Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Are there any websites that are NOT compromised?

Published: 2013-05-08
Last Updated: 2013-05-08 01:16:07 UTC
by Johannes Ullrich (Version: 1)
8 comment(s)

Today was yet another day with lots of compromised websites, some notable others less.

This morning, a reader wrote in to notify us that the county government website of a county in Georgia was compromised. Sure enough, it appeared to serve malicious javascript, launching the usual exploit kit Java exploit (zeroaccess was the readers guess, and I think he was right). With smaller sites/organizations like this, I usually try to give them a call, and in this case, was pretty quickly sent to a person who was responsible for the web site content. Sadly, I don't think this person had any basic understanding of exploit kits or web applications to understand most of what I tried to explain, but she knew someone to contact. As of right now, the web site *appears* to be "clean". Which gets me to the next point, some of the difficulties one encounters in notifying sites:

- Frequently, like in this case, the exploit only shows up on some pages, and not all the time. Sometimes you need to visit with a specific browser, sometimes it is random, or in other cases, the miscreant appears to filter out requests from "administrators" showing them the unaltered site

- It is very hard to NOT get people to go to the URL right away as you talk about it being dangerous. It was relatively early in the morning, and I forgot my usual introduction not to go the site, so sure enough, as I explain which page I noticed as "infected", the person at the phone responded "but it look normal"...

- In particular for small sites like this, the standard blacklists don't work. Virus Totals URL Scanner showed the site as "safe" . Kaspersky Anti Virus on one of my Mac's flagged the javascript with a generic exploit signature and prevented access.

FWIW: My guess is that the site was infected via the Wordpress plugin "Super Cache" which was installed on the site. This plugin had some recent vulnerabilities.

The other compromisse, that created a larger news response, was the compromise of wtop. com and federalnewsradio. com. Both sides are related to each other, so I consider them one compromise. The interesting response in this case was that the site blocked access from users running Internet Explorer, but let others in to the site. I didn't see any exploit code when I retrieved the site, but I am not sure if it is safe to assume that an exploit is only going to attack one particular browsers, the miscreant appears to filter out requests from "administrators" showing them the unaltered site.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords:
8 comment(s)
Diary Archives