Mass Website Hack Compromises 200,000 Sites

Posted by Zonk on Mon Mar 17, 2008 10:23 PM
from the that-is-a-lot-of-angry-pr0n-bots dept.
Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."

Related Stories

[+] 10,000-website Strong Malware Maze Created by Criminals 118 comments
Stony Stevenson passed us an ITnews article about the newest scam in online crime. Some 10,000 web pages have been rigged by IT-minded criminals, with the aim of hijacking unsuspecting PCs. The site reports that the users are redirected through a maze of malware, all with the goal of gaining access to personal user information. "The reprogrammed web pages are probably victims of an automated attack that included scanning the internet for unsecured servers and planting a piece of JavaScript code that redirects to a site in China to serve up the malware. The malware cocktail attempts to exploit vulnerabilities in Windows, RealPlayer and other applications to break into the PC. A back door also allows the subsequent installation of additional malicious programs. McAfee Avert Labs first spotted the attack on 12 March. 'Of the 10,000 pages that were compromised a number have already been cleaned up,' the firm stated."
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Monday March 17 2008, @10:31PM (#22779992)
    Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.

    Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

    This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.
    • by Hao Wu (652581) on Monday March 17 2008, @10:42PM (#22780066) Homepage

      This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.

      Oh they'll have an answer for that -- just buy McAfee's "protection".

      Remember - your Mac is spreading viruses, even if it's not infected... Be ashamed!

    • Re: (Score:2, Informative)

      by Anonymous Coward

      For a properly maintained phpBB site, this isn't that big of a deal. As a maintainer for a site which uses phpBB, I can tell you that I have seen this attempted for months. I believe phpBB is mentioned directly because it seems there are programs which allow individuals to create forum accounts and post messages using an automated script. The scripts post messages to visit a (usually) pornographic site. Once you connect you are presented with a page with a display which mimics YouTube.com, however a pop

    • Yeah... way to Godwin that up a bit.
    • Re: (Score:3, Insightful)

      While I agree that the synopsis leaves something to be desired, inserting political diatribe equally lacking in factual detail does not improve the situation. I'm not sure who you're trying to score points on that cares but can we stick to the topic at hand or is that just too much to ask?
    • Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

      I always thought the news were to report news, and that the knowledge itself was stored somewhere else.

      I'd like to report another case then. Last week I read news about a new book, and the book was not printed in the papers. Actually, the news didn't even tell me where to buy the book.

      • Come on, this guy was right. The phpBB vulnerability has nothing to do with 9/11, and certainly nothing to do with blaming the government for 9/11.

        Do you want more posts that start like this, "This reminds me of George Bush's environmental policy..."

        Moderation is supposed to stop that sort of thing. Instead he's +5.

  • by jnelson4765 (845296) on Monday March 17 2008, @10:32PM (#22779998) Journal
    We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.

    Am I completely off-base here?
    • Re: (Score:3, Insightful)

      It's targeted because it is so popular. All of the attacks that are publicized are on boards using outdated software. When more details come out, I'll bet that every single board will be several versions out of date.
      • by enoz (1181117) on Monday March 17 2008, @11:26PM (#22780244)
        It's targeted because it is/was popular and has/had serious exploits. [wikipedia.org]

        I do not believe anyone really knows what market share the various forums have, but it is generally believed that the most popular are Simple Machines, phpBB, vBulletin, and Invision Power Board (in no particular order).

        I cannot believe that phpBB has so many successful attacks simply because it has a large installation base, otherwise these other forum softwares would also be suffering the same fate.
    • by Dan East (318230) on Monday March 17 2008, @10:38PM (#22780030) Homepage
      It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.
      • by Tablizer (95088) on Monday March 17 2008, @10:40PM (#22780050) Homepage Journal
        It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

        Perhaps they should rename it to PenguinBB so that hackers ignore it. Better yet, EmacsBB (or does it already have one builtin?)
      • by mcrbids (148650) on Tuesday March 18 2008, @01:36AM (#22780698) Journal
        It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

        Except that popularity != exploitability. Many people think that software is like a safe - if you grind at it long enough, eventually it'll open. Software isn't like that. You can grind at software forever and it won't change anything unless you actually find a vulnerability - a case not handled by the software.

        For example, MySQL is much more popular online than Microsoft SQL. Yet MS-SQL gave rise to the slammer worm [google.com] while the vastly-more-commonly-installed MySQL has not ever been infected by anything anywhere near the same magnitude. (Yes, there have been a few. They didn't get very far)

        The formula is NOT:
        Popularity = Exploited.

        It's more like
        Popularity * Bad Design = Exploited.

        And even bad software can eventually be cleaned up. Sendmail used to be a security nightmare. But despite its position as the #1 mail server software on the Internet, it's been quite a few years since any serious vulns were exploited.
  • why this happens (Score:5, Interesting)

    by ILuvRamen (1026668) on Monday March 17 2008, @10:35PM (#22780020)
    My old phpBB forum got hacked. Wanna know why? Cuz I used the auto-installing plugin that my host provided. It was about 20 versions behind and they NEVER updated it. So it had a gaping security hole in it. And guess what else! I couldn't patch it because it was considered some sort of embedded plugin that I couldn't touch the system files of. I had to install a fresh, updated version of phpBB and then copy the database over AND alter the database manually to reflect all the changes between versions, which was a major pain in the ass. Needless to say I was pissed. Oh and I tried to sue/have arrested those Zone-H assholes that posted it like it was some sort of trophy case but apparently they're not hosted in the US so I dropped it. I would be willing to guess that every single hack was because of outdated phpBB quick installs like ipowerweb makes available on their servers.
    • Ah well, you get what you pay for!

      Then again, I just had to fix my vista machine from the endless reboot of death. ^ ^
    • I've never been comfortable with those auto-installers and cpanel tools and now I have good reason to dislike them. Did you have an option to upload and install your own scripts/CGIs? I'm using a host with SSH access. Sure it costs a bit more but the extra level of control is worth every penny.
    • It is worthwhile to find a host that allows you a reasonable amount of control over your website.
    • by snarfies (115214) on Tuesday March 18 2008, @07:16AM (#22781752) Homepage
      You tried to sue/arrest Zone-H? What are you, an idiot? THEY didn't hack your insecure website. They just reported on it. I suppose you'd also sue the local newspaper if they ran a story on your hacked website.
  • Well, (Score:5, Funny)

    by Tablizer (95088) on Monday March 17 2008, @10:38PM (#22780032) Homepage Journal
    It's a good thing slashdot is immu PENI5 PILLS FREE WITH DISCOUNT MORT6A6ES! PENISFREE@OFFER.COM NOW!

  • by rhinokitty (962485) on Monday March 17 2008, @10:41PM (#22780054)
    Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."
  • by Detritus (11846) on Monday March 17 2008, @11:45PM (#22780340) Homepage
    200,000 web pages is not the same thing as 200,000 web sites.
  • Pages, not sites (Score:5, Informative)

    by Dan East (318230) on Monday March 17 2008, @11:46PM (#22780350) Homepage
    The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.

    According to this video [avertlabs.com], the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of sites could be accounting for all the 200k pages.

    Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.
    • According to this video, the pages are being inserted via SQL injection attacks.

      When this news broke last night (my local time), my heart skipped a beat because one of my phpBB instances isn't totally up to date, so I did a quick bit of research to see if I could fill in the massive blanks left by this report. Yes, it does look like an SQL injection attack: the attack appends a SCRIPT tag to the forum's main title, which is inserted into various locations on every page from a database field. Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers. I suspect that the search in question is a Google "intitle:" search which keys off the domain name of the site carrying the exploit code, since this becomes a visible part of the title.

      I have no idea exactly how the SQL injection is being effected, but my phpBB forum was not impacted. This may be because my version is not too old, because I lack a vulnerable add-on module, or because my custom anti-bot mechanisms deflected the attack. I couldn't see anything in the past few days of log activity which contained key strings used in the exploit, but I didn't search very hard once I determined that my instance was unaffected.
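The check this reply describes (a SCRIPT tag appended to the stored forum title and re-emitted on every page) can be automated against a database dump or a crawled page. The following is an added example, not code from the thread or from the phpBB project; it assumes the title is read from phpBB's `phpbb_config` table under `config_name = 'sitename'`, and every host name and sample row in it is constructed rather than a real indicator.

```python
"""Check a phpBB installation for a <script> tag injected into its stored site title.

Added example, not code from the thread or from phpBB. Assumptions: the forum
title is stored in phpBB's config table (default name `phpbb_config`) under
config_name = 'sitename'; every host name and sample row below is constructed.
"""
import re
from urllib.parse import urlparse

# Any <script> or <iframe> start tag; its attributes are captured for src extraction.
TAG_RE = re.compile(r"<\s*(script|iframe)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# The <title> element. The injection leaves malformed HTML behind, so the scan
# also stops at </head> in case </title> never arrives.
TITLE_RE = re.compile(r"<title\b[^>]*>(.*?)(?:</title>|</head>)",
                      re.IGNORECASE | re.DOTALL)


def injected_tag_hosts(text):
    """Return the hosts referenced by <script>/<iframe> tags found in `text`.

    A site title or any other config value never legitimately contains such a
    tag, so every hit is a finding. A tag with no src (inline script) is
    reported under the pseudo-host 'inline'.
    """
    hosts = set()
    for m in TAG_RE.finditer(text):
        src = SRC_RE.search(m.group(2))
        if src is None:
            hosts.add("inline")
        else:
            hosts.add(urlparse(src.group(1)).hostname or src.group(1))
    return hosts


def check_config_rows(rows):
    """Scan (config_name, config_value) pairs as returned by
    SELECT config_name, config_value FROM phpbb_config
    and return {config_name: hosts} for every value carrying an injected tag."""
    findings = {}
    for name, value in rows:
        hosts = injected_tag_hosts(value)
        if hosts:
            findings[name] = hosts
    return findings


def page_title_hosts(html):
    """Scan the raw <title> contents of a rendered page (the other place the
    commenter saw the injected tag surface)."""
    m = TITLE_RE.search(html)
    return injected_tag_hosts(m.group(1)) if m else set()


# Constructed sample data: one clean forum and one whose title was tampered with.
CLEAN_ROWS = [("sitename", "Example Forum"), ("site_desc", "A forum for examples")]
INFECTED_ROWS = [
    ("sitename", 'Example Forum<script src="http://malicious-host.example/x.js"></script>'),
    ("site_desc", "A forum for examples"),
]
INFECTED_PAGE = (
    '<html><head><title>Example Forum<script src="http://malicious-host.example/x.js">'
    "</script> :: Index</title></head><body></body></html>"
)

if __name__ == "__main__":
    print(check_config_rows(CLEAN_ROWS))     # {}
    print(check_config_rows(INFECTED_ROWS))  # {'sitename': {'malicious-host.example'}}
    print(page_title_hosts(INFECTED_PAGE))   # {'malicious-host.example'}
```

A hit from `check_config_rows` means the database itself was altered, so cleaning is a matter of restoring the stored value and then upgrading the forum, as several replies in this thread recommend; scanning the rendered title with `page_title_hosts` is the quick check for a site you do not have database access to.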

  • I'm running phpBB (Score:5, Interesting)

    by HangingChad (677530) on Monday March 17 2008, @11:46PM (#22780352) Homepage

    But I've made some modifications to my install. I replaced the registration and profile pages with a web form that posts to an Email parser. There was a lot of activity the last few days, spam registrations out the yang.

    It's funny because to them it looks like the registration page and they keep running scripts against it. I block the IP ranges of the spam registrations at the boundary but they just keep block hopping.

    They'll still get a script reg through sometimes, so there's something I'm missing. I could just install the security updates but it's so much more fun to try and tweak it myself.

  • by ponraul (1233704) on Monday March 17 2008, @11:50PM (#22780372)
    And nothing of value was lost.
    • Re: (Score:3, Informative)

      Actually, that's not quite true: my brother's website was abused like this, which resulted in Google referrals warning that "this site contains malicious software". His company ranking was Number 1 in every Google search for his type of service. It's proving very expensive for him.
    • Except some innocence.
  • The attack probably targeted phpBB2. Get the latest phpBB version which at this moment is 3.0.0.
  • This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? That sort of behavior ain't cool. In fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.
    • Re: (Score:3, Insightful)

      Obviously they think they are making more money this way. I for one am happily running Firefox with NoScript. That makes me feel safe.
    • if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune

      No offense, but this isn't 1337. This is a script kiddie attack.

      Now, if someone with real "1337" skills did an attack, we would only find out years after the fact, if ever, and they would have gotten away with a fair sum of cash too.
  • Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of successful large-scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!

    Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.
  • The twist (Score:5, Funny)

    by Thanshin (1188877) on Tuesday March 18 2008, @02:58AM (#22780892)
    And then, you read the top of the report and discover that all this is old news, that you've been only reading spam for the last two years.

    For a second, you think that humanity may not be the mass of morons you thought. That patching the bug will let you access the real, intelligent, acute comments of human forums.

    Then, as the patch starts to work, you see those comments; the beauty of human forums brings a tear to your eye. As you start posting, you feel unable to write, your keyboard doesn't seem to work.

    You then understand you were just another spam generator, and the patch is killing you.

    Fade to black.
  • Looking through my 404 logs I get a bunch of kiddie auto scripts either looking to BB spam or hack in, here are some items which I figure are popular entry routes:

    ///include/print_category.php
    /forum/index.php
    /bbs/include/print_category.php
    /functions.php
    /board/index.php
    /forums/index.php
    /phpbb2/index.php
    //calendar//tools/send_reminders.php
    //skin/zero_vote/error.php (lots of these)
    /skin/zero_vote/ask_password.php
    //support/mailling/maillist/inc/initdb.php (a few of these)
    /function.main
    /comments.php
    /MSOffice/cltreq.asp
    /cgi-bin/bbs/read.cgi
    //include/write.php
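As an added example (not part of the post above), here is a small Python filter that flags requests for those paths in an Apache/nginx combined-format access log and groups them by client address. The probe list is the commenter's, with the doubled slashes normalised; the log lines and addresses are constructed samples, and the format assumption is the standard combined log format.

```python
"""Flag access-log requests that probe for known forum/CMS entry points.

Added example, not part of the Slashdot post. Assumes the Apache/nginx
"combined" log format; the probe paths are the ones listed in the post, and
the log lines and client addresses below are constructed samples.
"""
import re
from collections import defaultdict

# Paths from the commenter's 404 logs, with repeated slashes collapsed.
PROBE_PATHS = {
    "/include/print_category.php", "/forum/index.php",
    "/bbs/include/print_category.php", "/functions.php", "/board/index.php",
    "/forums/index.php", "/phpbb2/index.php",
    "/calendar/tools/send_reminders.php", "/skin/zero_vote/error.php",
    "/skin/zero_vote/ask_password.php",
    "/support/mailling/maillist/inc/initdb.php", "/function.main",
    "/comments.php", "/MSOffice/cltreq.asp", "/cgi-bin/bbs/read.cgi",
    "/include/write.php",
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def normalise_path(path):
    """Drop the query string and collapse repeated slashes, so that
    '//skin//zero_vote/error.php?x=1' compares equal to the list above."""
    path = path.split("?", 1)[0]
    return re.sub(r"/+", "/", path)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not
    match the format (continuation lines, truncated writes, etc.)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = normalise_path(rec["path"])
    return rec


def find_probes(lines):
    """Return {client_ip: [(path, status), ...]} for requests to probe paths.

    404s (the path is absent, as in the commenter's logs) and 200s are both
    reported: a 200 means the script actually exists on this server and the
    request deserves a closer look, not less attention.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in PROBE_PATHS:
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    return dict(hits)


# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2008:03:12:44 +0000] "GET ///include/print_category.php?id=1 HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [18/Mar/2008:03:12:45 +0000] "GET //skin/zero_vote/error.php HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.23 - - [18/Mar/2008:03:15:02 +0000] "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Mar/2008:03:16:10 +0000] "GET /phpbb2/index.php HTTP/1.0" 200 4410 "-" "libwww-perl/5.805"
"""

if __name__ == "__main__":
    for ip, reqs in find_probes(SAMPLE_LOG.splitlines()).items():
        print(ip, reqs)
```

Feeding a real log through `find_probes` gives a per-address list that can drive the boundary blocking another commenter describes, and the 200 entries are the ones to review first, since they show which of the probed scripts are actually installed.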
    • Re: (Score:2, Interesting)

      Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.
      • Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.

        Which is why you're supposed to upgrade. The article is incredibly short and doesn't specify, but I'd be willing to bet the exploit was one that has already been patched/revealed.

        At least with this attack the computer savvy not running NoScript or the like will be able to avoid getting hit with the payload. And now, time to check to make sure my ASP pages haven't been attacked...

        • Re: (Score:3, Insightful)

          No, that's why you're not supposed to use software which is so full of holes that the only way to keep it safe is to continuously upgrade as the problems are discovered one after another.
    • Re: (Score:2, Interesting)

      For the longest time phpBB did not even have the option to force users to authenticate their email address, let alone use any captcha on the registration page. For this reason many existing phpBB forums are flooded with fake accounts, and possibly these were used in order to post the links or malware.
      • by McFadden (809368) on Tuesday March 18 2008, @12:40AM (#22780542) Homepage
        From another site I read regularly, a forum member posted the following (the link was recently taken down, but I checked it at the time and it's absolutely true):

        Some years ago I registered www.confuse.me.uk with some intention of doing something or other with it. Part of that was going to be a forum which I set up, then never had time to do anything more with it.

        I took a look today and I have 14,140 members, 8,358 threads and 22,914 posts and each and every one of them is spam. Spammers replying to spambots replying to spammers.
    • Re: (Score:3, Insightful)

      by Anonymous Coward
      yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.
    • Re: (Score:2, Informative)

      Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend to ram to work. It's to most intensive purposes "turned off". Takes 7 seconds (at most) to go to sleep and a few seconds wake up and I never have a problem.
    • Buy a cheap $40 home router box.
    • by Tarwn (458323) on Tuesday March 18 2008, @05:47AM (#22781356) Homepage
      Ok, what?

      First, I'm not sure if you're talking ASP or ASP.Net, but either way the vast majority of your comment can be shortened to:
      There are lots of PHP packages out there. People think they are safe because they are not MS. PHP packages should be re-written in ASP. PHP breaks due to updates but ASP updates better, therefore ASP is a better choice. PHP isn't inherently insecure, it's the packages.

      Your entire statement boils down to this logic:
      1) There are a lot of insecure Packages in PHP
      3) It's not an insecurity in PHP, it's an insecurity in the packages
      2) ASP updates better than PHP

      You're comparing apples (ASP) to oranges (PHP Packages). I have no experience of how well or poorly the security of packages in PHP performs against the security of packages in ASP.Net; we would have to pick a large pool of them to find out. And just because Windows Update makes updates available for ASP.Net does not mean that people actually are that willing to reboot their web farms for every update that appears. You're saying the problem is bad coding and that ASP solves it; I would beg to differ.

      And here is my anecdotal comment:
      I have answered thousands of ASP questions (ASP used to be my primary web 'language') as well as written/re-written many sites and over time I have seen a lot of site examples and snippets that would leave a page wide open or in a position to break on regular occasions (or just plain didn't work). On the other hand I have worked with several PHP packages that were solidly put together and worked against a range of PHP versions. PHP must be better because I haven't personally seen anywhere near as many errors in coding as I have in ASP. None of the first several thousand ASP posts would work at all against the next version of the language (ASP 3 => ASP.Net) and needed to be rewritten from scratch, but most or all of the packages I used with PHP 4 worked just fine with PHP 5.