Mass Website Hack Compromises 200,000 Sites 153
Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."
Please be more forthcoming (Score:5, Insightful)
Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.
Good news for us, I guess... (Score:4, Insightful)
Am I completely off-base here?
Re:Good news for us, I guess... (Score:3, Insightful)
Re:Good news for us, I guess... (Score:5, Insightful)
Why is it always porn? (Score:3, Insightful)
Re:Please be more forthcoming (Score:5, Insightful)
Oh they'll have an answer for that -- just buy McAfee's "protection".
Remember- your Mac is spreading viruses, even if it's not infected.... Be ashamed!
Re:Good news for us, I guess... (Score:4, Insightful)
I do not believe anyone really knows what market share the various forums have, but it is generally believed that the most popular are Simple Machines, phpBB, vBulletin, and Invision Power Board (in no particular order).
I cannot believe that phpBB has so many successful attacks simply because it has a large installation base, otherwise these other forum softwares would also be suffering the same fate.
Language is a Virus (Score:5, Insightful)
Re:how to detect (Score:3, Insightful)
But most people don't know better... (Score:1, Insightful)
The problem here is most of the people using this software has limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.
These packages are not only presented as free and easy, but safe because they are built on non-MS technologies, which is where the anti-MS FUD actually hurts the Web and consumers.
In contrast, if these projects were built on ASP for pre-processing instead of PHP, they wouldn't break with each security update as often happens in PHP land, and unlike PHP, ASP stays updated and has proven to be highly secure. The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.
I am hoping that MS's interest in help PHP to play nice with Windows 2008 IIS even better, that as MS is able to quality check PHP code used through IIS, that MS's automation security investments will pay back to even the PHP world, as potential security risks would be something that is now also in Microsoft's interest to publish back to the PHP group.
I know this isn't saying PHP is inherently insecure, we are talking about phpBB and similar products, but if they can get into a cycle of consistent security minded models and staying current with PHP updates without having to worry about applications breaking it will make a big difference.
Developing for PHP and/or working with pre-built PHP applicaitons, I have watched developers spend the majority of their time working around bugs in the applications or in PHP itself. Where an ASP developer there are very few known problems that have to be coded around and they also don't have the hours of ensuring version matching to make the application work like you end up doing with PHP pre-built apps.
This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates.
ppl r stoop1d. (Score:2, Insightful)
Re:ppl r stoop1d. (Score:3, Insightful)
Re:Good news for us, I guess... (Score:-1, Insightful)
This argument comes up time and again, and its false logic. Windows is easy to attack, its that simple. The amount of installs of any OS counts, but its a very very small part of the equation.
Re:Please be more forthcoming (Score:3, Insightful)
Re:Good news for us, I guess... (Score:5, Insightful)
Except that popularity != exploitability. Many people think that software is like a safe - if you grind at it long enough, eventually it'll open. Software isn't like that. You can grind at software forever and it won't change anything unless you actually find a vulnerability - a case not handled by the software.
For example, MySQL is much more popular online than Microsoft SQL. Yet MS-SQL gave rise to the slammer worm [google.com] while the vastly-more-commonly-installed MySQL has not ever been infected by anything anywhere near the same magnitude. (Yes, there have been a few. They didn't get very far)
The formula is NOT:
Popularity = Exploited.
It's more like
Popularity * Bad Design = Exploited.
And even bad software can eventually be cleaned up. Sendmail used to be a security nightmare. But despite its position as the #1 mail server software on the Internet, it's been quite a few years since any serious vulns were exploited.
Making Open Source a harder sell (Score:4, Insightful)
Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.
Comment removed (Score:2, Insightful)
no javascripts....no problem (Score:-1, Insightful)
Re:punBB (Score:3, Insightful)
Re:why this happens (Score:4, Insightful)