
Webmaster General Forum

This 61 message thread spans 3 pages: 61 ( [1] 2 3 > >     
Large Scale Net Attack Underway?
Microsoft Servers & User Machines Targets
rogerd




msg:388947
 3:19 am on Jun 25, 2004 (gmt 0)

AP is reporting an unusual virus attack. Microsoft IIS servers become infected, and append code to the bottom of web pages. The code is Javascript which attempts to access a file on a remote site. The code is presumably malicious, but details are still sketchy.
[msnbc.msn.com...]

 

txbakers




msg:388948
 5:15 am on Jun 25, 2004 (gmt 0)

from that article:
The U.S. Computer Emergency Readiness Team said computer users also could protect themselves by disabling JavaScript in their Web browser software. However, that "may also degrade the appearance and functionality of some Web sites that rely upon JavaScript," the team noted.

This from the same agency that recommended everyone buy duct tape and plastic sheeting to protect against chemical attacks.

And no, I don't want to start a "why we should all disable javascript" argument on this thread.

rogerd




msg:388949
 1:19 pm on Jun 25, 2004 (gmt 0)

CNN has picked up the story: Experts study massive Internet attack [cnn.com] - odd that so few details seem to be emerging, and that the virus software vendors don't seem to be talking about it yet.

bakedjake




msg:388950
 1:23 pm on Jun 25, 2004 (gmt 0)

The majors aren't real good at picking this stuff up quickly. :)

[isc.sans.org...]

If your SERVER was compromised, you will observe:

* All files sent by the web server will include the javascript. As the javascript is delivered by the web server as a global footer, images and other documents (robots.txt, word files) will include the javascript as well.
* The files on your server will not be altered. The javascript is included as a global footer and appended by the server as they are delivered to the browser.
* You will find that the global footer is set to a new file.

We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects.

If you visited an affected page, and your BROWSER is compromised:

* you may see a warning about a javascript error. But it depends on how the attack code interferes with other javascript on the respective page, and many users disable these javascript warnings.
* Disconnect the system from the network as soon as possible.
* run a thorough virus check with up to date virus definitions. Many AV vendors released new definitions as recently as last night.
* If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
* AV software will detect the javascript as 'JS.Scob.Trojan'.

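A defender-side check for the server-compromise symptoms listed above, added here as an example and not code from the ISC notes or any poster: it flags responses that end in a script block where the content type should carry none (robots.txt, images, word files), or where the script sits after the closing </html> tag, which is the signature of a server-side global footer rather than page-authored script. The sample responses and the script URL are constructed.

```python
"""Spot a Scob-style injected document footer in HTTP responses.

A compromised IIS server appends the same script block to every response
it serves, so the check is: does the body END with a <script> block, and
is that block somewhere script should never be?  Samples are constructed.
"""
import re
from dataclasses import dataclass

# A script block that runs to the very end of the body (trailing whitespace
# allowed); matches both inline and src="..." footers, any letter case.
FOOTER_RE = re.compile(rb"<script\b[^>]*>.*?</script>\s*$", re.IGNORECASE | re.DOTALL)


@dataclass
class Response:
    path: str
    content_type: str
    body: bytes


def trailing_script_offset(body: bytes):
    """Offset of the LAST <script ...> tag if that block closes the body, else None.
    Using the last occurrence avoids being fooled by legitimate inline scripts
    earlier in an HTML page."""
    idx = body.lower().rfind(b"<script")
    if idx < 0 or not FOOTER_RE.match(body, idx):
        return None
    return idx


def has_injected_footer(resp: Response) -> bool:
    """True when a response looks like it carries a server-appended footer.
    Non-HTML content with a trailing script block is always suspect; for HTML
    the block must sit after </html>, i.e. it was appended, not authored
    (heuristic: a hand-written page could also end that way)."""
    idx = trailing_script_offset(resp.body)
    if idx is None:
        return False
    if not resp.content_type.lower().startswith("text/html"):
        return True
    return resp.body[:idx].rstrip().lower().endswith(b"</html>")


def scan(responses):
    """Paths of all responses flagged by has_injected_footer, in order."""
    return [r.path for r in responses if has_injected_footer(r)]


# Constructed samples; the src URL is a placeholder, not a real indicator.
INJECTED = b'<script src="http://example.invalid/footer.js"></script>\n'
SAMPLES = [
    Response("/robots.txt", "text/plain", b"User-agent: *\nDisallow:\n" + INJECTED),
    Response("/logo.gif", "image/gif", b"GIF89a\x01\x00\x01\x00" + INJECTED),
    Response("/index.html", "text/html", b"<html><body>hi</body></html>\n" + INJECTED),
    Response("/both.html", "text/html",
             b"<html><body><script>var a=1;</script></body></html>\n" + INJECTED),
    Response("/clean.html", "text/html", b"<html><body><script>var a=1;</script></body></html>"),
    Response("/clean.txt", "text/plain", b"nothing here\n"),
]

if __name__ == "__main__":
    for path in scan(SAMPLES):
        print("footer injection suspected:", path)
```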

MaxM




msg:388951
 1:41 pm on Jun 25, 2004 (gmt 0)

Some useful info.

Microsoft:
[microsoft.com...]

F-Secure blog:
[f-secure.com...]

MatthewHSE




msg:388952
 1:54 pm on Jun 25, 2004 (gmt 0)

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

If this is a javascript file that does the dirty work, couldn't other browsers be affected as well?

encyclo




msg:388953
 2:21 pm on Jun 25, 2004 (gmt 0)

If this is a javascript file that does the dirty work, couldn't other browsers be affected as well?

From ISC:

The javascript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit.

So it's MSIE-only if I understand it correctly.

CritterNYC




msg:388954
 4:10 pm on Jun 25, 2004 (gmt 0)

So it's MSIE-only if I understand it correctly.

Yup. This affects ALL Windows Internet Explorer versions, even when fully patched. There is no patch to fix this as Microsoft has been twiddling its thumbs. And the list of websites being used to install this exploit now includes personal websites and banks.

So, the only way to surf safely with Internet Explorer right now *IS* to disable Javascript.

Or you could go and get yourself a REAL browser :-)
[mozilla.org...]

isitreal




msg:388955
 5:22 pm on Jun 25, 2004 (gmt 0)

From Sophos [sophos.com]

JS/Scob-A downloads a file from a Russian website, this website is no longer accessible.

From Security Focus [securityfocus.com]:

Time to Dump Internet Explorer
...It could be possible for an attacker who exploited this vulnerability to run arbitrary code on a user's system. If a user visited an attacker's Web site, it would be possible for the attacker to exploit this vulnerability without any other user action.

That article was written Jun 17 2004, 1 week before this exploit was discovered.

I'd agree, time to dump IE, or at least turn off all active x/javascripting. Microsoft has had plenty of time to deliver a secured browser/ web server, there is no reason for the market or consumers to put up with this kind of nonsense, either IIS or IE, just dump all that garbage.

Installing constant security patches is not a solution, it's an indication of how serious the problem is.

[edited by: isitreal at 5:24 pm (utc) on June 25, 2004]

encyclo




msg:388956
 6:01 pm on Jun 25, 2004 (gmt 0)

Can anyone confirm that the hacked websites were all running IIS? It's not clear in the information provided so far...

Leosghost




msg:388957
 6:24 pm on Jun 25, 2004 (gmt 0)

Well I for one just spent all my afternoon reuploading site that I have that can't run without javascript enabled in IE. And now ...

I'll have to spend my weekend and most of next week rebuilding a site so that no one will panic and think it was me ....

And this was the first sunny weekend we've had here in the last 3 weeks ...:(

[edited by: tedster at 4:50 am (utc) on July 1, 2004]

bcolflesh




msg:388958
 6:40 pm on Jun 25, 2004 (gmt 0)

Something I've observed so far - no virus sites are showing actual cases in the wild in numbers that would signify "spreading" - and the Russian site it attempts to download its payload from is offline -

Bit of a non-starter: JS/Scob-A

MatthewHSE




msg:388959
 6:56 pm on Jun 25, 2004 (gmt 0)

Couldn't that Russian website get online again any time? I imagine their ISP or host could have shut them down, but still, I would think it pays to be careful. I'm still urging everyone I know to switch to Mozilla or FireFox at least until this all blows over.

CritterNYC




msg:388960
 7:13 pm on Jun 25, 2004 (gmt 0)

Can anyone confirm that the hacked websites were all running IIS? It's not clear in the information provided so far...

The ones being reported on are IIS, simply because IIS is the easiest to crack. Realistically, it doesn't matter the server you hack as long as you get your payload delivered.

And just because that Russian site is offline doesn't mean you're safe. Anyone can install anything they want into IE with their own website. It could be a zombie, a simple trojan, something to erase your hard drive... ANYTHING they want!

Microsoft has known of this vulnerability for quite some time. It was already being exploited by a spyware company to automatically install porn popup software. It isn't new. This is just a new way of exploiting it... combining the weakness of IE with the weakness of IIS.

Hanu




msg:388961
 9:33 pm on Jun 25, 2004 (gmt 0)

We know that clients accessing an infected server get infected. The main question remains: How did the servers get infected? It doesn't take a brain surgeon to imagine that an infected client infects any IIS server it accesses, right? That would be the ideal distribution method. Why didn't they (the virus' authors) do it that way? Afaik, the client side of the virus only installs a keylogger.

isitreal




msg:388962
 11:05 pm on Jun 25, 2004 (gmt 0)

Here's the latest from symantec/nav [securityresponse.symantec.com]:

Modifies the configuration of IIS Web sites on the infected computer to make one of the iisXXX.dll files the document footer.

This is an IIS only exploit, apparently.

Here is the MS security update [microsoft.com].

More stuff on itvibe [itvibe.com]

And on f-secure:
[f-secure.com]
According to reports, the script has not been appended by modifying the actual files on the server but using the so called footer feature from Microsoft's Internet Information Server.... there have been reports that this downloader has been used to install variants of Padodor backdoor. Further information about Padodor is available at: [f-secure.com...]

kaled




msg:388963
 11:17 pm on Jun 25, 2004 (gmt 0)

I doubt that Russian site will be online any time soon. I imagine the forces of law and order will kill it very very dead indeed, and with Putin in charge, the perps may follow suit - even if they thought they were somehow protected.

Russia may be the home of spam these days but that sort of hacking will likely be considered as crossing the line - BIG TIME.

Kaled.

isitreal




msg:388964
 11:20 pm on Jun 25, 2004 (gmt 0)

I somehow doubt that the guys who wrote this product were stupid enough to place a link to their own website in that exploit, it's more likely they hacked into a server and simply placed the file there.

encyclo




msg:388965
 11:24 pm on Jun 25, 2004 (gmt 0)

At least with MS you get updates. If this kind of attack was happening on linux it would take a while to get a fix and it would not be automatic.

We're not actually talking about a zero-day exploit here: the current analysis by the security folk is saying that the vulnerability is to do with something called the "adodb.stream" (I'm not a security person, so I can't go into any more detail). Problems with the adodb.stream were found ten months ago. There is still no patch, no workaround, nothing. Only last week, there was a real zero-day exploit in the Linux kernel, and only last night, I downloaded and installed a patched kernel with a one-line command.

What are Microsoft's billions buying you?

This is categorically not script-kiddie stuff going on. The people behind this are true, old-fashioned professional criminals. They don't hold grudges against Microsoft or anyone else, they just look for the easiest path. In this case, the easiest path was via Windows servers running IIS.

More information from Symantec here [tms.symantec.com]. To quote:

The malicious JavaScript in question is designed to compromise client systems through multiple known, but unpatched vulnerabilities in Internet Explorer.

grelmar




msg:388966
 2:30 am on Jun 26, 2004 (gmt 0)

You know what the most amusing aspect of this is to me? Just last week, I got into an argument with my account manager at my bank because I refuse to have anything to do with online banking.

He wanted to know why, and I responded "Because there is no way you can guarantee me even reasonable security for my account online, and you require IE to access your services, and IE is a buggy, hacker magnet, POS."

My account manager went on and on about security measures they take, and that he uses IE all the time and rarely has any problems...

I laughed at him and called him a naive fool. The conversation went downhill from there.

I think I'll e-mail him a link to that Security Focus article, and to the F-Secure weblogs.

Anyone who keeps defending IE and MS after this, is a deluded "extremist" who'll never learn.

I feel no pity for banks and large institutions who feel the wrath of this or other similar IE and MS server related issues. They're big boys, and they should do their research and act accordingly.

I DO, however, feel sorry for all the "Aunt Tilly" types out there. They just want convenience, reliability, and security, without having to become a geek and do endless research.

IMHO: Microsoft should be fined out of existence by the government.

MS twiddles its thumbs over known vulnerabilities (this is a vulnerability that has been known about in security circles for well over a year), and these vulnerabilities place the public's financial well being at the mercy of criminals.

If a Bank was as careless with our money, then the Securities and Exchange Commission would shut them down in a heartbeat and divide up its assets among more reliable institutions.

Stefan




msg:388967
 2:48 am on Jun 26, 2004 (gmt 0)

Website on Apache, using Firefox as my personal browser, resisting the urge to feel smug.

amznVibe




msg:388968
 3:07 pm on Jun 26, 2004 (gmt 0)

I didn't see anyone mention the offending javascript code which is what concerned me more than the unpatched servers so I did a little reading to find:

[62.131.86.111...]
(an analysis of the attached code on the IIS servers)

This is NOT a pure javascript hole. It's using activex to install the malware.

It's using the "adodb.stream" activex issue that was reported to Microsoft on Aug 26 2003.
All you have to do is block activex and you are set. No need to block javascript as a solution which is overkill.

MSJava and activex are the devastating issues in IE, not javascript.
Rip out MSJava with microsoft's uninstall tool, and block activex in your settings.

adfree




msg:388969
 3:45 pm on Jun 26, 2004 (gmt 0)

Der SPIEGEL reports that a Russian server gets data delivered that they could crack after installing

Kk32.dll and
Surf.dat

"somewhere" I guess what they mean is a random location at target boxes.

Any mention of that somewhere else for a second opinion?

[edited by: tedster at 4:53 am (utc) on July 1, 2004]

CritterNYC




msg:388970
 3:59 pm on Jun 26, 2004 (gmt 0)

This is NOT a pure javascript hole. It's using activex to install the malware.

It's using the "adodb.stream" activex issue that was reported to Microsoft on Aug 26 2003.
All you have to do is block activex and you are set. No need to block javascript as a solution which is overkill.

MSJava and activex are the devastating issues in IE, not javascript.
Rip out MSJava with microsoft's uninstall tool, and block activex in your settings.

Right on the explanation, but what are the settings to block it? I haven't seen any short of disabling Active Scripting that will.

Set these across all 4 security zones:

Download Signed ActiveX Controls: Disabled
Download Unsigned ActiveX Controls: Disabled
Initialize and Script ActiveX Controls Not Marked As Safe: Disabled
Run ActiveX Controls and Plugins: Disabled
Script ActiveX controls marked safe for scripting: Disabled
Java Permissions: Disabled

Then try the exploit test (a harmless graphics program)

Guess what? Still works. So disabling ActiveX and Java doesn't solve the problem.
[62.131.86.111...]

amznVibe




msg:388971
 6:18 pm on Jun 26, 2004 (gmt 0)

I would have hoped disabling activex on the local zone would fix it, sorry to hear it doesn't, not good.

I get around this problem as my firewall can turn off activex entirely for IE (ATGuard, or newer bloated version from Norton as NIS) but I realize this isn't an answer for the mainstream users.

wattsnew




msg:388972
 3:13 am on Jun 27, 2004 (gmt 0)

Haven't looked at Mozilla for a long time, but thanks to this I've installed Firefox on XP. Fast. Nice Webtools. Good old "bookmarks" and "reloads" are back!

I'll have to use IE to check my site, but otherwise...

bignet




msg:388973
 11:10 am on Jun 27, 2004 (gmt 0)

IE Users: If you allow ActiveX regardless, then it is you to blame

MS Blamers:


Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.


Important Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.

Check http://www.microsoft.com/security/incident/download_ject.mspx


skippy




msg:388974
 11:28 am on Jun 27, 2004 (gmt 0)

IE Users: If you allow ActiveX regardless, then it is you to blame

My mom has no idea what activeX is and I am sure never will. So if there are fundamental security flaws that fault lies with the manufacturer. Not because a novice can not figure out how or why to use the advanced security options.

bignet




msg:388975
 12:44 pm on Jun 27, 2004 (gmt 0)

what about the expert who set up the computer, internet connection, or the less responsible for system and virus updating? Or blame the car manufacturer if you do not know how to change oil

anyone seen GG smiling when reading this thread, and hiding from embarrassing threads

skippy




msg:388976
 12:56 pm on Jun 27, 2004 (gmt 0)

Actually the experts that set up her computer are pretty good. Every time she gets a windows update she calls them because she can't get her email thru outlook express and they walk her thru it.

But seriously the people that do ecommerce should thank their lucky stars that media really did not pick up what happened and what sites were hit. This is the type of stuff that can do very serious damage to ecommerce.
