Hackers Use MIT Server to Hack 100,000 Sites
November 7, 2011 2:42 PM
Nearly five months of attacks went unnoticed and successful thanks to the MIT domain's strong reputation
Most content-heavy sites on the web today are driven by a mix of PHP and SQL. Unfortunately, exploits abound for popular PHP database manager frontends like PHPMyAdmin. Thus, "hacking" many websites has been reduced from an art down to a "brute force" search for applicable SQL vulnerabilities. And that's just what cybercriminals want.
In this bold new world of SQL injection, having a reliable host for your "brute force" attack web-crawler program is essential. A recent incident involving an infected server at the Massachusetts Institute of Technology shows how *.edu servers may be the perfect vehicle to carry out cybercriminals' attacks.
The MIT server had the perfect profile to carry out attacks. It had bandwidth aplenty. And it piggybacked on its school's strong reputation, making its requests automatically appear trusted and less suspicious.
MIT's campus [Source: Aisha]
Thus it's not surprising that once a malicious softbot was planted on the MIT server, it was able to wreak havoc on the internet for nearly six months.
The attacking server was identified by Bitdefender, the antimalware arm of Romanian-based software firm Softwin. It is unknown how the malicious software was planted on the server. What is clear is what the attacking software has been doing.
The attacking server (CSH-2.MIT.EDU) would locate webpages and initiate a set of SQL injection attempts using GET requests containing troublesome character sequences like "//". An example is seen in the excerpt below:
"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1"
"GET /muieblackcat HTTP/1.1" 404
"GET //scripts/setup.php HTTP/1.1" 301
"GET //admin/scripts/setup.php HTTP/1.1"
"GET //admin/pma/scripts/setup.php HTTP/1.1" 404
"GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404
"GET //db/scripts/setup.php HTTP/1.1" 404
These attempts targeted vulnerabilities in PHPMyAdmin versions 2.5.6 to 2.8.2. PHPMyAdmin is an open source frontend that is hosted at the popular software repository SourceForge. It has an impressive 50k+ downloads a week. The latest version is 3.4.7.
The attacks compromised a reported 100,000+ websites in the five months since the MIT server was compromised in June.
The script would use injection attempts to deface pages, dumping keywords on them that would elevate their page rank. It would also dump images from BlogSpot, DeviantART, and Tumblr, among others, on the front-page.
Over 100,000 webpages were compromised by the rogue MIT server. [Source: SecurityWeek]
The telltale sign of the compromised pages was a directory "muieblackcat", which was created on the victims' server space.
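The request excerpt above and the "muieblackcat" marker are the kind of fingerprints a site operator can look for in their own web server logs. The following is an added example, not code from DailyTech, Bitdefender or the phpMyAdmin project: it parses Apache "combined" format access log lines (the sample lines are constructed to mirror the excerpt, with documentation-range IP addresses), tallies which scanner signatures each source address triggered, and separately lists any setup.php probe that did not come back 404, since a 301 or 200 for such a path suggests a phpMyAdmin install may actually be reachable and deserves a closer look. The signature names and the threshold are assumptions chosen for this example.

```python
"""Flag phpMyAdmin setup.php probe traffic in Apache access logs.

Added example for this article; not code from DailyTech, Bitdefender or
phpMyAdmin. Assumes the Apache "combined" log format. Sample log lines
are constructed for the demo (RFC 5737 documentation addresses).
"""
import re
from collections import Counter, defaultdict

# Apache "combined" log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures drawn from the article's excerpt. Names are assumptions for this example.
SIGNATURES = {
    "w00tw00t_banner": re.compile(r"/w00tw00t\.at\.", re.IGNORECASE),
    "muieblackcat_marker": re.compile(r"/muieblackcat", re.IGNORECASE),
    "pma_setup_probe": re.compile(r"/scripts/setup\.php$", re.IGNORECASE),
    "double_slash_path": re.compile(r"^//"),
}

# Constructed sample: one scanning source, one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2011:10:12:01 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 400 226
203.0.113.7 - - [05/Nov/2011:10:12:01 +0000] "GET /muieblackcat HTTP/1.1" 404 209
203.0.113.7 - - [05/Nov/2011:10:12:02 +0000] "GET //scripts/setup.php HTTP/1.1" 301 178
203.0.113.7 - - [05/Nov/2011:10:12:02 +0000] "GET //admin/scripts/setup.php HTTP/1.1" 404 213
203.0.113.7 - - [05/Nov/2011:10:12:03 +0000] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 217
203.0.113.7 - - [05/Nov/2011:10:12:03 +0000] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 224
203.0.113.7 - - [05/Nov/2011:10:12:04 +0000] "GET //db/scripts/setup.php HTTP/1.1" 404 210
198.51.100.4 - - [05/Nov/2011:10:15:44 +0000] "GET /index.php?id=12 HTTP/1.1" 200 5120
198.51.100.4 - - [05/Nov/2011:10:15:45 +0000] "GET /images/logo.png HTTP/1.1" 200 8124
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def classify(path):
    """Return the names of all signatures the request path triggers."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def scan_log(text):
    """Tally signature hits per source IP over a whole log text."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or non-combined-format lines
        for name in classify(rec["path"]):
            hits[rec["ip"]][name] += 1
    return hits


def suspicious_sources(text, threshold=3):
    """Source IPs whose total signature hits reach the threshold, sorted."""
    hits = scan_log(text)
    return sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)


def probe_hits(text):
    """setup.php probes that were NOT answered 404: (ip, path, status).

    A non-404 answer means the probed path resolved to something, which is
    the case a site operator most wants to review.
    """
    found = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and "pma_setup_probe" in classify(rec["path"]) and rec["status"] != 404:
            found.append((rec["ip"], rec["path"], rec["status"]))
    return found


if __name__ == "__main__":
    for ip, counts in scan_log(SAMPLE_LOG).items():
        print(ip, dict(counts))
    print("suspicious:", suspicious_sources(SAMPLE_LOG))
    print("probes not answered 404:", probe_hits(SAMPLE_LOG))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the per-source tally separates one noisy scanner from ordinary visitors, and probe_hits is the short list worth acting on.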
For now the attack has been silenced, but it serves as a warning of the growing dangers of SQL injection attacks and the potential of abuse of trusted *.edu servers.
wrote a piece on the attacks, suggesting implementing anti-injection rewrite rules/conditionals and renaming your PHPMyAdmin script to prevent quick identification by casual attackers.
RE: Could have been avoided...
11/7/2011 5:13:18 PM
I agree, but oftentimes it is easier said than done. You never know what is going to break version to version, especially if you are doing anything beyond the stock implementation. So people tend to not upgrade as often because of this. It isn't usually as simple as installing some Windows updates with a mouse click.
RE: Could have been avoided...
11/7/2011 8:21:13 PM
Normally I'd agree, but we're talking about MIT -- we do kind of expect them to be on top of these things.
RE: Could have been avoided...
11/7/2011 8:37:39 PM
You would think they would at the very least see what the new version fixes and see if it's worth upgrading to. Something like this I would take the risk and upgrade (with a test environment first to make sure not much breaks or to fix ahead of time) rather than leave a hole like that open.
Copyright 2015 DailyTech LLC.