View Full Version : Hundreds of Thousands of Microsoft Web Servers Hacked

Glenn H
04-25-2008, 10:17 AM
Oh the humanity

Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines.

The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.

On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn't offer much more information.

"Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers," said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. "While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week."

According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.

Dancho Danchev, an independent security analyst, has a decent write-up on signs that Web site owners can look for to tell whether their site has been hit by this attack. Danchev said all of the hacked sites appear to have Javascript coding adding to their page source that silently pulls down malware from a few domains in China, namely nihaorr1.com, and haoliuliang.net.

Needless to say, if you run a Google search for these sites you will find tens of thousands that contain the script that redirects any visitors to these malicious sites. I would strongly urge people to steer clear of those sites: I mention them here so that Web site owners can more easily search the HTML code in their pages for these domains.

There are indications that this attack is coming in waves, with the bad guys swapping in new malicious downloader sites every few days. According to posts on an IIS user forum, Web site administrators first saw signs of this attack on April 17, the day before Microsoft issued its initial advisory on the IIS vulnerability.

If you run your site with IIS, please take a moment to consider applying the workarounds in the Microsoft advisory for your version of IIS. Also, that IIS.net post I mentioned earlier has some great tips to help administrators lock down their systems.

These types of attacks that infiltrate legitimate, trusted Web sites are precisely the reason I so often recommend Firefox over Internet Explorer. There is a great add-on for Firefox called "noscript," which blocks these kinds of Javascript exploits from running automatically if a user happens to visit a hacked site. Currently, there is no such protection for IE users, and disallowing Javascript entirely isn't really an option on today's World Wide Web. True, you can fiddle with multiple settings in IE to add certain sites to your "Trusted Zone," but that option has never struck me as very practical or scalable.