Website Compromise - Vectors and Mitigations

Date: 18 April 2011


Greetings All,

Over the last few weeks AusCERT has seen numerous reports of compromised and defaced websites in Australia belonging to organisations of all sizes. While the entry point for the attacks is not always known, we have found three main methods used to compromise or deface the websites. These three methods are:

  • Leaked or stolen credentials (e.g. stolen FTP or SSH passwords)
  • Unpatched and vulnerable software (e.g. content management systems, Apache/IIS, PHP/ASP.NET)
  • Incorrect or missing vetting/sanitisation of external data (this can lead to Cross Site Scripting (XSS) or SQL injection attacks)

Mitigating these three entry points will greatly increase the security of your website and data. Methods to help mitigate these are:

  1. Leaked or stolen credentials
    • Limit the locations (IP addresses) that are able to log in to the systems (e.g. using a firewall)
    • Consider using keys or certificates to authenticate, rather than just passwords (e.g. SSH keys or X.509 certificates)
    • Keep the workstations that can access these systems up to date, and free from malware (to avoid key logging and remote access)
  2. Unpatched and vulnerable software
    • Have a regular patching cycle (e.g. the second Wednesday of every month)
    • Keep an eye on security bulletins, and patch critical vulnerabilities immediately!
    • Run only required software, and remove software no longer required
  3. Incorrect or missing vetting of external data
    • Use whitelisting for user input, rather than blacklisting
    • Use a good encoding library to avoid "unsafe" characters (e.g. Reform)
    • Consider using "Stored Procedures" for database access to help with data validation and SQL injection
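
The third group of mitigations, shown together in one added example (not code from the original post): a whitelist check that rejects anything that does not look like a username, a string-built query placed beside its parameterised equivalent (parameter binding is used here as the sqlite stand-in for the stored-procedure advice), and output encoding before user data is placed in HTML. The users table and its two rows are constructed for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example; not from the original post.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.org"),
                    ("bob", "bob@example.org")])
    return db

# Whitelist: describe what valid input looks like and reject everything
# else, instead of trying to enumerate "bad" characters (a blacklist).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def validate_username(value):
    """Return the username if it matches the whitelist, otherwise None."""
    return value if USERNAME_RE.fullmatch(value) else None

def lookup_email_unsafe(db, name):
    """String-built query: the caller's data becomes part of the SQL text,
    so a quote in the input changes the query's meaning."""
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in db.execute(query)]

def lookup_email_safe(db, name):
    """Parameterised query: the data is bound separately from the SQL text
    and is only ever compared as a value, never parsed as SQL."""
    rows = db.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def render_greeting(name):
    """Encode on output so user-supplied text cannot become markup/script."""
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)
```

Run the safe lookup behind the whitelist check: hostile input is rejected before it reaches the database, and even if it did reach it, the bound parameter is compared literally rather than executed.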

The "AusCERT UNIX and Linux Security Checklist" has a lot of other good tips for securing a Linux or UNIX server.

Regards,
Richard