Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Security Site Under New Kind of Attack

Posted by kdawson on from the novel-twist dept.

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

5 of 73 comments (clear)

  1. Re:FTFA... by TheThiefMaster · · Score: 4, Informative

    Ummmm... I think if malicious code is inserted into your site, it's been compromised. Except it's not being inserted into the website itself, the page is being modified en-route to the client.
    Read up on ARP spoofing . The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes.
  2. Common knowledge by packetmon · · Score: 3, Informative

    It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...

    Attacker on GoogleB farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site Visitors --> replicated Google --> view infected page

    Technically its possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, someone is really determined.

    We've all (hopefully all of us) have heard of the "Storm" botnet. Its not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's not silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).

    --
    Infiltrated dot Net
  3. New? by DNS-and-BIND · · Score: 4, Informative
    No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

    I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  4. Re:CSIRT is dying by will_die · · Score: 3, Informative

    IIS 7 is actually rather nice. It is a complete rewrite from IIS 6, didn't they do that from IIS 5?
    They use Apache methods for uploading files, major fix over IIS6.
    The security is modular and supports security similar to what Apache does.
    And the configuration files are now text files which edit with your text editor. Wasn't that the main selling point with the IIS pros saying IIS was better because you did not have to use some text file where you had to go in manually edit?

  5. shame, but it's a lie by Anonymous Coward · · Score: 1, Informative

    I know another site who got EXACTLY this problem (iframes in the code, linking to malware), this was because of a worm exploiting vulnerabilities in php scripts, i wouldn't be surprised if they got hax0red and tried to say "hey it's ARP poisoning, another server got owned, not us!" what a shaaaame, they got pwn3d that's it, you can be sure.