Nearly five months of attacks went unnoticed and successful thanks to the MIT domain's strong reputation

Most content-heavy sites on the web today are driven by a mix of PHP and SQL.  Unfortunately, exploits for popular PHP database manager frontends like PHPMyAdmin abound.  Thus, "hacking" many websites has been reduced from an art to a "brute force" search for applicable SQL vulnerabilities [1][2][3][4][5][6][7].  And that's just what cybercriminals want.

In this bold new world of SQL injection, having a reliable host for your "brute force" attack web-crawler program is essential.  A recent incident involving an infected server at the Massachusetts Institute of Technology shows how *.edu servers may be the perfect vehicle for carrying out cybercriminals' attacks.

The MIT server had the perfect profile to carry out attacks.  It had bandwidth aplenty.  And it piggybacked on its school's strong reputation, making its requests automatically appear trusted and less suspicious.

[Image: MIT's campus. Source: Aisha]

Thus it's not surprising that once a malicious softbot was planted on the MIT server, it was able to wreak havoc on the internet for nearly six months.

The attacking server was identified by Bitdefender, the antimalware arm of the Romania-based software firm Softwin.  It is unknown how the malicious software was planted on the server.  What is clear is what the attacking software has been doing.

The attacking server (CSH-2.MIT.EDU) would locate webpages and initiate a set of SQL injection attempts using GET requests and certain troublesome character sequences like "//".  An example is seen below in the server logs:

"GET / HTTP/1.1"
"GET /muieblackcat HTTP/1.1" 404
"GET //scripts/setup.php HTTP/1.1" 301
"GET //admin/scripts/setup.php HTTP/1.1"
"GET //admin/pma/scripts/setup.php HTTP/1.1" 404
"GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404
"GET //db/scripts/setup.php HTTP/1.1" 404

These attempts targeted vulnerabilities in PHPMyAdmin versions 2.5.6 to 2.8.2.  PHPMyAdmin is an open source frontend maintained at the popular software repository SourceForge.  It sees an impressive 50k+ downloads a week.  The latest version is 3.4.7.
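A defender reading their own access logs can spot this scanner by exactly the traits visible in the excerpt above: a bare request for "/muieblackcat" followed by a burst of probes for setup.php under a double-slash prefix. The following is an added example, not code from the article, Bitdefender or SecurityWeek; it assumes Apache combined log format and uses constructed sample lines with documentation-range IP addresses.

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format); the IPs are documentation
# addresses, not the real scanner. The paths mirror the article's log excerpt.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2011:03:14:07 +0000] "GET / HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:14:07 +0000] "GET /muieblackcat HTTP/1.1" 404 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:14:08 +0000] "GET //scripts/setup.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:14:08 +0000] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2011:03:14:09 +0000] "GET //db/scripts/setup.php HTTP/1.1" 404 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2011:03:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2011:03:20:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields we need: client IP, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures taken from the article's excerpt: the marker request and the
# double-slash-prefixed probes for phpMyAdmin's scripts/setup.php.
MARKER_PATH = "/muieblackcat"
SETUP_PROBE = re.compile(r"^//.*scripts/setup\.php$")

def parse_line(line):
    """Return a dict of ip/method/path/status, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Collect per-IP evidence: whether the marker was requested and which probes were sent."""
    hits = defaultdict(lambda: {"marker": False, "probes": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == MARKER_PATH:
            hits[rec["ip"]]["marker"] = True
        elif SETUP_PROBE.match(rec["path"]):
            hits[rec["ip"]]["probes"].append(rec["path"])
    return dict(hits)

def flag_scanners(text, min_probes=3):
    """Flag an IP that requested the marker path or sent at least min_probes setup.php probes."""
    return sorted(ip for ip, h in scan_log(text).items()
                  if h["marker"] or len(h["probes"]) >= min_probes)

if __name__ == "__main__":
    for ip in flag_scanners(SAMPLE_LOG):
        print("scanner:", ip, scan_log(SAMPLE_LOG)[ip])
```

A 404 for every probe means the server had no setup.php at those paths; a 200 or 301 on one of them is the line worth investigating first.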

The attacks compromised a reported 100,000+ websites in the five months since the MIT server was compromised in June.

The script would use injection attempts to deface pages, dumping keywords on them that would elevate their page rank.  It would also dump images from BlogSpot, DeviantART, and Tumblr, among others, on the front page.

[Image: hacked webpage. Over 100,000 webpages were compromised by the rogue MIT server. Source: SecurityWeek]

The telltale sign of a compromised page was a directory named "muieblackcat" created in the victim's server space.

For now the attack has been silenced, but it serves as a warning of the growing danger of SQL injection attacks and the potential for abuse of trusted *.edu servers.  SecurityWeek, which wrote a piece on the attacks, suggests implementing anti-injection rewrite rules/conditionals and renaming your PHPMyAdmin script to prevent quick identification by casual attackers.

Sources: SecurityWeek, MalwareCity

Copyright 2017 DailyTech LLC.