Cryptome Hit By Blackhole Exploit Kit

← Back to Stories (view on slashdot.org)

Cryptome Hit By Blackhole Exploit Kit

Posted by Unknown on Monday February 13, 2012 @11:48AM from the leaks-were-sleeping-around dept.

wiredmikey writes with an excerpt from Security Week:"Whistleblower site Cryptome has been hacked and infected by the Blackhole exploit kit. ... Cryptome co-founder John Young however told SecurityWeek that the Cryptome site is in the process of cleaning everything up, and that process should be finished by the end of the day. Founded in 1996, Cryptome publishes thousands of documents, including many related to national security, law enforcement and military. On Feb. 12, a reader advised the site that accessing a file had triggered a warning in their antivirus about the Blackhole exploit kit. ... Subsequent analysis found thousands of files on the site had been infected." Cryptome has certainly seen worse.

9 of 49 comments (clear)

Min score:

Reason:

Sort:

The mysterious command by Anonymous Coward · 2012-02-13 11:53 · Score: 5, Informative

< SCRIPT src="/0002/afg/afg.php" >
I'm sure you all will sleep now that your burning curiosity was satisfied.
Blackhole by Hatta · 2012-02-13 11:55 · Score: 3, Funny

Symantec says that Blackhole affects "various Windows platforms". Does Cryptome run on Windows?

--
Give me Classic Slashdot or give me death!
1. Re:Blackhole by jenic · 2012-02-13 12:16 · Score: 5, Informative
  Symantec says that Blackhole affects "various Windows platforms". Does Cryptome run on Windows?
  Whether or not cryptome runs in windows is not for me to say, however I do believe that cryptome was compromised and made to distribute the blackhole exploit. The following is found on TFA:
  
  Although I'm not a full fledged security researcher, I could shed some light on the script that you found on your server. The basic program flow goes like this when a client loads the script (in your case every time anyone visits one of your pages):
  
  the client IP address is compared against a list (net_match(...)) and if it falls within the range of the list it is in scope
  the client OS is determined and if it is a windows machine, it is in scope
  the client browser is determined and if it is a internet explorer (6.0 until 8.0) it is in scope
  if the client is in scope (i.e. all three of the previous are true), a file is created on your webserver (empty text file), the filename is the IP address of the client (probably for later retrieval)
  an iFrame is loaded in the browser of the client that will be impossible to see (width and height of 1 pixel) and that iframe points to the webpage of 'http://65.75.137.243/Home/index.php'
  After step 5 probably the browser is under attack and it will probably be a successful attack since the attackers knows the client to be a windows machine running an internet explorer browser, my guess would be that the client is now infected and part of a botnet to be used in other attacks. The IP address of the attacker is a webserver for the domain http://absolutely-free-meeting.com/ I'm not sure they have anything to do with this attack, probably they are a comprimised server like your webserver was compromised. The WHOIS information for this domain is registered by godady and I include their data and the registrants data below, it would be best to contact both so that they can clean up their server also. Conclusion:
  
  your webserver was compromised and a file was uploaded (the attacking script)
  the attacker was only interested in certain IP address (probably only a certain location)
  the clients that are infected are infected from another web server (no idea why since that attack script could have been put on your webserver also)
  PS: I tried to format that as best I could but slashdot was having none of it
mysterious by Moblaster · 2012-02-13 11:56 · Score: 5, Funny

The secret command shows up as a dot (".") on my system.
This may not be enlightening to anyone, but it appears to be a small black hole.
1. Re:mysterious by user+flynn · 2012-02-13 13:54 · Score: 5, Funny
  
  I clicked on the link and I couldn't see anything.
  Since then I've been slowly depressing my back button for what seems like years... to you.
  
  --
  In the distance you hear an ominous moo.
"Blackhole WINDOWS Exploit Kit". by couchslug · 2012-02-13 12:11 · Score: 4, Informative

Yes, it matters.

--
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
"Blackhole IE Exploit Kit" by sakdoctor · 2012-02-13 12:29 · Score: 4, Informative

This attacks specifically checks for, and excludes browsers which are not IE 6 to 8
Re:Don't criticize, do it ! by hweimer · 2012-02-13 15:51 · Score: 3, Informative

If you can set up a public website so secure that no hacker can ever hack, why don't you set one up?
Formally verified web servers have been around for a while.

--
OS Reviews: Free and Open Source Software
Re:Don't criticize, do it ! by Anonymous Coward · 2012-02-13 19:37 · Score: 4, Insightful

"Formally verified web servers have been around for a while."
This reminds me of Knuth's famous quote about some code he released:
"Beware of bugs in the above code; I have only proved it correct, not tried it."