2M New Websites a Year Compromised To Serve Malware

Posted by kdawson on Fri Jan 25, 2008 10:33 AM
from the wave-upon-wave dept.
SkiifGeek writes "Sophos claims that they are detecting 6,000 new sites daily that have been compromised to serve malware to unsuspecting site visitors, with 80% of site owners not aware that they have been compromised — though this figure is probably on the low side. With increasingly vocal arguments being put forward by security experts criticizing the performance and capability of site validation tools (though many of these experts offer their own tools and services for similar capabilities), and rising levels of blended attacks, perhaps it is time you reviewed the security of your site and what might be hiding in infrequently used directories."

  • How to Check a LAMP Server? (Score:4, Interesting)

    by MankyD (567984) on Friday January 25, @10:39AM (#22181118) Homepage
    Every time I read about a new form of server malware, I try to check a LAMP server that I run. So far I've come up clean but I've hardly done a full inspection. Anyone know of a good way to scan a setup? Sophos says that they are detecting thousands of new sites - how are they scanning them?
    • Re:How to Check a LAMP Server? (Score:5, Informative)

      by Smidge204 (605297) on Friday January 25, @10:52AM (#22181260)
      I thought about this myself. One possible solution that I considered would be to maintain a local list of files on your server and their CRC/Hash values. A script on the server would scan all the files and output a similar list that you could then check against your local copy and would quickly identify any new or changed files. This could be set to a cron job to do periodic scans or just initiate a manual scan whenever.

      Might not be the best solution but it should be easy to implement. Larger sites can do incremental scans. It would be harder to detect corruption of databases, though, unless you know what to look for or have a concrete way of validating the contents.
      =Smidge=
      [ Parent ]
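      An added example (not code from the thread) of the hash-baseline check Smidge204 describes: build a list of file hashes once, keep it off the server, and diff a fresh scan against it. The docroot contents and the tampering in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large uploads need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map every regular file under the docroot to its hash (symlinks skipped)."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline

def compare(baseline, current):
    """Return sorted (added, removed, changed) relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed

def save_baseline(baseline, path):
    """Store the baseline as JSON; keep this copy off the web server, as the post suggests."""
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))

def demo():
    """Constructed docroot: baseline it, tamper with it, report the drift."""
    root = Path(tempfile.mkdtemp())
    (root / "img").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "img" / "logo.gif").write_bytes(b"GIF89a")
    baseline = build_baseline(root)
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- appended -->")  # modified
    (root / "img" / "x.php").write_text("<?php ?>")  # new script in an asset directory
    (root / "img" / "logo.gif").unlink()              # deleted
    return compare(baseline, build_baseline(root))

if __name__ == "__main__":
    print(demo())
```

      Run the scan from cron and mail the three lists; an unexpected .php file under an image directory is exactly the kind of "new or changed file" the post wants flagged.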
      • Re: (Score:2, Informative)

        For this, you'd want to use something like Tripwire or AIDE. It's been used for years, and will detect changes to files.

        You're right that it won't help you detect that somebody has managed to insert a chunk of javascript or PHP in your insecure mySQL/PHP w
      • Re: (Score:2, Informative)

        I thought about this myself. One possible solution that I considered would be to maintain a local list of files on your server and their CRC/Hash values. A script on the server would scan all the files and output a similar list than you could then check ag
      • Re: (Score:2)

        what you would have to do is set up a script to take a local mirror of the website that has every authorized file, in it authorized form with their appropriate hashes and compare it to what is on the website via FTP and report any additions, deletions or c
      • Radmind (Score:2, Informative)

        Radmind: http://radmind.org/ [radmind.org]. Radmind is designed for this purpose exactly. It's a tripwire with the ability to roll back changes, or capture them and store them for deployment to other systems.
    • You first need a file integrity checker. AFICK (my favorite) or similar will do a run, on whatever period of time you set a cronjob and conf file at. You then get an email to you listing what files have changed over that period of time.

      Also, keep an eye

    • In addition to the other tools mentioned by /.ers, there are 2 root-kit checking tools that are worth mentioning:
      - chkrootkit [chkrootkit.org]
      - rkhunter [rootkit.nl]

      They are scripts that scan the system for known root kits, weird behaviours and hidden files in unusual places.
      They can
      • Re: (Score:3, Informative)

        OK I know I'm feeding the trolls but you know you can choose to NOT see certain authors' stories under Preferences->Homepage, right?
      • Re: (Score:2)

        Sophos is a private company. They don't have a stock price that needs raising.
  • But I thought all these sites were validated and certified and IP indemnified, else what was the point of paying huge wads of dosh to all the lawyers, oh wait, now I get it .. :)
  • Hmm, time to improve the common tools (Score:4, Interesting)

    by davidwr (791652) on Friday January 25, @10:43AM (#22181160) Homepage Journal
    Perhaps the time has come to harden the "common stacks" so certain switches are off.

    For example, once you set up your web site, "lock it" so if there are any changes to files or directories that shouldn't change, the site will break in a non-harmful way rather than be compromised.

    If and when these files need updating, the "unlock" process should be done using a tool independent of the main web-server process, perhaps by using a different web-server process running on a different port or even a process on a different computer that validates the request then passes it on to the main web server.
    • Re: (Score:2)

      For example, once you set up your web site, "lock it" so if there are any changes to files or directories that shouldn't change, the site will break in a non-harmful way rather than be compromised.

      If it's not supposed to change at all, just issue chattr +i on it to make it immutable. Then it won't change, even w/ system root permissions. Just remember to unset the flag any time that you do want to change something ("chattr -i").

      /P

        • Re: (Score:2)

          Err, you do realize I wrote "If it's not going to change" up there, right?

          chattr is not meant to be any sort of cure-all - far from it. But for files (and even directories) in the chroot jail that don't change very often (if at all), like logo images, ce

  • virtualized rootkits (Score:3, Interesting)

    by Speare (84249) on Friday January 25, @10:50AM (#22181252) Homepage
    Okay, say someone's site is served by an ISP. The ISP gives the site owner a shell account and manages the LAMP infrastructure. The shell account is likely a virtualized instance, meant to limit the damage that each little site can do to the hosted infrastructure, not to limit the damage that the host does to little sites or their visitors. How can the site owner "check their own site" in such a case? Virtualization itself is a sort of rootkit conceptually, so how can the virtualized account check for malicious rootkits in its own instance or in the greater infrastructure?
  • Completely useless. (Score:4, Insightful)

    by Lumpy (12016) on Friday January 25, @10:53AM (#22181276) Homepage
    Until they release the fricking list of IP addresses or Domain names.

    I would love to put that list in my squid blocking file to protect my users.

    • Re: (Score:2)

      That would be a dumb move. If it was IP addresses then once an IP address was re-assigned to a good host you still wouldn't see their website. You have no way of removing IP addresses from your list.

      If it was domain names the same problem would apply b
  • by oni (41625) on Friday January 25, @11:02AM (#22181410) Homepage
    If I run FF and keep it patched, am I safe? If I did get compromised, what would the symptoms be?

    I tend to think that keeping my OS patched keeps me pretty safe, but there's always a delay after a new vulnerability is discovered before the patches come out (the zero day) and what concerns me is that if someone has a very large network of compromised web servers, they can roll out a zero day vulnerability to all of them and do a lot of damage.

    As to symptoms, I think spyware used to be the big problem, and infected computers would have popups and such. But now I think that infected machines will be used primarily to send spam. Is that correct?
  • What I wanna know is ... (Score:3, Interesting)

    by jc42 (318812) <{jc1742} {at} {gmail.com}> on Friday January 25, @11:34AM (#22181798) Homepage Journal
    When do we get a FOSS runtime library for using this valuable public resource?

    Imagine all the useful things we could do for the world if we all had access to this distributed computing power.
    • Re: (Score:2)

      Shush, I'm trying to put together a business model based on that idea. Don't go blabbing it everywhere! ;-p
      • Re: (Score:2)

        I'm trying to put together a business model based on that idea.

        Well, I think you might be a bit late with that. ;-)

        But think of the good things that could be done with a free and open implementation.

        OTOH, it's been more than 25 years since the first true d
  • Yes... (Score:3, Interesting)

    by SigmundFloyd (994648) on Friday January 25, @12:00PM (#22182126)

    Sophos claims that they are detecting 6,000 new sites daily that have been compromised to serve malware
    ...but do they run Linux?
  • Somebody should warn 3M that they are next. I'm sure they would want to prepare. Ok, sorry I'll get my coat.
  • Vendor FUD or Real? (Score:4, Interesting)

    by a-zarkon! (1030790) on Friday January 25, @01:46PM (#22183860)
    I for one would like some description of how they're detecting these 6000 new sites per day. Also, what are they considering a website? Do they include bot systems that are configured to listen on port 80 as part of the worm propagation and command/control? That's not really a website in my opinion, but it may be in theirs. It would be great if they published a list of the 42000 new websites they have discovered over the past 7 days, you know just to back up their claim. Wouldn't hurt to notify the owners of those sites that they've got a problem.

    Absent more detail, I am calling shenanigans on this statistic, Sophos, and the Register. I am soooo sick of the FUD.

    Harumph!