Tag: IRC

  • Another Debian server security breach

    According to this story, there has been another compromise of a Debian project server. (Is this the third in the last year?) The Alioth webserver was offline most of the 5th of September…

    It was simply stopped because we discovered that some script kiddies were running an IRC proxy. After thorough investigation, we discovered that they exploited a pmwiki security hole[1] to deface some web pages and to install some malicious PHP pages, which in turn were used to set up the IRC proxy.

    (more…)

  • The Great Cyberwar

    It went unnoticed by most people for a few years. After all, the ones that were affected were just those that were “asking for it”. Where to start? Let’s see. Back in the day there were some people who sent out messages to other people’s computers, and even when people tried to stop getting the messages, they kept coming. So a few sites decided that if they could “blacklist” the places that these messages were coming from, they could help people deal with the mass of messages. So they did, and the people sending the unwanted messages were a bit frustrated and improved their distribution a bit, taking over virus-infected PCs for sending their messages. The defenders matched them and started blacklisting dialup addresses as mail sources. It was frustrating for those running legitimate mail servers on a dynamic internet address, but there were legitimate ways to fix the problem. But the senders of the messages got mad.

    (more…)

  • x11vnc slow internet initial-connection performance – identd timeout

    So, I had the script all ready, I’ve got my x11vnc custom compiled to be as widely compatible as possible, and I’ve tested thoroughly on the internal network. The next step was to test my x11vnc “one cut and paste” script over the internet. So, I visited my parents’ PC, which dual-boots Windows XP and Mandrake 10.0… I did the cut and paste into the “run command…” menu and waited and waited and waited. I dropped to a console and started again, but checked that x11vnc was already running. I didn’t know what could be taking so long. I tried again and the FIRST connection gave the prompt.

    (more…)

  • AIM worm

    Strange AIM worm going around. It apparently includes an interesting combination of rootkits, a rootkit detector, spyware/adware, and a specialized BitTorrent client. The machines can then be controlled through IRC. The source seems to be the Middle East…

    IM hackers then control a global botnet where their infections can be tested and payloads are pushed. Facetime traced these hackers to the Middle East.
    The same IM hackers sent movies by way of IRC and their own version of BitTorrent, installing it without consent. Now the IM hackers are back with more, nastier malware, Rootkit Revealer and adware from 180solutions/Zango.

    (more…)

  • Another trojan using WMF exploit in SPAM

    F-Secure is reporting on another SPAM attack that tries to get people to click on a link to a site with an exploit-crafted WMF file. The message is along the lines of a claimed professor at Yale announcing the unfortunate vandalism over the New Year holiday; the link purports to be pictures of the act in the “hope that someone may recognize the culprits’ work”. I’m sure this won’t be the last of that sort…

    (more…)

  • Linux php-exploit bot

    Incidents.org writes to remind us that bots aren’t just for Windows. The recent PHP exploits have seen the use of the “kaiten” bot. After infecting the system it connects to an IRC server. It primarily targets Linux systems. They do give a very good way to blunt most Linux bot-style malware…

    (more…)

  • Sony BMG is still having a bad week….

    Unfortunately a LOT of people that have bought Sony-BMG CDs (or borrowed, whatever…) are going to have some headaches too. Buy stock in Tylenol or Aleve or something… anyway… here’s today’s roundup of Sony Rootkit news, including a virus borrowing the gift of SONY…

    First up is some “backstory” that reminds us of Sony’s attitudes in the past on the issue of piracy and what should be done about it, along with the prescient “I think most people don’t know what a rootkit is” statement.

    (more…)

  • Phpbb include vulnerability scanning

    Incidents.org is reporting scanning for phpBB include vulnerabilities through Google. Apparently there is an IRC botnet being “cultivated”. They are scanning for versions of phpBB prior to 2.0.10; the current release is 2.0.18.

    The new IRC bot scans for vulnerable systems using Google; when successful, it announces that “oopz and sirh0t and Aleks g0t pwned u!”, and has UDP flooding and UDP/ICMP/TCP scanning capabilities.

    The file phpbb_patch was found on exploited systems.

    (more…)

  • A virus writer talks….

    Along the lines of the “Wishlist of Spyware Slime” that I referred to last week, it appears there’s a chat transcript out from before the arrest of the suspected writer of the Mytob and Zotob worms. Security Fix has the details.

    (more…)

  • Esbot and Zotob updates….

    Wednesday afternoon and Esbot is up to revision .B, Zotob is up to G according to SARC (Symantec Antivirus Research Center). They have appropriate removal tools and details on affected systems there. Meanwhile the SANS Institute (incidents.org) has a rundown of the latest in today’s handler’s diary.

    (more…)