Friday, June 11, 2010

FortiGate signature for Robint.us Mass Website Hack

This is more technical than the "tech tips for everyday users" I originally intended Rod'sTech to be about, but it is important and I want to share it with the InfoSec community.

If you haven't heard of this recent mass SQL injection attack against IIS/ASP sites, read about it on one or more of these sites:

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
http://www.net-security.org/secworld.php?id=9395&utm_source=feedburner&utm_medium=email&utm_campaign=Feed%3A+HelpNetSecurity+%28Help+Net+Security%29

For goodness' sake, do not go looking for the URL mentioned here with a JavaScript-enabled browser!

For users of FortiGate UTM firewalls, I've put together a FortiGate IPS custom signature that should help by blocking, or at least reporting on, infected sites as they are served through the firewall.

It is:

F-SBID( --name "robint-us-web-ad-hack"; --protocol tcp; --flow bi_direction; --pattern "ww.robint.us/u.js}{/script}"; --service HTTP; --context body; )

Note: you will have to replace } with > and { with < in the pattern section to make the signature work. I cannot publish it in full here, because a browser rendering this page might parse the tag as a real script element and trigger the attack.
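To see concretely what the pattern above matches, and just as importantly what it misses, here is an added Python check that is not part of the original post or of any Fortinet tooling. It assumes that a FortiGate --pattern given without --no_case is a literal, case-sensitive byte match within the selected --context (here the HTTP body); the sample response bodies are constructed for illustration, not captured traffic.

```python
"""Offline check of what the robint-us-web-ad-hack pattern does and does not match.

Added example, not from the original post or from Fortinet. Assumption: a
FortiGate --pattern without --no_case is a literal, case-sensitive byte match
against the selected --context (the HTTP body here). Sample bodies below are
constructed, not real captures.
"""

# Pattern exactly as published in the post, with } and { standing in for > and <.
PUBLISHED_PATTERN = "ww.robint.us/u.js}{/script}"


def decode_pattern(published: str) -> bytes:
    """Undo the post's } -> > and { -> < substitution to get the real byte pattern."""
    return published.replace("}", ">").replace("{", "<").encode("ascii")


REAL_PATTERN = decode_pattern(PUBLISHED_PATTERN)


def body_matches(body: bytes, pattern: bytes = REAL_PATTERN) -> bool:
    """Mimic the signature: literal, case-sensitive substring search in the body."""
    return pattern in body


# Constructed HTTP response bodies (not real captures) covering the cases that matter.
SAMPLE_BODIES = {
    # Unquoted src, which is what the pattern expects: the tag ends in u.js></script>
    "infected_unquoted": b'<html><body>Hi<script src=http://ww.robint.us/u.js></script></body></html>',
    # Same payload with a quoted src attribute: the literal pattern does NOT match,
    # because u.js is followed by a double quote rather than directly by >
    "infected_quoted": b'<html><body>Hi<script src="http://ww.robint.us/u.js"></script></body></html>',
    # Upper-cased variant: a case-sensitive pattern misses it
    "infected_uppercase": b'<html><body>Hi<SCRIPT SRC=http://WW.ROBINT.US/U.JS></SCRIPT></body></html>',
    # Clean page that merely mentions the domain in text (no trailing ></script>)
    "clean_mention": b'<html><body>Do not visit ww.robint.us/u.js with JS enabled</body></html>',
    "clean": b'<html><body>Nothing to see here</body></html>',
}


def scan(bodies: dict) -> list:
    """Return the names of the bodies the signature would flag, in input order."""
    return [name for name, body in bodies.items() if body_matches(body)]


if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:20s} {'FLAGGED' if body_matches(body) else 'pass'}")
```

Only the unquoted-src variant is flagged. If you are worried about a quoted src or a re-cased payload getting through, consider a second custom signature with a shorter pattern such as the bare host and path, or the same pattern with --no_case, and weigh that against the extra false positives on pages that merely mention the domain.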

On your FortiGate, go to Intrusion Protection | Signature and click the Custom tab at the top. Click the "Create New" button.

Paste in the signature (remember to make the } and { substitutions mentioned above), name it robint-us-web-ad-hack and click OK.

Now click IPS Sensor in the left-hand menu and choose your sensor. (If you are not using IPS, refer to the FortiGate manuals; setting that up is beyond the scope of this post.) Click the edit button in the right-most column next to the sensor you want the signature in.

Click the "Add Custom Override" button. Fill in the signature name, check Enable, select the action you want to take, and enable logging so that you get alerts.
