Sunday, 11 May 2008

Mass phpBB attack free.hostpinoy.info and xprmn4u.info

Another injection attack has been reported by the ISC, and this time it appears to be using one of many potential flaws in phpBB. Injected code points to free.hostpinoy.info/f.js and xprmn4u.info/f.js, and a Google search of these two terms currently comes up with 858,000 matches between them, indicating that this is a very large-scale attack.

phpBB is a great bit of software, but sadly it is riddled with security holes and requires constant updating. If you're running a phpBB forum then you need to patch it as a matter of urgency. If you don't run phpBB and are looking at running a forum then I've got to say.. try something else.

It looks like some version of the Zlob trojan is being served up; see here and here for more details (thanks sowhatx). Detection rates seem to be patchy. It's possible that the injected code is using some sort of geotargeting, as the destination sites are not consistent.

free.hostpinoy.info is 209.51.196.254 (XLHost.com)
xprmn4u.info is 217.199.217.9 (Mastak.ru)
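A simple defender-side check, added here and not part of the original post: scan saved page source (or phpBB template files) for `<script src>` tags that load from third-party hosts, and flag the hostnames and IPs listed above separately from other external scripts. The sample page, the forum hostname forum.example.org and the library host ajax.example.net are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators quoted in the post: the two injected hostnames and the IPs they resolved to.
INJECTED_HOSTS = {
    "free.hostpinoy.info", "xprmn4u.info",
    "209.51.196.254", "217.199.217.9",
}

# Matches <script ... src=URL> with the URL quoted or, as in the injected tag, unquoted.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)

def external_script_hosts(html, own_host):
    """Return (host, url) pairs for every <script src> served from a host other than own_host."""
    found = []
    for url in SCRIPT_SRC.findall(html):
        host = urlparse(url).hostname  # None for relative paths such as /templates/x.js
        if host and host.lower() != own_host.lower():
            found.append((host.lower(), url))
    return found

def scan(html, own_host):
    """Classify third-party scripts: 'known' matches the indicators above, 'external' is everything else."""
    report = {"known": [], "external": []}
    for host, url in external_script_hosts(html, own_host):
        key = "known" if host in INJECTED_HOSTS else "external"
        report[key].append(url)
    return report

# Constructed sample of a forum page: normal content plus an injected tag like the ones reported.
SAMPLE_PAGE = """<html><head><title>My Forum</title>
<script src="/templates/subSilver/forum.js"></script>
<script type="text/javascript" src=http://free.hostpinoy.info/f.js></script>
</head><body>...<script src="https://ajax.example.net/lib.js"></script></body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE, "forum.example.org"))
```

Anything in the `external` list is worth a look too: a legitimate forum rarely needs scripts from hosts its administrator does not recognise.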

Updated: A brief analysis of some of the impacted sites shows a mix of high traffic forums and long-dead ones. Some of these forums are hit with multiple exploits and massive amounts of spam, which indicates that they are running a very out of date version of phpBB.. so folks, if you have a forum which you don't use any more, do everyone a favour and delete it.

2 comments:

CM said...

It is serving up zlob codec loaders.

Each site has a particular space that when opened redirects to a codec site, which in turn will auto dload the DNS Changer Codec, but I'm sure it fails to run in most cases.

Nonetheless, this appears alongside some defacements as well and does look to be some 45 days old at best.

sowhatx said...

Dynamoo...have a look here...
http://uploadmalware.blogspot.com/2008/05/mass-file-injection-redirecting-to-zlob.html
http://www.malwaredomainlist.com/forums/index.php?topic=1792.0