Mass host hack bigger than first thought, hits 10,000 sites
Some hacked Apache servers reinfected even after clean-up and Linux reinstall
Computerworld - A large-scale hack of legitimate Web sites to infect visitors' PCs is much more massive than first thought, researchers said today. At least 10,000 sites have been compromised, and have hijacked unpatched systems that steered to their URLs.
On Monday, Mary Landesman, a senior security researcher at ScanSafe Inc., said that she had uncovered hundreds of sites which had been hacked and were feeding exploits to visitors. Today, Don Jackson, a senior researcher with Atlanta-based SecureWorks Inc., said the number was considerably larger.
If the visitor's PC is unpatched against any of the nine exploits Jackson listed, it's infected with new variant of Rbot, the notorious backdoor Trojan he called "a very nasty piece of software." The end result: The PC is added to a botnet.
Jackson's can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials; one reason why he came to that conclusion is that hosts that have been cleaned of the infection -- or in some cases even had Linux reinstalled -- are quickly reinfected.
"There was no sign of brute forcing [of passwords] just prior to the infection," said Jackson, "but attackers hosting companies are hit all the time with password attacks. It's part of doing business."
Earlier in the week, Landesman of ScanSafe drew a link between the security breach at U.K.-based Fasthosts Ltd., that country's largest Web hosting vendor, and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts.
Fasthosts denied such a cause-and-effect, and cited what it called "technical discrepancies" with Landesman's claims, but said it was investigating nonetheless.
Friday, Landesman said more data during the week had made her change her mind about the link to Fasthosts. "There are a great deal more of these [compromised] sites than earlier," she said today. "There are a number of them that can be traced to Fasthosts, but not all of them do."
Like Jackson, Landesman remained convinced that the hacks were possible because of stolen log-on usernames and passwords. "From everything we have it does point to some kind of compromise of usernames and passwords," she said. "My theory remains that the eventual source of the compromise is going to be a fairly finite number [of hosting companies]."
Jackson stressed that while the site hacks were done sans a true vulnerability, the Apache feature used by the hackers -- "dynamic module loading" -- is little known by most site administrators, making it extra difficult for all infected sites to cleanse themselves.
More to the point, said Jackson, administrators must change every password on the infected server; failing to do so has led to quick reinfections on some hosts. "All passwords must be changed," he said, "not just FTP and Cpanel passwords." There's some evidence, he said, that other passwords besides those for FTP and Cpanel -- a popular server control panel program -- have been used to access the hacked sites.
Other clues led Jackson to speculate that the attackers are not the usual cyber criminals based in Russia or China, but are likely from North America or western Europe. The code for the hacking and file upload tools lack any comments written in Russian or Chinese, which is normally the case when an attack originates in Russia or China. Instead, the comments and code snippets are in English only. "Almost all the hacking business in western Europe is done in English," Jackson said, mentioning Germany specifically.
Users can protect themselves from attack by making sure all software on their systems is patched and that their security software signatures are up-to-date. Web site administrators, on the other hand, should disable dynamic loading in their Apache module configurations.
Read more about Security in Computerworld's Security Topic Center.
- HTTP Status Code Cheat Sheet Look at the Graph, Find the Code and Boom - You're Solving Problems. Identifying and understanding common HTTP status codes can go a...
- 10 Steps to Application and Network Performance Nirvana 10 simple steps that network operations teams can take to ensure that applications and underlying infrastructure can both be tuned for maximum performance.
- Application Performance Management for Dummies Application performance management helps deliver the application performance users and the business demand. Effectively monitoring and troubleshooting application performance issues requires a comprehensive...
- IDC Report: Optimize IT and Business Gains This IDC Whitepaper outlines how CIOs can understand what the "total cost of data" is across their entire organization and how Delphix can...
- Accelerate your innovation with IBM Bluemix™ Join us for a webcast introducing the new IBM BluemixTM. IBM Bluemix (www.bluemix.net) is a developer oriented Platform as a Service (PaaS) environment...
- Maximizing Availability for the Modern Data Center Check out this information-packed resource center for help in maximizing the availability of your data center - from overcoming challenges to choosing the... All App Development White Papers | Webcasts