Are there any websites that are NOT compromised?
Today was yet another day with lots of compromised websites, some notable others less.
This morning, a reader wrote in to notify us that the county government website of a county in Georgia was compromised. Sure enough, it appeared to serve malicious javascript, launching the usual exploit kit Java exploit (zeroaccess was the readers guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case, was pretty quickly sent to a person who was responsible for the web site content. Sadly, I don't think this person had any basic understanding of exploit kits or web applications to understand most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean". Which gets me to the next point, some of the difficulties one encounters in notifying sites:
- Frequently, like in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, or in other cases, the miscreant appears to filter out requests from "administrators" showing them the unaltered site
- It is very hard to NOT get people to go to the URL right away as you talk about it being dangerous. It was relatively early in the morning, and I forgot my usual introduction not to go the site, so sure enough, as I explain which page I noticed as "infected", the person at the phone responded "but it look normal"...
- In particular for small sites like this, the standard blocklists don't work. Virus Totals URL Scanner showed the site as "safe" . Kaspersky Anti Virus on one of my Mac's flagged the javascript with a generic exploit signature and prevented access.
FWIW: My guess is that the site was infected via the Wordpress plugin "Super Cache" which was installed on the site. This plugin had some recent vulnerabilities.
The other compromisse, that created a larger news response, was the compromise of wtop. com and federalnewsradio. com. Both sides are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others in to the site. I didn't see any exploit code when I retrieved the site, but I am not sure if it is safe to assume that an exploit is only going to attack one particular browsers, the miscreant appears to filter out requests from "administrators" showing them the unaltered site.
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Application Security: Securing Web Apps, APIs, and Microservices | Washington | Dec 13th - Dec 18th 2024 |
Comments
To answer your question, I think (but I can't be certain) that isc.sans.edu isn't compromised and currently safe to browse...
JacL
May 8th 2013
1 decade ago
http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
http://heise.de/-1859414 (german page of http://www.h-online.com/)
a_human
May 8th 2013
1 decade ago
If only more entities would react to compromise this way! Kudos to WTOP and whoever may have assisted them in fixing their problem and crafting the public announcement.
shaun
May 8th 2013
1 decade ago
WP SuperCache & Total Cache both have had recent vulnerabilities, which apparently have been fixed, but there appears to be no obvious mention of the problems or fixes on their sites.
Without warning users, who's going to upgrade?
BJ
May 8th 2013
1 decade ago
It's just a matter of time before the IT industry (software and security included) is regulated to the same extent that other industries are (energy, manufacturing). We are still in the wild west days... and WP's nonexistent communication on security issues is a perfect example of that.
JacL
May 8th 2013
1 decade ago
JacL
May 8th 2013
1 decade ago
http://www.osirt.com/2013/05/media-site-mass-hack-malware-analysis/
Brad
May 10th 2013
1 decade ago
KBR
May 13th 2013
1 decade ago