Web Hosting Security

Posted by Matt Buck on April 21st, 2008

I’m writing this post because in the last month two security issues on our customers’ websites have come to light. Before I continue, it’s worth mentioning that neither of these issues relates to customers on RatwareUKHosting. Both customers were using different third-party web hosts. For obvious reasons I’m not going to name any of the companies involved.

Security Issue 1:

RatwareUK were asked to do some general housekeeping on a client’s web space. Upon logging in we noticed an odd-looking file called phishing.tar. On investigation, somebody or something had uploaded a zip file to the root of the hosting package, unzipped it and installed a mini Bank of Scotland login page! It became instantly apparent that a little corner of this customer’s web space was being used to collect valuable bank login details from those people foolish enough to click through from spam emails! How did it get there? We have no idea, and as we didn’t have control over the server, we passed it up to the third-party web hosts. Eventually they returned our call saying it was nothing to do with them and we should just deal with it. Nothing in the logs or in the permissions to be worried about then?

We removed the zip file, changed the root passwords and also made sure the file permissions were locked down. However, this is pretty basic stuff and we felt quite helpless. We are now monitoring the site for the customer and if this happens again we’ll recommend they move web hosts. Nasty files like these must get uploaded due to a generic security weakness on the web server. Totally unacceptable and I can’t believe the web hosts weren’t concerned.

Security Issue 2:

Recently a client made us aware of a strange occurrence when they accessed their corporate homepage; when they loaded the page in their browser, a small command prompt window opened and closed quickly and their Sophos AV system sent out alerts. On inspection, RatwareUK discovered that a script had been injected into their index.html which executed a download and install! Upon further inspection, the new files were running processes and attempting to open ports - typical trojan behaviour. I hadn’t seen anything like this in action before and it was particularly concerning how smooth the infection was.

For a script to be injected into an HTML file, there must be vulnerabilities in the web server’s software, enabling the remote administrator to change the permissions and upload the “cuckoo’s egg”. RatwareUK changed all the passwords, permissions and removed the script. Since then there hasn’t been a problem, but without knowing your vulnerabilities, how do you plan your security?
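Both incidents above (a dropped phishing.tar and a modified index.html) are the kind of change a baseline comparison of the web root will surface. The following is an added example, not code from the original post: the function names, the archive extension list and the temporary web root are all constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

ARCHIVE_EXT = (".tar", ".zip", ".gz", ".tgz")  # assumption: no archives belong in the web root

def snapshot(root):
    """Map each relative path under root to (sha256 hex, permission bits)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            state[os.path.relpath(full, root)] = (digest, mode)
    return state

def compare(baseline, current):
    """Return sorted (finding, path) tuples for anything that differs from baseline."""
    findings = []
    for path, (digest, mode) in current.items():
        if path not in baseline:
            findings.append(("NEW", path))
            if path.lower().endswith(ARCHIVE_EXT):
                findings.append(("ARCHIVE", path))
        elif baseline[path][0] != digest:
            findings.append(("MODIFIED", path))
        if mode & stat.S_IWOTH:  # anyone on a shared host could rewrite this file
            findings.append(("WORLD_WRITABLE", path))
    findings += [("REMOVED", p) for p in baseline if p not in current]
    return sorted(findings)

def demo():
    """Constructed web root: take a baseline, then recreate both kinds of change."""
    with tempfile.TemporaryDirectory() as root:
        index = Path(root, "index.html")
        index.write_text("<html><body>Home</body></html>")
        index.chmod(0o644)
        baseline = snapshot(root)
        dropped = Path(root, "phishing.tar")  # issue 1: unexpected archive appears
        dropped.write_bytes(b"constructed placeholder bytes")
        dropped.chmod(0o644)
        index.write_text(index.read_text() + "<!-- constructed change -->")  # issue 2
        index.chmod(0o666)
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for finding, path in demo():
        print(finding, path)
```

In practice the baseline would be stored somewhere the web server account cannot write to, and the comparison run on a schedule.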

Similar to the issue above, we contacted the web hosts and they didn’t want anything to do with it. They wouldn’t alter the file or shed any light on the incident. Almost as if they didn’t want to admit liability or in fact confirm the issue. There certainly was an incident though and these recent events would only lead you to believe cybercrime is on the increase. Especially with web hosts not prepared to look into them.

With the new release of Back Track 3 BETA, RatwareUK now have a vast range of security auditing tools. If you are concerned about your company’s firewall, VPN, wireless or network security, please get in touch and we’d be only too happy to advise.

Linux Back Track 3 and Online Marketing

Posted by Matt Buck on April 13th, 2008

I’ve spent most of the weekend testing out a distribution of Linux called Back Track. The latest version is a BETA release and from what I’ve seen so far, it is the most convenient and comprehensive set of security and vulnerability tools I’ve seen. Expect a full review of this distro on my blog at some point in the future.

The rest of the weekend has been dedicated to meeting an old business partner and long-time friend of mine, Chris Bishop. Chris is Hotel Chocolat’s Online Marketing Manager turned e-business guru. He’s now moving on to House of Fraser, leaving behind a 200% increase in online sales at Hotel Chocolat through his affiliate marketing schemes and Google traffic engineering. Truly inspiring. Chris now undertakes Online Marketing Advice and Consultancy for various clients and will be assisting with the online marketing of RatwareUK.

We spoke for a while about life-cycles and eventually touched on Microsoft’s aspirations to go virtual within the next decade, but the most surprising topic, which I knew nothing about, was the use of technology and the Internet by large corporations to categorise individuals and market their products dynamically. Chris tells me that Tesco are developing their clubcard so that their computer systems know when you are in the stores, know when you are passing the small aisle displays and know what your product choices and moods may be. Through the displays they can visually alert you to a product you were probably 50/50 on the way to buying and help you make up your mind. I guess it’s easy when you know a person’s sex, age, address and weekly buying habits. There is a lot of information an artificial intelligence system can derive. Our conversation was a timely reminder of how the Internet and technology have only just been born and we have not yet even begun to understand their potential.

Hello world!

Posted by Matt Buck on March 13th, 2008

Welcome to the new RatwareUK Website and also to my blog. I hope to make my first entry soon; in the meantime, please continue browsing our new website.