We have discovered more than 300 websites that include malicious code that will attempt to run a program on your machine without end-user intervention. Similar to the recent Scob attack, a dual-pronged approach of exploiting vulnerable servers and clients is being used. There is no commonality on the web server side with the exception of 164 sites that are all hosted by the same hosting facility in Florida.

Details on the hosting facility in Florida:

The site that includes the exploit code is:
http://www.karl-marx.ru/

And the counter is located at:
http://www.karl-marx.ru/counter.php

We were not able to download and research the code as it was unavailable at the time of this report.

Detailed infected URLs:
http://www.karl-marx.ru//main.chm
http://www.karl-marx.ru/counter.php
http://www.karl-marx.ru/script.php?
http://www.karl-marx.ru/wcmd.htm

IP: 207.36.201.106

The IP address is owned by an ISP in Florida who has been notified.

All of the sites are also hosted by the same ISP in Florida but appear to be on a different machine with the IP address below. All sites are vhosted.

IP: 207.150.192.12

The exploits are utilizing IE vulnerabilities like the following (a variety of uses with .CHM):
http://www.microsoft.com/technet/security/bulletin/ms04-023.mspx

Server-side vulnerability exploited:

It is not clear how the server(s) were compromised, but the hosting facility has been contacted and we are waiting to hear from them to get details.

The webserver that was infected most was running:
Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp

The other 140 servers that are using the CHM exploit are a variety of web servers including Apache and IIS. Also, many are running PHP.
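For defenders who want to check their own proxy logs and hosted pages against the indicators above, the following is an added example (not Websense's code and not part of the original report). It flags requests for the listed karl-marx.ru URLs and the two listed IPs, flags any .CHM download seen through the proxy, and scans page HTML for object/iframe/anchor references that pull a .CHM file from a host other than the page's own. The Squid-style log lines and the HTML snippet are constructed for the demonstration; the log field layout is an assumption.

```python
"""Match proxy traffic and hosted HTML against the CHM indicators in the report.

Added example for the advisory above; not Websense code.  The indicator
URLs and IPs are the ones quoted in the report; the log lines and HTML
below are constructed samples.
"""
import re
from urllib.parse import urlparse

# Indicator URLs quoted in the report (kept verbatim, double slash included).
INDICATOR_URLS = {
    "http://www.karl-marx.ru//main.chm",
    "http://www.karl-marx.ru/counter.php",
    "http://www.karl-marx.ru/script.php?",
    "http://www.karl-marx.ru/wcmd.htm",
}
# Hosting IPs quoted in the report.
INDICATOR_IPS = {"207.36.201.106", "207.150.192.12"}


def _key(url):
    """Normalise a URL to (host, path) so 'script.php?' and 'script.php' compare equal."""
    p = urlparse(url)
    return (p.hostname or "").lower(), p.path


INDICATOR_KEYS = {_key(u) for u in INDICATOR_URLS}


def classify_log_line(line):
    """Return (url, reason) when a proxy log line matches, else None.

    Assumes a Squid-like native format where the requested URL is the first
    whitespace-separated field starting with http:// or https://.
    """
    fields = line.split()
    url = next((f for f in fields if f.startswith(("http://", "https://"))), None)
    if url is None:
        return None
    host, path = _key(url)
    if (host, path) in INDICATOR_KEYS:
        return url, "indicator-url"      # exact URL from the report
    if host in INDICATOR_IPS:
        return url, "indicator-ip"       # request sent straight to a listed IP
    if path.lower().endswith(".chm"):
        return url, "chm-download"       # any compiled help file fetched via the proxy
    return None


def scan_log(text):
    """Return a list of (client_ip, url, reason) for every matching log line."""
    hits = []
    for line in text.splitlines():
        result = classify_log_line(line)
        if result:
            url, reason = result
            hits.append((line.split()[2], url, reason))   # field 2 = client IP (assumed layout)
    return hits


# src/href/data/codebase attributes whose value is a .chm resource, e.g. <object data="x.chm">
CHM_REF = re.compile(
    r"""(?:src|href|data|codebase)\s*=\s*["']?([^"'\s>]+\.chm\b[^"'\s>]*)""", re.I)


def find_chm_refs(html, page_host):
    """Return (url, is_external) for every .chm referenced by a page.

    A reference is external when it names a host other than page_host;
    relative references are reported as internal.
    """
    refs = []
    for m in CHM_REF.finditer(html):
        url = m.group(1)
        host = urlparse(url).hostname
        refs.append((url, host is not None and host.lower() != page_host.lower()))
    return refs


# Constructed sample data (timestamp elapsed client action/code size method url ...).
SAMPLE_LOG = """\
1091000000.123 45 10.0.0.5 TCP_MISS/200 3412 GET http://www.example.org/index.html - DIRECT/203.0.113.10 text/html
1091000001.456 88 10.0.0.5 TCP_MISS/200 112 GET http://www.karl-marx.ru/counter.php - DIRECT/207.36.201.106 text/html
1091000002.789 210 10.0.0.5 TCP_MISS/200 65536 GET http://www.karl-marx.ru//main.chm - DIRECT/207.36.201.106 application/octet-stream
1091000003.001 30 10.0.0.7 TCP_MISS/200 2048 GET http://intranet.example.org/help/manual.chm - DIRECT/10.0.0.20 application/octet-stream
"""

SAMPLE_HTML = """<html><body>
<object data="http://www.karl-marx.ru//main.chm" type="application/octet-stream"></object>
<a href="/docs/help.chm">local help</a>
</body></html>"""

if __name__ == "__main__":
    for client, url, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:14} {client:12} {url}")
    for url, external in find_chm_refs(SAMPLE_HTML, "www.example.org"):
        print(f"{'EXTERNAL' if external else 'local   '} .chm reference: {url}")
```

The third rule (any .CHM fetched through the proxy) is deliberately broad: in most corporate environments compiled help files are rarely fetched from the internet at all, so each hit is cheap to triage, and it keeps working after the specific host in this report goes away. The HTML check is meant to be run over pages you host, to confirm none of them have been modified to embed a third-party .CHM.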
Although evidence shows that most have been exploited, some also appear to be knowingly using this vulnerability to install spyware and other tools on your machine without your knowledge (10 sites using exploit.chm).

Details on WebServers:

Apache/1.3.20 Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b PHP/4.3.4 mod_auth_pam_external/0.1 FrontPage/4.0.4.3 mod_perl/1.25
Apache/1.3.22 (Unix) PHP/4.1.1 mod_perl/1.26 rus/PL30.9
Apache/1.3.26 (Unix)
Apache/1.3.26 (Unix) mod_mhp mod_mhp_log mod_virtcgi frontPage/5.0 mod_status_mhp
Apache/1.3.26 (Unix) PHP/4.1.2
Apache/1.3.26 (Unix) PHP/4.3.4 FrontPage/5.0.2.2510
Apache/1.3.27 OpenSSL/0.9.6 (Unix) FrontPage/5.0.2.2634 PHP/4.3.4
Apache/1.3.27 (Unix) FrontPage/5.0.2.2634
Apache/1.3.27 (Unix) PHP/3.0.18
Apache/1.3.27 (Unix) PHP/4.2.3 mod_ssl/2.8.12 OpenSSL/0.9.7-beta3
Apache/1.3.27 (Unix) PHP/4.3.2
Apache/1.3.27 (Unix) PHP/4.3.4
Apache/1.3.27 (Unix) (Red-Hat/Linux) FrontPage/5.0.2.2623 mod_python/2.7.8 Python/1.5.2 mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.3.6 mod_perl/1.26 mod_webapp/1.2.0-dev
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_perl/1.26 PHP/4.3.3 FrontPage/5.0.2 mod_ssl/2.8.12 OpenSSL/0.9.6b
Apache/1.3.27 (Unix) (Red-Hat/Linux) mod_ssl/2.8.12 OpenSSL/0.9.6b DAV/1.0.2 PHP/4.3.3 mod_perl/1.26
Apache/1.3.28 (Unix)
Apache/1.3.28 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.2 FrontPage/5.0.2.2634 mod_ssl/2.8.15 OpenSSL/0.9.6b
Apache/1.3.28 (Unix) PHP/4.3.3
Apache1.3.29 - ProXad [Jun 9 2004 15:20:12]
Apache/1.3.29 (Unix) FrontPage/5.0.2.2623
Apache/1.3.29 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634 mod_ssl/2.8.16 OpenSSL/0.9.6b
Apache/1.3.29 (Unix) mod_gzip/1.3.26.1a PHP/4.3.8
Apache/1.3.29 (Unix) mod_layout/3.2.1 PHP/4.3.4
Apache/1.3.29 (Unix) mod_watch/2.3
Apache/1.3.29 (Unix) PHP/4.3.2-RC
Apache/1.3.29 (Unix) PHP/4.3.4
Apache/1.3.29 (Unix) PHP/4.3.5
Apache/1.3.29 (Unix) PHP/4.3.8
Apache/1.3.29 (Unix) (Red-Hat/Linux) PHP/4.3.8
Apache/1.3.31 (Unix)
Apache/1.3.31 (Unix) FrontPage/5.0.2.2635 PHP/4.3.7
Apache/1.3.31 (Unix) mod_accounting/0.5l mod_ssl/2.8.18 OpenSSL/0.9.7d mod_deflate/1.0.21
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.3 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.7a
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.8 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.6b
Apache/1.3.31 (Unix) mod_auth_passthrough/1.8 mod_tsunami/2.0 mod_bwprotect/0.2 mod_log_bytes/1.2 mod_bwlimited/1.4 PHP/4.3.4 FrontPage/5.0.2.2634a mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/1.3.31 (Unix) mod_python/2.7.10 Python/2.2.2 mod_webapp/1.2.0-dev mod_perl/1.29 mod_throttle/3.1.2 PHP/4.3.4 FrontPage/5.0.2.2510 mod_ssl/2.8.18 OpenSSL/0.9.7d
Apache/2.0.39 (Unix) mod_perl/1.99_07-dev Perl/v5.6.1
Apache/2.0.40 (Red Hat Linux)
Apache/2.0.47
Apache/2.0.47 (Unix) PHP/4.3.3
Apache/2.0.47 (Unix) PHP/4.3.4
Apache/2.0.49 (Fedora)
Apache/2.0.49 (Unix) PHP/4.3.5
Apache-AdvancedExtranetServer/1.3.26 (Mandrake Linux/6mdk) PHP/4.2.3 sxnet/1.2.4 mod_ssl/2.8.10 OpenSSL/0.9.6g
Microsoft-IIS/5.0
Microsoft-IIS/6.0
SHS Squeegit/1.2.5 (3_sir) .V15
Apache/1.3.26 (Unix) mod_fs 6.005
Zeus/3.4
Zeus/4.2

_______________________________
Dan Hubbard
Security & Technology Research
Websense, Inc.