
Thread: Major WWW server exploit by hackers

  1. #1
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536

    Major WWW server exploit by hackers

    http://www.broadbandreports.com/foru...4374~mode=flat

    The video: http://www.benedelman.org/spyware/security-111804.wmv
    From DSLR, by Eric Howes:

    Hi All:

    Some of you may have seen one of today's news stories about a stealth installation exploit that Ben Edelman wrote up and published on his web site:

    »www.benedelman.org/news/111804-1.html

    Included with Ben's write-up is an eye-opening video. Ben's web site is down at the moment, unfortunately -- too much traffic. Edit: see Ben's post below -- his site is back up.

    I thought you all might like some additional information about the exploit that Ben documented.

    This is a developing story and our information is still incomplete, so the information presented here may need to be revised in the light of new developments.

    It appears that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

    sp2bleeped.biz
    splitinfinity.info
    xpire.info

    Those pages use several security exploits to stealth install a variety of different software packages on users' PCs, all without any warning whatsoever. Several other domains are used in that installation/exploit process, including:

    69.50.168.147
    195.178.160.30
    213.159.117.133
    b00gle.info
    coolsearch.biz
    newiframe.biz
    pizdato.biz

    Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.

    The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed, as in Ben's test. The packages that we've seen installed via this exploit include:

    180solutions
    BlazeFind
    BookedSpace
    BullsEye Networks
    CashBack (Bargain Buddy)
    ClickSpring
    CoolWebSearch
    DyFuca
    Hoost
    IBIS Toolbar
    Internet Optimizer
    ISTbar
    Power Scan
    SideFind
    TIB Browser
    WebRebates (TopMoxie)
    WhenU (VVSN)
    Window AdControl
    WindUpdates
    YourSiteBar

    The screenshot included with this post comes from the video that Ben made, and it gives a sense for the great variety of junk that can be installed.

    We have started seeing evidence of this exploit in victims' HJT logs at several anti-spyware forums -- a few samples:

    »forums.spywareinfo.com/index.php?showt..
    »forums.spywareinfo.com/index.php?showt..
    »forums.spywareinfo.com/index.php?showt..
    »forums.spywareinfo.com/index.php?showt..
    »forums.spywareinfo.com/index.php?showt..
    »forums.spywareinfo.com/index.php?showt..
    »castlecops.com/postlite85832-sp2bleeped..
    »castlecops.com/postlite86439-sp2bleeped..
    »castlecops.com/postlite86459-sp2bleeped..
    »castlecops.com/postlite87626-sp2bleeped..
    »computercops.biz/postp364469.html
    »computercops.biz/postp364553.html
    »forums.tomcoyote.org/index.php?showtop..
    »forums.tomcoyote.org/index.php?showtop..
    »forums.tomcoyote.org/index.php?showtop..
    »forum.aumha.org/viewtopic.php?t=9340
    »www.trojaner-board.de/archive/index.ph..

    There have been a few other public discussion threads on the Net about this exploit. In particular, see:

    »www.gossamer-threads.com/lists/fulldis..
    »seclists.org/lists/fulldisclosure/2004..

    Wayne Porter has some interesting comments on this exploit:

    »www.revenews.com/wayneporter/archives/..

    I might add that I stumbled upon this because of a post by Andrew Clover (of doxdesk.com fame) in response to the Aluria/WhenU controversy:

    »www.aluriasoftware.com/forum/thread351..

    In closing, I should note that the latest updates for IE-SPYAD and AGNIS (released last night) include all of the key domains documented here.

    I'll be posting with more information as it becomes available.

    Best,

    Eric L. Howes
    Last edited by lynchknot; November 20th, 2004 at 18:36 PM.
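The post describes two places where this exploit leaves traces: the page a compromised server actually sends to the browser (with the injected "front door" to the listed domains) and the HijackThis logs of infected PCs. The following scanner is an added example and is not code from the thread, from Ben Edelman or from Eric Howes. It pulls every host name and IP address out of a served page or a log and flags the ones in the indicator list quoted above, and it diffs a served page against the copy on disk to surface whatever a server-side rootkit appended on the way out. The sample page, the hidden-iframe markup used as the injection and the HijackThis-style lines are all constructed; the post does not say what form the injected code takes, so the iframe is an assumption.

```python
"""Flag references to the exploit domains from Eric Howes' post.

Added example, not code from the thread. Works on text only: no network
access, so it can be run on a saved page or a pasted log.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator list copied from the post: front-door domains plus the hosts
# used during the install process.
IOC_HOSTS = {
    "sp2bleeped.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}

# Attributes that make a browser fetch another resource.
FETCH_ATTRS = {"src", "href", "data", "action", "codebase"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, url) for every fetching attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name and name.lower() in FETCH_ATTRS and value:
                self.refs.append((tag.lower(), name.lower(), value.strip()))


def host_of(url):
    """Lower-cased host of a URL or bare host name, or None for relative paths."""
    if "//" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    host = urlsplit(url).hostname
    return host.lower() if host else None


def matches_ioc(host):
    """True if host is an indicator or a subdomain of one."""
    if host is None:
        return False
    return host in IOC_HOSTS or any(host.endswith("." + ioc) for ioc in IOC_HOSTS)


def scan_html(html):
    """(tag, attr, url) for every reference in the page that points at an IOC host."""
    parser = _RefCollector()
    parser.feed(html)
    return [ref for ref in parser.refs if matches_ioc(host_of(ref[2]))]


# Host name or dotted-quad anywhere in free text (log lines, inline script).
# Deliberately loose: matches_ioc() does the real filtering.
_HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,}|(?:\d{1,3}\.){3}\d{1,3})\b")


def scan_text(text):
    """Sorted list of IOC hosts mentioned anywhere in a log or page source."""
    return sorted({m.group(1).lower() for m in _HOST_RE.finditer(text)
                   if matches_ioc(m.group(1).lower())})


def injected_fragments(served, on_disk):
    """Non-blank lines in the served page that do not exist in the file on disk.

    Cheap server-side check for the symptom the post describes: a rootkit that
    rewrites pages as they are served, so what the client receives no longer
    matches the file the web server should have sent.
    """
    disk_lines = set(on_disk.splitlines())
    return [ln for ln in served.splitlines() if ln.strip() and ln not in disk_lines]


# Constructed sample: the page as stored on the web server...
ON_DISK = """<html><head><title>Welcome</title></head>
<body><h1>Welcome</h1><a href="http://www.example.org/about.html">About</a>
<img src="/images/logo.gif"></body></html>"""

# ...and the same page as a compromised server delivered it. The hidden
# iframe is an assumed injection vector, not something the post states.
SERVED = """<html><head><title>Welcome</title></head>
<body><h1>Welcome</h1><a href="http://www.example.org/about.html">About</a>
<iframe src="http://sp2bleeped.biz/x.php" width="0" height="0"></iframe>
<img src="/images/logo.gif"></body></html>"""

# Constructed HijackThis-style lines, loosely modelled on HJT output.
HJT_LOG = """R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://coolsearch.biz/search
O4 - HKLM\\..\\Run: [updater] C:\\Program Files\\Updater\\upd.exe
O15 - Trusted Zone: 213.159.117.133
"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SERVED):
        print(f"injected reference: <{tag} {attr}={url!r}>")
    print("log hits:", scan_text(HJT_LOG))
    print("lines not on disk:", injected_fragments(SERVED, ON_DISK))
```

Run it against a page fetched with a plain HTTP client rather than a browser so nothing listed in the output is ever executed; the host-name matching includes subdomains, since a blocklist keyed on exact strings is trivially dodged by a `www.` prefix.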

  2. #2
    Precision Processor Super Moderator egghead's Avatar
    Join Date
    May 2002
    Location
    In Your Monitor
    Posts
    3,546
    wow! his computer is owned!

    did you see the popups and new icons on the desktop?

    like I always say "DO NOT SURF WITH INTERNET EXPLORER."

  3. #3
    Old and Cranky Super Moderator rik's Avatar
    Join Date
    Aug 2003
    Location
    Watching Your every move...
    Posts
    4,688
    Gotta love "CoolWebSearch".

  4. #4
    Titanium Member
    Join Date
    Jul 2002
    Location
    blk helo target, WA
    Posts
    3,536

  5. #5
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,852
    LK, is that process guard for Web servers or also for normal PCs??

    That video was a little shocking

    --- 0wN3D by 3gG ---

  6. #6
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    Cool, I didn't know they had updated PG - I'm off to get my update. Process Guard actually shows the loading of rootkits like hackerdefender - I don't think anything else does. You can download a limited version for free - it will only protect one process, but the interface will show all sorts of stuff happening on your PC that you would otherwise have no clue about. It is also handy for finding out the hidden command lines needed to run apps in different modes.

    If you are going to run it on a server, take care in configuration or you may stop the server while it waits for user input confirming patches are OK, scheduled tasks waiting to run, etc.
