A compromised server at the Massachusetts Institute of Technology (MIT) has been identified as being used as a vulnerability scanner and attack tool, probing the Web for unprotected domains and injecting code. According to researchers at Bitdefender who discovered the attack, the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular crime kit used by criminals online.
The attacks started in June, and so far Bitdefender estimates that some 100,000 domains have been compromised, leading to injected pages that look similar to the ones below. In each of the images, the compromised domain has new content injected on top of the existing content, complete with random images, text, and targeted keywords. Interestingly, some of the keywords related to the strings needed to identify a successful attack.
If that wasn’t bad enough, sites that are not vulnerable are still impacted by the scanner, as the flood of GET requests searching for open directories “might grind it to a halt,” Bitdefender explains.
“Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites. It is currently unknown how the crawler bot was planted on the MIT server, but it is certain that it probes the web for hosting accounts that come with a vulnerable version of PHPMyAdmin… Our information shows that the vulnerable versions of PHPMyAdmin range from 2.5.6 to 2.8.2.”
The attacks being staged from MIT’s resources is just one incident from one location. Other compromised hosts have been scanning the Web for vulnerable sites since 2010. These types of attacks are how BlackHat SEO scams are propagated, which target search results in order to spread rogue anti-virus or other malware. In addition, compromised hosts are also leveraged for other schemes, such as spam or botnet control.
Detecting a compromise is as simple as reading logs.
Early compromise attempts were initiated with w00tw00t, or “knock knock” string:
“GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1”
From there, several failed attempts to locate setup or configuration scripts will be recorded.
“GET /muieblackcat HTTP/1.1” 404 “GET //scripts/setup.php HTTP/1.1” 301
“GET //admin/scripts/setup.php HTTP/1.1”
“GET //admin/pma/scripts/setup.php HTTP/1.1” 404
“GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1” 404
“GET //db/scripts/setup.php HTTP/1.1” 404
Sometimes, the requests will 404. Other times they will redirect, as noted here. Some scans will try multiple attempts, draining your server of resources and bandwidth.
If you notice similar logs, recent attacks are creating the directory “muieblackcat,” so scanning for such a location would be the first step in detecting and cleaning a compromised host.
If that directory doesn’t exist, try looking at your server’s stats program, and look for large numbers of image requests that are unusual. If your domain hotlinks images (this is just a bad idea anyway, but it happens) then you know where your sourced material comes from.
Images or content that are outside of the norm are a warning sign, as many of the attacks targeting vulnerable domains are pulling content from external sources. Look for images coming from BlogSpot, foreign domains, CDN related URLs, Tumblr, and DeviantART. These images sources were being used by this attack as recently as October 5, 2011.
The object of these attacks is two fold. The first part is to find misconfiguration within PHPMyAdmin installations, and leverage them to spread malicious content. The second part to this attack is to leverage the trust a domain has. For example, MIT is useful because most organizations will not filter or block traffic coming from an EDU domain.
Examples of earlier attack logs can be seen here.
Some of the scans use a ‘//’ when executing, which you will notice in the examples outlined above.
Using mod-rewrite in HTACCESS can filter these scans, redirecting them to your main domain or elsewhere, such as a 403 page.
RewriteCond %{REQUEST_URI} ^(.*)//+(.*)$
RewriteRule / http: //www.example.com/%1/%2 [R=301,L]
It’s always a good idea to keep from using obvious names if you have to leave a script like PHPMyAdmin available. Sticking to a name that passive scanning and other search methods wouldn’t find. However, the downside to this is that security by obscurity rarely works, and a persistent attacker will discover what they’re after. So on top of obscure naming conventions, layer your websites defenses by leveraging IDS/IPS solutions, and by making sure someone is watching the logs.
Related Reading: ‘Poison Ivy’ Kit Enables Easy Malware Customization for Attackers
Related Reading: Europe and United States Conduct First Joint Cyber Security Exercise