10,000 hacked sites sounds like a very, very low figure to me - isn't it?

10,000 hacked sites sounds like a very, very low figure to me - isn't it?

It's all relative. Don't forget the leveraging aspect. .. 10,000 site x ___ visitors per day. At 100 visitors per day per site that's 100,000 exposures. at 1000/day/site that is 1,000,000 exposures/day. More than likely the hackers can find a way to further exploit the machines they infect.

cg

The report seems vague to me. I did not see any information that helps webmasters check thier site..

No solutions, hints, or what to look for, just be scared unless you own updated anti-virus software....

[edited by: Edge at 12:53 pm (utc) on June 20, 2007]

10,000 site x ___ visitors per day. At 100 visitors per day per site that's 100,000 exposures

Close, but even worse ;)

10,000 x 100 = 1,000,000

From another BBC article, Google searches web's dark side:

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC.
Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis".
About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge.

[news.bbc.co.uk ]

Google's results sound a bit closer. I wonder what they call a site... I presume it's one domain name not one page.

The report seems vague to me. I did not see any information that helps webmasters check thier site..
No solutions, hints, or what to look for, just be scared unless you own updated anti-virus software....

The report is not vague. It is just public news.
For the security of your webservers, you shouldn't depend solely on BBC-news. There is other IT security related information worth checking, too.

This one seems to be just an IFRAMEd pointer to a 'bad' web server hosting an MPACK exploit tool.
Short story at SANS with more pointers:
[isc.sans.org...]
[blog.trendmicro.com...]
[websense.com...]

So the solution/hint is to check your own page sources if someone planted an IFRAME into them that shouldn't belong there ...

Kind regards,
R.

"The report is not vague. It is just public news."

Can you be less vague and more specific?

It would appear that MPack requires PHP and MySQL to operate. There is a report on it at the Panda Labs blog here:

[blogs.pandasoftware.com...]

The hack uses a file named index.php which is usually placed in an iframe (apparently).

Matt

"One in 10 web pages scrutinised by search giant Google contained malicious code"

Google's figures in that report are VERY deceptive. Many news outlets interpreted this to mean one in ten of all sites, but this is NOT what Google's report says.

If you look at the small print, it's only one in ten of the sites that Google had already flagged as suspicious, so they aren't representative of the web as a whole. Google deliberately sought out sites that were already thought to be compromised, so one in ten was actually a surprisingly low figure.

To use a non-computing analogy: If you hang around a court and one in ten drink drive cases results in a conviction, that doesn't mean that one in ten people is a drunk driver, it just means one in ten people already suspected of being a drunk driver have been convicted. The actual figure for the entire population would be much lower.

I don't use iframes so I just did a search on a site of mine using frontpage checking the box that says "find in code" for the term "iframe" since that's what the mpack uses. I found an iframe tag but it turns out it was an old project of mine from a year ago, and I was clean. That might not be the best logic, but since I'm running on a windows box with no php in site I'm okay for now. I stopped using unix servers running php when the shared server I was running on got hacked last year so that the home page of every site on the server was replaced with an anti-American terrorist type message.

Can you be less vague and more specific?

... more specific? Didn't you see the attached 3 *specific* links with further *specific* information? What else do you need?

And today, the SANS came out with an authorized reprint of an analysis authored by iDefense:
[isc.sans.org...]

Sorry, I can't be more specific than these specific links I provided.

Kind regards,
R.

Specific enough to me, Romeo. Thanks for the links. From the last one:

It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server.

I guess that explains how the bad guys get the iframes into a site's HTML.

Romeo,

The links you provided are just that and nothing else. They may or may not be related...

If you go back and read the original post and follow the link to the press release there are no such links. There are some semi-related and related links on the right side of the page.

The press release - editorial or what ever, is in-conclusive, vague, and doesn't give any specifics.

I do not doubt the possibilty that the editorial is correct, however without specifics, evidence, case studies and other supporting information I have to take the artical/editorial at face value.

Again, a general editorial on a security risk.. I submit to you: So, Whats New? Give me solutions not hype or type fodder!

is there a way to "lock" your htm so that it can still be viewed and function properly without allowing anyone else to modify it? Unless I am not understanding it, can't you just chmod it to where everything except root can read only?

A script running PHP can do anything you can do to a file -- that includes running chmod on the file -- if you are "root" any application that is running as root (or a superuser) can impersonate you -- as a sole webadmin, you probably have root access to all of your applications and files -- but if you are on a hosted system, you can never be root, so the bad script will probably have more access than you.