Slashdot Mirror
Mass Website Hack Compromises 200,000 Sites
Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."
And this is why I have never, and will never recommend phpBB to anyone.
punBB > invision > * > phpBB
Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.
Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.
We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.
Am I completely off-base here?
Why can't I mod "-1 Idiot"?
My old phpBB forum got hacked. Wanna know why? Cuz I used the auto-installing plugin that my host provided. It was about 20 versions behind and they NEVER updated it. So it had a gaping security hole in it. And guess what else! I couldn't patch it because it was considered some sort of embedded plugin that I couldn't tocuh the system files of. I had to install a fresh, updated version and phpBB and then copy the database over AND alter the database manually to reflect all the changes between between versions, which was a major pain in the ass. Needless to say I was pissed. Oh and I tried to sue/have arrested those Zone-H assholes that posted it like it was some sort of trophy case but apparently they're not hosted in the US so I dropped it. I would be willing to guess that every single hack was because of outdated phpBB quick installs like ipowerweb makes available on their servers.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
It's a good think slashdot is immu PENI5 PILLS FREE WITH DISCOUNT MORT6A6ES! PENISFREE@OFFER.COM NOW!
Table-ized A.I.
Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."
I read both those articles and got the impression that the attack was 'social engineering' meaning that phpBB's only role was to allow someone to post a URL to a site which actually hacked the stupid victims. There is no specific mention of any exploit.
There *is* a mention of an exploit on ASP machines.
I'm a little confused here - how can it be "social engineering" when the javascript required to create the porn/codec popup had to be inserted somehow?
This IS Slashdot, right? Or have I been posting to the NSA all this time?
Hi mom!
What?
How about this plan: anybody, who wishes to maintain an Internet-reachable computer, needs to be licensed (or hire someone, who is). I mean, we require licenses and/or permits to alter plumbing in a house or to add a porch — aren't botnets more threatening to the country, than an improperly placed pipe here and there?
Since most attacks originate from abroad, we could relax the rule by applying it only to those, who wish to be reachable from outside US (rather than be automatically firewalled by their ISP)...
Licensing requirements would include familiarity with firewalls, computers and network security...
To be sure, I'd hate having to go through this, but having to deal with a botnet-running extortionist is, likely, even worse... Or not? What do you think?
In Soviet Washington the swamp drains you.
There is no NSA. The NSA does not exist. They are not run by CmdrTaco as they do not exist to be run. There are no Macra! (Sorry, wrong series.)
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
It's just the usual Joe-Sixpack conspiracy theory crap.
200,000 web pages is not the same thing as 200,000 web sites.
Mea navis aericumbens anguillis abundat
yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.
The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.
According to this video, the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of cites could be accounting for all the 200k pages.
Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.
Better known as 318230.
But I've made some modifications to my install. I replaced the registration and profile pages with a web form that posts to an Email parser. There was a lot of activity the last few days, spam registrations out the yang.
It's funny because to them it looks like the registration page and they keep running scripts against it. I block the IP ranges of the spam registrations at the boundary but they just keep block hopping.
They'll still get a script reg through sometimes, so there's something I'm missing. I could just install the security updates but it's so much more fun to try and tweak it myself.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
And nothing of value was lost.
Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend to ram to work. It's to most intensive purposes "turned off". Takes 7 seconds (at most) to go to sleep and a few seconds wake up and I never have a problem.
At least I think that's what it does - I've never actually used it, as the cable modem is outside my hardware firewall anyway.
He's just referring to the Presidential Daily Briefing from August 6th, 2001. It's pretty well known.
The attack probably targeted phpBB2. Get the latest phpBB version which at this moment is 3.0.0.
Most of us can say phpBB or even the 1000s of php based 'pre-packaged' web sites out there are disasters waiting to happen. Either being poorly coded, not keeping up to date with the latest patches or able to use the current secure versions of PHP, etc.
The problem here is most of the people using this software has limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.
These packages are not only presented as free and easy, but safe because they are built on non-MS technologies, which is where the anti-MS FUD actually hurts the Web and consumers.
In contrast, if these projects were built on ASP for pre-processing instead of PHP, they wouldn't break with each security update as often happens in PHP land, and unlike PHP, ASP stays updated and has proven to be highly secure. The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.
I am hoping that MS's interest in help PHP to play nice with Windows 2008 IIS even better, that as MS is able to quality check PHP code used through IIS, that MS's automation security investments will pay back to even the PHP world, as potential security risks would be something that is now also in Microsoft's interest to publish back to the PHP group.
I know this isn't saying PHP is inherently insecure, we are talking about phpBB and similar products, but if they can get into a cycle of consistent security minded models and staying current with PHP updates without having to worry about applications breaking it will make a big difference.
Developing for PHP and/or working with pre-built PHP applicaitons, I have watched developers spend the majority of their time working around bugs in the applications or in PHP itself. Where an ASP developer there are very few known problems that have to be coded around and they also don't have the hours of ensuring version matching to make the application work like you end up doing with PHP pre-built apps.
This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates.
Don't, like, trust anyone with a UID shorter than 6 digits, man...
This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? that sort of behavior ain't cool. in fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.
You can disable the connection to the internet in your modem's driver options (or ethernet port's driver's options...) or your computer's network settings. Leaving a link to the settings on your desktop ensures you won't forget to turn it back on when you come back to your computer after going out to do whatever the hell anyone would do without a computer (buy a new moniter?).
Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect. But I'm sure there's something you can do during that time (boot up your MP3 player...etc...).
Ginga no Rekshiya Mata Each page.
Buy a cheap $40 home router box.
Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
Most if not all cable modems have a standby button on it to literally "turn off the internet".
It's usually located on the top, if it's a Motorola.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
When this news broke last night (my local time), my heart skipped a beat because one of my phpBB instances isn't totally up to date, so I did a quick bit of research to see if I could fill in the massive blanks left by this report. Yes, it does look like an SQL injection attack: the attack appends a SCRIPT tag to the forum's main title, which is inserted into various locations on every page from a database field. Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers. I suspect that the search in question is a Google "intitle:" search which keys off the domain name of the site carrying the exploit code, since this becomes a visible part of the title.
I have no idea exactly how the SQL injection is being effected, but my phpBB forum was not impacted. This may be because my version is not too old, because I lack a vulnerable add-on module, or because my custom anti-bot mechanisms deflected the attack. I couldn't see anything in the past few days of log activity which contained key strings used in the exploit, but I didn't search very hard once I determined that my instance was unaffected.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
It's to most intensive purposes "turned off". How about for purposes which are a bit less intensive?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of success large scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!
Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.
Come on, this guy was right. the phpBB vulnerability has nothing to do with 9/11, and certainly nothing to do with blaming the government for 9/11.
Do you want more posts that start like this, "This reminds me of George Bush's environmental policy..."
Moderation is supposed to stop that sort of thing. Instead he's +5.
Those are my principles. If you don't like them I have others. -Groucho Marx
And then, you read the top of the report and discover that all this is old news, that you've been only reading spam for the last two years.
For a second, you think that humanity may not be the mass of morons you thought. That patching the bug will let you access the real, intelligent, acute comments of human forums.
Then, as the patch starts to work, you see those comments; the beauty of human forums brings a tear to your eye. As you start posting, you feel unable to write, your keyboard doesn't seem to work.
You then understand you were just another spam generator, and the patch is killing you.
Fade to black.
Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect.
20 seconds?!? Who's got that kind of time? I'll be old by then!
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
I noticed a sudden spike in traffic last week on one of my customer's hosted sites that ran phpBB. Sure enough they were allowing self-registration and things got worse from there. I killed the threads, users, and checked the server logs and sure enough there were some nasty processes that got left behind. After we killed them too and disabled auto-logins things went back to normal. This happened because I had recently upgraded to a stand-alone server, and the software that normally rejects automated probes for known exploits wasn't running correctly. As so many of you have said, this is a technical problem that can easily be defended against. The nature of open source software means that the code is available for scrutiny and exploit, and the side effects are a part of the 'maturing' process of such free tools.
Looking through my 404 logs I get a bunch of kiddie auto scripts either looking to BB spam or hack in, here are some items which I figure are popular entry routes:
///include/print_category.php
/forum/index.php
/bbs/include/print_category.php
/functions.php
/board/index.php
/forums/index.php
/phpbb2/index.php
//calendar//tools/send_reminders.php
//skin/zero_vote/error.php (lots of these)
/skin/zero_vote/ask_password.php
//support/mailling/maillist/inc/initdb.php (a few of these)
/function.main
/comments.php
/MSOffice/cltreq.asp
/cgi-bin/bbs/read.cgi
//include/write.php
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Although the other guy's comment was much funnier, it probably is worth me point out the expression is "all intents and purposes" not "all intensive purposes". Still; better you make the mistake and get corrected online than in the boardroom ;-)
The Fully Modded phpBB website is down, but it is basically a fork or extension of the base phpBB code, which remains secure.
I know I've labored the point about phpBB not being vulnerable to this kind of attack, but it really is built from the ground up for security. This exploit does not affect phpBB, just the heavily modified for "Fully Modded phpBB".
Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
I am so lucky, because I upgraded my forum phpbb2 to phpbb3 in time. I think that phpbb2 is not well writen, but it is the best free (and open source) forum cms I know. I hope phpbb3 will be better than its father. The important thing is update immediatly when a security upgrade will be released. That is my opinion.
Does *anyone* know how to detect this exploit in your PHPBB install?
I've been getting auto-scripts lately on my Linux web server that are trying to explot a file called xmlrpc.php...
I love PHPBB, but I am truly disappointed with both responses I've seen from the phpBB guys. It's really a shame.