Mass host hack bigger than first thought, hits 10,000 sites
Some hacked Apache servers reinfected even after clean-up and Linux reinstall
Computerworld - A large-scale hack of legitimate Web sites to infect visitors' PCs is much more massive than first thought, researchers said today. At least 10,000 sites have been compromised, and have hijacked unpatched systems that steered to their URLs.
On Monday, Mary Landesman, a senior security researcher at ScanSafe Inc., said that she had uncovered hundreds of sites which had been hacked and were feeding exploits to visitors. Today, Don Jackson, a senior researcher with Atlanta-based SecureWorks Inc., said the number was considerably larger.
If the visitor's PC is unpatched against any of the nine exploits Jackson listed, it's infected with new variant of Rbot, the notorious backdoor Trojan he called "a very nasty piece of software." The end result: The PC is added to a botnet.
Jackson's can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials; one reason why he came to that conclusion is that hosts that have been cleaned of the infection -- or in some cases even had Linux reinstalled -- are quickly reinfected.
"There was no sign of brute forcing [of passwords] just prior to the infection," said Jackson, "but attackers hosting companies are hit all the time with password attacks. It's part of doing business."
Earlier in the week, Landesman of ScanSafe drew a link between the security breach at U.K.-based Fasthosts Ltd., that country's largest Web hosting vendor, and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts.
Fasthosts denied such a cause-and-effect, and cited what it called "technical discrepancies" with Landesman's claims, but said it was investigating nonetheless.
Friday, Landesman said more data during the week had made her change her mind about the link to Fasthosts. "There are a great deal more of these [compromised] sites than earlier," she said today. "There are a number of them that can be traced to Fasthosts, but not all of them do."
Like Jackson, Landesman remained convinced that the hacks were possible because of stolen log-on usernames and passwords. "From everything we have it does point to some kind of compromise of usernames and passwords," she said. "My theory remains that the eventual source of the compromise is going to be a fairly finite number [of hosting companies]."
Jackson stressed that while the site hacks were done sans a true vulnerability, the Apache feature used by the hackers -- "dynamic module loading" -- is little known by most site administrators, making it extra difficult for all infected sites to cleanse themselves.
More to the point, said Jackson, administrators must change every password on the infected server; failing to do so has led to quick reinfections on some hosts. "All passwords must be changed," he said, "not just FTP and Cpanel passwords." There's some evidence, he said, that other passwords besides those for FTP and Cpanel -- a popular server control panel program -- have been used to access the hacked sites.
Other clues led Jackson to speculate that the attackers are not the usual cyber criminals based in Russia or China, but are likely from North America or western Europe. The code for the hacking and file upload tools lack any comments written in Russian or Chinese, which is normally the case when an attack originates in Russia or China. Instead, the comments and code snippets are in English only. "Almost all the hacking business in western Europe is done in English," Jackson said, mentioning Germany specifically.
Users can protect themselves from attack by making sure all software on their systems is patched and that their security software signatures are up-to-date. Web site administrators, on the other hand, should disable dynamic loading in their Apache module configurations.
Read more about Security in Computerworld's Security Topic Center.
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Adobe Creative Cloud FAQ The following are answers to common questions about Adobe® Creative Cloud™ for teams membership, purchasing, security, and storage.
- What's coming to Adobe Creative Cloud Editing and video content creation workflows are about to get easier and more exciting, with major updates coming soon to Creative Cloud, bringing...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Why Are Customers Really Deploying an NGFW? It seems every IT Security expert is talking about the NGFW, but what are people really doing? This webcast covers 5 real-world customer... All App Development White Papers | Webcasts