Detecting Web Servers with Malicious Javascript
Recently, Tenable Network Security introduced Nessus plugin #29871 which looks at the content of a web site to see if it is hosting potential hostile javascript code. There have been several recent mass defacements and infections of 1000s of web sites through SQL injection attacks. Plugin #29871, named "Web Site contains links to malicious javascript files", specifically checks web sites for links to the "uc8010.com" addresses used in this recent wave of infections.
When performing CGI scans, Tenable recommends several strategies:
- By default, Nessus will only mirror 200 pages for a scanned site. If your site has more pages than this, you should increase this value to a relative amount.
- Plugin #29871 is dependent on the webmirror.nasl script so this plugin (#10662) should either be enabled, or the test should be performed with dependencies enabled at runtime.
- If you are scanning web servers that run on ports other than 80 or 443, be sure to include these in your scan policy.
Tenable also introduced a plugin for the Passive Vulnerability Scanner (#4334), which also detects web sites that are hosting this type of content based purely on traffic analysis.
Plugin #29871 is currently available to Nessus Direct Feed and Security Center users.