UPDATED 11:35 EDT / NOVEMBER 07 2011


MIT Server Becomes Host to Seething DoS and Vulnerability Scanner Suite Infection

Recently, a server at the Massachusetts Institute of Technology was found to be hosting a heavy-duty suite of attack tools and being used for vulnerability scanning and compromises. Researchers at Bitdefender caught it attempting to inject malware code into unprotected sites on the Web. The researchers say that the ongoing attacks appear to be related to the Blackhole Exploit Pack, a popular cyberattack kit used by criminals.

SecurityWeek has an article that breaks down the function of this compromise and what it means for the Web in general.

The outbound attacks appear to have started in June and Bitdefender estimates almost 100,000 domains have been compromised in the past five months. The attacks probably started shortly after the attackers managed to breach the MIT server—but instead of using the server to serve as a beachhead to reach further into MIT’s network, they turned it around and used it to marshal artillery aimed at the rest of the web.

While the attacks pose a notable threat to sites that run open, unpatched versions of PHPMyAdmin (a popular script for controlling a backend database), the volume of outbound GET traffic generated by the vulnerability scanner can also bring smaller web servers to their knees. That adds denial of service to the types of assault this scanner is capable of, although in this case that appears to be a “bug” in the compromise software.

“Judging by initial data, one MIT server (CSH-2.MIT.EDU) hosts a malicious script actively used by cyber-crooks to scan the web for vulnerable websites,” said Bitdefender. “It is currently unknown how the crawler bot was planted on the MIT server, but it is certain that it probes the web for hosting accounts that come with a vulnerable version of PHPMyAdmin… Our information shows that the vulnerable versions of PHPMyAdmin range from 2.5.6 to 2.8.2.”

The infected pages left behind by the attack scripts are a bizarre mishmash of images taken from all over the Web and a slurry of keyword-laden word salad, all injected on top of the content the page would normally serve. The rest appears to be further malicious content intended to spread the infection.

EDU and Fortune 500 networks become extremely big targets for this type of “foothold” compromise because they are sprawling, contain low-maintenance load-bearing servers, and are often undefended on the fringes. As a result, attackers can sneak in and use the network’s resources for this sort of nefarious design, and it can take days—or, as in this case, months—before the infection is discovered and rooted out. MIT’s domain was especially favorable because many organizations don’t block traffic from educational networks.

Network operators need to remain vigilant and good stewards of their domain to prevent invading forces from setting up command and control inside their borders. Firewalls do a lot more than simply keep bad connections from coming into a network; they also serve to make certain that all outbound traffic is legitimate. With the proper scripts watching the firewall and triggering on suspicious outbound behavior, this sort of vulnerability scanning should have been detected on day one.

Installing and maintaining Intrusion Detection Software (IDS) has become a must for all large networks and everything outbound or inbound should go through some sort of gatekeeper.
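As an added example (not code from the article or from Bitdefender), one way to script the egress check described above: a small detector run over constructed proxy-style log lines that flags an internal host fanning outbound GETs across many distinct external hosts in a short window, or repeatedly requesting phpMyAdmin paths. The log format, addresses, and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress log lines (proxy/firewall style), not real traffic:
# "<ISO timestamp> <internal source IP> <method> <URL>"
SAMPLE_LOG = """\
2011-06-14T03:00:01 10.0.5.12 GET http://site-a.example/phpMyAdmin/
2011-06-14T03:00:02 10.0.5.12 GET http://site-b.example/phpmyadmin/
2011-06-14T03:00:02 10.0.5.12 GET http://site-c.example/PhpMyAdmin/
2011-06-14T03:00:03 10.0.5.12 GET http://site-d.example/phpMyAdmin/
2011-06-14T03:00:04 10.0.5.12 GET http://site-e.example/phpmyadmin/
2011-06-14T03:00:05 10.0.5.12 GET http://site-f.example/phpmyadmin/
2011-06-14T03:00:09 10.0.7.40 GET http://mirror.example/ubuntu/Release
2011-06-14T03:00:10 10.0.7.40 GET http://mirror.example/ubuntu/Packages.gz
2011-06-14T03:00:12 10.0.7.40 POST http://api.example/v1/status
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*)$"
)

def parse_log(text):
    """Yield (timestamp, src, method, host, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines rather than crash the detector
            yield (datetime.fromisoformat(m["ts"]), m["src"], m["method"], m["host"], m["path"])

def detect_outbound_scanning(text, window=timedelta(seconds=60), max_hosts=5, max_pma_probes=3):
    """Return {src: set(reasons)} for internal hosts whose outbound HTTP looks like scanning."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec[1]].append(rec)
    alerts = defaultdict(set)
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        start = 0  # sliding window: does one source fan GETs out to many hosts quickly?
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            hosts = {r[3] for r in recs[start:end + 1] if r[2] == "GET"}
            if len(hosts) > max_hosts:
                alerts[src].add("fan-out-get")
        # repeated requests for phpMyAdmin paths, the pattern the article describes
        probes = sum(1 for r in recs if "phpmyadmin" in r[4].lower())
        if probes > max_pma_probes:
            alerts[src].add("phpmyadmin-probing")
    return dict(alerts)

if __name__ == "__main__":
    for src, reasons in detect_outbound_scanning(SAMPLE_LOG).items():
        print(f"ALERT {src}: {', '.join(sorted(reasons))}")
```

Thresholds are deliberately low for the sample; on a real egress point they would be tuned against a baseline of legitimate outbound traffic.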

The overall health and stability of the large networks belonging to EDU institutions and Fortune 500 companies can be judged not just by how easily they become hosts to footholds, but by how quickly they detect and respond to them. It takes more than attack-retardant systems, since in this era it’s not a matter of if but when you’ll be compromised; how effective the IT detection and firefighting happens to be is what really wins the day.

