CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 6th, 2010

Mass Injection At Media Temple Hosting Leads To Web Exploit Kit

Security researchers from Websense warn that over one hundred websites hosted at Media Temple (mt) have been injected with rogue code that leads visitors to a potent Web exploitation kit. The toolkit targets a dozen vulnerabilities in older versions of Adobe Flash Player, Adobe Reader, Internet Explorer and the Java Runtime Environment.

The mass compromise was detected by Websense’s ThreatSeeker Network. Although the affected websites are all hosted at Media Temple, this does not by itself imply a security problem in the hosting company’s servers or infrastructure. Like other hosting providers, Media Temple has had its share of compromised websites under its roof in the past, because attackers systematically scan entire address spaces for vulnerable targets before proceeding to infect them.

A large number of the websites compromised in this latest attack (46%) are running WordPress, but again this does not point to an unpatched vulnerability in the popular blogging platform. The Websense researchers note that the injections are most likely the result of flaws in outdated third-party software such as plugins and themes.

The rogue code added to the compromised websites is obfuscated JavaScript that algorithmically generates one of a set of malicious URLs and redirects the visitor there. “Using the algorithm […], we generated 64 URLs […] and find there are 2 different scripts. One is very simple with an anti-bot trick so it won’t be crawled by search engines. […] The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix,” the Websense experts explain.

An exploit kit is a collection of exploits for vulnerabilities in applications commonly found on end-user computers; a visitor whose browser or plugins are unpatched is compromised simply by loading the page. At the moment the Phoenix kit targets two flaws in Adobe Flash Player, five in Adobe Reader, three in Internet Explorer and two in the Java Runtime Environment, though this set can change in the future.

To stay protected from such threats, users are advised to keep all their applications up to date and to run a capable antivirus program. Free specialized tools such as Secunia’s Personal Software Inspector (PSI) can monitor most of the programs installed on a computer and alert the owner as soon as updates for them become available.

Credit: Softpedia.com News


    One Response to “Mass Injection At Media Temple Hosting Leads To Web Exploit Kit”

    1. I’m a tech support agent over at (mt) Media Temple.

      We can confirm that this blog post is correct. From our investigations we’re finding several variations of injected obfuscated code. Right now there’s no sign of our infrastructure being breached, nor of WordPress itself being breached. The vast majority of compromised sites are running 3rd-party plugins and themes. These themes are, at this point, the primary point for the malware to be injected into. We can’t confirm 100% as of yet whether the injected themes are the attack vector. This is still under investigation.

      For what it’s worth, there are several variations of this attack. I can’t go deeply into every variation fully as of yet, since those also have variants, but here’s a general rundown:

      Variant 1) A remote JavaScript include is injected into the wp-posts table, appending the injection to the end of each post. The WordPress Firewall plugin offers some insight:
      See http://mediatemple.net/security (under redirect exploit) for information on how to clean this up.

      ” WordPress Firewall has detected and blocked a potential attack!
      Web Page: www. maroonedcomic. com/ wp-trackback.php?p=1
      Warning: URL may contain dangerous content!
      Offending IP: 174.129.88.35 [ Get IP location ]
      Offending Parameter: tb_id = 999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_pass,1,1))=57),CHAR(111,112,101,110),CHAR(115,117,110,45,116,122,117)))/**/FROM/**/wp_users/**/WHERE/**/ID=1/*
      This may be a ‘SQL Injection Attack.’ ”

      Variant 2) Code is injected into the footer.php & home_footer.php of the *activated* theme. Check /wp-content/themes// for injections. The most recent version is injected between … tags. This is ALSO found in tandem with a PHP injection commonly beginning with . The PHP injection has been found in various files in the active theme, so be sure to check thoroughly.

      Variant 3) If the theme has a /js/common.js or any other JavaScript file, sometimes code is injected there instead of between .. tags. This is still found in tandem with the PHP injection.

      Variant 4) We’ve found the same code as variant 2 injected into static files in odd locations. Example:
      /wp-content/w3tc/pgcache/_index.html
      /wp-content/w3tc/pgcache/_index_low.html

      The injected code appears primarily either to install trojans on viewers’ computers or to act as an intermediary for other attacks. Several other hosts have been named as hit with a similar attack as well.

      We’re working on a blog post to address what customers are facing, and on helping customers clean up their blogs after these attacks. We’re committed to being as transparent as possible with our findings to aid others being affected, regardless of where they are hosted. Attacks like this affect the internet community as a whole; it’s important to work together and share information.

      If you’re a (mt) customer and have any questions, contact us 24/7.
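The WordPress Firewall alert quoted in Variant 1 above is worth reading closely, because it shows the whole attack in one parameter. tb_id, which wp-trackback.php expects to be a numeric post id, is replaced by a UNION SELECT that returns the string 'open' when the first byte of user_pass for the user with ID=1 (normally the first administrator) equals ASCII 57, the digit '9', and 'sun-tzu' otherwise. The page's response differs between the two cases, so the attacker has a yes/no oracle and can extract the password hash one byte and one position at a time. The three obfuscation tricks are visible too: /**/ replaces spaces, CHAR() builds the strings without quote characters, and the trailing /* comments out whatever the application appends to the query. The following script is an added example for this page (not code from the original article, from Websense or from (mt) Media Temple): it normalises that payload back into readable SQL, extracts what the probe is asking, and flags such requests in access-log request lines. The request lines are constructed for the demo; the payload is the one quoted above, with the extraction-broken "1 15" read as 115.

```python
"""Decode and flag the wp-trackback.php SQL injection quoted in the (mt) comment.

Added example for this page; it is not code from the original article, from Websense
or from (mt) Media Temple. The attack string is the "Offending Parameter" quoted from
the WordPress Firewall alert above. The access-log request lines are constructed for
the demo, not real hosting logs.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, quote, unquote_plus, urlsplit

# /**/ is a whitespace substitute used to slip past naive "UNION SELECT" matching.
_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)
# A bare trailing /* comments out whatever the application appends to the query.
_TRAILING_COMMENT = re.compile(r"/\*.*$", re.S)
_CHAR_CALL = re.compile(r"\bCHAR\(\s*([\d\s,]+?)\s*\)", re.I)
_BLIND_PROBE = re.compile(
    r"ASCII\(SUBSTRING\((?P<column>\w+)\s*,\s*(?P<pos>\d+)\s*,\s*1\)\)\s*=\s*(?P<byte>\d+)",
    re.I,
)
_FROM_TABLE = re.compile(r"\bFROM\s+(?P<table>\w+)", re.I)
_UNION_SELECT = re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)

# The payload as the comment quotes it (with the extraction-broken "1 15" read as 115).
QUOTED_PAYLOAD = (
    "999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_pass,1,1))=57),"
    "CHAR(111,112,101,110),CHAR(115,117,110,45,116,122,117)))"
    "/**/FROM/**/wp_users/**/WHERE/**/ID=1/*"
)


def normalize_sql(payload: str) -> str:
    """Turn an obfuscated parameter value into readable SQL.

    URL-decode (logs carry %2F**%2F, not /**/; decoding an already-decoded value is
    a no-op), replace inline comments with a space, drop an unterminated trailing /*,
    rewrite CHAR(111,112,101,110) into the literal it builds, and collapse whitespace.
    """
    s = unquote_plus(payload)
    s = _INLINE_COMMENT.sub(" ", s)
    s = _TRAILING_COMMENT.sub("", s)
    s = _CHAR_CALL.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'", s
    )
    return re.sub(r"\s+", " ", s).strip()


def describe_probe(payload: str) -> dict:
    """Say what a boolean-blind probe is asking: which table and column, which byte
    position, and which byte value is being tested. Empty dict if not that shape."""
    sql = normalize_sql(payload)
    probe = _BLIND_PROBE.search(sql)
    if not probe:
        return {}
    table = _FROM_TABLE.search(sql)
    byte = int(probe.group("byte"))
    return {
        "table": table.group("table") if table else None,
        "column": probe.group("column"),
        "position": int(probe.group("pos")),
        "byte": byte,
        "char": chr(byte),
    }


def flag_trackback_request(request_line: str) -> Optional[dict]:
    """Inspect one 'METHOD /path?query HTTP/x' request line for an injected tb_id.

    wp-trackback.php expects tb_id to be a plain post id, so a non-numeric value is
    suspicious on its own; a UNION ... SELECT after normalisation is a confirmed
    SQL injection attempt.
    """
    parts = request_line.split(" ", 2)
    if len(parts) != 3:
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/wp-trackback.php"):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("tb_id", []):
        if raw.isdigit():
            continue  # a normal trackback
        sql = normalize_sql(raw)
        verdict = "sqli" if _UNION_SELECT.search(sql) else "malformed"
        return {"verdict": verdict, "sql": sql, **describe_probe(raw)}
    return None


# Constructed request lines: the quoted attack URL-encoded as an access log would
# show it, a legitimate trackback, and an unrelated request.
SAMPLE_REQUESTS = [
    f"GET /wp-trackback.php?p=1&tb_id={quote(QUOTED_PAYLOAD, safe='')} HTTP/1.1",
    "POST /wp-trackback.php?p=1&tb_id=1 HTTP/1.1",
    "GET /index.php?p=1 HTTP/1.1",
]


def scan(request_lines) -> list:
    """Return (request_line, finding) pairs for every flagged request."""
    hits = []
    for line in request_lines:
        finding = flag_trackback_request(line)
        if finding:
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_REQUESTS):
        print(finding["verdict"], finding["sql"])
        if "column" in finding:
            print(f"  probing {finding['table']}.{finding['column']} "
                  f"byte {finding['position']} == {finding['char']!r}")
```

Run against real logs, the same normalisation makes a long run of probes from one IP readable as a sequence of "is byte N of the hash equal to X?" questions, which is the signature of blind extraction; a single request with tb_id that is not a number is already enough to block and investigate.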

