwareUK were asked to do some general housekeeping on a client’s web space. Upon logging in, we noticed an odd looking file called phishing.tar. On investigation, somebody or something had uploaded a zip file to the root of the hosting package, unzipped it and installed a mini Bank of Scotland login page! It became instantly apparent that a little corner of this customer’s web space was being used to collect valuable bank login details from those people foolish enough to click through from spam emails! How did it get there? We have no idea and, as we didn’t have control over the server, we passed it up to the third party web hosts. Eventually they returned our call saying it was nothing to do with them and we should just deal with it. Nothing in the logs or in the permissions to be worried about then?

We removed the zip file, changed the root passwords and also made sure the file permissions were locked down. However, this is pretty basic stuff and we felt quite helpless. We are now monitoring the site for the customer and if this happens again we’ll recommend they move web hosts. Nasty files like these must get uploaded due to a generic security weakness on the web server. Totally unacceptable and I can’t believe the web hosts weren’t concerned.

Security Issue 2:

Recently a client made us aware of a strange occurrence when they accessed their corporate homepage; when they loaded the page in their browser, a small command prompt window opened and closed quickly and their Sophos AV system sent out alerts. On inspection, RatwareUK discovered that a script had been injected into their index.html which executed a download and install! Upon further inspection, the new files were running processes and attempting to open ports - typical trojan behaviour. I hadn’t seen anything like this in action before and it was particularly concerning how smooth the infection was.

For a script to be injected into an HTML file, there must be vulnerabilities in the web server’s software, enabling the remote administrator to change the permissions and upload the “cuckoo’s egg”. RatwareUK changed all the passwords, permissions and removed the script. Since then there hasn’t been a problem, but without knowing your vulnerabilities, how do you plan your security?
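Both incidents were discovered by eye: an unexpected archive in the document root, and a changed index.html. The monitoring mentioned above can be automated with a file-integrity baseline. The script below is an added example for this post; it is not RatwareUK’s tooling and it assumes a local copy of the hosting package (for example one pulled down by FTP or rsync), a baseline hash list captured straight after a clean-up, and a small set of heuristic patterns for the kind of markup that was injected (remote script includes, hidden iframes). The fixture it builds in a temporary directory is constructed for the demonstration and is not taken from either customer’s site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics for markup that should not normally appear in a static corporate
# homepage. Each hit is a prompt for a human to look, not proof of compromise.
SUSPICIOUS_PATTERNS = [
    # <script src="http://..."> or protocol-relative "//..." pointing off-site
    re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//", re.I),
    # iframes sized to zero are a common way to hide a drive-by download frame
    re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I),
    # obfuscation helpers frequently used by injected loaders
    re.compile(r"\b(?:eval|unescape|document\.write)\s*\(", re.I),
]


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = str(path.relative_to(root))
            baseline[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report files added, removed or modified since the baseline was taken."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in current.keys() & baseline.keys()
            if current[name] != baseline[name]
        ),
    }


def find_injected_markup(html: str) -> list:
    """Return (line number, pattern, line text) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, pattern.pattern, line.strip()))
    return hits


def run_demo() -> dict:
    """Build a constructed site, take a baseline, then reproduce both findings."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        site.mkdir()
        (site / "index.html").write_text(
            "<html><body><h1>Welcome</h1></body></html>\n"
        )
        (site / "about.html").write_text("<html><body>About us</body></html>\n")

        # Baseline taken after clean-up; in practice store it off the web host.
        baseline = build_baseline(site)

        # Constructed changes mirroring the two incidents: an unexpected archive
        # in the document root and a remote script dropped into index.html.
        (site / "phishing.tar").write_bytes(b"constructed placeholder content")
        (site / "index.html").write_text(
            "<html><body><h1>Welcome</h1>\n"
            '<script src="http://example.invalid/loader.js"></script>\n'
            "</body></html>\n"
        )

        report = compare_to_baseline(site, baseline)
        report["index_hits"] = find_injected_markup(
            (site / "index.html").read_text()
        )
        return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run the baseline step once after the site has been cleaned and the passwords changed, keep the hash list somewhere the web host cannot reach, and run the comparison on a schedule; any entry under added or modified is worth a look before the next spam run points at it.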

Similar to the issue above, we contacted the web hosts and they didn’t want anything to do with it. They wouldn’t alter the file or shed any light on the incident, almost as if they didn’t want to admit liability or, in fact, confirm the issue. There certainly was an incident though, and these recent events would only lead you to believe cybercrime is on the increase, especially with web hosts not prepared to look into them.

With the new release of Back Track 3 BETA, RatwareUK now have a vast range of security auditing tools. If you are concerned about your company’s firewall, VPN, wireless or network security, please get in touch and we’d be only too happy to advise.