Slashdot Mirror
Mass Website Hack Compromises 200,000 Sites
Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."
Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.
Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.
We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.
Am I completely off-base here?
Why can't I mod "-1 Idiot"?
Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."
200,000 web pages is not the same thing as 200,000 web sites.
Mea navis aericumbens anguillis abundat
yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.
Most of us can say phpBB or even the 1000s of php based 'pre-packaged' web sites out there are disasters waiting to happen. Either being poorly coded, not keeping up to date with the latest patches or able to use the current secure versions of PHP, etc.
The problem here is most of the people using this software has limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.
These packages are not only presented as free and easy, but safe because they are built on non-MS technologies, which is where the anti-MS FUD actually hurts the Web and consumers.
In contrast, if these projects were built on ASP for pre-processing instead of PHP, they wouldn't break with each security update as often happens in PHP land, and unlike PHP, ASP stays updated and has proven to be highly secure. The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.
I am hoping that MS's interest in help PHP to play nice with Windows 2008 IIS even better, that as MS is able to quality check PHP code used through IIS, that MS's automation security investments will pay back to even the PHP world, as potential security risks would be something that is now also in Microsoft's interest to publish back to the PHP group.
I know this isn't saying PHP is inherently insecure, we are talking about phpBB and similar products, but if they can get into a cycle of consistent security minded models and staying current with PHP updates without having to worry about applications breaking it will make a big difference.
Developing for PHP and/or working with pre-built PHP applicaitons, I have watched developers spend the majority of their time working around bugs in the applications or in PHP itself. Where an ASP developer there are very few known problems that have to be coded around and they also don't have the hours of ensuring version matching to make the application work like you end up doing with PHP pre-built apps.
This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates.
This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? that sort of behavior ain't cool. in fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.
Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of success large scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!
Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.
Or girlfriend.
Gentoo Linux - another day, another USE flag.
No, that's why you're not supposed to use software which is so full of holes that the only way to keep it safe is to continuously upgrade as the problems are discovered one after another.
You tried to sue/arrest Zone-H? What are you, an idiot? THEY didn't hack your insecure website. They just reported on it. I suppose you'd also sue the local newspaper if they ran a story on your hacked website.