Some 35,000 sites running vBulletin, a popular web forum package, were recently hacked through files left over from the software's installation process.
The hack by itself is fairly standard, but the way it was carried out shows how search engines like Google can unwittingly become a party to such hacking.
Security journalist Brian Krebs reported the findings in conjunction with work done by security research firm Imperva, whose researchers believe the hacks are being executed by a botnet. The botnet not only injects the malicious code into the target sites, but also scrapes Google in a massively parallel fashion looking for vBulletin-powered sites that might make good targets.
Why scrape Google in parallel? To work around Google's defenses against automated searches. Those defenses work well against a single user scraping Google: after a certain number of searches from one host, the user is presented with a CAPTCHA, which stops most bot-driven scrapes. But if a great many such searches are performed in parallel from many hosts, it doesn't matter that each one eventually runs afoul of a CAPTCHA. Before they do, they collectively scrape far more than any one system could on its own. (Krebs did not describe the size of the botnet used, however.)
The hacks themselves, of which Krebs has identified two, are fortunately rather easy to detect, because both leave the same trace: a new administrator account. One adds surreptitious admin accounts to the vulnerable vBulletin installations. The other, "apparently used in a mass website defacement campaign," adds an admin account named "Th3H4ck".
Now the good news: the very thing that made it possible to find those vulnerable vBulletin sites, a properly crafted Google search, can also be used to identify already hacked vBulletin installs. If you see a site you know on that list, tell the administrator. There's a good chance they don't know they've been hacked.
Scanning for vulnerabilities with Google isn't by itself new; Bruce Schneier pointed out in 2008 that the process was not only possible but could be automated. Deploying such Google scanning from a botnet, to seek out vulnerable sites in a massively parallel operation, is a relatively new wrinkle, and one likely to keep working until Google finds a way to block it en masse without impacting regular search services.
Krebs points out that it's difficult to place the blame exclusively on vBulletin. The makers of the software note that its installation instructions ask users to remove the "/install" and "/core/install" directories after setting up the program.
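Both points above, the leftover install directories and the planted administrator accounts, can be checked from the server side by the site operator. The script below is an added example for this post; it is not code from Krebs, Imperva or vBulletin. It assumes the stock vBulletin layout: a `user` table (with an optional table prefix) carrying `username`, a primary `usergroupid` and a comma-separated `membergroupids` column, and the default Administrators group id of 6. Real forums run on MySQL; the in-memory sqlite database and the temporary webroot here are constructed stand-ins so the example runs offline.

```python
"""Post-install audit for a vBulletin site: leftover install directories
and administrator accounts the operator did not create.
Added example, not part of the original article or of vBulletin itself."""
import sqlite3
import tempfile
from pathlib import Path

# Directories the vBulletin installation instructions say to delete after setup.
LEFTOVER_INSTALL_DIRS = ("install", "core/install")

# Default vBulletin usergroupid for "Administrators" (assumes the stock groups).
ADMIN_USERGROUPID = 6


def find_leftover_install_dirs(webroot):
    """Return which leftover install directories still exist under webroot."""
    root = Path(webroot)
    return [d for d in LEFTOVER_INSTALL_DIRS if (root / d).is_dir()]


def list_admin_accounts(conn, table_prefix=""):
    """Return usernames holding the Administrators group as either their
    primary group or one of their secondary groups (assumed column layout:
    username, usergroupid, membergroupids)."""
    if table_prefix and not table_prefix.isidentifier():
        # The prefix is interpolated into SQL, so only accept a plain identifier.
        raise ValueError("table prefix must be a plain identifier")
    rows = conn.execute(
        f"SELECT username, usergroupid, membergroupids FROM {table_prefix}user"
    )
    admins = []
    for username, primary, secondary in rows:
        secondary_ids = {s for s in (secondary or "").split(",") if s}
        if primary == ADMIN_USERGROUPID or str(ADMIN_USERGROUPID) in secondary_ids:
            admins.append(username)
    return admins


def unexpected_admins(conn, known_admins, table_prefix=""):
    """Administrator accounts that are not on the operator's own list."""
    return sorted(set(list_admin_accounts(conn, table_prefix)) - set(known_admins))


def build_sample_db():
    """Constructed in-memory stand-in for the forum database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE vb_user (userid INTEGER, username TEXT, "
        "usergroupid INTEGER, membergroupids TEXT)"
    )
    conn.executemany(
        "INSERT INTO vb_user VALUES (?, ?, ?, ?)",
        [
            (1, "siteadmin", 6, ""),        # legitimate administrator
            (2, "alice", 2, ""),            # ordinary registered member
            (3, "bob", 2, "7"),             # moderator via a secondary group
            (4, "Th3H4ck", 6, ""),          # account name from the defacement campaign
            (5, "support_helper", 2, "6"),  # admin rights hidden in a secondary group
        ],
    )
    return conn


def build_sample_webroot():
    """Constructed webroot in which core/install was never removed."""
    root = Path(tempfile.mkdtemp())
    (root / "core" / "install").mkdir(parents=True)
    (root / "forum").mkdir()
    return root


def audit(webroot, conn, known_admins, table_prefix=""):
    """Run both checks and return the findings."""
    return {
        "leftover_install_dirs": find_leftover_install_dirs(webroot),
        "unexpected_admins": unexpected_admins(conn, known_admins, table_prefix),
    }


if __name__ == "__main__":
    findings = audit(build_sample_webroot(), build_sample_db(), {"siteadmin"}, "vb_")
    for kind, items in findings.items():
        print(f"{kind}: {items or 'none'}")
```

Run against a real install, `audit()` would be pointed at the actual webroot and a connection to the forum's MySQL database, with `known_admins` filled from the operator's own records. Checking `membergroupids` as well as the primary group matters: an attacker who adds an existing low-privilege account to the Administrators group as a secondary membership leaves no new username to spot.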
In that sense, this issue is akin to the way ColdFusion projects have been plagued by break-ins, in part because many outfits run older, unpatched versions of the software, but mainly because many firms don't follow Adobe's own instructions for hardening ColdFusion setups. The oft-targeted WordPress has the same issue: it's easy to set up, but securing it requires the end user to take a number of steps that often aren't followed.
from InfoWorld.com