funsec mailing list archives

iSKORPiTX/zone-h update: The biggest hacking incident in the web-hosting history


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 23 May 2006 19:35:17 GMT

Roberto Preatoni updates us:

[snip]

We received a mail from stokia.com fellows with an interesting analysis on the incident:

"The hack seems to have been done through an ASP script that is automatically installed on all hosting customers' 
accounts on these particular servers.

The mass defacement was placed in a sub directory on each site. /ssfm/isko.htm

A search on google for: ' ssfm vulnerability ' (without quotes) returns a google cache result with a godaddy user 
complaining about being hacked through the ssfm directory, and a response from "hosting support" claiming that the 
problem "is a vulnerability in the Microsoft IIS".

Quote: This email is in regards to the issue that you escalated on xx xxxxx 2005. The ssfm hack is not something we can 
really defend against. It is a vulnerability in the Microsoft IIS webserving system. As Microsoft uses closed source 
software, we are dependent on them for a fix to this issue. They have not, as of yet, issued a patch for this 
vulnerability. Rest assured that your passwords have not been compromised. The attacker does not need these to insert 
his file into the account as it is done through a hole in the IIS system (and this is the only directory that they 
would have access to).

A search on google for: ' ssfm directory asp ' (without quotes) returns multiple results for godaddy users seeking help 
with the file 'gdform.asp'. The 'gdform.asp' appears to be a form mail type script. The source code of 'gdform.asp' 
also contains a reference to the SSFM folder: filename = Server.MapPath("ssfm"). (See the second post at 
http://forums.aspfree.com/asp-development-5/asp-email-form-on-godaddy-114110.html for the source code to gdform.asp.)

A search on google for: ' ssfm directory godaddy ' (without quotes) or ' ssfm directory secureserver.net ' (without 
quotes) returns multiple results for users seeking help with the 'gdform.asp' or 'gdform.php' form mail type scripts.

We have not examined the source code to the asp file in detail or done more than superficial research on this mass 
defacement, but this does not appear to be a vulnerability in IIS. This appears to be a problem with poor script coding 
and/or failing to properly validate user form input. I would guess that the hacker is able to inject their own code 
into the asp or php script being used to send mail."

[snip]

Link:
http://www.zone-h.org/news/read/id=206009

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/
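The bug class the stokia.com analysis guesses at, as an added illustration that is not part of the original post and is not the source of gdform.asp: a form-mail handler that drops each submission as a file under a web-reachable "ssfm" folder. The handler below is a hypothetical reconstruction (the field names, the use of the subject as a file name, and the sample submissions are all assumptions), placed beside a hardened version that chooses the file name itself, validates the fields, escapes the content and stores it outside the web root, so that a submitted HTML body can never become a page the web server serves.

```python
import html
import os
import re
import tempfile

# Constructed sample submissions (not real traffic from the incident).
NORMAL = {"name": "alice", "subject": "hello", "body": "just testing"}
MALICIOUS = {"name": "x", "subject": "isko.htm", "body": "<html>defaced</html>"}
TRAVERSAL = {"name": "x", "subject": "../isko.htm", "body": "<html>defaced</html>"}

# Allow-list for short text fields: no path separators, no control characters.
SAFE_FIELD = re.compile(r"^[\w .,!?@'-]{1,200}$")


def vulnerable_save(webroot, fields):
    """Hypothetical weak handler (assumption, not gdform.asp): stores the
    submission in <webroot>/ssfm using the 'subject' field as the file name
    and writing the body verbatim.  The attacker picks both name and content,
    so an .htm file under the web root is served as a page."""
    ssfm = os.path.join(webroot, "ssfm")
    os.makedirs(ssfm, exist_ok=True)
    path = os.path.join(ssfm, fields["subject"])   # user controls the name
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(fields["body"])                    # and the content
    return path


def hardened_save(store_dir, fields, seq):
    """Hardened handler: server-chosen name with a fixed .txt extension,
    storage outside the web root, fields validated against an allow-list and
    HTML-escaped so the stored file is never interpretable as markup."""
    for key in ("name", "subject"):
        if not SAFE_FIELD.match(fields.get(key, "")):
            raise ValueError(f"rejected field {key!r}")
    body = fields.get("body", "")
    if len(body) > 10_000:
        raise ValueError("body too long")
    os.makedirs(store_dir, exist_ok=True)
    path = os.path.join(store_dir, f"submission-{seq:06d}.txt")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(f"name: {html.escape(fields['name'])}\n")
        fh.write(f"subject: {html.escape(fields['subject'])}\n")
        fh.write(html.escape(body) + "\n")
    return path


def is_served_by_webserver(webroot, path):
    """True if 'path' resolves to a location inside webroot, i.e. an HTTP
    client could fetch it directly."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def demo():
    """Run both handlers on the constructed submissions and report where the
    files ended up and what they contain."""
    base = tempfile.mkdtemp()
    webroot = os.path.join(base, "wwwroot")
    store = os.path.join(base, "formdata")   # deliberately outside the web root

    bad = vulnerable_save(webroot, MALICIOUS)
    good = hardened_save(store, MALICIOUS, 1)
    try:
        hardened_save(store, TRAVERSAL, 2)
        traversal_rejected = False
    except ValueError:
        traversal_rejected = True

    with open(bad, encoding="utf-8") as fh:
        bad_content = fh.read()
    with open(good, encoding="utf-8") as fh:
        good_content = fh.read()

    return {
        "vulnerable_name": os.path.basename(bad),
        "vulnerable_served": is_served_by_webserver(webroot, bad),
        "vulnerable_content": bad_content,
        "hardened_name": os.path.basename(good),
        "hardened_served": is_served_by_webserver(webroot, good),
        "hardened_content": good_content,
        "traversal_rejected": traversal_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The weak handler reproduces the symptom the analysis describes (an attacker-chosen .htm under ssfm, served by the web server) without any IIS flaw; the hardened one removes every attacker-controlled element from the path and neutralises the content, which is the check a reviewer of such a form-mail script would want to see.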


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

