Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Hacked MIT Server Used to Stage Attacks, Scan for Vulnerabilities

A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers at Bitdefender who discovered the attack, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online.

A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers at Bitdefender who discovered the attack, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online.

The attacks started in June, and so far Bitdefender estimates that some 100,000 domains have been compromised, leading to injected pages that look similar to the ones below. In each of the images, the compromised domain has new content injected on top of the existing content, complete with random images, text, and targeted keywords. Interestingly, some of the keywords related to the strings needed to identify a successful attack.

CSH-2.MIT.EDU Hacked MIT Server Used for Attacks

MIT server being used as vulnerability scanner

If that wasn’t bad enough, sites that are not vulnerable are still impacted by the scanner, as the flood of GET requests searching for open directories “might grind it to a halt,” Bitdefender explains.

“Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. It is currently unknown how the crawler bot was planted on the MIT server, but it is certain that it probes the web for hosting accounts that come with a vulnerable version of PHPMyAdmin… Our information shows that the vulnerable versions of PHPMyAdmin range from 2.5.6 to 2.8.2.”

The attacks being staged from MIT’s resources is just one incident from one location. Other compromised hosts have been scanning the Web for vulnerable sites since 2010. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control.

Detecting a compromise is as simple as reading logs.

Early compromise attempts were initiated with w00tw00t, or “knock knock” string:

“GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1”

Advertisement. Scroll to continue reading.

From there, several failed attempts to locate setup or configuration scripts will be recorded.

“GET /muieblackcat HTTP/1.1” 404 “GET //scripts/setup.php HTTP/1.1” 301

“GET //admin/scripts/setup.php HTTP/1.1”

“GET //admin/pma/scripts/setup.php HTTP/1.1” 404

“GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1” 404

“GET //db/scripts/setup.php HTTP/1.1” 404

Sometimes, the requests will 404. Other times they will redirect, as noted here. Some scans will try multiple attempts, draining your server of resources and bandwidth.

If you notice similar logs, recent attacks are creating the directory “muieblackcat,” so scanning for such a location would be the first step in detecting and cleaning a compromised host.

If that directory doesn’t exist, try looking at your server’s stats program, and look for large numbers of image requests that are unusual. If your domain hotlinks images (this is just a bad idea anyway, but it happens) then you know where your sourced material comes from.

Images or content that are outside of the norm are a warning sign, as many of the attacks targeting vulnerable domains are pulling content from external sources. Look for images coming from BlogSpot, foreign domains, CDN related URLs, Tumblr, and DeviantART. These images sources were being used by this attack as recently as October 5, 2011.

The object of these attacks is two fold. The first part is to find misconfiguration within PHPMyAdmin installations, and leverage them to spread malicious content. The second part to this attack is to leverage the trust a domain has. For example, MIT is useful because most organizations will not filter or block traffic coming from an EDU domain.

Examples of earlier attack logs can be seen here.

Some of the scans use a ‘//’ when executing, which you will notice in the examples outlined above.

Using mod-rewrite in HTACCESS can filter these scans, redirecting them to your main domain or elsewhere, such as a 403 page.

RewriteCond %{REQUEST_URI} ^(.*)//+(.*)$

RewriteRule / http: //www.example.com/%1/%2 [R=301,L]

It’s always a good idea to keep from using obvious names if you have to leave a script like PHPMyAdmin available. Sticking to a name that passive scanning and other search methods wouldn’t find. However, the downside to this is that security by obscurity rarely works, and a persistent attacker will discover what they’re after. So on top of obscure naming conventions, layer your websites defenses by leveraging IDS/IPS solutions, and by making sure someone is watching the logs.

Related Reading: ‘Poison Ivy’ Kit Enables Easy Malware Customization for Attackers

Related Reading: Europe and United States Conduct First Joint Cyber Security Exercise

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.