About Me

Craig Schmugar

Craig Schmugar

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Follow Up To Yesterday's Mass Hack Attack

Thursday, March 13, 2008 at 2:04pm by Craig Schmugar
Craig Schmugar

Yesterday we uncovered a newer mass hack affecting over 10,000 web pages.  That number has since doubled.  Today, I took a look at another recent mass attack, which was similar to those reported by Dancho Danchev, but reference a JS file rather than an IFRAME.  

The attack seems to have started more than a week ago, and nearly 200,000 web pages have been found to be compromised, most of which are running phpBB.  This contrasts yesterday’s attack in that the vast majority of those were active server pages (.ASP).  The ASP attacks are different than the phpBB ones in that the payload and method are quite different.  Various exploits are used in the ASP attacks, where the phpBB ones rely on social engineering. phpBB mass hacks have occurred in the past, including those done by the Perl/Santy.worm back in 2004.

Here’s a brief video demonstrating how the phpBB attack looks from the end user’s perspective.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

« Older Comments

Comments (25)

  • Expert SEO guides January 2, 2010 9:19PM

    I had never thought the obviously simple ways Google works. The truth of the issue is that even though it crawls your page multiple times, it takes a tonne of work on your part to get a site to become “relevent” to the spiders. I guess this lends to my understanding of search engines.

    Reply
  • celik kapi August 30, 2009 3:12AM

    Even if it is an ad, they are apparently very good at what they do. I mean, infecting this many machines this quickly just so their product is needed… they are hella smart.

    Reply
  • leoo November 7, 2008 7:44PM

    PJ – I can tell the target of the attacks by looking at the pages that were hit.

    Reply
  • Jen Hemmings March 24, 2008 7:58AM

    Very interesting to have come across this article and video. It was possibly last Thursday/Friday that I was using the internet for general use. I like to read the news. During the evening, my browser would open, but would not close. This issue was quickly resolved but I still wonder what might have caused it.

    Reply
  • Craig Schmugar March 19, 2008 8:51AM

    I’ve responded to Henry S offline.

    For those looking for more about how they can tell if they have been impacted. Compromised sites have script injected on pages.

    script src="http://... .js

    Reply
    • « Older Comments