Thursday, October 22. 2009
F-Secure Weblog - .my Websites Compromised
Comments
Seems like it is the hosting itself that hosts the malicious script. In this case, maxhosting.com.my was infected/targeted.
My analysis assumes that:
1.) the bad script exploits its way into one of the vulnerable sites (via SQLi, file include, etc.) on the same host.
2.) sneaks itself into some writable directory
2.) then it propagates and spreads into all other writable directories on the server. A simple Linux command like "find /home/ -type d -perm -2 -ls" may reveal such paths
3.) copies itself into these writable directories and voila! A distributed malicious hoster in multiple domains
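The world-writable-directory check mentioned in the comment above, extended into a small audit script. This is an added example, not part of the original thread; the function names, the extension list and the sample tree are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit a shared-hosting tree for world-writable directories
# and for web-servable files inside them. All names here are hypothetical.

# Directories under $1 writable by every local account (mode bit o+w),
# the same test as `find /home/ -type d -perm -2`.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print 2>/dev/null | sort
}

# Web-servable files sitting directly inside those directories. On a shared
# host any tenant, or any compromised site, could have written them.
# Assumes paths without embedded newlines.
servable_files_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f \
            \( -name '*.php' -o -name '*.js' -o -name '*.htm*' \) -print
    done | sort
}

# Remediation preview: print (do not run) the chmod that removes o+w.
suggest_fixes() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        printf 'chmod o-w "%s"\n' "$dir"
    done
}

# Constructed sample tree: two tenants, one upload directory left at 0777.
build_demo_tree() {
    demo=$(mktemp -d) || return 1
    ( umask 022
      mkdir -p "$demo/site1/public_html/uploads" "$demo/site2/public_html/cache" )
    chmod 777 "$demo/site1/public_html/uploads"
    : > "$demo/site1/public_html/index.php"
    : > "$demo/site1/public_html/uploads/photo.jpg"
    : > "$demo/site1/public_html/uploads/x.js"
    printf '%s\n' "$demo"
}

# Run against a real tree when a path is given, e.g. ./audit.sh /home
if [ "$#" -gt 0 ]; then
    servable_files_in_writable_dirs "$1"
    suggest_fixes "$1"
fi
```

Files reported by `servable_files_in_writable_dirs` are candidates for review, not confirmed infections; compare them against the site owner's known content before removing anything.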
OK, my bad, as stated on the F-Secure weblog:
"The compromised sites were on multiple servers and are a disparate collection of commercial, personal and educational institution websites." ...is true; other sites from different hosting were also infected/targeted. This includes sites from the hoster at *.mschosting.com (exabyte?) and others. So this is maliciously targeting vulnerable sites, but not limited to other vhosts/domains using the method that I mention above.
It's OK d3ck4, at least you didn't just simply jump to conclusions.
Rather than promoting other people's misery or focusing on someone else's problem, please be proactive and advise how it can be prevented. Then the value of your existence is justified.
Well, that is what "mamak style" is all about, btw.
Yes, you state it loud and clear: "promoting other people's misery or focusing on someone else's problem"
Don't burst your hubcap. He's doing everyone a favor by reporting what is intended to be hidden. Learning by example.
Besides, isn't it the job of the IT team of the organization whose website got whacked in the first place to prevent the attack? Mel and his team have already justified their existence by providing free service, what have you got to show?
Let's check
http://global.bsa.org/globalpiracy2008/studies/globalpiracy2008.pdf
No new update? Or has our cyber society's security recently suddenly become sooo secure?
SHODAN is a new Google hacking in action
http://onlinesecurityblog.info/?p=283