
Webmaster General Forum

    
10,000 Sites Are Unwitting Hosts of Malicious Software
engine




msg:3373340
 11:36 am on Jun 20, 2007 (gmt 0)

More than 10,000 websites have become unwitting hosts of malicious software, say security experts.
Those visiting the hijacked pages risk having keylogging software installed on their PC if it is not protected with the latest patches.

The webpages compromised are all legitimate sites devoted to subjects such as tax, jobs, tourism and cars. The sites are thought to have been booby-trapped using a malware kit, called MPack, sold commercially online.

10,000 Sites Are Unwitting Hosts of Malicious Software [news.bbc.co.uk]

 

MatthewHSE




msg:3373379
 12:14 pm on Jun 20, 2007 (gmt 0)

10,000 hacked sites sounds like a very, very low figure to me - isn't it?

cmendla




msg:3373404
 12:35 pm on Jun 20, 2007 (gmt 0)

10,000 hacked sites sounds like a very, very low figure to me - isn't it?

It's all relative. Don't forget the leveraging aspect... 10,000 sites x ___ visitors per day. At 100 visitors per day per site that's 100,000 exposures. At 1000/day/site that is 1,000,000 exposures/day. More than likely the hackers can find a way to further exploit the machines they infect.

cg

Edge




msg:3373422
 12:52 pm on Jun 20, 2007 (gmt 0)

The report seems vague to me. I did not see any information that helps webmasters check their site.

No solutions, hints, or what to look for, just be scared unless you own updated anti-virus software....

[edited by: Edge at 12:53 pm (utc) on June 20, 2007]

carguy84




msg:3373424
 12:53 pm on Jun 20, 2007 (gmt 0)

10,000 sites x ___ visitors per day. At 100 visitors per day per site that's 100,000 exposures

Close, but even worse ;)

10,000 x 100 = 1,000,000

Leonard0




msg:3373430
 12:58 pm on Jun 20, 2007 (gmt 0)

From another BBC article, Google searches web's dark side:

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC.
Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis".
About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge.

[news.bbc.co.uk]

vincevincevince




msg:3373434
 1:01 pm on Jun 20, 2007 (gmt 0)

Google's results sound a bit closer. I wonder what they call a site... I presume it's one domain name not one page.

Romeo




msg:3373502
 2:19 pm on Jun 20, 2007 (gmt 0)

The report seems vague to me. I did not see any information that helps webmasters check their site.
No solutions, hints, or what to look for, just be scared unless you own updated anti-virus software....

The report is not vague. It is just public news.
For the security of your webservers, you shouldn't depend solely on BBC-news. There is other IT security related information worth checking, too.

This one seems to be just an IFRAMEd pointer to a 'bad' web server hosting an MPACK exploit tool.
Short story at SANS with more pointers:
[isc.sans.org...]
[blog.trendmicro.com...]
[websense.com...]

So the solution/hint is to check your own page sources if someone planted an IFRAME into them that shouldn't belong there ...

Kind regards,
R.
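
The check suggested in the post above, sketched as an added example (not part of the original thread and not code from any of the linked reports): it parses a page and reports every IFRAME that points at a host you did not allowlist or that is made invisible. The zero-size and hidden-style heuristics, the sample page and the 203.0.113.7 documentation address are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate local frame, one planted frame.
SAMPLE_PAGE = """<html><body>
<h1>Car hire deals</h1>
<iframe src="/offers/banner.html" width="468" height="60"></iframe>
<iframe src="http://203.0.113.7/index.php" width="0" height="0"></iframe>
</body></html>
"""

class IframeAudit(HTMLParser):
    """Collect every <iframe> together with the reasons it looks out of place."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line number, src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()   # empty for relative URLs
        reasons = []
        if host and host not in self.allowed_hosts:
            reasons.append("external host " + host)
        if "0" in (a.get("width", "").strip(), a.get("height", "").strip()):
            reasons.append("zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((self.getpos()[0], src, reasons))

def find_suspect_iframes(html, allowed_hosts):
    """Return [(line, src, reasons)] for frames that should be reviewed by hand."""
    audit = IframeAudit(allowed_hosts)
    audit.feed(html)
    audit.close()
    return audit.findings

if __name__ == "__main__":
    for line, src, reasons in find_suspect_iframes(SAMPLE_PAGE, {"www.example.com"}):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run it over the files as they sit on the server (or the HTML the server actually returns), since a local copy made before the compromise will look clean.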

Edge




msg:3373595
 3:29 pm on Jun 20, 2007 (gmt 0)

"The report is not vague. It is just public news."

Can you be less vague and more specific?

Matt Probert




msg:3373597
 3:29 pm on Jun 20, 2007 (gmt 0)

It would appear that MPack requires PHP and MySQL to operate. There is a report on it at the Panda Labs blog here:

[blogs.pandasoftware.com...]

The hack uses a file named index.php which is usually placed in an iframe (apparently).

Matt

gibbergibber




msg:3373601
 3:34 pm on Jun 20, 2007 (gmt 0)

"One in 10 web pages scrutinised by search giant Google contained malicious code"

Google's figures in that report are VERY deceptive. Many news outlets interpreted this to mean one in ten of all sites, but this is NOT what Google's report says.

If you look at the small print, it's only one in ten of the sites that Google had already flagged as suspicious, so they aren't representative of the web as a whole. Google deliberately sought out sites that were already thought to be compromised, so one in ten was actually a surprisingly low figure.

To use a non-computing analogy: If you hang around a court and one in ten drink drive cases results in a conviction, that doesn't mean that one in ten people is a drunk driver, it just means one in ten people already suspected of being a drunk driver have been convicted. The actual figure for the entire population would be much lower.

jeffgroovy




msg:3373973
 9:12 pm on Jun 20, 2007 (gmt 0)

I don't use iframes so I just did a search on a site of mine using FrontPage, checking the box that says "find in code" for the term "iframe" since that's what MPack uses. I found an iframe tag but it turns out it was an old project of mine from a year ago, and I was clean. That might not be the best logic, but since I'm running on a Windows box with no PHP in sight I'm okay for now. I stopped using Unix servers running PHP when the shared server I was running on got hacked last year so that the home page of every site on the server was replaced with an anti-American terrorist type message.

Romeo




msg:3374476
 9:37 am on Jun 21, 2007 (gmt 0)

Can you be less vague and more specific?

... more specific? Didn't you see the attached 3 *specific* links with further *specific* information? What else do you need?

And today, the SANS came out with an authorized reprint of an analysis authored by iDefense:
[isc.sans.org...]

Sorry, I can't be more specific than these specific links I provided.

Kind regards,
R.

RonPK




msg:3374486
 10:20 am on Jun 21, 2007 (gmt 0)

Specific enough to me, Romeo. Thanks for the links. From the last one:

It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server.

I guess that explains how the bad guys get the iframes into a site's HTML.

Edge




msg:3374919
 5:50 pm on Jun 21, 2007 (gmt 0)

Romeo,

The links you provided are just that and nothing else. They may or may not be related...

If you go back and read the original post and follow the link to the press release there are no such links. There are some semi-related and related links on the right side of the page.

The press release - editorial or whatever, is inconclusive, vague, and doesn't give any specifics.

I do not doubt the possibility that the editorial is correct, however without specifics, evidence, case studies and other supporting information I have to take the article/editorial at face value.

Again, a general editorial on a security risk.. I submit to you: So, What's New? Give me solutions not hype or type fodder!

aeramas




msg:3377115
 12:21 am on Jun 24, 2007 (gmt 0)

Is there a way to "lock" your htm so that it can still be viewed and function properly without allowing anyone else to modify it? Unless I am not understanding it, can't you just chmod it to where everything except root can read only?

spinnercee




msg:3377687
 1:18 am on Jun 25, 2007 (gmt 0)

A script running PHP can do anything you can do to a file -- that includes running chmod on the file -- if you are "root" any application that is running as root (or a superuser) can impersonate you -- as a sole webadmin, you probably have root access to all of your applications and files -- but if you are on a hosted system, you can never be root, so the bad script will probably have more access than you.
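
The point made in the reply above, as an added example that is not part of the original thread: a file's owner can always change its mode back, so a read-only bit does not stop code running under the same account, while a content hash recorded when the page was known-good still shows the change. The temporary directory, file name and appended comment are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

def sha256_of(path):
    """Hex SHA-256 of the file's current contents."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def demo_readonly_is_not_a_lock():
    """Return (mode after locking, content changed?, mode still 0444 afterwards?)."""
    with tempfile.TemporaryDirectory() as docroot:
        page = os.path.join(docroot, "index.htm")
        with open(page, "w") as fh:
            fh.write("<html><body>Hello</body></html>\n")

        os.chmod(page, 0o444)              # "lock" the page read-only
        baseline = sha256_of(page)         # recorded while the page is known-good
        locked_mode = stat.S_IMODE(os.stat(page).st_mode)

        # Anything running under the same account as the file's owner
        # (for example a script the web server executes as the site user)
        # is allowed to flip the mode, write, and flip it back.
        os.chmod(page, 0o644)
        with open(page, "a") as fh:
            fh.write("<!-- constructed stand-in for an unwanted change -->\n")
        os.chmod(page, 0o444)

        changed = sha256_of(page) != baseline
        looks_locked = stat.S_IMODE(os.stat(page).st_mode) == 0o444
        return locked_mode, changed, looks_locked

if __name__ == "__main__":
    mode, changed, looks_locked = demo_readonly_is_not_a_lock()
    print(f"mode after lock: {oct(mode)}, content changed: {changed}, "
          f"still shows read-only: {looks_locked}")
```

Keep the baseline hashes somewhere the web account cannot write, otherwise they can be updated along with the page.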
