RE: Part of the web page being MODIFIED !
From: Chris Santerre <csanterre(at)MerchantsOverseas.com>
Date: Wed Nov 27 2002 - 14:52:27 EST
-----Original Message-----
Quoting Frank Cheong <chocobofrank@hotmail.com>:

> I received complaints regarding one of the images on my web site has been

You say you have had complaints, but don't state if you have seen it or not. Can YOU repeat the problem?

> Therefore, the image hasn't been modified. So I do want to know what is

There are many ways of that sort of thing happening, but you need to do more research to find it. If this is something you can verify and repeat, I would first check your local machine. Has the machine been compromised? If no, are you sure? If using unmodified versions of the http server, do the checksums match those of the source? (assuming you are using Apache or some other Free/Open server) When posting back to the group, please include the versions of the software you are using. Does the problem appear on another similarly configured machine?

> As these activities mostly happens outside my server boundary, I assume I

You say 'mostly happens outside my server boundary'. Please be more specific. Do those outside your network ALWAYS see the corrupted pages then the proper image? Does everyone inside your network see the corrupted pages? If only some machines inside your 'server boundary' see the corrupted pages, are those machines within a NAT device? For example, are machines within a 192.168.1.* seeing the corrupted pages while 192.168.0.* are seeing the original?

> As I know going for SSL may be one of the alternative to stop this but

You need to know where the problem is before you can fix it. Right now I would say you have some script kiddie playing with the site, but I wouldn't remove other possibilities without more research. If you have a corrupted web server, moving to SSL would not solve the problem, it would actually make it appear that you are intentionally sending the images.

For the man-in-the-middle attack, you could test that out by changes to your network or Internet connections. If you are a small business, your ISP would probably help. If someone were performing a targeted man-in-the-middle attack, you need to have a trusted root CA give you a cert. (If you have a self-signed or unsigned cert, then they could easily forge one.) If you don't already have one, those can take a little work and money to get.

Best of luck!

bryanw@xmission.com

Received on Thu Nov 28 16:07:12 2002
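
The checks suggested in the reply above can be turned into a repeatable comparison. The following is an added example, not part of the original message: it hashes the image as stored on the server's disk and compares it with the bytes received at several vantage points. The vantage labels (`localhost`, `inside`, `outside`), the verdict names and the function names are assumptions of this example.

```python
import hashlib
import urllib.request

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def fetch(url: str, timeout: float = 10.0) -> bytes:
    """Download the image as a client would; run this from each vantage point."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def localize(on_disk: bytes, seen: dict) -> tuple:
    """Compare what each vantage point received with the file on the server's disk.

    `seen` maps a vantage label to the bytes received there. The labels are
    assumptions of this example: 'localhost' (fetched on the server itself),
    'inside' (another machine on the same network), 'outside' (across the Internet).
    Returns (verdict, sorted list of vantage points that got different bytes).
    """
    ref = sha256(on_disk)
    bad = sorted(v for v, body in seen.items() if sha256(body) != ref)
    if not bad:
        # Nobody received altered bytes: the complaint has not been reproduced.
        return ("not-reproduced", bad)
    if "localhost" in bad:
        # The server hands out different bytes even with no network in between:
        # inspect the host and the web server binaries and configuration.
        return ("server", bad)
    if "inside" in bad:
        # Server is clean locally; something on the local network alters the response.
        return ("local-network", bad)
    # Only remote clients differ: look at the upstream path (ISP, proxies, caches).
    return ("upstream-path", bad)

if __name__ == "__main__":
    # Constructed sample bytes standing in for the real image and an altered copy.
    original = b"\x89PNG constructed original image"
    altered = b"\x89PNG constructed altered image"
    seen = {"localhost": original, "inside": original, "outside": altered}
    print(localize(original, seen))
```

In real use, `on_disk` is read from the file in the document root and each entry of `seen` is the result of `fetch()` run on that machine.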