MAJOR WWW SERVER EXPLOIT BY HACKERS

Discussion in 'other security issues & news' started by TeMerc, Nov 20, 2004.

Thread Status:
Not open for further replies.
  1. TeMerc

    TeMerc Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    127
    Location:
    PHX. AZ.
    From DSLR, by Eric Howes:
    Everyone needs to read this thread and spread the word about.
    http://www.broadbandreports.com/forum/rema...04374~mode=flat
     
    Last edited by a moderator: Nov 20, 2004
  2. the Tester

    the Tester Registered Member

    Joined:
    Jul 28, 2002
    Posts:
    2,854
    Location:
    The Gateway to the Blue Hills,WI.
    This exploit proves just how serious a threat spyware is.
    Vey disturbing indeed!!!
     
  3. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Also shows that having an AV can save your ass. AV are not the perfect solution, but if youre not the first person to find new threats then you will usually be safe.
     
  4. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Spyware seems to be getting worse day by day.
     
  5. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    I think we are going to be seeing more and more of heuristics and other methods that don't use signatues in the near future. Seems like there will soon be too much to keep up with otherwise.
     
  6. no13

    no13 Retired Major Resident Nutcase

    Joined:
    Sep 28, 2004
    Posts:
    1,327
    Location:
    Wouldn't YOU like to know?
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Hacked websites ued to install parasites.

    Hacked Web Sites Used To Install Parasites


    Security researchers are warning of a new method of installing unwanted parasitic software onto the computers of unsuspecting victims who use Microsoft Internet Explorer (MSIE).

    How It Works


    Most of the following information is based upon a detailed write-up of the process which is available at vitalsecurity.org.

    The process starts with a flaw in the OpenSSL module which is installed alongside most Apache web servers. Apache is the software that serves up web pages on most of the world's web sites. By exploiting this flaw, an attacker can install a rootkit on the web server. The rootkit allows the attacker to take over the server completely. It has been modified to avoid detection by most available rootkit detectors.

    Once installed, the compromised web server will attach a javascript to every HTTP packet sent to a browser used to surf the site. This javascript causes the surfer's browser to open an IFrame, a small inline window which loads a page different from the one in the surfer's address bar.

    The IFrame loads a page from one of three sites. One of the sites hosting these pages is owned by someone using an email address associated with CoolWebSearch (coolsearch.biz).

    The pages which are loaded in the IFrame causes the browser to load several additional pages, each of which tries a different method of installing parasitic software. Once the browser encounters an exploit for which it is not patched, the browser will download and execute a variety of parasite installers. Any of the following parasitic software may be installed on the victim's computer:

    180solutions
    BlazeFind
    BookedSpace
    BullsEye Networks
    CashBack (Bargain Buddy)
    ClickSpring
    CoolWebSearch
    DyFuca
    Hoost
    IBIS Toolbar
    Internet Optimizer
    ISTbar
    Power Scan
    SideFind
    TIB Browser
    WebRebates (TopMoxie)
    WhenU (VVSN)
    Window AdControl
    WindUpdates
    YourSiteBar


    The installers for each of these have been modified to make them harder to detect with antivirus and antispyware software. At no time is the user presented with a EULA ( End User Licencing Agreement), privacy policy or any other disclosure or the ability to opt out of installing these parasites.

    There is evidence to suggest that an infected PC could be used by an attacker to participate in a distributed denial of service attack.

    Protect Yourself

    There is no complete defense for MSIE users. There is no patch for the IFrame vulnerability. However, you can set Internet Explorer to disable IFrames.

    Go to your control panel and double-click on the Internet Options icon. Click the Security tab. Click on the Internet icon to highlight it, then click the Custom Level button near the bottom. On the next screen, scroll about 2/3 down until you find the following options: "Launching programs and files in an IFRAME" and "Navigate sub-frames across different domains". Set both of these options to Disable and click OK. On the Security tab, click Apply.

    This advice is untested so I cannot guarantee that it will protect you. However, it should work just fine. It will not protect you if your browser directly loads one of the pages that start the infection process.

    Non-MSIE browsers are safe from this attack. I recommend either FireFox or Opera. However, these browsers still may experience pop-ups on infected web sites. There is evidence to suggest that these pop-up windows somehow may infect MSIE. Immediately close any pop-up windows that slip past the pop-up blocking features of these browsers. Do not click any links or buttons within the pop-up window.

    If you are using Windows XP, install Service Pack 2 if you have not already done so. This will protect you from most of the exploits involved but not all.

    I don't know what is being done about the people responsible for this situation. It is illegal to break into a web server. Unfortunately, it currently is not illegal to use a security hole to install parasitic software in most places. This is a strong argument for the need to pass antispyware legislation that would punish behavior such as this.

    The US Congress wants to pass such legislation. The Federal Trade Commission opposes the idea. It might be a good idea to contact your Congressperson or Senator and urge them to pass the antispyware bills now under consideration. Feel free to point them here for a good example of the need for it.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
Loading...
Thread Status:
Not open for further replies.