Slashdot Mirror


Mass Website Hack Compromises 200,000 Sites

Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a JavaScript file that links to the site hosting the attack."


  1. Re:Good news for us, I guess... by Evil Kerek · Score: 0, Flamebait

    LOL, this is the logic I expect from here.

    Perhaps popularity * use in a site that I want to get on = exploited.

    MySQL is free - this is why it's more 'popular'. But more 'popular' in this case means every little installation by any coder messing around. Wonder what the number of installations would be if you said 'only count those where the company has 1000+ employees and has data that someone would want to steal'.

    The reality is if you want to hit a target that actually has something you want, you are better off attacking SQL Server.

    What I see here is a bit of a smack in the face of the open-source security myth. (The idea that all these people spend their spare time looking at other people's code - that's just funny - most really good coders aren't going to have time to do this - and what's the point of a bad coder looking for security flaws?) Here you have a piece of software, phpBB, that is very popular and open source. And it is constantly being hacked, year after year. What I find interesting here is that it's because it's popular and every joe blow around has written an extension for it - unfortunately most of them aren't very good coders.

    EK