Hackers Use MIT Server to Hack 100,000 Sites
November 7, 2011 2:42 PM
Nearly five months of attacks went unnoticed and successful thanks to the MIT domain's strong reputation
Most content-heavy sites on the web today are driven by a mix of PHP and SQL. Unfortunately, exploits abound from popular PHP database manager frontends like PHPMyAdmin. Thus, "hacking" many websites has been reduced from an art down to a "brute force" search for applicable SQL vulnerabilities [
]. And that's just was cybercriminals want.
In this bold new world of SQL injection having a reliable host for your "brute force" attack web-crawler program is essential. A recent incident involving an infected server at the
Massachusetts Institute of Technology
shows how *.edu servers may be the perfect vehicle to carry out cybercriminals' attacks.
The MIT server had the perfect profile to carry out attacks. It had bandwidth aplenty. And it piggybacked on its school's strong reputation, making its requests automatically appear trusted and less suspicious.
MIT's campus [Source: Aisha]
Thus it's not surprising that once a malicious softbot was planted on the MIT server that it was able to wreak havoc on the internet for nearly six months.
The attacking server was identified by Bitdefender, the antimalware arm of Romanian-based software firm Softwin. It is unknown how the malicious software was planted on the server. What is clear is what the attacking software has been doing.
The attacking server (CSH-2.MIT.EDU) would locate webpages and initiate a set of SQL injection attempts using GET requests and certain characters troublesome sequences like "//". An example is seen below in the
"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1"
"GET /muieblackcat HTTP/1.1" 404 "GET //scripts/setup.php HTTP/1.1" 301
"GET //admin/scripts/setup.php HTTP/1.1"
"GET //admin/pma/scripts/setup.php HTTP/1.1" 404
"GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404
"GET //db/scripts/setup.php HTTP/1.1" 404
These attempts targeted vulnerabilities in PHPMyAdmin versions 2.5.6 to 2.8.2. PHPMyAdmin is an open source frontend that
at the popular software repository SourceForge. It has an impressive 50k+ downloads a week. The latest version is 3.4.7.
The attacks compromised a reported 100,000+ websites in the five months since the MIT server was compromised in June.
The script would use injection attempts to deface pages, dumping keywords on them that would elevate their page rank. It would also dump images from BlogSpot, DeviantART, and Tumblr, among others, on the front-page.
Over 100,000 webpages were compromised by the rogue MIT server. [Source: SecurityWeek]
The telltale sign of the compromised pages was a directory "muieblackcat", which was created on the victims' server space.
For now the attack has been silenced, but it serves as a warning of the growing dangers of SQL injection attacks and the potential of abuse of trusted *.edu servers.
wrote a piece
on the attacks, suggest implementing anti-injection rewrite rules/conditionals and to rename your PHPMyAdmin script to prevent quick identification from casual attackers.
"Intel is investing heavily (think gazillions of dollars and bazillions of engineering man hours) in resources to create an Intel host controllers spec in order to speed time to market of the USB 3.0 technology." -- Intel blogger Nick Knupffer
Nokia is the Victim of SQL Injection, Loses Developer Records
August 29, 2011, 8:37 AM
LulzSec Strikes Again, 1M Sony Pictures User Accounts Compromised
June 2, 2011, 6:27 PM
Sony Loses Yet More Customer Records, 3 More Sites Hacked
May 25, 2011, 8:16 AM
Sony Appears to Have Lost Yet Another User Database
May 23, 2011, 9:09 AM
Pirate Bay Hacked, 4 Million User Records Looted, Site Is Down
July 8, 2010, 10:31 AM
Science & Environment
February 20, 2017, 6:37 AM
The USA’s newest weather satellite sends first photos.
January 24, 2017, 6:41 AM
Netflix took a decision to invest in original content
January 19, 2017, 7:00 AM
Amazon Airborne Fulfillment Center – Your Merchandise Drop-Shipped from the Clouds
December 29, 2016, 5:00 AM
Amazon is experimenting with a new kind of grocery stores, Amazon Go
December 8, 2016, 5:00 AM
Google has developed Deep Learning Algorithm to detect Diabetic Eye Disease
December 4, 2016, 5:00 AM
Most Popular Articles
How Apple watch Series 2 differ from the S1
February 18, 2017, 5:37 AM
February 17, 2017, 6:01 AM
Samsung Notebook 9 vs Acer Aspire S 13
February 17, 2017, 7:23 AM
Seagate FireCuda – 2TB of Fast Gaming Solid State Hybrid Drive Storage
February 6, 2017, 8:24 AM
Comparison: NuVision vs Kindle Fire HD
February 18, 2017, 6:25 AM
Latest Blog Posts
AMD and More
Feb 24, 2017, 5:55 AM
Feb 23, 2017, 6:30 AM
Feb 21, 2017, 6:12 AM
Here is how startups are helping new parents in raising children
Feb 20, 2017, 6:45 AM
Around the World
Feb 18, 2017, 5:48 AM
News of Future
Feb 17, 2017, 6:30 AM
Amazon parachutes May Float Packages to Customers
Feb 16, 2017, 8:00 AM
Now you Can Watch Facebook on Your TV
Feb 15, 2017, 7:42 AM
Feb 14, 2017, 5:36 AM
Razer Blade Stealth – Little Kaby Lake Powerhouse
Feb 13, 2017, 7:50 AM
Android 7.0 Nougat 7.0 Update Bring Less Battery Life for Samsung Galaxy S7 & S7 Edge
Feb 12, 2017, 7:45 AM
Apple iPhone 8 – OLED Display & Wireless Charging
Feb 11, 2017, 8:09 AM
Feb 10, 2017, 6:15 AM
Feb 9, 2017, 6:00 AM
Eye catching news
Feb 8, 2017, 6:16 AM
Some World News
Feb 7, 2017, 6:15 AM
Feb 6, 2017, 10:11 AM
Feb 5, 2017, 7:27 AM
Notes and News
Feb 4, 2017, 5:53 AM
Feb 3, 2017, 5:30 AM
Feb 2, 2017, 7:00 AM
News Around The World.
Feb 1, 2017, 7:20 AM
More Blog Posts
Copyright 2017 DailyTech LLC. -
Terms, Conditions & Privacy Information