10,000 Apache sites hacked

5 replies to this topic

#1 AplusWebMaster (SWI Friend, 10,563 posts)

Posted 22 January 2008 - 08:03 AM

FYI...

- http://www.theinquir...es-scalped-hack
22 January 2008 - "...more than 10,000 sites running the Linux based Apache software may be hacked and trying to control visitors' computers. Don Jackson, from Secureworks* said that the hackers probably used stolen log-in details to gain access and then infected the Apache servers with a pair of files that generate constantly-changing JavaScript. If a punter visits the hacked site they get walloped with nine exploits including a recent QuickTime vulnerability, the long-running Windows MDAC bug, and a fixed flaw in Yahoo Messenger. Once a hole is opened, the victim receives (a variant of) the Trojan Rbot and is added to a botnet. When the systems administrators, who owned the Apache boxes, were notified and reinstalled the software, the hack came back, apparently. This led Jackson to believe that it was a direct hack to the Linux server and not based on a vulnerability. He thinks that the only way the hacks will stop is when the Administrators change all the passwords and not just the FTP and Cpanel passwords..."
* http://www.securewor...at=linuxservers
"...The compromised websites, in turn, can infect website visitors. If infected, the malicious code can steal bank usernames and passwords, SSNs, credit card numbers, online payment accounts, basically any information a computer user puts into their web browser. The malicious code can also own the victim’s computer...
> Protection for Organization’s Websites: In order for an organization to protect their website from this attack they need to disable dynamic loading in their Apache module configurations.
> Protection for Website visitors: This is designed to attack Windows PCs. Website visitors can avoid infection by the malware this attack distributes by making sure all anti-virus signatures are up to date and that all vulnerable software is patched. No previously unknown or 0-day vulnerabilities are used in this attack..."


.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#2 AplusWebMaster

Posted 23 January 2008 - 07:18 AM

Ongoing...

- http://www.theregist..._botnet_menace/
23 January 2008 - "...Security watchers at Sophos are discovering 6,000 new infected webpages every day, the equivalent of one every 14 seconds. Four in five (83 per cent) of these webpages actually belong to innocent companies and individuals, unaware that their sites have been hacked. Websites of all types, from those of antique dealers to ice cream manufacturers and wedding photographers, have hosted malware on behalf of virus writers, Sophos reports. The study sheds fresh light on the well-understood problem of drive-by-downloads from compromised sites, a tactic that's come to eclipse virus-infected email as a means of spreading malware. Cybercrooks target users by spamvertising emails containing links to poisoned webpages, exposing unsuspecting victims to malware. At least one in ten web pages are booby-trapped with malware, according to a separate study by Google published last May. Often these malware packages are designed to put compromised zombie PCs under the control of hackers. Around half a million computers are infected by bots every day according to data compiled by PandaLabs*, the research arm of anti-virus firm Panda Software. Approximately 11 percent of computers worldwide have become a part of criminal botnets..."

- http://www.sophos.co...08/01/1010.html
22 January 2008

- http://www.cpanel.ne...js_toolkit.html

* http://www.pandasecu...news/new-31.htm
Jan. 18, 2008

- http://www.finjan.co...d...=1819&lan=3

> http://www.shadowser....BotCounts#week


Edited by apluswebmaster, 23 January 2008 - 07:33 AM.



#3 AplusWebMaster

Posted 23 January 2008 - 07:52 AM

Noteworthy:

> http://blog.trendmic...ise-of-the-web/
January 22, 2008 - "...We’ve recently seen literally thousands of compromised Web sites and Web pages that, if an unsuspecting user happens upon the content (and has some arbitrary unpatched vulnerability), they are victimized. I cannot stress how important this issue has become, and how this will fundamentally change the way we use The Internet if we do not take dramatic steps to correct these basic deficiencies. The lifeblood of the Internet depends on it. When Vint Cerf spoke at the World Economic Forum in Davos, Switzerland, last year, he pretty much nailed the issue spot on — 'Criminals may indeed overwhelm the web' as we (collectively) sit idly by..."




#4 AplusWebMaster

Posted 24 January 2008 - 07:34 AM

FYI...

- http://blog.washingt...us_web_sit.html
January 22, 2008 - "...Dan Hubbard, Websense's vice president of security research, said that at any given time there are about two million compromised and malicious sites online, and that slightly more than half of those are hacked sites that range from mom-and-pop type stores to household brand names. The company scans about 600 million sites per week for signs that the sites are trying to foist malicious software on visitors or redirect them to sites that will. The report follows recent discoveries* that almost 100,000 Web sites - including that of security company Computer Associates, the Commonwealth of Virginia, the City of Cleveland - were hacked via Web application vulnerabilities in an apparently coordinated attack. In that attack, the code stitched into hacked sites was designed to perpetrate click fraud and steal online gaming credentials. All Web software applications have flaws, and all need to be updated from time to time to keep the site healthy and to keep opportunistic predators away..."
* http://www.theregist...te_redirectors/




#5 AplusWebMaster

Posted 26 January 2008 - 01:41 PM

FYI... (apologies for the long post; 'had to include details for the admins):

- http://prweb.com/rel...prweb656233.htm
January 26, 2008 - "cPanel announced today that its security team has identified several key components of a hack known as the Random JavaScript Toolkit. The systems affected by this hack appear to be Linux® based and are running a number of different hosting platforms. While this compromise is not believed to be specific to systems running cPanel software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise. The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures. The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers. Once an attacker manually gains access to a system they can then perform various tasks. The hacker can download, compile, and execute a log cleaning script in order to hide their tracks. They also can download a customized root-kit based off of Boxer version 0.99 beta 3. Finally, the attacker searches for files containing credit card related phrases such as cvc, cvv, and authorize. The actual root-kit has been the subject of much speculation. The cPanel security team asserts that the Boxer variant includes a small web-server which is how the Javascript is distributed to unsuspecting users of any website on the server. It is believed that the Javascript include is injected into the HTML code after Apache has served the file but before it has traveled through the TCP transport back to the user of the website.
The web-server is not loaded onto the hard drive directly but loaded directly into memory from the infected Boxer binaries... The JavaScript being loaded by this web-server is directing users to another server that scans the website user for a number of known vulnerabilities. These vulnerabilities are then used to add the website user to a bot net. More information about the JavaScript hacks can be found at: http://www.finjan.com/Pressrelease.a...=1819&lan=3. Cleaning the Random JavaScript Toolkit requires the server to be booted into single user mode and the removal of all infected binaries. More details on how to do this can be found at: http://www.cpanel.ne...js_toolkit.html. The cPanel security team believes that the hacker has access to the database of login credentials; the only way to prevent being hacked again is changing the password and not releasing it to anyone. The preferred method however is to move to SSH Keys and remove password authentication altogether."

> http://blog.cpanel.net/?p=31


Edited by apluswebmaster, 27 January 2008 - 05:24 AM.

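A defender-side check for the two observations in the cPanel write-up above (password logins that succeed with no failed attempts beforehand, and password authentication still enabled in sshd): an added example, not cPanel's or the forum's code. The auth.log lines and config text are constructed; the regex covers only OpenSSH's "Accepted/Failed password|publickey" line shapes.

```python
import re

# OpenSSH auth-log line shapes of interest (the syslog prefix before "sshd[" is ignored).
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample auth.log (not from the page): a guessing run that eventually
# succeeds, a key-based login, and one first-try root password login from a new source.
SAMPLE_AUTH_LOG = """\
Jan 24 03:11:58 web1 sshd[2301]: Failed password for root from 198.51.100.9 port 40122 ssh2
Jan 24 03:12:01 web1 sshd[2301]: Failed password for root from 198.51.100.9 port 40122 ssh2
Jan 24 03:12:04 web1 sshd[2301]: Accepted password for root from 198.51.100.9 port 40122 ssh2
Jan 24 03:13:10 web1 sshd[2350]: Accepted publickey for deploy from 192.0.2.5 port 50211 ssh2
Jan 24 03:14:22 web1 sshd[2377]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Jan 24 03:15:00 web1 sshd[2390]: Failed password for invalid user admin from 203.0.113.44 port 33001 ssh2
""".splitlines()

def quiet_password_logins(lines):
    """(user, src) for every successful password login with no earlier failed
    password attempt from the same source: the 'valid credential, no guessing'
    pattern the advisory describes. Key logins are ignored, and a guessing run
    that eventually succeeds is left to a brute-force rule rather than this one."""
    failures = {}  # src -> failed password attempts seen so far
    hits = []
    for line in lines:
        m = SSH_RE.search(line)
        if not m or m["method"] != "password":
            continue
        if m["result"] == "Failed":
            failures[m["src"]] = failures.get(m["src"], 0) + 1
        elif failures.get(m["src"], 0) == 0:
            hits.append((m["user"], m["src"]))
    return hits

def password_auth_enabled(sshd_config):
    """True unless sshd_config explicitly sets 'PasswordAuthentication no'
    (OpenSSH defaults to yes). Comments are stripped, keywords are
    case-insensitive, the first occurrence wins as in sshd itself, and
    Match blocks are not evaluated."""
    for raw in sshd_config.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0].lower() == "passwordauthentication":
            return parts[1].lower() != "no"
    return True
```

Run quiet_password_logins over your own auth.log and review every hit against change tickets; a host that still reports password_auth_enabled() after the cleanup is one the advisory's last sentence has not yet reached.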


#6 AplusWebMaster

Posted 16 April 2008 - 12:48 PM

- http://isc.sans.org/...ml?storyid=4294
Last Updated: 2008-04-16 09:50:39 UTC - "...Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to another site hosting malicious JavaScript files with various exploits. While those exploits were more or less standard, we managed to uncover a rare gem between them – the actual executable that is used by the bad guys in order to compromise web sites. While even before we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site... we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose... a call to all web site owners – check your applications and make sure that they are not vulnerable. We covered this many times in various diaries*, so here are a few links to online resources that can help with this:
* http://isc.sans.org/...ml?storyid=3834
http://www.owasp.org...7-A2#Protection
http://weblogs.asp.n...on-Attacks.aspx
http://portal.spidyn...ties_3F00_.aspx
http://erratasec.blo...ingly-easy.html ..."

(Screenshot available at the first ISC URL above.)


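One way to check your own site for the injected script include described in posts #5 and #6 (the in-memory injector adds it in transit, so it is absent from the file on disk; the SQL-injection campaign stores it in database text columns): an added example, not code from the page or from any of the tools linked in it. The hostnames, sample HTML and rows are constructed.

```python
import re
from urllib.parse import urlsplit

# <script ...src=...> with the src value quoted with ", with ', or bare; attribute order is free.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I
)

# Hostnames this site legitimately loads scripts from (assumption: example values).
SITE_HOSTS = {"www.example.org", "static.example.org"}

# Constructed samples: the page as stored on disk, and the same page as served by
# a compromised host, which appends a third-party include in transit.
ON_DISK = '<html><head><script src="/js/site.js"></script></head><body>hi</body></html>'
SERVED = ON_DISK.replace("</body>", '<script src="http://bad.example/x.js"></script></body>')
# Constructed CMS rows (id, body) of the kind a mass SQL injection rewrites.
ROWS = [
    (1, "Welcome"),
    (2, 'Contact us <SCRIPT type="text/javascript" SRC=http://bad.example/x.js></SCRIPT>'),
    (3, '<script src="http://static.example.org/gallery.js"></script>'),
]

def script_srcs(html):
    """Every script src in document order, whichever quoting style was used."""
    return [a or b or c for a, b, c in SCRIPT_SRC_RE.findall(html)]

def offsite(src, site_hosts):
    """True for an absolute or protocol-relative URL whose host is not ours."""
    host = urlsplit(src).hostname
    return host is not None and host.lower() not in site_hosts

def injected_scripts(expected_html, served_html, site_hosts=SITE_HOSTS):
    """Off-site script includes in the served page that the on-disk copy lacks.
    Fetch each page over HTTP and compare with the file Apache should have sent:
    an injector sitting between Apache and the socket shows up only here."""
    known = set(script_srcs(expected_html))
    return [s for s in script_srcs(served_html) if s not in known and offsite(s, site_hosts)]

def tainted_rows(rows, site_hosts=SITE_HOSTS):
    """(row id, src) for every off-site script include stored in a text column,
    the footprint of the SQL-injection campaign described in the post."""
    return [(rid, s) for rid, body in rows for s in script_srcs(body) if offsite(s, site_hosts)]
```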

