Collected using mod_security across out entire network Let's jump right in!
Nice average Trending down?
Broken down between SQLI, file upload, File inclusion, and arbitrary code execution attacks
Showing an example of “background noise” These attacks have been aroudn 1+ year
A wild zeroday appears Released beginning of august
Exponential growth until they're caught/cleaned up.
Many just forward the complaint to their customer (whomever owns the server assigned the IP address) An unsettling few are unable to address this and request help with it (to which we oblige the best we can) These responses let us know who the attackers are, and it's no surprise!
It should be no surprise that compromised sites are the leading attack source. Compromised sites are used to attack other sites.
I pretty much exclusively see money as the motivating factor. There are exceptions though, quoting Mikko Hypponen, the top three are money, ideology, and espionage So, how do they get money from compromising sites?
The people taking the first step may not be the same who take the final step.
Two examples how this was done via .htaccess
SiteCheck.com's report on the domain being redirected to.
Breakdown of the TLD used for the domreg.
Domain name registrar breakdown
IP addrss the domains resolved to.
Do not confuse the two, thinking about long term fixes when your site is down is wasting precious time. Thinking that you fixed that “one” hole is good enough is not really a good long term fix.
Example “flow cycle” Presumes you've addressed all other security concerns (backups, updates, policy, etc..)
Never stop improving
Time stamp correlation with file creations, logs, etc... Note the POST request … shady!
This eventually breaks down the the old standard “eval(base64_decode...”