Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Mass Website Hack Compromises 200,000 Sites

Zonk posted more than 6 years ago | from the that-is-a-lot-of-angry-pr0n-bots dept.

The Internet 153

Stony Stevenson writes "Hot on the heels of a recent hack in which 10,000 sites were compromised, researchers have disclosed a new large-scale attack. Researchers at McAfee estimated that the attack has been active for roughly one week, and in that time frame has managed to place itself on roughly 200,000 web pages. Most of the infected pages are running the phpBB forum software, said McAfee. The compromised pages are embedded with a Javascript file that links to the site hosting the attack."

cancel ×

153 comments

Sorry! There are no comments related to the filter you selected.

punBB (0)

Anonymous Coward | more than 6 years ago | (#22779974)

And this is why I have never, and will never recommend phpBB to anyone.
punBB > invision > * > phpBB

Re:punBB (2, Interesting)

boost1 (1035958) | more than 6 years ago | (#22779986)

Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.

Re:punBB (1)

snl2587 (1177409) | more than 6 years ago | (#22780194)

Yeah, I installed it way back in the days and forgot it was on my website. I have now gotten several emails from my domain host stating attacks on it using an exploit in phpBB.

Which is why you're supposed to upgrade. The article is incredibly short and doesn't specify, but I'd be willing to bet the exploit was one that has already been patched/revealed.

At least with this attack the computer savvy not running NoScript or the like will be able to avoid getting hit with the payload. And now, time to check to make sure my ASP pages haven't been attacked...

Re:punBB (1)

professional_troll (1178701) | more than 6 years ago | (#22780006)

Apparently Goatse got was one of them... oh wait HACKED!
Nevermind

Please be more forthcoming (5, Insightful)

BadAnalogyGuy (945258) | more than 6 years ago | (#22779992)

Back in the later months of 2001 we experienced a gradual realization that there was something quite amiss about our government's response to terrorist threats which resulted in the disaster of September of that year. It turns out that not only did we know that there would be a terrorist attack, but we had credible leads indicating who and how it would be carried out. But the lack of information sharing led to disaster.

Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.

This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.

Re:Please be more forthcoming (4, Insightful)

Hao Wu (652581) | more than 6 years ago | (#22780066)

This article and its lack of content does as much to spread fear and chaos among computer users as the actual attack. These are technical problems which can be fixed. By not being clear about the threat, the article turns hackers into bogeymen that can't be stopped. Give some better info, tell us how to close the hole, and let us get back to work.

Oh they'll have an answer for that -- just buy McAfee's "protection".

Remember- your Mac is spreading viruses, even if it's not infected.... Be ashamed!

Re:Please be more forthcoming (0, Offtopic)

RuBLed (995686) | more than 6 years ago | (#22780088)

Hi mods. Even though the parent is just living his nickname, this is not offtopic.. it's insightful IMHO, sure you could overrate it but it doesn't matter now since I'm already sacrificing a kitten because you made me post this...

Re:Please be more forthcoming (2, Funny)

whitehatlurker (867714) | more than 6 years ago | (#22780108)

Parent post says it's already sacrificing a kitten [wikipedia.org]

Ewww. Too much information.

Re:Please be more forthcoming (0)

Anonymous Coward | more than 6 years ago | (#22781154)

Waay off-topic, barely disguised political speech. Oh, like you didn't notice.

Please mod political crap down (-1, Offtopic)

dgarbett (833374) | more than 6 years ago | (#22780188)

Will someone mod this political crap down please?

Re:Please mod political crap down (1)

el americano (799629) | more than 6 years ago | (#22780766)

Come on, this guy was right. the phpBB vulnerability has nothing to do with 9/11, and certainly nothing to do with blaming the government for 9/11.

Do you want more posts that start like this, "This reminds me of George Bush's environmental policy..."

Moderation is supposed to stop that sort of thing. Instead he's +5.

Internet-connection license? (0)

mi (197448) | more than 6 years ago | (#22780230)

How about this plan: anybody, who wishes to maintain an Internet-reachable computer, needs to be licensed (or hire someone, who is). I mean, we require licenses and/or permits to alter plumbing in a house or to add a porch — aren't botnets [usatoday.com] more threatening to the country, than an improperly placed pipe here and there?

Since most attacks originate from abroad, we could relax the rule by applying it only to those, who wish to be reachable from outside US (rather than be automatically firewalled by their ISP)...

Licensing requirements would include familiarity with firewalls, computers and network security...

To be sure, I'd hate having to go through this, but having to deal with a botnet-running extortionist is, likely, even worse... Or not? What do you think?

Re:Internet-connection license? (0)

Anonymous Coward | more than 6 years ago | (#22780286)

You forgot about the DNA samples and the Iris scans... Connected to a database that can be accessed by every and each trooper that pulls you over...

Re:Internet-connection license? (1)

CustomDesigned (250089) | more than 6 years ago | (#22780288)

If that happens, certifications will likely be available for commercial OSes only - e.g. M$, Solaris, Novell, Redhat, OSX.

Re:Internet-connection license? (4, Informative)

SL Baur (19540) | more than 6 years ago | (#22780820)

How about this plan: anybody, who wishes to maintain an Internet-reachable computer, needs to be licensed
Let's just not go there, O.K.? There isn't anyone I would trust as a licensing body and when you bring in the inevitable licsensing fees ... er, let's just not go there.

Re:Internet-connection license? (1, Funny)

Anonymous Coward | more than 6 years ago | (#22780852)

I know it's not quite the same thing, but here goes...

Your post advocates a

( ) technical (X) legislative ( ) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
(X) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
(X) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
(X) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
(X) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
(X) Joe jobs and/or identity theft
(X) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

(X) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!

Re:Internet-connection license? (1)

Homer's Donuts (838704) | more than 6 years ago | (#22781680)

And Ham Radio operators should know Morse Code. .-.. --- .-..

I can't believe this crap is +5 insighfull (1)

dgarbett (833374) | more than 6 years ago | (#22780268)

It's just the usual Joe-Sixpack conspiracy theory crap.

No conspiracy theory there, sorry (0)

Anonymous Coward | more than 6 years ago | (#22780472)

He's just referring to the Presidential Daily Briefing from August 6th, 2001. It's pretty well known.

Re:Please be more forthcoming (-1, Flamebait)

moderatorrater (1095745) | more than 6 years ago | (#22780318)

Anyone, and I mean anyone, who uses phpBB deserves to be shot. The most likely explanation is that it was an sql injection attack, which would explain why phpBB was the most commonly hit software but there were other compromised apps. The security's always been lax with that software, and if people haven't patched since installing it's going to be worse.

Re:Please be more forthcoming (2, Informative)

Hynee (774168) | more than 6 years ago | (#22781032)

That's bullshit, phpBB was hit ~2-3 years ago with the self propogating worm Santy, which exploited a bug in a PHP function (unserialize IIRC). phpBB was essentially a victim--the bug was in PHP itself, and phpBB is a widely deployed open source BB, and the developers had removed all usage of the compromised function after the bug was disclosed and before the Santy worm hit. (Site owners who failed to upgrade were hit, a large percentage.)

I haven't heard of any glaring security issues with phpBB before or since, excluding the odd SEC fix. phpBB isn't vulnerable to SQL injection tricks.

Re:Please be more forthcoming (2, Informative)

Anonymous Coward | more than 6 years ago | (#22780356)

For a properly maintained phpBB site, this isn't that big of a deal. As a maintainer for a site which uses phpBB, I can tell you that I have seen this attempted for months. I believe phpBB is mentioned directly because it seems there are programs which allow individuals to create forum accounts and post messages using an automated script. The scripts post messages to visit a (usually) pornographic site. Once you connect you are presented with a page with a display which mimics YouTube.com, however a pop-up is displayed saying you cannot play the video script without the proper video codec, and offers to allow you to download the codec from the site (usually codec.exe). Once you download and open the program, you are infected.

When I first started seeing this happen several months ago, I started experimenting with the security settings of the phpBB program. Enabling the captcha, and requiring administrative account activation. Since no one can create an account without my permission, this problem disappeared on my forum. This isn't practical with all forums, YMMV.

Re:Please be more forthcoming (1)

glwtta (532858) | more than 6 years ago | (#22780428)

Yeah... way to Godwin that up a bit.

Re:Please be more forthcoming (1, Funny)

Anonymous Coward | more than 6 years ago | (#22780478)

Please run for president so I can vote for you.

Re:Please be more forthcoming (2, Insightful)

Loopy (41728) | more than 6 years ago | (#22780586)

While I agree that the synopsis leaves something to be desired, inserting political diatribe equally lacking in factual detail does not improve the situation. I'm not sure who you're trying to score points on that cares but can we stick to the topic at hand or is that just too much to ask?

Re:Please be more forthcoming (0)

Anonymous Coward | more than 6 years ago | (#22780632)

Pointing out that government agencies had communication problems != political diatribe

http://www.brookings.edu/testimony/2003/1208terrorism_thompson.aspx [brookings.edu]

As for the GP's post, I think it's fitting, all things considered.

Re:Please be more forthcoming (1)

Thanshin (1188877) | more than 6 years ago | (#22780728)

Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
 
I always thought the news were to report news, and that the knowledge itself was stored somewhere else.

I'd like to report another case then. Last week I read news about a new book, and the book was not printed in the papers. Actually, the news didn't even tell me where to buy the book.

Re:Please be more forthcoming (2, Informative)

Anonymous Coward | more than 6 years ago | (#22780952)

Here too, we have a threat which is already running wild. Thousands of websites are being attacked. Unfortunately, this article, like many which abound in the security theatre online media, is long on consequences and short on details. Someone knows how the attack spreads, but they aren't sharing the means of stopping the attack.
We know exactly how it spreads: php. Don't get me wrong, php is a good language as of 5.x. However, to write something in it that's not simple to exploit you actually have to know what you're doing, which is not the case the for majority of php developers. Look at the majority of php code out there, it's no surprise at all why it's so security plagued: the developers simply have no clue and php doesn't protect you. Hell, even many tutorials out there have security exploits in them.

If you absolutely have to run a third party php script, do not under any circumstance run it without both the Suhosin [hardened-php.net] patch and the Suhosin module. Running ModSecurity [modsecurity.org] on top of that is also a good idea.

Always treat third party php code as hostile.

Re:Please be more forthcoming (1)

LiquidCoooled (634315) | more than 6 years ago | (#22781602)


Always treat third party code as hostile.


There, fixed it for you :)

Re:Please be more forthcoming (1)

cyberguyd (50420) | more than 6 years ago | (#22781528)

My gaming clan's website has been the target of spammed hacks that are posted to the forums which have a posting with a link in the posting pointing to a download described in this article. Is this something similar which we fixed by having multiple response to questions requiring a response by a human as well as the standard graphic picture with text to be entered. These postings stopped. Now the article is not very clear as to how it occurs. Does it rewrite the phpBB code running the forums itself? Is it an embedded active script that runs when you view the forum? If so how is the loophole closed.

how to detect (0)

Anonymous Coward | more than 6 years ago | (#22779994)

tell me please

Re:how to detect (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22780342)

yes, I was wondering the same. suppose one had a site with phpbb installed and wanted to check if their site was one of those compromised. how would one go about that? tfa doesn't mention. it seems somehow half-assed to publish that several tens of thousands of sites have been compromised, yet not provide any useful information regarding detection, cleaning and prevention.

Good news for us, I guess... (3, Insightful)

jnelson4765 (845296) | more than 6 years ago | (#22779998)

We don't run phpBB. Is it just me, or is phpBB almost always the target of these kinds of attacks? I mean, there are probably hundreds of CMS systems out there, but almost every mass site hijacking/defacement I can remember has involved phpBB.

Am I completely off-base here?

Re:Good news for us, I guess... (3, Insightful)

Phantombrain (964010) | more than 6 years ago | (#22780022)

It's targeted because it is so popular. All of the attacks that are publicized are on boards using outdated software. When more details come out, I'll bet that every single board will be several versions out of date.

Re:Good news for us, I guess... (4, Insightful)

enoz (1181117) | more than 6 years ago | (#22780244)

It's targeted because it is/was popular and has/had serious exploits. [wikipedia.org]

I do not believe anyone really knows what market share the various forums have, but it is generally believed that the most popular are Simple Machines, phpBB, vBulletin, and Invision Power Board (in no particular order).

I cannot believe that phpBB has so many successful attacks simply because it has a large installation base, otherwise these other forum softwares would also be suffering the same fate.

Re:Good news for us, I guess... (4, Insightful)

Dan East (318230) | more than 6 years ago | (#22780030)

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

Re:Good news for us, I guess... (5, Funny)

Tablizer (95088) | more than 6 years ago | (#22780050)

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

Perhaps they should rename it to PenguinBB so that hackers ignore it. Better yet, EmacsBB (or does it already have one builtin?)
   

Re:Good news for us, I guess... (1)

WWWWolf (2428) | more than 6 years ago | (#22781108)

Better yet, EmacsBB (or does it already have one builtin?)

It sure has [gnus.org] ! Though only a client, not an actual message board server. Which shouldn't be too difficult to implement, of course, if one were inclined.

Re:Good news for us, I guess... (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22780570)

Bull.

This argument comes up time and again, and its false logic. Windows is easy to attack, its that simple. The amount of installs of any OS counts, but its a very very small part of the equation.

Re:Good news for us, I guess... (5, Insightful)

mcrbids (148650) | more than 6 years ago | (#22780698)

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.

Except that popularity != exploitability. Many people think that software is like a safe - if you grind at it long enough, eventually it'll open. Software isn't like that. You can grind at software forever and it won't change anything unless you actually find a vulnerability - a case not handled by the software.

For example, MySQL is much more popular online than Microsoft SQL. Yet MS-SQL gave rise to the slammer worm [google.com] while the vastly-more-commonly-installed MySQL has not ever been infected by anything anywhere near the same magnitude. (Yes, there have been a few. They didn't get very far)

The formula is NOT:
Popularity = Exploited.

It's more like
Popularity * Bad Design = Exploited.

And even bad software can eventually be cleaned up. Sendmail used to be a security nightmare. But despite its position as the #1 mail server software on the Internet, it's been quite a few years since any serious vulns were exploited.

Re:Good news for us, I guess... (2, Informative)

ncryptd (1172815) | more than 6 years ago | (#22781146)

It's the same reason hackers devote so much time exploiting Windows - more bang for your buck. phpBB is everywhere.
It's not so much that as it is the fact that phpBB 1.x/2.x have a appalling number of security flaws. It's wildly insecure, so much so that there's actually a mod (crackertracker) designed to help harden installations against the inevitable attacks.

I'd be willing to bet that most of the phpBB installs were 1.x/2.x -- the phpBB team actually paid for an audit of the 3.x line, and so far it seems to be much more secure code.

Re:Good news for us, I guess... (1)

Tony Hoyle (11698) | more than 6 years ago | (#22781486)

The problem with phpBB is it's so damned hard to upgrade. There's no plugin architecture - 'plugins' are done by hand-modifying the code (and the changes aren't even sent as diffs, they're instructions that must be hand applied).

Because of this even a minor upgrade is about a days work whilst everything is re-applied and retested. It's hell if you have any custom themes - because you have to basically recreate it from scratch because again the themes are hooked into the core code and themes for one version don't work with another.

My wife has a heavily modified phpBB for example, it's somewhere in the early 2.x cycle I think. She doesn't even remember the names of half the changes, and some of them are custom mods. Upgrading simply isn't an option for her, because it would basically mean scrapping her forum and starting again.

Re:Good news for us, I guess... (1)

Zedrick (764028) | more than 6 years ago | (#22780896)

In my experience (I work for a large webhost), osCommerce and Joomla/Mambo (and most of their stupid useless 3rd party components) are far worse than phpBB. The biggest problem for (old versions of) phpBB is that it's an easy target for spambots.

Re:Good news for us, I guess... (1)

Antique Geekmeister (740220) | more than 6 years ago | (#22780950)

I hadn't noticed such concentration of phpBB as a target,but there are numerous popular web packages that make no attempt to properly manage security. Even Bugzilla, with its setup tools and database passwords in plain site inside the directories with the Bugzilla software itself and accessible on a casually installed Apache server, treats security as a tacked-on afterghought. Subversion is no better, with its quiet practice of storing your passwords for HTTP, HTTPS, or svnserve access in plain-text in the user's home directory.

This kind os behavior is far, far too common in the open source world, so I'm unsurprised that phpBB got caught this way.

why this happens (5, Interesting)

ILuvRamen (1026668) | more than 6 years ago | (#22780020)

My old phpBB forum got hacked. Wanna know why? Cuz I used the auto-installing plugin that my host provided. It was about 20 versions behind and they NEVER updated it. So it had a gaping security hole in it. And guess what else! I couldn't patch it because it was considered some sort of embedded plugin that I couldn't tocuh the system files of. I had to install a fresh, updated version and phpBB and then copy the database over AND alter the database manually to reflect all the changes between between versions, which was a major pain in the ass. Needless to say I was pissed. Oh and I tried to sue/have arrested those Zone-H assholes that posted it like it was some sort of trophy case but apparently they're not hosted in the US so I dropped it. I would be willing to guess that every single hack was because of outdated phpBB quick installs like ipowerweb makes available on their servers.

Re:why this happens (1)

ILuvRamen (1026668) | more than 6 years ago | (#22780034)

oh, I should probably mention instead of implying that it was like a year ago, not in this attack

Re:why this happens (1)

Zebra_X (13249) | more than 6 years ago | (#22780080)

Ah well, you get what you pay for!

Then again, I just had to fix my vista machine from the endless reboot of death. ^ ^

Re:why this happens (1)

kylehase (982334) | more than 6 years ago | (#22780254)

I've never been comfortable with those auto-installers and cpanel tools and now I have good reason to dislike them. Did you have an option to upload and install your own scripts/CGIs? I'm using a host with SSH access. Sure it costs a bit more but the extra level of control is worth every penny.

Re:why this happens (1)

Killshot (724273) | more than 6 years ago | (#22780672)

it is worthwhile to find a host that allows you reasonable amount of control over your website.

Well, (5, Funny)

Tablizer (95088) | more than 6 years ago | (#22780032)

It's a good think slashdot is immu PENI5 PILLS FREE WITH DISCOUNT MORT6A6ES! PENISFREE@OFFER.COM NOW!

Re:Well, (2, Funny)

XnavxeMiyyep (782119) | more than 6 years ago | (#22780190)

Pen fifteen? What's that?

Re:Well, (2, Funny)

glwtta (532858) | more than 6 years ago | (#22780422)

Pen fifteen? What's that?

Must be a special offer from Pen Island.

Why is it always porn? (4, Insightful)

rhinokitty (962485) | more than 6 years ago | (#22780054)

Does a light bulb dim in the minds of some computer users at the prospect of free pornography? It is the easiest thing in the world to get free porn online, why is installing something on your computer from a porn website all of a sudden appealing when a pop up window seduces you into it? I have a new term for this, it is called getting "FreePwned."

Re:Why is it always porn? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22780104)

Please tell us more about this whole free porn thing that you mentioned.

Re:Why is it always porn? (1)

Sterrance (1257342) | more than 6 years ago | (#22780162)

Very true, I imagine (or atleast hope) that if a normal person saw such a thing as free porn, they'd get rid of it immediately. This hack though can have a devastating effect though if done right. Imagine trying to see a Youtube Video someone posted on your forum only to find you need to upgrade Flash... and then discover that "upgrade" was a trojan. Thank god hackers (and nerds in general) are total pervs.

A lesson - Clean your User Input! (0)

Anonymous Coward | more than 6 years ago | (#22780074)

JavaScript is naughty. All HTML / non-BB code / *anything else* should be run through PHP's filter extension.

'social engineering' (1)

sneakyimp (1161443) | more than 6 years ago | (#22780114)

I read both those articles and got the impression that the attack was 'social engineering' meaning that phpBB's only role was to allow someone to post a URL to a site which actually hacked the stupid victims. There is no specific mention of any exploit.

There *is* a mention of an exploit on ASP machines.

Re:'social engineering' (2, Interesting)

enoz (1181117) | more than 6 years ago | (#22780300)

For the longest time phpBB did not even have the option to force users to authenticate their email address let alone use any captcha on the registration page. For this reason many existing phpBB forums are flooded with fake accounts, and possible these were used in order to post the links or malware.

Re:'social engineering' (5, Funny)

McFadden (809368) | more than 6 years ago | (#22780542)

From another site I read regularly, a forum member posted the following (the link was recently taken down, but I checked it at the time and it's absolutely true):

Some years ago I registered www.confuse.me.uk with some intention of doing something or other with it. Part of that was going to be a forum which I set up, then never had time to do anything more with it.

I took a look today and I have 14,140 members, 8,358 threads and 22,914 posts and each and everyone one of them is spam. Spammers replying to spambots replying to spammers.

Re:'social engineering' - site down-Google mirror (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22780942)

Confused.me.uk is now down however looking at the Google mirror [64.233.183.104] (taken 03-03-2008 08:40 PM) - we can see that this guy wasn't kidding!!!!!

Registered Members: 14333
Total Threads: 8729 | Total Posts: 23375
Welcome to our newest member, RatRulkyPaurl

There are currently 0 members and 3 guests on the boards. | Most users ever online was 558 on 06-28-2007 at 08:05 PM.

Happy belated birthday fdaaproved, newrings, skinonlin!!!!

Re:'social engineering' (1)

RockMFR (1022315) | more than 6 years ago | (#22780336)

Sounds like it was just some (persistent) XSS hole in phpBB that allowed the attackers to post javascript. The social engineering would come in later, obviously.

Not really an exploit? (1)

Schlopper (413780) | more than 6 years ago | (#22780178)

From the article:

"Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering"

I'm a little confused here - how can it be "social engineering" when the javascript required to create the porn/codec popup had to be inserted somehow?

Re:Not really an exploit? (1, Informative)

Anonymous Coward | more than 6 years ago | (#22780292)

It sounds like the page is actually altered, but the user must agree to install the 'codec'. So phpBB is a drive-by infection, but the end-user does not get a hidden automatic drive-by malware installation.

Uh So Like... (1)

iminplaya (723125) | more than 6 years ago | (#22780200)

This IS Slashdot, right? Or have I been posting to the NSA all this time?

Hi mom!

This is not the NSA. (0, Troll)

jd (1658) | more than 6 years ago | (#22780242)

There is no NSA. The NSA does not exist. They are not run by CmdrTaco as they do not exist to be run. There are no Macra! (Sorry, wrong series.)

NARC!!! (1)

BadAnalogyGuy (945258) | more than 6 years ago | (#22780514)

Don't, like, trust anyone with a UID shorter than 6 digits, man...

Language is a Virus (5, Insightful)

Detritus (11846) | more than 6 years ago | (#22780340)

200,000 web pages is not the same thing as 200,000 web sites.

Turn off computer or modem when not using (-1)

LM741N (258038) | more than 6 years ago | (#22780346)

My brother emailed the link about the attack and asked me what he should do. At first I thought that turning off the computer when its not in use would be a good idea, but then Windows takes a long time to reboot. If you have a cable modem, just unplug the power jack. You could also unplug the ethernet cable from the net, but those connectors tend to break over time. Perhaps some company makes an on/off Internet switch. If not, someone should.

Re:Turn off computer or modem when not using (2, Informative)

Mortimer82 (746766) | more than 6 years ago | (#22780410)

Tell him to set up power saving correctly. Although my computer needs to stay connected to the mains for suspend to ram to work. It's to most intensive purposes "turned off". Takes 7 seconds (at most) to go to sleep and a few seconds wake up and I never have a problem.

Re:Turn off computer or modem when not using (1)

nacturation (646836) | more than 6 years ago | (#22780722)

It's to most intensive purposes "turned off". How about for purposes which are a bit less intensive?
 

Re:Turn off computer or modem when not using (1)

EnglishSteve (834757) | more than 6 years ago | (#22780468)

My Cable Modem (Motorola Sb5101) has an "Internet Standby" button on it - apparently, when you press it, it prevents any data transfer in or out but keeps the modem itself connected to the provider etc.

At least I think that's what it does - I've never actually used it, as the cable modem is outside my hardware firewall anyway.

Re:Turn off computer or modem when not using (1)

kitsunewarlock (971818) | more than 6 years ago | (#22780522)

You can disable the connection to the internet in your modem's driver options (or ethernet port's driver's options...) or your computer's network settings. Leaving a link to the settings on your desktop ensures you won't forget to turn it back on when you come back to your computer after going out to do whatever the hell anyone would do without a computer (buy a new moniter?).

Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect. But I'm sure there's something you can do during that time (boot up your MP3 player...etc...).

Re:Turn off computer or modem when not using (1)

Stanislav_J (947290) | more than 6 years ago | (#22781522)

Mind you it does take all of 20 seconds to have your network grab you an IP address...verify your computer...and finally connect.

20 seconds?!? Who's got that kind of time? I'll be old by then!

Re:Turn off computer or modem when not using (1)

gbobeck (926553) | more than 6 years ago | (#22780564)

Buy a cheap $40 home router box.

Re:Turn off computer or modem when not using (1)

fyrewulff (702920) | more than 6 years ago | (#22780618)

Most if not all cable modems have a standby button on it to literally "turn off the internet".

It's usually located on the top, if it's a Motorola.

Re:Turn off computer or modem when not using (0)

Anonymous Coward | more than 6 years ago | (#22780644)

Or turn off your network interface using the magic of network configuration commands.

Pages, not sites (5, Informative)

Dan East (318230) | more than 6 years ago | (#22780350)

The title (which appears to be the only part the submitter actually "authored") is incorrect and conflicts with the text it quotes. An estimated 200,000 pages (most likely individual posts in phpBB forums) are out there, not sites.

According to this video [avertlabs.com] , the pages are being inserted via SQL injection attacks. The 200k pages is based on a google search (he does not reveal what criteria he is searching for) which came back with 150k hits. So it is not clear how many actual sites are compromised. One could assume that once a phpBB site is compromised, every page of every thread, which is analogous to individual web pages, would redirect to the worm download site. A popular forum could easily have several thousand thread-pages. In fact, every single page would probably be redirecting, which would include each user's summary page (which would be in the thousands for even a small site). So a small number of cites could be accounting for all the 200k pages.

Also, in the video it is clear from the url that it is a phpBB2 site that is compromised. phpBB is currently at a major version of 3.

The attack modifies the forum title (4, Interesting)

The Famous Brett Wat (12688) | more than 6 years ago | (#22780640)

According to this video, the pages are being inserted via SQL injection attacks.

When this news broke last night (my local time), my heart skipped a beat because one of my phpBB instances isn't totally up to date, so I did a quick bit of research to see if I could fill in the massive blanks left by this report. Yes, it does look like an SQL injection attack: the attack appends a SCRIPT tag to the forum's main title, which is inserted into various locations on every page from a database field. Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers. I suspect that the search in question is a Google "intitle:" search which keys off the domain name of the site carrying the exploit code, since this becomes a visible part of the title.

I have no idea exactly how the SQL injection is being effected, but my phpBB forum was not impacted. This may be because my version is not too old, because I lack a vulnerable add-on module, or because my custom anti-bot mechanisms deflected the attack. I couldn't see anything in the past few days of log activity which contained key strings used in the exploit, but I didn't search very hard once I determined that my instance was unaffected.

Re:The attack modifies the forum title (1)

Ed Avis (5917) | more than 6 years ago | (#22781492)

Due to one thing and another this results in some hideously malformed HTML, but it has the desired effect (of executing the Javascript) in the major browsers.
How many vulnerabilities would be eliminated if web applications (a) produced valid HTML and (b) validated each page of output before sending it to the browser?

If you think that's too slow, then the validation could be done asynchronously and if a script starts generating invalid pages then it could be temporarily disabled while the administrator investigates.

I'm running phpBB (5, Interesting)

HangingChad (677530) | more than 6 years ago | (#22780352)

But I've made some modifications to my install. I replaced the registration and profile pages with a web form that posts to an Email parser. There was a lot of activity the last few days, spam registrations out the yang.

It's funny because to them it looks like the registration page and they keep running scripts against it. I block the IP ranges of the spam registrations at the boundary but they just keep block hopping.

They'll still get a script reg through sometimes, so there's something I'm missing. I could just install the security updates but it's so much more fun to try and tweak it myself.

Re:I'm running phpBB (2)

aXi (6533) | more than 6 years ago | (#22780416)

You probably never heard of botnets. Or dhcp.

Re:I'm running phpBB (1, Insightful)

pandrijeczko (588093) | more than 6 years ago | (#22780962)

Or girlfriend.

200,000 Sites Hacked (4, Funny)

ponraul (1233704) | more than 6 years ago | (#22780372)

And nothing of value was lost.

Re:200,000 Sites Hacked (3, Informative)

CrossChris (806549) | more than 6 years ago | (#22780660)

Actually, that's not quite true: my brother's website was abused like this, which resulted in Google referrals warning that "this site contains malicious software". His company ranking was Number 1 in every Google search for his type of service. It's proving very expensive for him.

Re:200,000 Sites Hacked (0)

Anonymous Coward | more than 6 years ago | (#22781674)

Uh huh.

I noticed that you didn't actually -mention- this super-popular page's name, what it was about, a link or any other information except for that "my brother is so cool."

I'm guessing you made this post just to get your karma up a few points, didn't you?

Re:200,000 Sites Hacked (1)

owlstead (636356) | more than 6 years ago | (#22780834)

Except some innocence.

Upgrade to phpBB3 (1)

DraconPern (521756) | more than 6 years ago | (#22780476)

The attack probably targeted phpBB2. Get the latest phpBB version which at this moment is 3.0.0.

Re:Upgrade to phpBB3 (1)

DJRikki (646184) | more than 6 years ago | (#22781114)

Or dont! Give phpBB3 at least until June (6 months from release) to be fully tested in the wild as you would with any major system upgrade. I remember the "fun" had upgrading from 1.4.4 to 2.0.0 back a few years ago. Lessons learned. However, worth noting phpBB2 had an upgrade issued only a month ago up to version 2.0.23 - maybe they knew something ?

Re:Upgrade to phpBB3 (0)

Anonymous Coward | more than 6 years ago | (#22781344)

PHPBB3 has been in RC stage for near on a year. I've been using it on a fairly high traffic site for at least six months. I could argue it's more stable, more secure, but that still doesn't take into account the people admining the forums. If you're going to have major issues upgrading to a new version, you're probably also going to have issues properly securing your forums.

But most people don't know better... (1, Insightful)

TheNetAvenger (624455) | more than 6 years ago | (#22780488)

Most of us can say phpBB or even the 1000s of php based 'pre-packaged' web sites out there are disasters waiting to happen. Either being poorly coded, not keeping up to date with the latest patches or able to use the current secure versions of PHP, etc.

The problem here is most of the people using this software has limited HTML/Web programming skills and find these as easy solutions to what they want, a site for their MMO Clan, their band, etc.

These packages are not only presented as free and easy, but safe because they are built on non-MS technologies, which is where the anti-MS FUD actually hurts the Web and consumers.

In contrast, if these projects were built on ASP for pre-processing instead of PHP, they wouldn't break with each security update as often happens in PHP land, and unlike PHP, ASP stays updated and has proven to be highly secure. The kicker with mainstream ASP is it requires an IIS server and Windows server is not always cheap or the cheapest hosting solution for these same users.

I am hoping that MS's interest in help PHP to play nice with Windows 2008 IIS even better, that as MS is able to quality check PHP code used through IIS, that MS's automation security investments will pay back to even the PHP world, as potential security risks would be something that is now also in Microsoft's interest to publish back to the PHP group.

I know this isn't saying PHP is inherently insecure, we are talking about phpBB and similar products, but if they can get into a cycle of consistent security minded models and staying current with PHP updates without having to worry about applications breaking it will make a big difference.

Developing for PHP and/or working with pre-built PHP applicaitons, I have watched developers spend the majority of their time working around bugs in the applications or in PHP itself. Where an ASP developer there are very few known problems that have to be coded around and they also don't have the hours of ensuring version matching to make the application work like you end up doing with PHP pre-built apps.

This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates.

Re:But most people don't know better... (1)

DJRikki (646184) | more than 6 years ago | (#22781140)

"This is one area where ASP gets a nod, as keeping the versions up to date is seamless, and applications and sites designed around ASP simply don't break even with the most massive updates." Ahem... "This contrasts [Thursday's] attack in that the vast majority of those were active server pages (.ASP)," explained McAfee researcher Craig Schmugar on a company blog posting." From - http://www.itnews.com.au/News/72214,second-mass-hack-exposed.aspx [itnews.com.au]

Re:But most people don't know better... (0)

Anonymous Coward | more than 6 years ago | (#22781298)

unlike PHP, ASP stays updated and has proven to be highly secure

[citation needed]

Re:But most people don't know better... (3, Informative)

Tarwn (458323) | more than 6 years ago | (#22781356)

Ok, what?

First, I'm not sure if your talking ASP or ASP.Net, but either way the vast majority of your comment can be shortened to:
There are lots of PHP packages out there. People think they are safe because they are not MS. PHP packages should be re-written in ASP. PHP breaks due to updates but ASP updates better, therefore ASP is a better choice. PHP isn't inherently insecure, it's the packages.

Your entire statement boils down to this logic:
1) There are a lot of insecure Packages in PHP
3) It's not an insecurity in PHP, it's an insecurity in the packages
2) ASP updates better than PHP

Your comparing apples (ASP) to oranges (PHP Packages). I have no experience how well or poorly the security of packages in PHP perform against the security of packages in ASP.Net, we would have to pick a large pool of them to find out. And just because Windows Updates makes updates available for ASP.Net does not mean that people actually are that willing to reboot their web farms for every update that appears. Your saying the problem is bad coding and that ASP solves it, I would beg to differ.

And here is my anecdotal comment:
I have answered thousands of ASP questions (ASP used to be my primary web 'language') as well as written/re-written many sites and over time I have seen a lot of site examples and snippets that would leave a page wide open or in a position to break on regular occasions (or just plain didn't work). On the other hand I have worked with several PHP packages that were solidly put together and worked against a range of PHP versions. PHP must be better because I haven't personally seen anywhere near as many errors in coding as I have in ASP. None of the first several thousand ASP posts would work at all against the next version of the language (ASP 3 => ASP.Net) and needed to be rewritten from scratch, but most or all of the packages I used with PHP 4 worked just fine with PHP 5.

ppl r stoop1d. (2, Insightful)

rice_burners_suck (243660) | more than 6 years ago | (#22780516)

This is the kind of thing that really upsets me. I mean, if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune, instead of using them to fsck up other peoples' websites? that sort of behavior ain't cool. in fact, it's decidedly uncool and people who act that way should be banished to a big island for criminals, like Australia.

Re:ppl r stoop1d. (2, Insightful)

rolfc (842110) | more than 6 years ago | (#22780544)

Obviously they think they are making more money this way. I for one is happily running Firefox with Noscript. That makes me feel safe.

Re:ppl r stoop1d. (1)

gbobeck (926553) | more than 6 years ago | (#22780580)

if someone has the 1337z sk1llz to do this sort of thing, why aren't they using those skills to make a fortune

No offense, but this isn't 1337. This is a script kiddie attack.

Now, if someone with real "1337" skills did an attack, we would only find out years after the fact, if ever, and they would have gotten away with a fair sum of cash too.

Making Open Source a harder sell (3, Insightful)

QuantumFTL (197300) | more than 6 years ago | (#22780748)

Granted PHPBB was hacked because it's poorly written and these sites were likely not kept up to date, but... these kinds of success large scale attacks really don't do much to show how much more secure open source software is - even very popular FOSS like this!

Yeah yeah, I know I'll be marked as troll/flamebait or whatever... but I don't see any upmodded discussion of this, it's a serious issue, if only for the perception it fosters in the industry.

Re:Making Open Source a harder sell (1)

ncryptd (1172815) | more than 6 years ago | (#22781162)

Yeah, it's OSS, but it's crap. There are quite a few open-source boards that are written with security in mind -- but up until the 3.x branch of phpBB, security was hardly even an afterthought. Same thing with Wordpress. Just because it's popular open source software doesn't mean it's indicative of the level of quality found throughout all open source projects.

The twist (5, Funny)

Thanshin (1188877) | more than 6 years ago | (#22780892)

And then, you read the top of the report and discover that all this is old news, that you've been only reading spam for the last two years.

For a second, you think that humanity may not be the mass of morons you thought. That patching the bug will let you access the real, intelligent, acute comments of human forums.

Then, as the patch starts to work, you see those comments; the beauty of human forums brings a tear to your eye. As you start posting, you feel unable to write, your keyboard doesn't seem to work.

You then understand you were just another spam generator, and the patch is killing you.

Fade to black.

no javascripts....no problem (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22781468)

Firefox and NoScript. Never surf the web w/o them.
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>