hacked into serving up Blackhole exploit kit

Cryptome, a website dedicated to publishing secret and censored information, was infected with a variant of the Blackhole exploit kit for the past four days.

Fortunately the operators of Cryptome were able to restore the site from backup tapes and remove the malicious code before too many people were compromised by the exploit code.

Cryptome believes the malware, which Sophos detects as Mal/Iframe-X, attempted to infect 2,863 visitors after all of the site's HTML files were modified on February 8th, 2012.

The injected code specifically targeted Windows users running Internet Explorer 6, 7 and 8 and redirected them offsite to where the Blackhole exploit code was hosted.

One comment made to Cryptome’s blog about the incident makes some interesting observations on how the server may have been exploited.

It appears the web server supports Microsoft Frontpage extensions (WebDAV) which are designed to allow Microsoft Frontpage users to publish web pages without all the scary complexity of FTP or SSH/SCP.

Frontpage hasn’t existed for quite some time and the web server extensions that support it have been buggy and had many security vulnerabilities from day one (zero?).

I recently had a security incident on a personal web server (which I will write up once my research is complete) and thought this might be a good time to highlight some best practices.

Maintaining a secure online presence is not easy, but there are some things you should think about if you operate a web site.

  • Reduce the threat surface. Don’t load WebDAV, Frontpage, PHP/Perl/Python/Ruby or any other module into your web server that you aren’t actively using. The fewer moving parts you have, the harder it is to break.

  • Turn off debugging and server status pages. Many sites are happy to tell you precisely what software is installed and enabled on the server, allowing attackers to precisely exploit known vulnerabilities.


  • Stop using FTP. It’s dead, okay? Unencrypted passwords, communications channels that are not firewall/NAT friendly, etc, etc. Use a secure protocol for publication like SCP or SFTP, preferably with protected keys rather than passwords.

  • Consider using a version control system like Git or CVS to publish and monitor your sites. Not only can you easily undo mistakes, but recovering from an incident is often easier.

  • Watch your logs carefully and consider using tools that can block known attack patterns like a web application firewall.
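The version-control and log-watching advice above comes down to knowing what your published tree should look like and noticing when it changes. The following is an added example, not code from the original post or from Cryptome: a small integrity check in Python that hashes a known-good deploy, reports files that changed, appeared or vanished, flags changed HTML that embeds an iframe pointing at a host you do not own, and raises the "every HTML file changed at once" condition seen in this incident. The iframe regex, the sample site and the host names in the demo are constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Heuristic (assumed, not from the article): an <iframe> whose src points at another host.
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
HTML = {".html", ".htm"}

def build_baseline(root: Path) -> dict:
    """Hash every published file; record this right after a known-good deploy."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def check_site(root: Path, baseline: dict, own_hosts: set) -> dict:
    """Diff the live tree against the baseline and inspect changed HTML for
    iframes that pull content from hosts we do not own."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "missing": [], "offsite_iframes": {}}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(baseline) - set(current))
    for rel in report["modified"] + report["added"]:
        path = root / rel
        if path.suffix.lower() in HTML:
            hosts = {m.group(1).lower() for m in IFRAME_RE.finditer(path.read_text(errors="replace"))}
            if hosts - own_hosts:
                report["offsite_iframes"][rel] = sorted(hosts - own_hosts)
    # Every HTML file changing at once is the pattern Cryptome saw on February 8th.
    html_total = sum(1 for rel in current if Path(rel).suffix.lower() in HTML)
    html_changed = sum(1 for rel in report["modified"] if Path(rel).suffix.lower() in HTML)
    report["mass_html_change"] = html_total > 0 and html_changed == html_total
    return report

def demo() -> dict:
    """Constructed sample site: clean baseline, then a hidden iframe is appended to every page."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pages = ("index.html", "about.html")
        for name in pages:
            (root / name).write_text(f"<html><body>{name}</body></html>")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_baseline(root)
        inject = '<iframe src="http://bad.example/in.php" width=1 height=1 style="visibility:hidden"></iframe>'
        for name in pages:
            (root / name).write_text((root / name).read_text() + inject)
        (root / "logo.png").unlink()
        return check_site(root, baseline, own_hosts={"www.example.org"})
```

Run the baseline step from a deploy hook (or simply commit the tree to Git and diff against HEAD) and the check from cron, and page someone when offsite iframes or a mass HTML change appear.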

Owning a web site is like owning a home. It comes with the responsibility of maintenance and care to keep it in tip-top shape. Unfortunately it also comes with a bit of liability if you don’t invest the necessary time.

Creative Commons image of a black hole courtesy of WikiMedia Commons.