From: Al on


On 4/29/2010 1:35 PM, Gary . wrote:
> On 4/29/10, Al wrote:
>> Ross had a good suggestion about planted links to external malicious sites.
>> One of the sites I worked on a couple of years ago had this happen. They
>> asked me to look into it.
>>
>> There were about 90 htaccess files that redirected the user to a malicious
>> site whenever there was an error, 404 etc.
>>
>> About 400 html files had a javascript appended on the end that sent the
>> visitor's IP and the file's complete URL to a website in Russia.
>>
>> About 300 php files had some php code that generated html code that likewise
>> sent the visitor's IP and the file's complete URL to a website in Russia.
> [snip remainder of horror story]
>
> How do people get their sites into this state? Is it just me, or
> wouldn't a regular comparison of MD5s of the site contents with SCM
> contents stop most of that kind of thing (after the event, but still,
> better that than continue in that state).


You are correct in theory; but in practice it may be somewhat limited for a CMS
whose DB contents and raw text files change almost hourly.

When I departed the site I was working on a couple of years ago, I left a strong
recommendation that someone run my FileSniffer program weekly and check out any
suspect changes. They didn't, and now they have the above situation.
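The hash-against-baseline check Gary asks about, as an added example written for this thread (it is not FileSniffer or any code posted on the list). It walks a web root, records a SHA-256 per file, diffs a later walk against that baseline, and then scans only the added or changed files for the three kinds of planting Al describes: an ErrorDocument redirect to an external URL in .htaccess, a script appended after </html>, and eval(base64_decode(...)) in PHP. The ignore list (uploads/, cache/), the indicator patterns and the sample site in demo() are constructed assumptions for illustration, not a complete ruleset.

```python
"""Baseline-and-diff integrity check for a web root, with a scan of changed
files for the kind of planted code the thread describes.  Example written
for this thread; it is not FileSniffer.  Indicator patterns, ignore list
and the sample site are constructed assumptions."""
import hashlib
import os
import re
import shutil
import tempfile

# Volatile paths a CMS rewrites constantly; skipped so the diff stays readable.
# Assumed names: adjust to the site's real upload/cache directories.
IGNORE_PREFIXES = ("uploads/", "cache/")

# Illustrative rules, keyed by file extension (".htaccess" is keyed by name).
INDICATORS = {
    ".htaccess": [re.compile(r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.M | re.I)],
    ".html": [re.compile(r"</html>\s*<script\b", re.I)],
    ".php": [re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)],
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, ignore=IGNORE_PREFIXES):
    """Map each file under root (path relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if not rel.startswith(ignore):
                manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files added, removed, or whose hash changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def find_indicators(relpath, text):
    """Return the indicator patterns (as strings) that match a file's text."""
    name = os.path.basename(relpath)
    key = name if name == ".htaccess" else os.path.splitext(name)[1].lower()
    return [p.pattern for p in INDICATORS.get(key, []) if p.search(text)]


def check_site(root, baseline):
    """Diff the live tree against a stored baseline and scan every new or changed file."""
    delta = diff_manifest(baseline, build_manifest(root))
    suspects = {}
    for rel in delta["added"] + delta["modified"]:
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            hits = find_indicators(rel, f.read())
        if hits:
            suspects[rel] = hits
    return delta, suspects


def demo():
    """Constructed site: take a baseline, plant the three kinds of change, re-check."""
    root = tempfile.mkdtemp()

    def write(rel, text):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as f:
            f.write(text)

    try:
        write("index.html", "<html><body>Welcome</body></html>\n")
        write("lib/db.php", "<?php function connect() { return 1; }\n")
        baseline = build_manifest(root)  # in real use, store this off the web host
        # Constructed tampering modelled on the thread's description.
        write("index.html", "<html><body>Welcome</body></html>\n"
              "<script src=\"http://example.invalid/t.js\"></script>\n")
        write(".htaccess", "ErrorDocument 404 http://example.invalid/landing\n")
        write("lib/db.php", "<?php function connect() { return 1; }\n"
              "eval(base64_decode('ZWNobyAxOw=='));\n")
        write("uploads/photo.txt", "legitimate editor upload, ignored by the manifest\n")
        return check_site(root, baseline)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    delta, suspects = demo()
    print(delta)
    print(suspects)
```

Two caveats that matter more than the hash algorithm: the baseline has to be stored somewhere the web server's account cannot write, otherwise whoever planted the files can also refresh the manifest; and the volatile directories excluded here still need their own check (for example, refusing server-side executable content under uploads/), since skipping them for readability is exactly the gap Al points at for a busy CMS.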