Hackers Use MIT Server to Hack 100,000 Sites
November 7, 2011 2:42 PM
comment(s) - last by
Nearly five months of attacks went unnoticed and successful thanks to the MIT domain's strong reputation
Most content-heavy sites on the web today are driven by a mix of PHP and SQL. Unfortunately, exploits abound from popular PHP database manager frontends like PHPMyAdmin. Thus, "hacking" many websites has been reduced from an art down to a "brute force" search for applicable SQL vulnerabilities [
]. And that's just was cybercriminals want.
In this bold new world of SQL injection having a reliable host for your "brute force" attack web-crawler program is essential. A recent incident involving an infected server at the
Massachusetts Institute of Technology
shows how *.edu servers may be the perfect vehicle to carry out cybercriminals' attacks.
The MIT server had the perfect profile to carry out attacks. It had bandwidth aplenty. And it piggybacked on its school's strong reputation, making its requests automatically appear trusted and less suspicious.
MIT's campus [Source: Aisha]
Thus it's not surprising that once a malicious softbot was planted on the MIT server that it was able to wreak havoc on the internet for nearly six months.
The attacking server was identified by Bitdefender, the antimalware arm of Romanian-based software firm Softwin. It is unknown how the malicious software was planted on the server. What is clear is what the attacking software has been doing.
The attacking server (CSH-2.MIT.EDU) would locate webpages and initiate a set of SQL injection attempts using GET requests and certain characters troublesome sequences like "//". An example is seen below in the
"GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1"
"GET /muieblackcat HTTP/1.1" 404 "GET //scripts/setup.php HTTP/1.1" 301
"GET //admin/scripts/setup.php HTTP/1.1"
"GET //admin/pma/scripts/setup.php HTTP/1.1" 404
"GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404
"GET //db/scripts/setup.php HTTP/1.1" 404
These attempts targeted vulnerabilities in PHPMyAdmin versions 2.5.6 to 2.8.2. PHPMyAdmin is an open source frontend that
at the popular software repository SourceForge. It has an impressive 50k+ downloads a week. The latest version is 3.4.7.
The attacks compromised a reported 100,000+ websites in the five months since the MIT server was compromised in June.
The script would use injection attempts to deface pages, dumping keywords on them that would elevate their page rank. It would also dump images from BlogSpot, DeviantART, and Tumblr, among others, on the front-page.
Over 100,000 webpages were compromised by the rogue MIT server. [Source: SecurityWeek]
The telltale sign of the compromised pages was a directory "muieblackcat", which was created on the victims' server space.
For now the attack has been silenced, but it serves as a warning of the growing dangers of SQL injection attacks and the potential of abuse of trusted *.edu servers.
wrote a piece
on the attacks, suggest implementing anti-injection rewrite rules/conditionals and to rename your PHPMyAdmin script to prevent quick identification from casual attackers.
This article is over a month old, voting and posting comments is disabled
RE: Has Dailytech been hacked?
11/7/2011 9:00:14 PM
Yes. And because you replied to this thread they are now hacking you.
Oh crap now they are hacking ME.
"What would I do? I'd shut it down and give the money back to the shareholders." -- Michael Dell, after being asked what to do with Apple Computer in 1997
Nokia is the Victim of SQL Injection, Loses Developer Records
August 29, 2011, 8:37 AM
LulzSec Strikes Again, 1M Sony Pictures User Accounts Compromised
June 2, 2011, 6:27 PM
Sony Boots up ID Theft Protection for Customers Whose Data Was Stolen
May 26, 2011, 11:05 AM
Explosion Rocks Foxconn's iPad 2 Factory, Three Dead
May 23, 2011, 10:10 AM
Pirate Bay Hacked, 4 Million User Records Looted, Site Is Down
July 8, 2010, 10:31 AM
Google Street View and reCAPTCHA Get Smarter with New Algorithm
April 17, 2014, 9:02 AM
Mt. Gox CEO Refuses to Come to the U.S. in Financial Crimes Probe
April 16, 2014, 3:50 PM
Mark Zuckerberg: Facebook Home Reception Slower than Expected, Social Graph Will Pick Up
April 16, 2014, 2:00 PM
FBI's Facial Recognition Database to Have 52 Million Criminal, Non-Criminal Photos by 2015
April 15, 2014, 2:56 PM
Microsoft's Anti-Google "Scroogled" Campaign May Have Ended
April 15, 2014, 2:44 PM
FAA Requiring All Flights to Have GPS Tracking System by 2020
April 15, 2014, 1:25 PM
Most Popular Articles
Cities to Carpoolers: Sharing Your Car is Illegal, We Will Seize Your Cars
April 4, 2014, 9:17 PM
Taiwan's AOU Claims to Have World's Highest-Res. OLED Smartphone Display
April 11, 2014, 1:44 PM
iPad Exploiter is Freed by Federal Appeals Court
April 11, 2014, 7:40 PM
It's Very Likely Neanderthals and Humans Had Sex, Produced Offspring
April 10, 2014, 8:40 PM
A-10 Warthog May Live to Fight Another Day with Support from Lawmakers
April 14, 2014, 9:41 AM
Latest Blog Posts
Facebook Aims to Provide Internet to "Every Person in the World" with Drones, Satellites
Apr 1, 2014, 10:20 AM
Retail Mobile Sites Experience Outages in Light of Simplexity's Bankruptcy
Mar 14, 2014, 8:48 AM
Tesla vs. BMW: Who Has the Safer EV?
Feb 1, 2014, 2:56 PM
Justice Leaks Details of Next HTC One Two Flagship Phone
Dec 5, 2013, 4:04 PM
Global Cyber Espionage Concerns Reveal Growing Cyber Armies
Nov 29, 2013, 11:04 AM
More Blog Posts
Copyright 2014 DailyTech LLC. -
Terms, Conditions & Privacy Information