Websense gave a heads up about yet another mass defacement, impacting a few high profile web sites. Just to make life difficult, they didn't specify the domain in use.. but it isn't exactly rocket science to find out that it is nihaorr1.com.
I'm going to make an assumption that if you're reading this blog, you're at least somewhat technically savvy. Don't visit any of these sites unless you know what you are doing.
Googling nihaorr1.com/1.js brings up several thousand matches. Surprisingly, an examination of www.nihaorr1.com/1.js shows that it is not obfuscated at all and points to www.nihaorr1.com/1.htm.. and that has all the exploits nicely laid out: MS07-055, MS07-033, MS07-018, MS07-004 and MS06-014. Also there are exploits for RealPlayer, Ajax, QQ Instant Messenger and some sort of Yahoo! product (probably Instant Messenger).
If your site has been compromised and you're looking for answers.. well, all I can tell you is that it will have been done through some sort of SQL Injection similar to this one.
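If you want to check whether your own pages (or a text dump of the database columns that feed them) have picked up the injected reference, here is an added check that is not from the original post: it pulls every script src out of a document and flags the ones pointing at the domain named above. The sample page is constructed, and nihaorr1.com is the only host taken from the post; any others you add to the set are your own.

```python
import re
from html import unescape

# Constructed sample page: one legitimate local script plus one injected
# reference of the kind this post describes (bare, unquoted src is common
# in injected tags).
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<title>Products</title></head>
<body><p>Widgets</p>
<script src=http://www.nihaorr1.com/1.js></script>
</body></html>"""

# Hosts to flag. nihaorr1.com comes from the post; extend with your own list.
SUSPECT_HOSTS = {"nihaorr1.com"}

# <script ... src=VALUE ...> with VALUE double-quoted, single-quoted or bare.
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))',
    re.IGNORECASE,
)


def external_script_srcs(html):
    """Return the src value of every <script> tag in document order."""
    srcs = []
    for m in SCRIPT_SRC.finditer(html):
        raw = next(g for g in m.groups() if g is not None)
        srcs.append(unescape(raw).strip())
    return srcs


def host_of(src):
    """Host part of an absolute or protocol-relative src; '' for local paths."""
    m = re.match(r'^(?:https?:)?//([^/:?#]+)', src, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_injected_scripts(html, suspect_hosts=SUSPECT_HOSTS):
    """Return src values whose host is a suspect host or a subdomain of one."""
    hits = []
    for src in external_script_srcs(html):
        h = host_of(src)
        if any(h == s or h.endswith("." + s) for s in suspect_hosts):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_HTML):
        print("injected script reference:", hit)
```

Run the same function over each row of a text-column export and any hit tells you which record the injection landed in.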
If you're supporting client PCs that are fully patched, you have a little less to worry about unless you have RealPlayer or Yahoo! IM installed. Perhaps it is a good time to consider banning these applications in any case, particularly RealPlayer which is a very common vector for attack.
Why do I say there's no such thing as a "safe" site? Well, among the compromised sites are the following:
www.redmondmag.com [Independent publication about Microsoft]
www.pocketpcmag.com [Smartphone & Pocket PC magazine]
www.careers.civil-service.gov.uk [UK Civil Service]
www.faststream.gov.uk [UK Civil Service]
www.safecanada.ca [Canadian National Security]
www.n-somerset.gov.uk [UK Local Government]
events.un.org [United Nations]
www.unicef.org.uk [UNICEF]
www.iphe.org.uk [Institute of Plumbing and Heating Engineering]
www.umc.org [United Methodist Church]
www.umita.org [United Methodist Information Technology Association]
www.simplyislam.co.uk [Islamic Information site]
www.rsa.org.uk [Royal Society for the Encouragement of Arts]
www.24.com [Sports]
www.oddbins.co.uk [Major UK wine retailer]
www.avx.com [Electronic components]
www.advantech.com [Computer components]
www.aeroflot.aero [Airline]
www.aeroflot.ru [Airline]
In other words, you can't rely on the site you are visiting to be safe.. so the onus is on the end user to make sure their PC is fully patched and as secure as possible.