Smokey's Security Weblog

veritas odium parit

Hackers hijack critical Internet organization sites of IANA and ICANN

June 27, 2008 (Computerworld) Turkish hackers yesterday defaced the official sites of the international organizations that oversee the Internet’s critical routing infrastructure and regulate domain names, researchers said today.

A group calling itself “NetDevilz” claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA (Internet Assigned Numbers Authority) and ICANN (Internet Corporation for Assigned Names and Numbers).

Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site, said researchers at zone-h.org, a group that collects evidence of site attacks, including page defacements and redirects. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message: “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us?”

The hackers redirected IANA and ICANN traffic to the same IP address that they used last week when they broke into Photobucket Inc.’s image-sharing site and pushed its users to a server operated by Atspace.com, a German hosting service, said Bulgarian security researcher Dancho Danchev in a blog post today.

A spokesman for ICANN contacted Friday morning wasn’t aware of the hack, and declined comment until he found out more.

Source / full article: ComputerWorld Security

June 28, 2008 | Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities

Hundreds of Thousands of Microsoft Web Servers Hacked

April 25, 2008; 8:00 AM ET Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government – have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.

The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft’s Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn’t aware of anyone trying to exploit that particular weakness.

“Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers,” said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. “While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week.”

Dancho Danchev, an independent security analyst, has a decent write-up on signs that Web site owners can look for to tell whether their site has been hit by this attack. Danchev said all of the hacked sites appear to have JavaScript code added to their page source that silently pulls down malware from a few domains in China, namely nihaorr1.com and haoliuliang.net.

Needless to say, if you run a Google search for these sites you will find tens of thousands that contain the script that redirects any visitors to these malicious sites. I would strongly urge people to steer clear of those sites: I mention them here so that Web site owners can more easily search the HTML code in their pages for these domains.

If you run your site with IIS, please take a moment to consider applying the workarounds in the Microsoft advisory for your version of IIS. Also, that IIS.net post I mentioned earlier has some great tips to help administrators lock down their systems.

Source: Washingtonpost.com
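
The check the article suggests for site owners, searching page HTML for script references to the two named domains, can be automated. The following Python scanner is an added example, not code from the article or from Microsoft; only the two domains come from the text above, while the sample page and its `constructed.js` file names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in the article above; extend the set for your own review.
FLAGGED_DOMAINS = {"nihaorr1.com", "haoliuliang.net"}

# Constructed sample page (not captured from a real site).
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<p>News item</p><SCRIPT SRC=http://www.NIHAORR1.com/constructed.js></SCRIPT>
<script src='//haoliuliang.net/constructed.js'></script>
<script src="http://notnihaorr1.com/ok.js"></script>
</body></html>"""

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or not."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # the parser lower-cases tag and attribute names
            self.sources.extend(v.strip() for k, v in attrs if k == "src" and v)

def host_of(src):
    """Return the lower-cased host of a script URL, or '' for relative paths."""
    if src.startswith("//"):  # protocol-relative URL
        src = "http:" + src
    try:
        return (urlsplit(src).hostname or "").rstrip(".")
    except ValueError:  # malformed URL: treat as having no host
        return ""

def is_flagged(host, domains=FLAGGED_DOMAINS):
    """True if host is a flagged domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def find_flagged_scripts(html, domains=FLAGGED_DOMAINS):
    """Return (src, host) pairs for script tags loading from flagged domains."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = [(src, host_of(src)) for src in collector.sources]
    return [(src, host) for src, host in hits if is_flagged(host, domains)]

if __name__ == "__main__":
    for src, host in find_flagged_scripts(SAMPLE_PAGE):
        print(f"flagged script: {src} (host {host})")
```

The scanner only inspects `<script src=...>` attributes, so a plain substring search of the page source and of the database text columns behind it is still worth running alongside it.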

SQL Injection Attacks on IIS Web Servers

April 25, 2008 9:33 PM You may have seen recent reports that have surfaced stating that web sites running on Microsoft’s Internet Information Services (IIS) 6.0 have been compromised. These reports allude to a possible vulnerability in IIS or issues related to Security Advisory 951306 which was released last week.

Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies.

Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform. More information on SQL injection attacks can be found here and here.

Guidance from Microsoft for web application development best practices can also be found on this MSDN page. Best practices guidelines that developers may follow to mitigate SQL injection can be located here. As we continue to make progress in our investigation on this attack, we will provide updated guidance and information on the IIS.net site. For the latest information on this issue, please subscribe or visit the IIS security forum.

For end-users, the investigation also shows no indication of an un-patched vulnerability in IIS, SQL Server, Internet Explorer or any other Microsoft client software, so we recommend customers apply the latest updates to be protected from these attacks.

To further protect themselves from reported attacks, we encourage all customers to apply our most recent security updates to help ensure that their computers are protected from attempted criminal attacks. For more information about security updates, visit: www.microsoft.com/protect.

Anyone believed to have been affected can visit: http://www.microsoft.com/protect/support/default.mspx and should contact the national law enforcement agency in their country. Those in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at: www.ic3.gov

Source and links provided by: BillS IIS Blog

April 25, 2008 | Advisories, Alerts, Malware, News, Recommended External Security Related Links, Vulnerabilities