Detecting Web Servers with Malicious Javascript
Recently, Tenable Network Security introduced Nessus plugin #29871 which looks at the content of a web site to see if it is hosting potential hostile javascript code. There have been several recent mass defacements and infections of 1000s of web sites through SQL injection attacks. Plugin #29871, named "Web Site contains links to malicious javascript files", specifically checks web sites for links to the "uc8010.com" addresses used in this recent wave of infections.
When performing CGI scans, Tenable recommends several strategies:
- By default, Nessus will only mirror 200 pages for a scanned site. If your site has more pages than this, you should increase this value to a relative amount.
- Plugin #29871 is dependent on the webmirror.nasl script so this plugin (#10662) should either be enabled, or the test should be performed with dependencies enabled at runtime.
- If you are scanning web servers that run on ports other than 80 or 443, be sure to include these in your scan policy.
Tenable also introduced a plugin for the Passive Vulnerability Scanner (#4334), which also detects web sites that are hosting this type of content based purely on traffic analysis.
Plugin #29871 is currently available to Nessus Direct Feed and Security Center users.
Related Articles
Want to Learn More about Exposure Management? Check Out This Gartner® Report
June 6, 2023At Tenable, we believe that you need exposure management to protect your modern attack surface. But it’s not just us. We feel the Gartner “Predicts 2023: Enterprises Must Expand from Threat to Exposure Management” report is required reading for cybersecurity teams adopting an exposure management program and platform.
Tenable Cyber Watch: China’s ‘Volt Typhoon’ Targets U.S. Critical Infrastructure, BEC Attacks Skyrocket, and more
June 5, 2023This week’s edition of the Tenable Cyber Watch unpacks the White House’s updates to its National AI R&D Strategic Plan and addresses the recent surge in business email compromise scams. Also covered: CISA’s warning about Volt Typhoon, the hackers backed by the Chinese government that have been targeting U.S. critical infrastructure.
CVE-2023-34362: MOVEIt Transfer Critical Zero-Day Vulnerability Exploited in the Wild
June 2, 2023Discovery of a new zero-day vulnerability in MOVEit Transfer becomes the second zero-day disclosed in a managed file transfer solution in 2023, with reports suggesting that threat actors have stolen data from a number of organizations.
