i2 Security Blog

Keeping you up to date on the world of IT Security


Attack on Wampserver and WordPress sites

Kimberly from Stopmalvertising found the Blackhole Exploit Kit on the website of WampServer, the very popular web server software bundle. WampServer is a package of web components bundled together for Windows users; the name comes from the software it packages (Windows, Apache, MySQL, PHP).
Almost at the bottom of the web page the team that discovered this found some JavaScript requesting a file from jquery.googlecode.com. The URL is followed by a long string of parameters. The file returns a 404; it's just there to fool people.

Once the script was decoded they found an iframe leading to vc-business.com/in.php. According to the analysis, if a vulnerable Java, Windows Media Player, Flash or Adobe Reader version is detected, the visitor is redirected to 91.194.214.66/dng311011/c7a44076f6c722eb74725563b0a000a0/spl.php and from there to 30domaaaam.in/main.php?page=c76874df55550a3f. According to Norton Safe Web, 91.194.214.66 has been listed as distributing the ZeroAccess rootkit.
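The two tell-tale signs described above (an off-site script whose URL trails a very long parameter string, and a tiny or CSS-hidden iframe pointing at another host) are simple enough to check for mechanically in a page you host. The scanner below is an added example written for this post, not code from Stopmalvertising or the WampServer project; the sample page it scans is constructed, and all hostnames in it (`www.example-site.test`, `payload.example.test`, and so on) are placeholders, not the domains named in the analysis.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not the real WampServer page). It mixes two
# harmless scripts with the two patterns the post describes: an external
# script whose URL carries a very long parameter string, and a 1x1 hidden
# iframe like the one the decoded script produced.
SITE_HOST = "www.example-site.test"
SAMPLE_HTML = (
    "<html><body><h1>Downloads</h1>\n"
    '<script src="/js/site.js"></script>\n'
    '<script src="http://cdn.example.test/jquery.min.js"></script>\n'
    "<p>Footer text</p>\n"
    '<script src="http://scripts.example.test/jquery.js?' + "k" * 300 + '"></script>\n'
    '<iframe src="http://payload.example.test/in.php" width="1" height="1"'
    ' style="visibility: hidden"></iframe>\n'
    "</body></html>\n"
)

# Query strings at least this long are treated as suspicious; legitimate
# cache-busting parameters are rarely more than a few dozen characters.
LONG_QUERY = 200


class ExternalRefCollector(HTMLParser):
    """Collect every <script> and <iframe> that loads from a URL, in document order."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = {k: (v or "") for k, v in attrs}
            if a.get("src"):
                self.refs.append((tag, a["src"], a))


def is_hidden(attrs):
    """True for a zero/one-pixel frame or one hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "100")) <= 1 or int(attrs.get("height", "100")) <= 1
    except ValueError:
        return False


def find_suspicious(page_html, site_host, long_query=LONG_QUERY):
    """Flag external scripts with long parameter strings and any off-site iframe."""
    collector = ExternalRefCollector()
    collector.feed(page_html)
    findings = []
    for tag, src, attrs in collector.refs:
        parts = urlsplit(src)
        host = parts.netloc.lower()
        if not host or host == site_host.lower():
            continue  # same-origin references are not what we are hunting
        reasons = []
        if tag == "script" and len(parts.query) >= long_query:
            reasons.append("long_query")
        if tag == "iframe":
            reasons.append("external_iframe")
            if is_hidden(attrs):
                reasons.append("hidden")
        if reasons:
            findings.append({"tag": tag, "host": host, "path": parts.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HTML, SITE_HOST):
        print(f"{f['tag']:6} {f['host']}{f['path']}  {', '.join(f['reasons'])}")
```

Run against the constructed page it reports the long-query script and the hidden iframe and stays silent on the two ordinary scripts; external scripts from a CDN are normal, so only the parameter length, not the external host alone, makes a script a finding. It will not see a reference that is only assembled at run time by obfuscated JavaScript, which is why the post's analysts still had to decode the script by hand.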

Another Blackhole Exploit Kit attack was discovered on thousands of WordPress websites that use an outdated version of the popular TimThumb image tool. Avast senior researcher Jan Sirmer found attackers had exploited weak FTP server authentication credentials and a vulnerability in the TimThumb image resizer to upload malicious PHP files to the sites. But this was not the only way the attack succeeded. Another vector was to use stolen passwords to make changes directly over FTP. In your FTP space, alongside the other site files, a new file appears that looks like this: ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js
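Both vectors above end the same way: a file that should not be there, or a file that should not have changed, sitting in the web root. A hash baseline of the install catches either. The script below is an added example written for this post, not code from Avast or WordPress; it builds a constructed WordPress-like tree in a temporary directory, snapshots it, then plants the two paths the post names and diffs the snapshots.

```python
import hashlib
import tempfile
from pathlib import Path

# File types a web shell or injected loader would arrive as. Anything else
# (images, CSS) is ignored to keep the baseline small and the report focused.
WATCH_SUFFIXES = {".php", ".js", ".htaccess"}


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each watched file (site-relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and (p.suffix in WATCH_SUFFIXES or p.name in WATCH_SUFFIXES):
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare(baseline, current):
    """Classify every difference between two snapshots into added/removed/modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def write(root, rel, text):
    """Create a file (and its parent directories) under root."""
    p = Path(root, rel)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Constructed site: snapshot it, simulate the two changes the post describes
    (a new loader dropped under w3tc/min and a core script overwritten), then diff."""
    with tempfile.TemporaryDirectory() as site:
        write(site, "index.php", "<?php require 'wp-blog-header.php';\n")
        write(site, "wp-includes/js/l10n.js", "/* genuine WordPress script (constructed) */\n")
        write(site, "wp-content/themes/demo/style.css", "body { margin: 0 }\n")
        write(site, "wp-content/themes/demo/timthumb.php", "<?php /* outdated resizer (constructed) */\n")
        baseline = build_baseline(site)

        # Attacker activity, using the two paths named in the post (contents constructed).
        write(site, "wp-content/w3tc/min/a12ed303.925433.js", "/* injected loader (constructed) */\n")
        write(site, "wp-includes/js/l10n.js", "/* genuine script */ /* appended injection (constructed) */\n")

        return compare(baseline, build_baseline(site))


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "modified", "removed"):
        for rel in report[kind]:
            print(f"{kind:9} {rel}")
```

In real use, take the baseline right after a clean install or update and keep it somewhere the FTP account cannot reach; a baseline stored in the web root can be edited by the same stolen credentials that planted the file. Re-running the diff on a schedule turns the "look for a file that looks like this" advice into a check that runs without anyone remembering the file names.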

Microsoft YouTube site pwned

The weekend saw Microsoft’s YouTube presence hacked and its content changed from helpful videos to cartoons and advertising offers.

One of the uploaded videos, called Bingo, showed a character from the LA Noire video game shooting another animated figure in the head. Other videos called on YouTube visitors to post video responses, create new background images for the channel or provide sponsorship.

By midday GMT the site had been returned to normal. Nobody is claiming to know how this hack took place, but the obvious theory is poor password security by a Microsoft employee. There are also rumours circulating that the account and channel were actually created by a Microsoft fan before being handed over to Microsoft at a later date. It could be that the account was still linked to the previous owner’s email, and therefore a password change was easy to facilitate.

One heading on the channel also read, “I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/.”  So maybe there is something

iPad2 iOS5 Lock Screen Vulnerability

As soon as iOS5 was released people were already looking for issues with it. One of the first discovered on the iPad 2 was an issue with the screen lock functionality.

Mark Gurman has discovered a vulnerability on the iPad that allows a limited bypass of the device’s lock screen. Anyone with a Smart Cover on their iPad can gain access to the previously open app (or the home screen if no app was open).

Simply hold the power button to bring up the ‘Power Off’ screen, close the Smart Cover, re-open it and tap Cancel, and the attacker is dropped into the screen that was open before the iPad was locked. If the attacker is dropped into the home screen, they can see the installed apps but cannot open anything. If Safari or Address Book (or any other app) was open when the device was locked, the attacker has access to that app.

From a locked iPad 2:

1) Lock a password protected iPad 2
2) Hold down power button until iPad 2 reaches turn off slider
3) Close Smart Cover
4) Open Smart Cover
5) Click cancel on the bottom of the screen

Obviously, with more and more iPads being used in the business world and in education, you can probably imagine the issues this type of vulnerability could cause. Just imagine if your email was the last app open, or your address book with all of your customers 🙂

For now the only way to stop this happening is to disable the “Smart Cover Unlocking” feature, which can be found in Settings > General.

Although I’m sure Apple will already be working on a fix for this.

BT and Nigel Mansell Twitter Accounts Hacked

BT Business and Nigel Mansell both fell victim to a Twitter account hijack on Friday, which then went on to punt a popular diet pill scam.

@btbusiness and @Mansell5 were both directed to a weight loss site on Friday, where there was an article discussing the supposed benefits of Acai Berry.
@btbusiness soon noticed and regained control of their account; however, @Mansell5 was only changed over the weekend, with Nigel tweeting on Sunday evening, “I’m thinking it’s time to choose a new password!”
The image above shows the @btbusiness offering 🙂

The Acai Berry spam attack has been seen numerous times before; last December, when Gawker was hacked, a number of Twitter accounts were hijacked because users were using the same password on both their Gawker and Twitter accounts.

It appears no harm was done this time, but both BT Business and Nigel Mansell could have faced a lot more embarrassment if the hijacked accounts had been punting something other than diet pill scams.

Apple OSX Lion Password Security

Recently the long-awaited update to Apple’s OSX was released in the form of ‘Lion’. However, Apple seem to have gone back in time with their implementation of password security on Lion.

Directory Services in OSX used to require authentication when requesting a password change, but this is no longer the case in Lion.

In order to change the password of the currently logged-in user, all you need to type is:

$ dscl localhost -passwd /Search/Users/Jon
(where Jon is the current user)

Now, although this requires a machine to be left unlocked, how many times do you see a Mac left unlocked on someone’s desk???