Real Use Case:
An Apache Web Server was compromised and the following folders were used to store malware code.
/home/XXX/public_html/XXXX/
/home/XXX/public_html/media/XXX/
The primary web page was modified into something resembling a hacktivism defacement ...
But there was something else behind it: the attacker included a VBScript that drops a file and infects the visitor's computer. The script was similar to:
<SCRIPT Language=VBScript><!--
DropFileName = "[Well Known Generic Host Process.exe]"
WriteData = "4D5A9000030000…" and more HEX code and instructions ....
....
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
Every user who visited that URL was therefore potentially infected, a real example of a drive-by exploit.
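The injected block above has a recognisable shape: a VBScript section, a long hex string literal that starts with 4D5A (the "MZ" signature at the beginning of every PE executable) and a CreateObject("WScript.Shell") call to launch the dropped file. The following is an added example, not code from the original post or from Symantec, of a small scanner a server administrator could run over served HTML to flag pages carrying that pattern. The two sample pages, the indicator names and the hex literal (truncated) are constructed for the example.

```python
import re
from typing import List

# Constructed sample page shaped like the injected block described in the post:
# a VBScript section with a hex-encoded executable (4D5A = "MZ", the PE header)
# and a WScript.Shell call. The hex literal is deliberately truncated.
INJECTED_PAGE = """<html><body><h1>Owned</h1>
<SCRIPT Language=VBScript><!--
DropFileName = "svchost.exe"
WriteData = "4D5A90000300000004000000FFFF0000B8000000000000004000000000000000"
Set WSHshell = CreateObject("WScript.Shell")
WSHshell.Run DropPath, 0
//--></SCRIPT>
</body></html>"""

# Constructed clean page for comparison: ordinary JavaScript, no VBScript.
CLEAN_PAGE = """<html><body><h1>Welcome</h1>
<script type="text/javascript">document.title = "hello";</script>
</body></html>"""

# One match per <script ...>...</script> block: group 1 = tag attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
# language=VBScript attribute (quotes optional, case-insensitive).
VBSCRIPT_ATTR = re.compile(r"language\s*=\s*[\"']?vbscript", re.I)
# A quoted run of 32 or more hex digits: far longer than any legitimate literal.
HEX_LITERAL = re.compile(r'"([0-9A-Fa-f]{32,})"')
# The WSH launch primitive used by the dropper.
WSH_SHELL = re.compile(r"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']\s*\)", re.I)


def scan_html(html: str) -> List[str]:
    """Return indicator names for every VBScript block that looks like a dropper.

    Indicators (hypothetical names chosen for this example):
      vbscript_embedded_pe_image  - hex literal beginning with the MZ signature
      vbscript_long_hex_literal   - long hex literal without an MZ prefix
      vbscript_wscript_shell      - CreateObject("WScript.Shell") present
    """
    findings: List[str] = []
    for attrs, body in SCRIPT_RE.findall(html):
        if not VBSCRIPT_ATTR.search(attrs):
            continue  # only VBScript blocks are of interest here
        hex_literals = HEX_LITERAL.findall(body)
        if any(h.upper().startswith("4D5A") for h in hex_literals):
            findings.append("vbscript_embedded_pe_image")
        elif hex_literals:
            findings.append("vbscript_long_hex_literal")
        if WSH_SHELL.search(body):
            findings.append("vbscript_wscript_shell")
    return findings


def is_suspect(html: str) -> bool:
    """True when at least one dropper indicator was found in the page."""
    return bool(scan_html(html))


if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

This is deliberately a pattern check, not a parser: a payload split across several string literals or built at run time would not match, so it belongs beside, not instead of, the file-integrity and IPS controls the post goes on to recommend.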
Protection for your Endpoint
With Symantec Endpoint Protection 12.1.6, client computers that tried to visit that infected web server received a warning about an ongoing block; the source was SEP Network Threat Protection (specifically the IPS feature).
The signature was Web Attack: W32.Ramnit Attack 4, and that was with only the default values and an updated SEP platform: the malware was not downloaded to the system, and SEP identified the threat as w32.Ramnit!.html
Lesson learned: do not install just an antivirus on your computers! You need proactive protection, and Symantec Endpoint Protection 12.1.6 will do the job for you.
Protection for your Unix/Apache Server
Don't forget your Apache server!
Think about hardening with Symantec Data Center Security: Server Advanced (SDCS:SA)!
If you already have SDCS:SA 6.5.x or Symantec Critical System Protection 5.2.9, apply and customize the UNIX Protection Prevention Policy in order to minimize risk.
Avoid Shellshock; you will find useful information in the following article: Protect Your Servers from the Shellshock Vulnerability with Data Center Security: Server Advanced
You can also use a Detection policy to monitor changes to the default index page and receive an email notification when someone modifies the content.
If you are thinking about buying the solution, then DCS:SA v6.6 is the right option for you; check the SDCS:Server Advanced Apache PHP Prevention Policy Quick Start Guide, where you will find Apache protection policy details such as:
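What such a detection policy does underneath is file-integrity monitoring: record a known-good hash of each file under the web root, re-hash on a schedule and alert on any difference. The following is an added example of that logic in plain Python; it is not SDCS:SA's policy engine or any Symantec code, and the web-root layout, the baseline file name and the notification text are assumptions made for the example. In the constructed scenario the index page is defaced and a new folder appears under media/, mirroring the two kinds of change described in the incident.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (POSIX-style relative path) to its hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify differences between the recorded baseline and the current snapshot."""
    return {
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def alert_text(root: str, diff: Dict[str, List[str]]) -> Optional[str]:
    """Body of the notification e-mail; None when nothing changed.

    A real deployment would hand this string to sendmail or smtplib; the example
    stops at composing it so that it runs offline.
    """
    if not any(diff.values()):
        return None
    lines = [f"Web root {root} changed:"]
    for kind, files in diff.items():
        lines.extend(f"  {kind:9s} {f}" for f in files)
    return "\n".join(lines)


def check(root: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """One monitoring pass: first run records the baseline, later runs diff against it.

    The baseline file must live outside the web root, on a path the Apache user
    cannot write to; otherwise an intruder could simply re-baseline after defacing.
    """
    current = build_snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=1))
        return {"modified": [], "added": [], "removed": []}
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, current)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: index page defaced and a new folder dropped under media/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"            # hypothetical web root
        (root / "media").mkdir(parents=True)
        (root / "index.html").write_text("<html>Welcome</html>")
        (root / "media" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside public_html
        check(root, baseline_file)                   # first pass: record baseline
        (root / "index.html").write_text("<html>Site defaced</html>")
        (root / "media" / "x").mkdir()
        (root / "media" / "x" / "drop.html").write_text("<!-- injected content -->")
        diff = check(root, baseline_file)
        print(alert_text(str(root), diff))
        return diff


if __name__ == "__main__":
    demo()
```

Run check() from cron or a systemd timer; the "added" list is what would have surfaced the two malware folders from the incident, which a monitor watching only the index page would miss.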
- Configuring the policy
- Securing files and folders
- Securing system processes
- Securing the network
- Additional hardening steps
Rodrigo Calvo
Sr. Security Engineer
infoLock Technologies