Is Aminet OK/infected?

[WotTheFook]

We do know about it, I've been researching it all evening.

AmiBay and ClassicAmiga have both been hit with the same script exploit attack that hit Aminet.

It has only been partially effective and the root access, FTP and e-mail have not been compromised. A config file has been corrupted and there is a URL redirect to an ibiz.cc site in place, however, this is only affecting the home page. You should block this ibiz.cc redirect if it comes up on your machine.

If a Java icon appears in your Systray, you should kill it immediately, as this is part of the exploit that is attempting to download malware to your machine.

We hope to have this repaired by tomorrow morning. We backed up the site early this morning and once we have checked the backup config files, we can get the site fully functional again.

In the interim, you can access via any other AmiBay page except the home page. A Google link that isn't the home page will let you access the site, but please ensure that your anti-virus and malware protection is up to date.

WotTheFook aka Merlin

[Piru]

We do know about it, I've been researching it all evening.

Did you manage to find out how the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.

The timing of these issues makes me think of the recent PHP-CGI remote command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

[LoadWB]

Did you manage to find out how the initial exploitation vector was? That's the most important thing to figure out. If the hole isn't fixed properly you might just get pwned again.

The timing of these issues makes me think of the recent mod_cgi PHP command injection vuln:
http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

I was discussing this earlier today with a colleague.  Why run PHP as a CGI under *nix rather than a compiled so or compiled into the httpd?  On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.

[Piru]

I was discussing this earlier today with a colleague.  Why run PHP as a CGI under *nix rather than a compiled so or compiled into the httpd?  On Windows I can see it (FastCGI,) but on a *nix machine I just don't see an advantage.

Whatever the reasons are, there are likely tens of thousands of hosts around with the vulnerable setup and the vulnerability is exploited actively. I expect to see very active scanning for these in the httpd logs.

[Duce]

This is not something just hitting our little crater of the world, but a widespread problem on the internet as a whole.  The below gives a rough overview of how widespread it is:

http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit

Classic SQL injection.  In this day and age, there's no reason to not be running up to date, modern virus and malware protection, especially on a Windows machine.

Unless you absolutely need Java, uninstall it.

[Piru]

This is not something just hitting our little crater of the world, but a widespread problem on the internet as a whole.  The below gives a rough overview of how widespread it is:

http://www.avgthreatlabs.com/webthreats/info/blackhole-exploit-kit

Classic SQL injection.  In this day and age, there's no reason to not be running up to date, modern virus and malware protection, especially on a Windows machine.

Unless you absolutely need Java, uninstall it.

SQL injection? Really? I'd find that somewhat surprising.

[Duce]

Unsure about the exact terms of what happened to Aminet, but Blackhole is being spread by such methods (SQL, PHP).

http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

[Piru]

Unsure about the exact terms of what happened to Aminet, but Blackhole is being spread by such methods (SQL, PHP).

http://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Well that article does explain many parts related to the kit itself, like for example that it itself is PHP and that it uses MySQL backend. It also covers many of the client side vulnerabilities it exploits (that list is obviously outdated by now, though).

It however does not mention anything about how the actual sites linking to it are compromised in the first place or if Blackhole has any tools for that.

There are two sides to this:
1) pwning websites / servers and making them link to blackhole instance
2) blackhole exploiting the client vulnerabilities of the unsuspecting browsers of the infected sites and installing malware

Anything in 2 is obvious. But how 1 happens in the first place is the interesting part.

[WotTheFook]

@ Piru

This is from one of our developers on the matter.

"It won't be until at least this afternoon before we can start removing it.

This injection attack seems quite complex compared to most site hijacking automated scripts.

Lots of sites are getting hacked in recent days, and not just vBulletin, but also WordPress, Joomla, and lots of others including popular ecommerce sites.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account login. Then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or cms software that then uploads their files.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code to the top of every php file on the site. So when anything accessed an injected/infected script the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page."

We'll know more when the devs start digging further. I wouldn't say that A.org is immune from this attack either, so the Admins need to back the site up as soon as possible.

It's definitely a PHP code injection script, coupled with a java script to redirect to either a usa.cc or ibiz.cc site (from the bahviour we've seen so far) that attempts to download malware. The origin appears to be Russia, as that is where the redirect is pointing to from a trace on the IP.

FTP and e-mail appear to be unaffected thus far.

WotTheFook aka Merlin

[WotTheFook]

This is what Google Diagnostics had to say about the ibiz.cc site...

"Google Safe Browsing diagnostic page for ibiz.cc
Advisory provided by Safe Browsing

Diagnostic page for ibiz.cc
What is the current listing status for ibiz.cc?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 28 time(s) over the past
90 days.

What happened when Google visited this site?
Of the 164 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2012-05-08, and the last time suspicious content was found on this site was on 2012-04-25.

Malicious software includes 443 trojan(s), 90 scripting exploit(s), 27
exploit(s).

This site was hosted on 9 network(s) including AS43239 (SPETSENERGO), AS53665
(BODIS), AS44050 (PIN).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, ibiz.cc appeared to function as an intermediary for the infection of 37 site(s) including engranes.cl/, urbanlookout.com/,
aloveletterforyou.com/.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It
infected 145 domain(s), including abu-farhan.com/, doncb.com/,
iworkshop.com.hk/.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Updated 2 hours ago© Google - Google Home"

[WotTheFook]

More information (I told you we've been busy...)

This is also to inform the Admins on A.org.

No one has yet worked out how they are gaining access, but some think it is gaining access from an admin account loggin. Then uploading a load of files in a buried location on the server by installing bogus plugins on the forum or cms software that then uploads their files. This is just speculation at the moment though.

These files contain a JavaScript based malware payload (not Java), so ensure you have a way to control JavaScript running per site.

In addition the attack injects a line of PHP code to the top of every php file on the site. So when anything accessed an injected/infected script the hash included in the injected code translates into a redirect to the hidden payload files to run the malware, and then redirects to a random domain holding page.

AmiBay was backed up in the morning before this attack hit, so we should be in a position to restore the correct files once we have checked them over to ensure that they aren't affected.

[runequester]

are these attacks windows specific or ?

[zipper]

Just a part of a bigger attack going on around.

[Piru]

are these attacks windows specific or ?

Well it depends on what you're asking.

There are two levels at play:

1. Someone is attacking web sites via some vulnerabilities in their software (old vulnerable sw versions, security issues in the actual web sites themselves etc). These are very often running linux or bsd, but also sometimes Windows. Sometimes the access to the system is gained by stealing the login credentials by attacking a desktop/laptop of the administrator.

2. The successfully breached websites are programmed by distribute malware. The motive in this case is money: The attackers "lease" the hacked sites and distribute tailored malware for whoever is willing to pay. Typically the malware is a rootkit that'll man-in-the-browser normal bank transactions to steal money. In most (if not all) cases these malwares target Windows platform. That's only because most of the potential victims are using Windows. If OS X continues to gain ground it will be targeted as well at some point.

So at different levels the attacks are targeting different platforms.

Recommendations

System administrators

Keep your host operating system up to date with security updates. Keep track of security updates of the actual web application platforms as well, and install new security updates as soon as they arrive (of course using staging host to verify that everything works fine after installing the upgrade). You can follow the Full Disclosure mailing list to keep track of recent activity on the security front. There are also numerous RSS/Twitter feeds you can follow, but I find those a bit tiresome in the long run. YMMV.

End users

Windows users need to be very careful to maintain security of their systems and installed applications. I can recommend Secunia PSI to all windows users. This tool will check all installed applications for old versions and (optionally) automagically install the required updates.

OS X users should install the OS security updates as soon as they arrive. For application updates there's AppFresh tool which works somewhat similar to Secunia PSI. It's not as good as PSI, but best I've found for OS X so far.

Linux/BSD users should install security updates weekly.

While OS X / Linux/BSD users might not be targets for the most attacks, that's really no excuse to skip the security updates. Sometimes vulnerabilities in these systems are actually exploited and the feeling of false security the users of these systems might have can lead to some rather nasty surprises (say for example storing tons of confidential material on the systems in belief no-one can possibly breach the system...).

[WotTheFook]

My best guess at present is that it's a variant of this:-

BlackHole Exploit Kit

A type of crimeware Web application developed in Russia to help hackers take advantage of unpatched exploits in order to hack computers via malicious scripts planted on compromised websites. Unsuspecting users visiting these compromised sites would be redirected to a browser vulnerability-exploiting malware portal website in order to distribute banking Trojans or similar malware through the visiting computer.
 
Blackhole exploit kits are based on PHP and a MySQL backend and incorporate support for exploiting the most widely used and vulnerable security flaws in order to provide hackers with the highest probability of successful exploitation. The kits typically target versions of the Windows operating system and applications installed on Windows platforms.
 
On March 25, 2012, the Blackhole Exploit Kit 1.2.3 was released, IC3 stated. This kit included the latest critical vulnerability in Java, allowing the bypassing of Java's sandbox environment. Java's sandbox is designed to provide security for downloading and running Java applications, while preventing them access to the hard drive or network. New malware samples appearing in the wild have been highly successful at exploiting this flaw and it is estimated at least 60% of Java users have not yet patched against it.


The first Blackhole exploit kit appeared on the black market in August 2010 as a Web application available for sale on a subscription basis ($1,500 for an annual license). Newer releases and a free version of the Blackhole exploit kit have since appeared on warez download sites. The most well-known Blackhole exploit kit attack targeted the U.S. Postal Service's Rapid Information Bulletin Board System (RIBBS) website in April 2011.

[Dr.Bongo]

Amibay is re-directing to a spam page now