[Eug-lug] Question about exploits and malware

Bob Miller kbob at jogger-egg.com
Thu Jun 5 22:39:50 PDT 2008


It's really hard to tell what happened from here.  I suspect the
server was broken into through some vulnerability in Linux, Apache,
PHP, or another installed package.  Without doing a forensic analysis,
we won't know.

Once an attacker had gained access to the server, it would be
trivially easy to use a script to edit static web pages (or php source
files) and rewrite hyperlinks en masse.  You could write a script to
do that.  I could write a script to do that in just a few minutes.

Who did it and what their motivation was is just speculation.  The
simplest explanation would be that the porn sites' owners did it, but
there's no real evidence, at least from here.  The site administrator
could get some clues from Apache's logfiles.

FWIW, I spot checked a few other diary entries there, and they didn't
appear to be defaced.

marbux wrote:

> I got a Google News email notice a few minutes ago of an article that
> sounded interesting from svg.org. It was published today.
> <http://svg.org/section/Diary>. I started reading, decided to click on
> a link, and was transported to a porn site. In checking further, it
> looks like nearly all of the hyperlinks on the page lead to different
> porn sites. But this is a serious organization and the article deals
> with a serious subject in a serious way. It seems unlikely that the
> author submitted the article with the porn links in it, particularly
> because many of the links from comments posted on the page also point
> to porn sites.
> 
> I've sent the site admin an email about it, but I started wondering
> what kind of security hole might enable a porn link spammer on a
> production basis to gain access to a web site's content and
> automagically substitute URLs in content hyperlinks. Any new known
> malware tools out there for doing this kind of thing on a production
> basis? I've never encountered anything like it before. My sniff is
> that this is something done by a person who spends all day doing the
> same thing around the web.
> 
> I know I would not be a happy camper if all the links on my site
> suddenly became links to porn sites. So I'm interested in
> double-checking my security against any known new exploit that might
> have been used to trash that site. Of course I can't rule out that a
> site admin is playing a joke on the author of the article.
> 
> FWIW, the site's About page has information about the hardware and
> software they are running.
> 
> Best regards,
> 
> Marbux
> _______________________________________________
> EUGLUG mailing list
> euglug at euglug.org
> http://www.euglug.org/mailman/listinfo/euglug

-- 
Bob Miller                              K<bob>
                                        kbob at jogger-egg.com
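
Added example, not part of the original thread: one way for a site owner to double-check pages for the mass link substitution discussed above is to compare each page's outbound link hosts against a known-good copy. The function names, the 0.5 threshold, the host site.example and the sample pages are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect the href value of every <a> tag in a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def external_hosts(html, site_host):
    """Return the host of each absolute link that leaves site_host."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = []
    for href in parser.hrefs:
        host = urlparse(href).hostname or ""  # relative links have no host
        if host and host != site_host and not host.endswith("." + site_host):
            hosts.append(host)
    return hosts

def audit_page(baseline_html, current_html, site_host, threshold=0.5):
    """Compare a live page with its known-good copy (e.g. from backup).

    Returns (suspicious, new_hosts, ratio), where ratio is the share of
    outbound links pointing at hosts the known-good copy never linked to.
    """
    known = set(external_hosts(baseline_html, site_host))
    current = external_hosts(current_html, site_host)
    new = [h for h in current if h not in known]
    ratio = len(new) / len(current) if current else 0.0
    return ratio >= threshold, sorted(set(new)), ratio

# Constructed sample pages: same link text, different targets.
BASELINE = ('<p><a href="http://www.w3.org/TR/SVG/">spec</a> '
            '<a href="/section/Diary">diary</a> '
            '<a href="http://example.org/tool">tool</a></p>')
REWRITTEN = ('<p><a href="http://spam-one.invalid/">spec</a> '
             '<a href="/section/Diary">diary</a> '
             '<a href="http://spam-two.invalid/x">tool</a></p>')

if __name__ == "__main__":
    print(audit_page(BASELINE, REWRITTEN, "site.example"))
```

Run against every page in a backup or version-control checkout, this points to which files were touched; the Apache logs mentioned above are still needed to learn how the attacker got in.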

