Lots of juicy, juicy in this one, but there's something about it that smells funny.
A server compromise trend has been recently reported targeting multiple hosting platforms. Red Hat Enterprise Linux & CentOS 4/5 and Fedora Core 5/6 are the most common targets. This compromise is not believed to be specific to cPanel software. This issue has been seen on systems running a variety of control panels. There are still many unknown details regarding this exploit. It has been established that this compromise requires super user privileges. It is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs. The initial entry point is not confirmed at this time.
So basically, the people too stupid to pick a decent root password are getting exploited... nothing much new here... kind of hard to take over the Internet with unimportant machines that no one puts much importance into and that don't attract many pageviews.
This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
...alternatively, you could simply find an exploitable bug in tcpdump or grep and encourage many thousands of people around the world to run those binaries for several minutes on their really important, high page-view sites while you madly scan thousands of prospective target webhosts with your other botnet of more easily exploited machines.
Exploitable bugs in tcpdump you say? No... that's never happened before.
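As an added example (not part of the advisory quoted above, nor of this post), here is a check for the one indicator the advisory does describe: a short, successful root login over ssh shortly before the compromise. It reads an OpenSSH auth log with awk instead of sniffing live traffic as root, and also tallies failed password attempts per source address. The log lines embedded in sample_auth_log are constructed for this example, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the cPanel advisory quoted above): pull the two
# ssh indicators the advisory describes out of an OpenSSH auth log --
# successful root logins, and the volume of failed password attempts per
# source address -- so a suspect host can be checked from its logs without
# running a sniffer as root on it.

root_ssh_logins() {
    # $1 = path to an auth log.
    # Prints "<Mon> <day> <HH:MM:SS> <auth method> <source ip>" for every
    # "Accepted ... for root from ..." line sshd wrote.
    awk '/sshd\[[0-9]+\]: Accepted .* for root from / {
             # Month, day and time are fields 1-3; the method (password,
             # publickey, ...) is field 7; the source address follows "from".
             for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
             print $1, $2, $3, $7, ip
         }' "$1"
}

failed_ssh_by_source() {
    # $1 = path to an auth log.
    # Prints "<count> <source ip>" for every address that produced
    # "Failed password" lines, busiest source first.
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") seen[$(i + 1)]++
         }
         END { for (ip in seen) print seen[ip], ip }' "$1" | sort -rn
}

sample_auth_log() {
    # Constructed sample lines in the auth.log format OpenSSH uses; this is
    # not a real capture. Addresses are from the RFC 5737 documentation ranges.
    cat <<'EOF'
Feb 15 07:40:11 web1 sshd[3017]: Failed password for root from 203.0.113.9 port 51022 ssh2
Feb 15 07:40:14 web1 sshd[3019]: Failed password for root from 203.0.113.9 port 51023 ssh2
Feb 15 07:40:17 web1 sshd[3021]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Feb 15 07:41:02 web1 sshd[3025]: Failed password for root from 198.51.100.7 port 40210 ssh2
Feb 15 07:44:30 web1 sshd[3031]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Feb 15 07:44:30 web1 sshd[3031]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 15 07:45:12 web1 sshd[3031]: pam_unix(sshd:session): session closed for user root
Feb 15 09:10:05 web1 sshd[3200]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

# Run against the constructed sample; on a real host point the functions at
# /var/log/auth.log (or /var/log/secure on Red Hat derived systems).
log=$(mktemp)
sample_auth_log > "$log"
echo "root logins over ssh:"
root_ssh_logins "$log"
echo "failed password attempts by source:"
failed_ssh_by_source "$log"
rm -f "$log"
```

On the sample, the one accepted root login comes from the same address that had just failed three times, a few minutes before, which is the shape of the event the advisory describes. A password-based root login from an address you don't recognise, followed by a session lasting under a minute, is the thing to hunt for; also compare against last(1) and wtmp, since a rootkit that scrubs one log often misses the other.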
In case any of you have loved ones or whatever running Windows, this is something you may need soon. Normally this wouldn't be such a pain in the ass, but this is now one of those "landscape changes" resulting from people like the Russian Business Network (also known as "criminals"--there is no mincing words on this) really bearing down on the subject of installing malware onto people's computers.
I'm going to say something that will upset some of you now. Pregnant women and those prone to fainting may wish to stop reading now.
* * *
This fscker will get you through Firefox if you're not careful.
* * *
It's not Firefox that's being exploited, but any one of three plugins (and probably more than that) that are installed if you have not been keeping them up to date. High on the list of possibilities are Quicktime and Adobe Reader plugins for one very specific reason.
Those two things have their automated update checkers tied up in exceptionally ponderous system tray apps that most people disable because they're a big waste and slow down booting. ...so if you don't have these doing their thing through the system tray, the first time you may find out there's a necessary update is when the plugin is triggered by the browser--at which point it's too late, you've been compromised.
The machine I just cleaned up was infected while a person was browsing MySpace (and this isn't MySpace-specific, I'll explain at the bottom) using Firefox and it was infected through the Quicktime plugin. All the user initially saw was that Quicktime was informing them of an update being available... and then they started getting the popups advertising for what are essentially phony anti-spyware programs.
This particular variant did the following things above and beyond "the usual". It blew AVG right off the drive. It damaged the Quicktime installation so that it could not be updated without going and manually getting the update, although Quicktime itself still worked properly. After a partial removal in safe mode was attempted, it locked out all accounts, including the administrator account. Very not cool, that. (It of course disabled all the internet security settings in XP, and riddled the registry with itself, and installed "partner" software as usual.)
Why this is not specific to MySpace
The problem that's coming up now is that the criminals are using front companies to buy ad space from legitimate/normal ad companies, and serving the ads from their own machines, which every so often will instead return a 404 document which invokes a vulnerable plugin. I've seen multiple perfectly reasonable sites go into a panic lately (CuteOverload got so freaked out they wiped their site and restored it from a scoured backup) because their users were reporting that their antivirus solutions were hollering about viruses on their site--which turned out to be coming from major ad banner companies that would otherwise be considered "safe".
Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools.
I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.
Evildoers online divide roughly into two categories - those who don't want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?
Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I'll describe a number of dubious business enterprises we've unearthed.
Recent advances in algorithms, such as Newman's modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution.
I'll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.
Microsoft Forges 'Pact' With Cyberwarriors Worldwide
Topic: Computer Security
7:23 pm EDT, Aug 8, 2007
Multinational corporations have foreign policies, and the "home" country doesn't necessarily get special treatment:
In an effort to curb distrust, in 2003 Microsoft signed a pact with China, Russia, the United Kingdom, NATO and other nations to let them see the Windows source code.
A few thoughts:
1) Possession of source code has limited defensive value unless you actually build your software from that source. Based on press reports the agreement does not facilitate local compilation.
2) Is it really feasible for a third party to audit the Vista source? The people involved seem to think so, or are at least making a show of it. I am dubious.
3) The utility of this 'pact' would seem to be substantially offensive.
Consider:
Microsoft has reportedly signed a new government security program source code agreement with China Information Technology Security Certification Center, allowing CNITSEC and other approved institutions to look over the source code and relevant technical data of Microsoft's products, including Windows Vista, so as to improve their evaluation of the security of Microsoft products. The agreement is an important part of the MOU signed between National Development and Reform Commission and Microsoft in April 2006.
Microsoft's Government Security Program helps government departments and international organizations evaluate the security of Microsoft products. CNITSEC previously signed an agreement with Microsoft on security source code in February 2003 and was authorized to check over the company's major source code and technical data.
From 2003:
According to sources at the software company, China is the eighteenth nation to sign such an agreement to view Microsoft's proprietary source code.
NBC Reporter with hidden camera in purse hoping to catch conference attendees committing to crimes (according to Defcon staff) flees Defcon 15 after being outed.
OMG FUCKING LOOOOOOLLLLL!!!!
For more information on this awesome totally ethical NBC program, see this.
Basically, a college intern leaves a tape full of highly classified information in his car overnight, unattended and when his car gets broken into and the tape stolen, he doesn't feel he should be held responsible for it.
Aside from the fact that both he and the University of Ohio are morons, I'm glad he got fired. It's the best thing that could have happened to him. Maybe next time he'll think before leaving important data in his car, and maybe from now on they'll hire some people who provide a secure offsite storage service.
Blocking brute force attacks against ssh with iptables and netfilter
Topic: Computer Security
7:57 am EST, Feb 15, 2006
For those of you not yet using a port-knocker or otherwise getting irritated with the crap all the script kiddies are filling your system logs with from endless connections against your sshd, this article is for you.
Just two (or four, if you like logging) slightly obfuscated lines of iptables, and you can not only stop the lamers, you can slow their scripts down. (Something that's bound to get me packeted sooner or later, but whatever) This is quite portable to anything that's got a reasonably recent version of iptables (1.3.x) installed. You only need the barest of netfilter support in the Linux kernel.
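The article itself isn't reproduced here, so as an added example (these are not the article's rules, nor the blogger's) here is the standard netfilter "recent" match that rate-limits new ssh connections per source address, with the optional logging rule the post alludes to. The port, window, hit count, list name, function names and the optional trusted-address rule are this example's own choices.

```shell
#!/bin/sh
# Added example, not the rules from the article the post links to: the usual
# netfilter "recent" match that rate-limits new ssh connections per source
# address. Port, window, hit count, the list name and the trusted-address
# rule are this example's own choices.

SSH_PORT=${SSH_PORT:-22}
SSH_WINDOW=${SSH_WINDOW:-60}     # seconds the hit counter looks back
SSH_HITCOUNT=${SSH_HITCOUNT:-4}  # new connections per window before dropping
SSH_LIST=ssh_bruteforce          # name of the xt_recent address list

ssh_ratelimit_rules() {
    # $1 = optional address (or CIDR) that must never be rate limited.
    # Prints the rules in the order they have to be appended to INPUT.
    trusted=${1:-}
    if [ -n "$trusted" ]; then
        # Whitelist first, or the hit count below will lock you out the
        # moment you open a few sessions inside one window.
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -s $trusted -j ACCEPT"
    fi
    # 1. Record every new ssh SYN in the list (one timestamp per source).
    # 2. Logging is optional: --rcheck inspects the list without adding a
    #    timestamp, so the LOG rule does not change the count.
    # 3. DROP once the source has SSH_HITCOUNT timestamps inside the last
    #    SSH_WINDOW seconds; it gets through again only when fewer than that
    #    many attempts fall inside the window. DROP (rather than REJECT)
    #    leaves each attempt waiting for a TCP timeout, which is what slows
    #    the scanner down.
    cat <<EOF
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name $SSH_LIST --set
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name $SSH_LIST --rcheck --seconds $SSH_WINDOW --hitcount $SSH_HITCOUNT -j LOG --log-prefix "ssh-bruteforce: "
iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -m recent --name $SSH_LIST --update --seconds $SSH_WINDOW --hitcount $SSH_HITCOUNT -j DROP
EOF
}

ssh_ratelimit_apply() {
    # Install the rules. Refuses unless running as root with iptables present;
    # returns 2 so a caller can tell "not applied" from an iptables error.
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "ssh_ratelimit_apply: needs root and iptables; nothing applied" >&2
        return 2
    fi
    ssh_ratelimit_rules "${1:-}" | sh -e
}

ssh_ratelimit_tracked() {
    # Show the kernel's view of the list: one line per tracked source with its
    # recent timestamps. Newer kernels expose it under /proc/net/xt_recent,
    # older ones under /proc/net/ipt_recent.
    for dir in /proc/net/xt_recent /proc/net/ipt_recent; do
        if [ -r "$dir/$SSH_LIST" ]; then
            cat "$dir/$SSH_LIST"
            return 0
        fi
    done
    echo "ssh_ratelimit_tracked: list $SSH_LIST not present (rules not loaded?)" >&2
    return 1
}

# Print the rules for review; run ssh_ratelimit_apply [trusted-address] as root
# to install them.
ssh_ratelimit_rules "${1:-}"
```

Two caveats worth stating before you run this on a box you administer remotely: pass your own management address as the trusted argument, since four new connections in a minute is easy to hit with scp and a couple of terminals, and check ssh_ratelimit_tracked after the first few minutes to see what the kernel actually has in the list. The hit count counts new TCP connections, not failed logins, so a legitimate user who reconnects repeatedly is treated the same as a scanner.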
Well, as if the embarrassment of having published more than one astoundingly stupid security non-vulnerability wasn't enough to teach him to keep his mouth shut, Steve Gibson (of the Gibson Research Corporation), part kook, part snake-oil salesman, has managed to come up with one that beats even the tinfoil hat wearing crowd.
To wit, he has decided that the WMF vulnerability is not actually a bug, but an honest to God planned back door in the code.