Showing posts with label Iframe attacks. Show all posts

Wednesday 16 April 2008

2117966.net revisited

Last month I blogged about Trend Micro's website being compromised, along with thousands of others, with an IFRAME injection pointing to 2117966.net.

The ISC has followed up with an analysis of the tool used to compromise the sites. It uses an SQL injection attack to infect the server, but the interesting thing is that it uses Google to enumerate the vulnerable sites first, a technique called Google Hacking.

I guess there are a few things to note here - despite the ubiquity of SQL, it can still be tricky to set up securely and is best left to people who know what they are doing. Keep your patches up-to-date, and consider carefully whether you want Google (or any other search engine) to be able to index your WHOLE site; adjust your robots.txt if necessary.

The ISC article also links to some good resources if you want to properly secure your database.
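The ISC write-up the post links to is not reproduced here, so the following is an added illustration (not code from the post, the ISC, or any of the affected sites) of the one thing that makes this class of mass injection possible at all: a query that splices user input into SQL text. It uses an in-memory SQLite table as a stand-in for a site's content store; the table, its rows and the function names are all constructed for the example.

```python
import sqlite3


def _fresh_db():
    """In-memory table standing in for a site's content store (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO pages (title, body) VALUES ('Home', 'Welcome')")
    conn.commit()
    return conn


def find_page_unsafe(conn, title):
    """Vulnerable pattern: the input is spliced into the SQL text, so quote
    characters in it become part of the statement instead of data."""
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def find_page_safe(conn, title):
    """Hardened pattern: a bound parameter is always treated as data by the engine,
    whatever characters it contains."""
    return conn.execute("SELECT body FROM pages WHERE title = ?", (title,)).fetchall()


def demo():
    """Run both forms against the same input and report what each does."""
    conn = _fresh_db()
    normal = find_page_safe(conn, "Home")
    # A title containing a quote is just an ordinary (non-matching) value here...
    quoted = find_page_safe(conn, "O'Brien")
    # ...but the same value breaks the SQL text of the unsafe query. Here that is
    # only a syntax error; in a web application it means attacker-controlled
    # input reaches the SQL parser, which is the root of the injections above.
    try:
        find_page_unsafe(conn, "O'Brien")
        unsafe_error = None
    except sqlite3.OperationalError as exc:
        unsafe_error = type(exc).__name__
    return normal, quoted, unsafe_error


if __name__ == "__main__":
    print(demo())
```

The parameterised form is the whole fix on the query side; pairing it with a database account that only has the rights the site actually needs (no UPDATE on content tables from the read path, for instance) limits what a remaining hole can write into pages.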

Thursday 13 March 2008

trendmicro.com compromised - sort of.

McAfee has flagged up another mass defacement on their blog here; various sites have been injected with a reference to hxxp:||www.2117966.net|fuckjp.js (I assume that you can undo the trivial obfuscation if you really, really want to look).

A Google search for 2117966 fuckjp.js shows over 9000 hits. Obviously you won't want to visit any of these infected sites, so take care.

However, one of the sites showing up is trendmicro.com (see screenshot). At the time of writing, the Trend Micro site has been cleaned up, and it looks as though the infection wouldn't have worked on that particular site. Nonetheless, it is always worrying when you see a security vendor site compromised in this way. This isn't the first time this has happened to this type of site - CA.com was infected back in January.

The Google cache gives away the infection (use wget, SamSpade or a non-Windows machine to examine the cache, never a full-blown browser on a Windows system).

This is the current (clean) version of www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_LINEAGE&VSect=St

The infected version (from the cache) shows the altered code:

A close look at the code shows that the injection has been borked somewhat and wouldn't actually work. However, there were potentially hundreds of infected pages, some of which may have been more successful in injecting malware.
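The advice above is to look at a saved copy of the cached page with wget rather than a browser. As an added example (not code from the post, nor a reproduction of the actual injected markup, which is only shown in the screenshots), here is the kind of offline check that spots such an injection in a saved HTML file: it parses the markup without executing anything and lists every script or iframe whose source points off-site, flagging hosts that are not on an allowlist. The sample HTML, the allowlist and the path `injected.js` are constructed for the example; only the domain 2117966.net comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a saved page copy (NOT the real Trend Micro page):
# one legitimate local script, one known partner iframe, and one injected
# script reference to the domain named in the post.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.2117966.net/injected.js"></script>
</head><body>
<iframe src="http://ads.example-partner.net/banner" width="1" height="1"></iframe>
<p>page content</p>
</body></html>"""


class SrcCollector(HTMLParser):
    """Collect the src attribute of every script and iframe tag, executing nothing."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def external_refs(html, own_host):
    """Return (tag, host, url) for each script/iframe src that points off-site.
    Relative URLs have no host and are treated as on-site."""
    parser = SrcCollector()
    parser.feed(html)
    found = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host and host.lower() != own_host.lower():
            found.append((tag, host.lower(), url))
    return found


def suspicious_refs(html, own_host, allowed_hosts):
    """Off-site script/iframe sources whose host is not on the allowlist:
    the shortlist to examine by hand (or to compare against a list of known
    bad domains such as the one in the post)."""
    allowed = {h.lower() for h in allowed_hosts}
    return [r for r in external_refs(html, own_host) if r[1] not in allowed]


if __name__ == "__main__":
    for tag, host, url in suspicious_refs(
        SAMPLE_HTML, "www.trendmicro.com", {"ads.example-partner.net"}
    ):
        print(f"suspicious <{tag}> pointing at {host}: {url}")
```

To use it on a real saved copy, read the file fetched with wget into a string and pass it in place of `SAMPLE_HTML`; the allowlist is whatever third-party hosts the site legitimately embeds, so anything left over is worth a look.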

The date of the Google cache is on or about 4th March, so a week ago.

2117966.net is on 125.46.105.224 in China. At the time of writing the site is down; however, the Google cache comes up with something funny for the front page:

Hacker humour?

Anyway, I have no particular axe to grind against Trend Micro; they have a decent set of products and are one of the more useful companies in the security arena. Again, it just goes to show that even trusted sites can be compromised.