500,000 Web Pages Hacked
Will Spencer
April 26, 2008
A vulnerability in Microsoft IIS (Internet Information Server) allowed a hacker to vandalize more than half a million web pages this week.
The hacker exploited unidentified vulnerabilities in Microsoft IIS to post his own hidden code on these web pages.
The hidden code attempts to break into the computers of every visitor who views the compromised web page. This infected an unknown, but most likely very large, number of PC's across the globe.
The hacker inserts a JavaScript call into the compromised pages. The JavaScript then loads an IFRAME from a web site controlled by the hacker. An IFRAME is an HTML element that allows one web page to be inserted into another web page.
The page which is loaded from the hackers web site attempts to take over the viewers PC using eight known exploits. If one of the exploits succeeds, the infected PC is now under the control of the hacker.
As this is a new issue, most anti-malware companies have yet to update their products to protect customers from infection or to remove the infection from affected PCs.
In the interim, the only available protection for users is to disable JavaScript in their web browsers.
Webmasters can determine if their pages have been compromised by searching for the names of the web sites hosting the hackers malicious code. The known web hosts at this point are nihaorr1.com, nmidahena.com and aspder.com.
It is not yet known how the hacker is breaking into the web sites. It appears to be a SQL Injection attack which exploits vulnerabilities in Microsoft SQL Server.
The hacker exploited unidentified vulnerabilities in Microsoft IIS to post his own hidden code on these web pages.
The hidden code attempts to break into the computers of every visitor who views the compromised web page. This infected an unknown, but most likely very large, number of PC's across the globe.
The hacker inserts a JavaScript call into the compromised pages. The JavaScript then loads an IFRAME from a web site controlled by the hacker. An IFRAME is an HTML element that allows one web page to be inserted into another web page.
The page which is loaded from the hackers web site attempts to take over the viewers PC using eight known exploits. If one of the exploits succeeds, the infected PC is now under the control of the hacker.
As this is a new issue, most anti-malware companies have yet to update their products to protect customers from infection or to remove the infection from affected PCs.
In the interim, the only available protection for users is to disable JavaScript in their web browsers.
Webmasters can determine if their pages have been compromised by searching for the names of the web sites hosting the hackers malicious code. The known web hosts at this point are nihaorr1.com, nmidahena.com and aspder.com.
It is not yet known how the hacker is breaking into the web sites. It appears to be a SQL Injection attack which exploits vulnerabilities in Microsoft SQL Server.
Print
Email
