Follow Up To Yesterday’s Mass Hack Attack
Thursday March 13, 2008 at 2:04 pm CST
Posted by Craig Schmugar
Yesterday we uncovered a newer mass hack affecting over 10,000 web pages. That number has since doubled. Today, I took a look at another recent mass attack, which was similar to those reported by Dancho Danchev, but references a JS file rather than an IFRAME.
The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB. This contrasts with yesterday’s attack, in which the vast majority of affected pages were Active Server Pages (.ASP). The ASP attacks differ from the phpBB ones in both payload and method: various exploits are used in the ASP attacks, whereas the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those carried out by the Perl/Santy.worm back in 2004.
Here’s a brief video demonstrating how the phpBB attack looks from the end user’s perspective.

March 13th, 2008 at 3:14 pm
Hi, I made the website for my research lab using mambo and it seems to me that the website has been hit by the attack. How can I be sure of that and remove the malicious code?
March 13th, 2008 at 6:45 pm
Hi, do you know what vulnerability or vulnerabilities in the ASP or phpBB pages allowed the injection to take place?
March 14th, 2008 at 12:02 am
Hello
I have problems with a virus that shows it is present in the computer, changing explorer.exe’s name in the MS Windows task list to Explorer.Exe, Explorer.exe and EXPLORER.EXE. It changes the MBR and boot sector, then attacks the Windows registry, slows the system and sends pings to unknown Internet addresses, after which the machine suffers unwelcome attacks from the Internet.
Please, does anybody know its name or any killer solutions?
March 14th, 2008 at 8:30 am
That’s what you get when you run an incompetent operating system from a company run by incompetent and ignorant executives.
Windows is a festering cesspool of virii and anyone who runs it, quite honestly is a complete imbecile.
March 14th, 2008 at 8:43 am
Nicolas - You can compare your original source with that on the server; though it’s possible that an ARP poisoning attack is/was at play, which could be observed by the server displaying code not present in the source.
However, isolating any injected code isn’t enough. One must find the root cause of the compromise in order to prevent it from happening again (at least for that vector). Make sure the box is fully patched. Also a full security audit should be done on the server.
PJ - We can tell the target of the attacks by looking at the pages that were hit.
Papa - It sounds like you may have multiple instances of a file named ‘explorer.exe’. Run something like Process Monitor or Process Explorer to look at the file paths on disk and isolate any potential malware. You can submit a sample to Avert Labs @ http://www.webimmune.net
March 14th, 2008 at 8:59 am
Nicolas: Since it is related to SQL (mysql, postgre… etc.), you would need to load your backup database file. I would then disable phpBB since that is the add-on it attacks.
PJ: It can hit any site running any scripting language. This is a SQL attack. It loads data into your SQL server (can be mysql, postgre, MS’s database server… etc.). It is a very common attack.
How it works, you ask? php/asp… etc. that write to a database also pull from the database to show posts, the name of the site, stories, news… heck, this page you are on right now is most likely grabbing all of what you see from a table in a SQL server. They find a weak script that doesn’t do correct input checking, then they use it to put the virus script into a page that everyone can get to on that site. Now that the payload is waiting, it’s a matter of time before someone going to the site gets infected.
papa: You’re going to have to run anti-spyware software. I would do a complete format of the drive and reinstall of Windows. You can never be sure if you got it all out. After you are done, go and get a virus/anti-spyware tool. Some ISPs give it to you for free. Comcast is one of them.
March 14th, 2008 at 12:16 pm
Papa Indian, buy some antivirus software and keep it up to date.
Truthteller, I guess almost every system admin of almost every company is a complete imbecile. You, surely, are smarter than them all put together. In that case, perhaps you can help rewrite all the required productivity software, everything from CAD to healthcare to financial to manufacturing apps, that run on Windows.
On the other hand, maybe some Linux fanbois just don’t understand business software, and think it’s “kewl” to slam Windows while being too obtuse to realize this attack had nothing to do with Windows.
March 14th, 2008 at 5:08 pm
The only sure solution is what my friends and I call ‘Nuke and Pave’: wipe the OS completely and start again. Type format c:\ and all will be revealed to you.
March 15th, 2008 at 7:10 am
It can happen to any operating system… Apple OSX would also be affected by the server attack. If website sharing is turned on of course.
March 17th, 2008 at 10:15 am
As the author points out, this is not a “drive by”: if you are asked to install something and can circumvent the entire infection by clicking ‘no’ or ‘cancel’, then it’s not a ‘drive-by’….
Second, I hesitate to even call this a virus since you have to install something knowingly… then it’s just called an ‘attack’.
March 17th, 2008 at 7:58 pm
This is a really useless report I have to say - you haven’t provided any links for further information, any information on the source of the attack - is it actually a phpBB vulnerability? Are you talking about 200,000 forums, or one broken forum with 200,000 pages? Are you sure it’s not just a malware ad on the forum?
Why say ‘phpbb’ and not ‘apache’ or ‘internet explorer’?
March 18th, 2008 at 2:58 am
Mass Hacking of phpBB Forums!…
From McAfee:
Yesterday we uncovered a newer mass hack affecting over 10,000 web pages. That number has since doubled. Today, I took a look at another recent mass attack, which was similar to those……
March 18th, 2008 at 3:27 am
Not quite true, keng. Pressing “no” does not stop the installation of the trojan, simply because it really is 2 OK buttons in most cases. The only difference between the Yes/OK and the No/Cancel buttons usually is that No/Cancel makes the installation go into stealth mode…
It installs anyway.
March 18th, 2008 at 4:59 am
TruthTeller(4): Satisfied?
It’s nice to be bad mannered in forums, isn’t it? No one can touch you. And nobody knows that you spend your days alone, so maybe we think you are a real tough guy. You probably are, a tough guy laughing silently to yourself while posting forum replies from your empty chair.
March 18th, 2008 at 6:34 am
I’d agree with keng. A virus is in my opinion something that spreads. This is just a forced redirect to a place where you can download the “virus” and run it yourself.
March 18th, 2008 at 7:28 am
Possibly 200,000 ASP and phpBB websites infected…
March 18th, 2008 at 8:43 am
Tim - It’s 200,000 phpBB pages over hundreds of domains. All affected pages are running out-of-date versions of phpBB. The script is injected ‘out of bounds’ of user-added content (such as the page TITLE containing the malicious script reference).
As for the further details, we often omit or censor information as we have a policy of not directing people to malicious code in public forums.
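As an added illustration of the checks discussed in this thread (comparing the live page against the original source, and looking for a script reference that has landed inside the page TITLE), here is a small detection script. It is not from the post or from McAfee; the sample pages and the host name are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample pages (not from the post): a clean phpBB-style page and the
# same page after an off-site script reference has been injected into <title>.
# "malicious-host.invalid" is a placeholder, not a real indicator.
CLEAN_PAGE = """<html><head><title>My Forum - Index</title>
<script src="/styles/prosilver/template/forum_fn.js"></script>
</head><body><div id="posts">Hello</div></body></html>"""
LIVE_PAGE = CLEAN_PAGE.replace(
    "</title>", '<script src="http://malicious-host.invalid/x.js"></script></title>')

SCRIPT_SRC = re.compile(r'<script\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I | re.S)
TITLE_SPAN = re.compile(r'<title\b[^>]*>.*?</title>', re.I | re.S)
HEAD_SPAN = re.compile(r'<head\b[^>]*>.*?</head>', re.I | re.S)

def _context(html, pos):
    """Name the region an offset falls in: title, head or body."""
    for name, pattern in (("title", TITLE_SPAN), ("head", HEAD_SPAN)):
        for m in pattern.finditer(html):
            if m.start() <= pos < m.end():
                return name
    return "body"

def script_refs(html):
    """Every <script src=...> value with its host and the region it sits in."""
    refs = []
    for m in SCRIPT_SRC.finditer(html):
        src = m.group(1)
        refs.append({"src": src, "host": urlparse(src).netloc.lower(),
                     "context": _context(html, m.start())})
    return refs

def suspicious_scripts(html, own_hosts=()):
    """Flag refs that are off-site, or that sit inside <title>, where no
    legitimate phpBB template places a script."""
    own = {h.lower() for h in own_hosts}
    return [r for r in script_refs(html)
            if (r["host"] and r["host"] not in own) or r["context"] == "title"]

def new_refs_vs_backup(clean_html, live_html):
    """Script sources on the live page that the backup copy does not contain."""
    known = {r["src"] for r in script_refs(clean_html)}
    return [r for r in script_refs(live_html) if r["src"] not in known]

if __name__ == "__main__":
    for r in suspicious_scripts(LIVE_PAGE):
        print(f"suspicious: {r['src']} (inside <{r['context']}>)")
    for r in new_refs_vs_backup(CLEAN_PAGE, LIVE_PAGE):
        print(f"not in backup: {r['src']}")
```

Run it against each page fetched from the live server and the matching file from your backup or source tree; a hit in the TITLE region or a source absent from the backup is what the author describes.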
March 18th, 2008 at 8:59 am
I’m going to echo what Tim (March 17th, 2008) wrote about this being a vague report. I’d very much like to know which version of phpBB was affected.
And BTW, the site in the demonstration still seems to be infected.
March 18th, 2008 at 9:00 am
Many (lay) people still consider malicious code to be a virus. Technically all viruses must self-replicate recursively. This does not mean self-execute.
The term worm is often defined as a virus that spreads by creating copies of itself (in the antivirus sense at least), as opposed to those that require a host file to parasitically infect. Network focused people still reserve the term Worm for viruses that self-execute (such as Sasser).
Non-replicating malicious code is considered to be Trojan.
So the threat in question is a Trojan, not a virus. Now if the Trojan was responsible for the phpBB pages getting compromised to then create the reference to the payload executable, which then spread to more phpBB pages, etc…then it would be considered a virus.
March 18th, 2008 at 11:59 am
Although PHPBB is mentioned numerous times, this article does not once mention how one might detect the so-called ‘phpbb exploit’ on one’s server.
Any data would be much appreciated.
March 18th, 2008 at 1:35 pm
IFRAME Attacks - actions to be taken…
System admins should be ready to prevent their clients from getting exploited and redirected to those malicious domains. …
March 18th, 2008 at 1:40 pm
System admins should be ready to prevent their clients from getting exploited and redirected to those malicious domains.
check here: http://extremesecurity.blogspot.com/2008/03/iframe-attacks-actions-to-be-taken.html
March 18th, 2008 at 3:34 pm
Hi
considering that we are getting very distressed questions from our userbase, could you please provide me with an address to get in touch with you?
We reviewed your findings and found phpBB installations where XSS vectors were obviously introduced via an SQL injection (for instance the site in the video). We also found other software, particularly a severely outdated version of a popular blogging script, to be present in all surveyed instances.
~H
March 19th, 2008 at 8:51 am
I’ve responded to Henry S offline.
For those looking for more about how they can tell if they have been impacted: compromised sites have script injected on pages.
script src="http://... .js
March 24th, 2008 at 7:58 am
Very interesting to have come across this article and video. It was possibly last Thursday/Friday that I was using the internet for general use. I like to read the news. During the evening, my browser would open, but would not close. This issue was quickly resolved but I still wonder what might have caused it.
April 15th, 2008 at 11:41 pm
[…] were active server pages (.ASP)”, explains Craig Schmugar, a researcher at McAfee, in a note published on the blog of […]